Analysis
max time kernel: 144s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2024 02:00
Static task: static1
Behavioral task: behavioral1
  Sample: '''.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: '''.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: Lana_Rhoades_Photoos.js
  Resource: win7-20240903-en
General
Target: '''.exe
Size: 2.0MB
MD5: 60b42e43178ad0ed1484e4afef56e740
SHA1: 45d484903388cd149f9e2e5afbfe247c90a00031
SHA256: ed0cc4ec1b8de4c0e315f3caa855892f7ace7cccd3b8e98c7589316ef9fd1972
SHA512: 1d397050fe7969993404ee0313ee071ec6a5bd316a40210c72404600057b9a7cca2c78302d28e9f576a42c74ddfec37856b7188c7dd64d173afce043d9b2bc7f
SSDEEP: 49152:4VAbwcf0qplQ9rQ7JC+zQlQTLw9Lqb4tBr9mPrIdq1AT2v:0Aa+lQp85Q59mb47r9mDLm2v
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  Processes (pid, process):
    1124  setup.exe
    3824  setup.exe
    8     setup.exe
    432   setup.exe
    3304  setup.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    1124  setup.exe
    3824  setup.exe
    8     setup.exe
    432   setup.exe
    3304  setup.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 4 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process):
    File opened (read-only)  \??\D:  setup.exe
    File opened (read-only)  \??\F:  setup.exe
    File opened (read-only)  \??\D:  setup.exe
    File opened (read-only)  \??\F:  setup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  '''.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- NTFS ADS (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 903609.crdownload:SmartScreen  msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process, number of identical entries):
    2936  msedge.exe           (x2)
    3348  msedge.exe           (x2)
    4564  identity_helper.exe  (x2)
    5588  msedge.exe           (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  Processes (pid, process, number of identical entries):
    3348  msedge.exe  (x9)
- Suspicious use of FindShellTrayWindow (50 IoCs)
  Processes (pid, process, number of identical entries):
    3348  msedge.exe  (x50)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid, process, number of identical entries):
    3348  msedge.exe  (x24)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid, process, number of identical entries):
    1124  setup.exe  (x3)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process, number of identical entries):
    PID 3936 wrote to memory of 1124  3936  '''.exe     setup.exe   (x3)
    PID 1124 wrote to memory of 3824  1124  setup.exe   setup.exe   (x3)
    PID 1124 wrote to memory of 8     1124  setup.exe   setup.exe   (x3)
    PID 1124 wrote to memory of 432   1124  setup.exe   setup.exe   (x3)
    PID 432 wrote to memory of 3304   432   setup.exe   setup.exe   (x3)
    PID 1124 wrote to memory of 3348  1124  setup.exe   msedge.exe  (x2)
    PID 3348 wrote to memory of 4372  3348  msedge.exe  msedge.exe  (x2)
    PID 3348 wrote to memory of 3856  3348  msedge.exe  msedge.exe  (x40)
    PID 3348 wrote to memory of 2936  3348  msedge.exe  msedge.exe  (x2)
    PID 3348 wrote to memory of 4424  3348  msedge.exe  msedge.exe  (x3)
Processes (indented by position in the process tree)

