Analysis

max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10-10-2024 08:58

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://njrat download
Resource: win11-20241007-en

General

Target: http://njrat download
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed nigerian
C2: hakim32.ddns.net:2000, 127.0.0.1:5552
Mutex: 0836ad3f4f2a3225437e173723805851
Attributes:
- reg_key: 0836ad3f4f2a3225437e173723805851
- splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 3 IoCs)
- PID 1608 netsh.exe
- PID 1376 netsh.exe
- PID 4004 netsh.exe

Executes dropped EXE (2 IoCs)
- PID 3172 Server.exe
- PID 2576 tmpB3D5.tmp.bat
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 9 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tmpB3D5.tmp.bat)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NjRat 0.7D Danger Edition.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ilasm.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Server.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies registry class (30 IoCs)
NTFS ADS (2 IoCs)
- File opened for modification: C:\Users\Admin\Downloads\NjRat.0.7D-main.zip:Zone.Identifier (msedge.exe)
- File created: C:\Users\Admin\AppData\Local\Temp\Andex.bat\:Zone.Identifier:$DATA (NjRat 0.7D Danger Edition.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 3172 Server.exe
- PID 4832 NjRat 0.7D Danger Edition.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
- Token: 33, PID 3060 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 3060 AUDIODG.EXE
- Token: SeDebugPrivilege, PID 3172 Server.exe
- Token: 33, PID 3172 Server.exe
- Token: SeIncBasePriorityPrivilege, PID 3172 Server.exe
- Token: 33, PID 3172 Server.exe
- Token: SeIncBasePriorityPrivilege, PID 3172 Server.exe
- Token: 33, PID 3172 Server.exe
- Token: SeIncBasePriorityPrivilege, PID 3172 Server.exe
- Token: 33, PID 3172 Server.exe
- Token: SeIncBasePriorityPrivilege, PID 3172 Server.exe
- Token: 33, PID 3172 Server.exe
- Token: SeIncBasePriorityPrivilege, PID 3172 Server.exe
Suspicious use of FindShellTrayWindow (59 IoCs)
Suspicious use of SendNotifyMessage (17 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4832 NjRat 0.7D Danger Edition.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

msedge.exe (PID 1132, depth 1)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://njrat download
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    msedge.exe (PID 4940, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb603b3cb8,0x7ffb603b3cc8,0x7ffb603b3cd8

    msedge.exe (PID 1572, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

    msedge.exe (PID 4904, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 3976, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

    msedge.exe (PID 2756, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

    msedge.exe (PID 2760, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1

    msedge.exe (PID 884, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1

    msedge.exe (PID 4572, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1

    msedge.exe (PID 4296, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

    identity_helper.exe (PID 4976, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 2260, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

    msedge.exe (PID 3308, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

    msedge.exe (PID 2284, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 3980, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1

    msedge.exe (PID 3464, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

    msedge.exe (PID 3276, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

    msedge.exe (PID 2760, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

    msedge.exe (PID 2336, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1

    msedge.exe (PID 2756, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

    msedge.exe (PID 1976, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1

    msedge.exe (PID 3960, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 4304, depth 2)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3020 /prefetch:2
CompPkgSrv.exe (PID 4036, depth 1)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 4620, depth 1)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

rundll32.exe (PID 2780, depth 1)
  Path: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
NjRat 0.7D Danger Edition.exe (PID 4832, depth 1)
  Path: C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe
  Command line: "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

    ilasm.exe (PID 5008, depth 2)
      Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe"
      - System Location Discovery: System Language Discovery

AUDIODG.EXE (PID 3060, depth 1)
  Path: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D4
  - Suspicious use of AdjustPrivilegeToken
Server.exe (PID 3172, depth 1)
  Path: C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe
  Command line: "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

    netsh.exe (PID 1608, depth 2)
      Path: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    netsh.exe (PID 4004, depth 2)
      Path: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe"
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    netsh.exe (PID 1376, depth 2)
      Path: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    tmpB3D5.tmp.bat (PID 2576, depth 2)
      Path: C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.bat
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.bat"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15

Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
SHA256a0b6d19ab502b9c57f3f16ba743a9ee117ac10ae4a11f54cbbd33b37da817e34
SHA51256ea4407906da3879868b09ef5546f0600459d3b6e6d1750386623bcf0a87d97e0c28c53cecba6ba29c1a5228a5de461a0d379cb4d640bff12b7e2989346cd3d
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD552ed5fe92793a1ba46a4a5a868e18427
SHA1403e2a4f258d2d6b511a16b11d91bec9d1ad989b
SHA2567d65bb50932e712abc58f1ef8896637cc84ff527b72a29b439c57d7b862e84eb
SHA51219d6d98cf3f87e089e40f1c91cc2d9aeb3673f53277349b29e5049ab40d263d2d5186df650d7b23d3c6670cb04349aca970e72eb4fcdec0317ba096cb499dbae
-
Filesize
1.2MB
MD5df592e3010f358e6567d6a8cb670c0fc
SHA1d7418e80c9cf525746b36257bbca4fe9bb1c5e26
SHA2562abe44f0da7ba97eb8d4fa5f984671798c37b165d10cd99865fa80562aabe5e8
SHA512d8d5c7e839d8a64e82094255d06bd735cccf45819f942d0a490d47c476f223da01d63c9bb4ada2a8cb73c98c2e9733e22e29b1addf78a76c1cf34f1683714041
-
Filesize
100KB
MD56032ce8ceea46af873b78c1f323547da
SHA18c5bd4a70e0f21aeba41c07976ace2919b64fd80
SHA25619dc8c66d04d1a1d781e59107e2a1db5fd6288761c9dfd0c6909e533e79d04e7
SHA5123ada1663cb730f43b44e32ceade5d0b9cae20d1c20001691a1d226d99c82510e001581f67f5131d6c21e0e0cf98e5089c3d0f22a6a1e3347053ed73304ccc6fe
-
Filesize
48.8MB
MD580d3d5163cafe75e0f2d1666a4c65414
SHA1b94d1e8abcf337c888f403e4e7563c896fa7d51c
SHA256d96bb6e66aef5a2901a0bfb80df3382d79cdcf60c9916badf27b456244bc6929
SHA512d606abeacdb158dfdfabd89d7e3c12800704faa499821d01494899d5c36d93d2cc540d8747633535e148abffba4ac8c1fb3016fc03535c3d75cf74edd34daae3
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
93KB
MD5fa3ea0aa07413e8eaaa8710f01793f4c
SHA112b34aaa807a1a4df1c40a8bf92406f92ba544af
SHA25655036215e4eafb301092afb13bf50a9cfff4715dcb31ab392760d31b8f94cf84
SHA5121f89a482efadeb219af32e74a72334372436cb1d2cb4e56e5a00b7d8053453e16db557483b26add98fa6be7bf9fdf65dc558b8eac9ce669f325cbd5f1e3ed9c3