Resubmissions
11/09/2024, 17:15  240911-vs3d1aselj  score 3
11/09/2024, 17:12  240911-vq4t2sshle  score 3
11/09/2024, 17:09  240911-vphv7ascpp  score 7

Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/09/2024, 17:15
Static task: static1
Behavioral task: behavioral1
Sample: toaleta.jar
Resource: win10v2004-20240802-en
General
Target: toaleta.jar
Size: 2.2MB
MD5: 8e48fc3bda0bc899ba7c38b5bd2ac165
SHA1: bff45691858d8278b55b46af99ab0b5890564e53
SHA256: 648ca4f9c2964bea3e91685a32e0381c803d648cc358b39ae4071fd3be77fed6
SHA512: a807a35eee990b75d85417bdddc3aabbe1275319ccd982c08b7bd929eb175992b96d7728a4615885b1368c9693550968a899b2d308fc8a0c9c3b1420ad7bc5d0
SSDEEP: 49152:J1dxsLIha5XhNN9gD3b+V9JqG+XFpJ7JUZRlwxBRR+IMNT58:JZJhhb+Xqd1DJmR6xHlMU
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705486596988705" | chrome.exe

Modifies registry class (1 IoC)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{620724BD-E397-45F6-B09C-264ECEED6D61} | msedge.exe

Opens file in notepad (likely ransom note) (2 IoCs)
pid | process
2852 | notepad.exe
4432 | notepad.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (entries in the order listed; repeated rows collapsed with their counts)
472 | java.exe  (52 entries)
3260 | powershell.exe  (3 entries)
472 | java.exe  (9 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (21 IoCs)
pid | process
4024 | chrome.exe  (4 entries)
3496 | msedge.exe  (17 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeDebugPrivilege | 472 | java.exe  (64 entries)

Suspicious use of FindShellTrayWindow (53 IoCs)
pid | process
472 | java.exe  (1 entry)
4024 | chrome.exe  (27 entries)
3496 | msedge.exe  (25 entries)

Suspicious use of SendNotifyMessage (48 IoCs)
pid | process
4024 | chrome.exe  (24 entries)
3496 | msedge.exe  (24 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
472 | java.exe  (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target
PID 4024 wrote to memory of 1672 | 4024 | chrome.exe | 106  (2 entries)
PID 4024 wrote to memory of 2636 | 4024 | chrome.exe | 107  (30 entries)
PID 4024 wrote to memory of 2200 | 4024 | chrome.exe | 108  (2 entries)
PID 4024 wrote to memory of 3976 | 4024 | chrome.exe | 109  (30 entries)
Processes
(level 1 = top-level process, level 2 = child of the preceding level-1 process)

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  PID 472  (level 1)
  command line: java -jar C:\Users\Admin\AppData\Local\Temp\toaleta.jar
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\notepad.exe  PID 2852  (level 1)
  command line: "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\UnpublishDebug.ps1"
  - Opens file in notepad (likely ransom note)

C:\Windows\System32\notepad.exe  PID 4432  (level 1)
  command line: "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\BlockRegister.ps1"
  - Opens file in notepad (likely ransom note)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 3260  (level 1)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\chrome.exe  PID 4024  (level 1)
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 1672  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb9206cc40,0x7ffb9206cc4c,0x7ffb9206cc58

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 2636  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 2200  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2196,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2248 /prefetch:3

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 3976  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2432 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 3688  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 1972  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 4924  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4528 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 4336  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4892 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 408  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5100 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 3052  (level 2)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4476,i,13099050570537544345,11562635424863194080,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  PID 5060  (level 1)
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  PID 2036  (level 1)
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3496  (level 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 792  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb940446f8,0x7ffb94044708,0x7ffb94044718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2688  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1692  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3476  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4496  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2292  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4460  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4688  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID 5232  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID 5328  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5412  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5728  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5916  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 6068  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 6076  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 6084  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1044  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4368  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4552  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1356  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5672  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3440 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5676  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5008 /prefetch:8
    - Modifies registry class

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2884  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5172  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5896  (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14736097465780072792,7732746333242533157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  PID 4460  (level 1)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID 3252  (level 1)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4f2938f7-38f3-4eef-a775-ad36ee0a709d.tmp
Filesize649B
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\18d574d0-55ee-4dab-b4e2-aa76de5e5dd6.tmp
Filesize 5KB