C:\Users\Admin\AppData\Local\Temp\'''.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\'''.exe"
  PID: 3936
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7zS06F5AE67\setup.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7zS06F5AE67\setup.exe --server-tracking-blob=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
    PID: 1124
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zS06F5AE67\setup.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\7zS06F5AE67\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.62 --initial-client-data=0x324,0x32c,0x330,0x2e4,0x334,0x74daae8c,0x74daae98,0x74daaea4
      PID: 3824
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      PID: 8
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\7zS06F5AE67\setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS06F5AE67\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1124 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241028020052" --session-guid=70563157-f6f1-4770-95d5-713ed75066b8 --server-tracking-blob="NTAxNjA4NTg4NmYyYjQ2YjA3ZTA5NzM3ZDI2NDlhMWJkMDkyNTFlMTAyNzNhZWZmNjEzNDM3NjI0MmQwYjU3ODp7ImNvdW50cnkiOiJDQSIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9Z29vZ2xlLWFkcyZ1dG1fbWVkaXVtPWJhX29zZSZ1dG1fY2FtcGFpZ249JTI1MjMwOCUyNTIwLSUyNTIwQ0ElMjUyMC0lMjUyMFNlYXJjaCUyNTIwLSUyNTIwRU4lMjUyMC0lMjUyMEJyYW5kZWQlMjUyMC0lMjUyMDIwMTcmdXRtX2NvbnRlbnQ9Z29vZ2xlK2NwYyZ1dG1faWQ9Z2NsaWRDandLQ0FqdzBhUzNCaEEzRWl3QUthRDJaWEFVdENvQUh4THN4V25PYW9maUNaVEJaYTM1RC1xNFRlb2tKS0dteWNGam82dVdaT09zQ3hvQ0Y1OFFBdkRfQndFJmh0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cuZ29vZ2xlLmNvbSUyRiZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPW9wZXJhLmNvbSUyRiZkbF90b2tlbj05NzU3NjY1NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyNjU1OTA3MC4xMDgxIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoiJTIzMDglMjAtJTIwQ0ElMjAtJTIwU2VhcmNoJTIwLSUyMEVOJTIwLSUyMEJyYW5kZWQlMjAtJTIwMjAxNyIsImNvbnRlbnQiOiJnb29nbGUgY3BjIiwiaWQiOiJnY2xpZENqd0tDQWp3MGFTM0JoQTNFaXdBS2FEMlpYQVV0Q29BSHhMc3hXbk9hb2ZpQ1pUQlphMzVELXE0VGVva0pLR215Y0ZqbzZ1V1pPT3NDeG9DRjU4UUF2RF9Cd0UiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS8iLCJtZWRpdW0iOiJiYV9vc2UiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiZ29vZ2xlLWFkcyJ9LCJ1dWlkIjoiMDM3MGVmZTAtYTg1ZC00MDk3LTg2ZjYtOGE4ZWYzZWNiODcyIn0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=7C09000000000000
      PID: 432
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\7zS06F5AE67\setup.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\7zS06F5AE67\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.62 --initial-client-data=0x31c,0x320,0x328,0x2f8,0x334,0x728bae8c,0x728bae98,0x728baea4
        PID: 3304
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
      PID: 3348
      - Enumerates system info in registry
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaef4e46f8,0x7ffaef4e4708,0x7ffaef4e4718
        PID: 4372

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        PID: 3856

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        PID: 2936
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
        PID: 4424

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
        PID: 4444

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
        PID: 668

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
        PID: 3752

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        PID: 3636

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
        PID: 2760

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
        PID: 4564
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5680 /prefetch:8
        PID: 1880

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
        PID: 5032

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
        PID: 4464

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
        PID: 3500

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:8
        PID: 1864

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
        PID: 5364

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
        PID: 5372

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1464,15889744443863013255,1129757977937346085,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4244 /prefetch:2
        PID: 5588
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4052

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4264
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 471B
  MD5: a7ace7a352ba4b229c3562e1cfb0f17a
  SHA1: 64b631fde52bd98bd358ae2e72274c1f2e8635d0
  SHA256: 662e5b1f41d1b0e9908f0047b292548837471d9503b46060f1a2c84a678501d5
  SHA512: 550d24b96618678b06961ce9b8d55cc8ac8df6dad457844302bba693abb27784e8ec0302bc7635b4e99d6c10f93d05eb651fb33279df87b552763a5dad040306

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811
  Filesize: 727B
  MD5: f92f0494102f1f71e6e3ffc015b38de5
  SHA1: 28c85b17496bb0f8955f30df145bc5d00d82781c
  SHA256: 627fdaa7e770c890adfa5a2cbeef2f04112f76b32cca4b92254eec26eec166ce
  SHA512: d709ac533d6bff0b5bb115d98fd6838049a6eb6463a6b7a3e43989fc6403ea2f070b7a73def839f40366c8441584bd393593f719d467336aba7cd7df91b53835

