Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 138s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 14/09/2024, 01:45
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://mediafire.com/file/t2h0j8d157urq4i
Resource: win10v2004-20240802-en
General
Target: http://mediafire.com/file/t2h0j8d157urq4i
Malware Config
Extracted
redline
@soonumb7
185.215.113.22:80
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
resource behavioral1/memory/1708-330-0x0000000000400000-0x0000000000452000-memory.dmp, yara_rule family_redline
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
Executes dropped EXE 6 IoCs
pid Process: 5736 Launcher.exe; 5656 Launcher.exe; 1092 Launcher.exe; 5144 Launcher.exe; 2276 Launcher.exe; 436 Launcher.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow 6, ioc mediafire.com
Suspicious use of SetThreadContext 6 IoCs
PID 5736 (Launcher.exe) set thread context of 1708 (procid_target 132)
PID 5656 (Launcher.exe) set thread context of 5620 (procid_target 136)
PID 1092 (Launcher.exe) set thread context of 4504 (procid_target 144)
PID 5144 (Launcher.exe) set thread context of 872 (procid_target 148)
PID 2276 (Launcher.exe) set thread context of 3864 (procid_target 151)
PID 436 (Launcher.exe) set thread context of 4300 (procid_target 155)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 12 IoCs are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by process (in order): Launcher.exe, RegAsm.exe, Launcher.exe, Launcher.exe, RegAsm.exe, Launcher.exe, RegAsm.exe, RegAsm.exe, Launcher.exe, RegAsm.exe, RegAsm.exe, Launcher.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies system certificate store 2 IoCs
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 (RegAsm.exe)
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) (RegAsm.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1336 msedge.exe 1336 msedge.exe 1264 msedge.exe 1264 msedge.exe 2440 identity_helper.exe 2440 identity_helper.exe 5792 msedge.exe 5792 msedge.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 1708 RegAsm.exe 1708 RegAsm.exe 5100 taskmgr.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe 1708 RegAsm.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process: 5100 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid Process 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Token: SeRestorePrivilege 1428 7zG.exe
Token: 35 1428 7zG.exe
Token: SeSecurityPrivilege 1428 7zG.exe
Token: SeSecurityPrivilege 1428 7zG.exe
Token: SeDebugPrivilege 5100 taskmgr.exe
Token: SeSystemProfilePrivilege 5100 taskmgr.exe
Token: SeCreateGlobalPrivilege 5100 taskmgr.exe
Token: SeDebugPrivilege 1708 RegAsm.exe
Token: SeDebugPrivilege 5620 RegAsm.exe
Token: SeDebugPrivilege 4504 RegAsm.exe
Token: SeDebugPrivilege 872 RegAsm.exe
Token: SeDebugPrivilege 3864 RegAsm.exe
Token: SeDebugPrivilege 4300 RegAsm.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1428 7zG.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 1264 msedge.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe 5100 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1264 wrote to memory of 2904 1264 msedge.exe 84 PID 1264 wrote to memory of 2904 1264 msedge.exe 84 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 
msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 5048 1264 msedge.exe 85 PID 1264 wrote to memory of 1336 1264 msedge.exe 86 PID 1264 wrote to memory of 1336 1264 msedge.exe 86 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87 PID 1264 wrote to memory of 2528 1264 msedge.exe 87
Processes
- PID 1264: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mediafire.com/file/t2h0j8d157urq4i
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 2904: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718
  - PID 5048: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  - PID 1336: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2528: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  - PID 4184: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  - PID 3928: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  - PID 4588: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  - PID 5032: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  - PID 3296: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  - PID 3836: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5448 /prefetch:8
  - PID 2344: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  - PID 2496: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  - PID 1544: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  - PID 4436: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  - PID 2080: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  - PID 4924: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7108 /prefetch:8
  - PID 2440: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7108 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5128: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  - PID 5596: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  - PID 5604: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  - PID 5792: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5872: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  - PID 5880: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
- PID 2080: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 1080: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 5760: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 1428: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Software 2024\" -spe -an -ai#7zMap12694:88:7zEvent26986
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- PID 5100: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID 5736: "C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
  - PID 2284: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - PID 1708: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: System Location Discovery: System Language Discovery; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- PID 5656: "C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
  - PID 5620: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- PID 3996: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
- PID 1092: "C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
  - PID 4504: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- PID 5144: "C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
  - PID 872: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- PID 2276: "C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
  - PID 3864: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- PID 436: "C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
  - PID 4300: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (2)
- Credentials In Files (2)
Downloads