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
  Filesize: 471B
  MD5: b9fd62a72a2f6a16a2de4292e8e6fc27
  SHA1: 03717f814ab6968f77399543d39fab015cf53d72
  SHA256: 00a7eb032faccfbcb6c8c260d2ae747b2c4b86e87664ac4581eae29fedc507e2
  SHA512: d889b3deb9b1893a8b49b19d8d15026ea83d5175dd5564ff73d79e9591fe970b67880f9f67d39c84769fa04e47b84d8069b043eafa50162569ba3c890226d54e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: fb3ad0052022397d5a1c8b766288d0ec
  SHA1: cf5024fddad85a4d7c15336aefe9da80b7d42cda
  SHA256: 050e59f261304198054be1e0205f2570c07f4e51e87e2c6109e660ef3120fde9
  SHA512: 59b0bd85d438a8372b05824d86521f882d2c22fd4946a9bf58c9630925714f671f45a1d0aee2f8497a1480f93c9afaa8b1d14de29f9c03e9ecc82923146496df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
  Filesize: 471B
  MD5: 5f2459962e06db56120ef2cd42b4de48
  SHA1: e26adbf4927b99e67ecf188c981c30e6431def3d
  SHA256: 8bf7dc6bcc7ef2c1efb57891252b66e3e1614a5fabdbcb13da9d42bce772d53d
  SHA512: 86a20c02710d9d79ed59e479a9bbfb5d7dc42765a2446a30bf29535f11447168713144d20b7571078332032b8c157f51037e8aae549760436d93b5eee863ff92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 400B
  MD5: 8e13702405f6b3b99ac5c208dd79742a
  SHA1: 67907226e6588ad633ac22c6637bceef01bca026
  SHA256: 8524b6881851b3beedbbe06cbde3a5e336a9055deb6ba91ee86c15d157a849a0
  SHA512: 2eb0d32020257ef1d793ead32bdc74e373a46e8fe3f05f3fb091af0c295db2a60fc533f99fa20e60786d2b63eecd35097fbe6ff3214a8b50daff856c3d42a6b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811
  Filesize: 412B
  MD5: 2c6e1437bc47631936846e313a9d183c
  SHA1: 9ca8aa4b01e4e970674fbd139cfac044c402f73d
  SHA256: e2f885aaab984abe530bd1fe8b92a51172835c617c1368682f2bbe268d567f15
  SHA512: f6bee19e1aba5ef2a1168d07353fd0b8da6bec2269433605c1c5998ee5ba4ec43535f49b638fe3ccae5ce4528098f9f5c62659aa7908a2204630aed1faab7224

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
  Filesize: 400B
  MD5: c5736a7f3d86973e0189685427196d68
  SHA1: 21382512fe6aded0f4f44cfcc90d1591d26e6b5e
  SHA256: 62f7598e7f56a350088835f176cb9381c0cecf77f7755b4e78a1422c0d34e2e1
  SHA512: 77cb5f8bd01e4aac10e5772283b006dde39aca98f8bcdfc4be8206a034f470e3bf546cf57ca13442b3239ac339ec6f8bc43e321a9d33ae54fa234d1438b691c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: 9e9cbf8c42d966c56dd4067b5dbae286
  SHA1: de0e8a756bdaa3b23323f6dec60925d013f3aa23
  SHA256: e4bb4534ce1f057e6fef71e7fcbb77248cc818217caf0c99be57520739cd7ccf
  SHA512: dbbe0288b9a411d479db92952730169b0e427e2f8b21cd6d41de26bd2ca4991f5045deb7eaf540820f2a556d2e93ee738d805987701490f0ba85f3484feceef6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
  Filesize: 412B
  MD5: 3d6e7c9a662cb0a6a67794027343e4c8
  SHA1: 9a403f3e91fd5889f6a3a9122927c6faf020d87f
  SHA256: f910b3322c8d866838398bee4f721430f07442dc03756348015e7ec0093f2b37
  SHA512: 1beda8d9cfffdb7b5b34d4e1a5a70475dbc539ec8f5e3a4dba34c9744c215566e5c65a25c9a5b1db1b2ed81632b7ee0849996925cb43e964a4b16893f6b6f3fe
Filesize: 11KB
  MD5: 277e5013fc654370226dd1bea8bf7344
  SHA1: 3a0322b9eb82b559f492be5345ad14972214ed4b
  SHA256: 93d298aa0be23ac7b73be0e8f03ffb89d3d51d6f206e9d2a7fd120e062d184cb
  SHA512: 1df0463cf5126336184284a23d64151284fe14d240f360d8159e48e1019394e4767cbf26ed901f7a8dfffac8f3404fd2af22fc2e06fcbf9ac1174fb8658a573a

Filesize: 152B
  MD5: a0486d6f8406d852dd805b66ff467692
  SHA1: 77ba1f63142e86b21c951b808f4bc5d8ed89b571
  SHA256: c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
  SHA512: 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Filesize: 152B
  MD5: dc058ebc0f8181946a312f0be99ed79c
  SHA1: 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
  SHA256: 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
  SHA512: 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 192B
  MD5: 7ab3796f2ba9648a0f5c8fe20c729b2f
  SHA1: d7af5bb5568ebcec112a020a453df6ffa86336bb
  SHA256: 2e00e4f422f4ebca2aa1db878eaef9790f0743b8ff8e4c42a5ba23101d13e9d8
  SHA512: 2a2e273f211a0896c219ed3b2908b91644e6c4f9fb9bf1c72c0f8c32d7df16a126161b3bd174c49b3f4d7d52963b313371579fc90fb4a5314e810b934716d3be

Filesize: 1KB
  MD5: 39c535c2c68ab9dcfa05f37100139a0b
  SHA1: 3a43b99d1029c6e59ee244c42a2a0b40bda5bfbc
  SHA256: dd1a6971452df16e7a4247947b877dc3a3cc3c5204ef4183761ab73741a033c7
  SHA512: 49779416ec1beff561cdc978406da9c731b8e21af76e0625e5fcc9e473c4712e466321516bf1677808adc85a803f35b0636dffb7faa82d11199ad6196e6ca0ce

Filesize: 5KB
  MD5: d01982d278bc1473451966d424ee7813
  SHA1: ac24c30a3e6bcf4be73cad6899a05a3ba381cab6
  SHA256: 95d1485898eae6b823970a4a64d16c37993c82bdced75b4efa4396a16111febc
  SHA512: a9d558a3eff805975c19dae921efef5d6b8eefbdbfaa30ceb30626d18750feb0813c0cc122b184754776573748a7e06c3983ee65e9199f55645f132331948f9b

Filesize: 7KB
  MD5: 1434e536115abfacf15484d139f6cef5
  SHA1: 5066f07fa4310c4d9595dd7d726143615091315d
  SHA256: 4841893873a1af17ae13394855d3ad923e370a07630f59ac5ef4b6aee545cda7
  SHA512: d1afd2426b9f6fd5435e69ba9b18fbc1c4b687f720a02de8b6d081987f0b222ec0498a89d5b322d5b66b99b50d82649235d99b0348c55fef7d9992348c942ef2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 6a74fef4e6304a43cbb2f832c2b29d49
  SHA1: 8b5fb7bb0d328d8ff89eec3920144e24c5e4c49e
  SHA256: bc4eea65fed9b0e137a88a9485c32666da952b303f3ac7f3ab73da264e0f63bf
  SHA512: 19782ccf7e3d950a257dc93d1b7aca4b94fdc509d4077253eb2c1a1ce2f2a502af07274e379c8d5a78f14416ecd40e448c1e8f796302d08619af440692f44f26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ea41.TMP
  Filesize: 48B
  MD5: 1d82566bea3cf0182a5611b6002b3b52
  SHA1: 4df93b7a8067c0a1001f82be46c3a478e61a6eb8
  SHA256: b656c5c63825e5d3d5badb2fb0f6d0d05783721d32a0cb14c42f8e4e6bd7bfda
  SHA512: 63f9e4d90c2355cf710b241c6d443fe1d095a90ea1455516d3d0151d62530003063b909dca095a31dcc0965bdbe59a6deec9e1faaec3324ef7a42c7ba18038be

Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
  MD5: 78e6f9c54f44ee462dac39829b28c4a9
  SHA1: 1b06c359b33f965b15075f89566426a5ce60bad8
  SHA256: e27b78034594a0a94ea5533f18c80cb90cb9bc5936db772d169da08762fff8dc
  SHA512: 9522724e800bc72e9722556b3da437d4589f2b990cc500e3ec6cd7c3e0cb1173ff8dcad93a5fd6480b00ad6775df5e9b62c62e73cbe7253be860bcd6ca0927d3

Filesize: 5.1MB
  MD5: c3ad19d69141fa707540087edc297679
  SHA1: 0bba92b6e3371770989ef3597a9192d16b4feae2
  SHA256: ff7ac32388dbd9ad3ef945b0e71518c2d869b9d9cc8fbbd14d3b0665850b0933
  SHA512: 28648a5c8c44def983cbdc4f6b48dc97d5fbda2a2f8ac3d93f85476f3492bc18986be97a5954e27fff1206779736b0ed90df1a04c35f30e1c182b6435cf33f2f

Filesize: 4.6MB
  MD5: af4d7038964957d0316e5cc585dcc65b
  SHA1: 5adf3de24387ba6aa548787586cca5c6186fddfa
  SHA256: bac6f2f2f872837ceecf54e7ab04e620e5e0a951029e93920977bac0a2b0fe03
  SHA512: b76b889e3ef159a363a85b0db84a67d478a04b1737b14582877622dc07fd12fb5dd20171d0f178bad1c7d9b77aebe76edee59ca9e5b8c75d983384e6dab33fa4

Filesize: 40B
  MD5: 91f20233c4a2d30e3df9c8b8197fe1e3
  SHA1: 98eb15912a41007747f93487f99aa702c487e82f
  SHA256: 3b21fd8412480f338511ab27e54b52e79b79d7274018baac2d33ab829379f38c
  SHA512: f16492220ebaa31d91e7e4da88ca89d9631322baca6a1885e6da7c4e4080fc8c5a9418457930f3ab6d3e3492166ce9df2056d30afb88581b2411f9df8d3f60c0

MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e