Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/04/2024, 17:07
Static task: static1
Behavioral task: behavioral1
Sample: acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Resource: win10v2004-20240426-en
General
Target: acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Size: 1.8MB
MD5: 3129fec389a088955fae72aa12b20ef0
SHA1: e4cc27027754574a6abdf0010333930016b37fb5
SHA256: acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75
SHA512: 918ac19261d99d7ea7cc92bdf6e72a8caff90eb6241c650fe95cf0230bce9af8bc52231c0a7452244b88b6024b0061351520e57400952e4bf4191e67bc8139e9
SSDEEP: 49152:r3/bnfCUYZWGdSbS36Q5DTFpcL4Mne/qMFZQK:rjnf2vFpcL1uFZ
Malware Config
Extracted config 1
Family: amadey
Version: 4.20
C2: http://193.233.132.139
install_dir: 5454e6f062
install_file: explorta.exe
strings_key: c7a869c5ba1d72480093ec207994e2bf
url_paths: /sev56rkm/index.php

Extracted config 2
Family: amadey
Version: 4.17
C2: http://193.233.132.167
install_dir: 4d0ab15804
install_file: chrosha.exe
strings_key: 1a9519d7b465e1f4880fa09a6162d768
url_paths: /enigma/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | chrosha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amert.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 13ee951efa.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
78 | 4968 | rundll32.exe
79 | 1044 | rundll32.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 13ee951efa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | chrosha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 13ee951efa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | chrosha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | explorta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | ee00809619.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | chrosha.exe
Executes dropped EXE (7 IoCs)
pid | Process
4688 | explorta.exe
4812 | amert.exe
2428 | ee00809619.exe
2272 | 13ee951efa.exe
2484 | explorta.exe
3068 | chrosha.exe
3428 | explorta.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | chrosha.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | amert.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | 13ee951efa.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
Loads dropped DLL (3 IoCs)
pid | Process
1712 | rundll32.exe
4968 | rundll32.exe
1044 | rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other account data.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ee00809619.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\ee00809619.exe" | explorta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13ee951efa.exe = "C:\\Users\\Admin\\1000017002\\13ee951efa.exe" | explorta.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000700000002344b-57.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
pid | Process
3136 | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
4688 | explorta.exe
4812 | amert.exe
2272 | 13ee951efa.exe
3068 | chrosha.exe
2484 | explorta.exe
3428 | explorta.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\explorta.job | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
File created | C:\Windows\Tasks\chrosha.job | amert.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587112625490842" | chrome.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{E8B429F8-817C-4CC6-BB30-92DF7923D28C} | chrome.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid | Process
2364 | chrome.exe
2364 | chrome.exe
2364 | chrome.exe
2364 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (63 IoCs)
Suspicious use of SendNotifyMessage (60 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(The bracketed number is the depth of the entry in the process tree; children are indented under their parent.)

[1] C:\Users\Admin\AppData\Local\Temp\acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe"
    PID: 3136
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
        PID: 4688
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
            PID: 2332

        [3] C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
            PID: 4812
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\AppData\Local\Temp\1000016001\ee00809619.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\ee00809619.exe"
            PID: 2428
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                PID: 2364
                - Enumerates system info in registry
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaef08ab58,0x7ffaef08ab68,0x7ffaef08ab78
                    PID: 2500

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:2
                    PID: 2740

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 952

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 3500

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
                    PID: 4916

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
                    PID: 1680

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
                    PID: 4924

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3264 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
                    PID: 4664

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3328 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 2708

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 1584
                    - Modifies registry class

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 4244

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 1840

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 3276

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 2176

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 528

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
                    PID: 3048

                [5] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:2
                    PID: 3248
                    - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\1000017002\13ee951efa.exe
            Command line: "C:\Users\Admin\1000017002\13ee951efa.exe"
            PID: 2272
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses

[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    PID: 3568

[1] C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    PID: 3068
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
        PID: 1712
        - Loads dropped DLL

        [3] C:\Windows\system32\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
            PID: 4968
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\system32\netsh.exe
                Command line: netsh wlan show profiles
                PID: 2484

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\906287020291_Desktop.zip' -CompressionLevel Optimal
                PID: 3520
                - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        PID: 1044
        - Blocklisted process makes network request
        - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    PID: 2484
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    PID: 3428
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Unsecured Credentials (3)
    - Credentials In Files (2)
    - Credentials in Registry (1)
Downloads
-
Filesize
279KB
MD5a7e0bf1f789de3fc13b861b1949b0943
SHA16d3e90d7eaf14adfce866f6bfaaa42be2ca5d8c2
SHA2562647da1a7e8ad11f2ec19e3799f7e9ff71a8649381668c870f0da88d5fe4c875
SHA512e22f97b6bd09ff65d7d84349e28fb2416e94e39c38f98af3877fcd0263bbcdeac0e1328ad6691b722becdf02ed482bb842ad5c75d1ca8e69cff36883242dfff4
-
Filesize
98KB
MD53c2a602fe42ebe2b9f26c6e6ff6d6031
SHA1530bf9768e3f4985dc71a3631fc085ee6fbd9422
SHA256bd1ba2722cd885e1a7fdcca19cd0f19353fa04bc88873f43e4a5ab8c41a1ea92
SHA512a7063b16283bbd4b5b7efba3cc49d4d0d3baadc9dc5c50ff8f6aff09f8bab54c05ef4ba98ac93de4a0bd36b8ceb5a4932f45a3a1d00113c710311222f7b0d062
-
Filesize
94KB
MD506f8e2b020ae7c826ce6beffa82f8880
SHA1828309b0861490a62f74f51adba14703911dc892
SHA25613a69800f955140cd7850825cf63b0fda66efa066ae10342876db6c4df4c1f77
SHA5127c2edb10419d79e222567232fd5d186d50fe0cce952bec78fd11e373e2236667bf6adc64397a99614e7bfe5ba3a4a3f4f561ca2518ab84a0ca813345d53fd6d7
-
Filesize
1.8MB
MD573d73c48859fc7aa4fd78d9a57f859d6
SHA1c1f71ea0692d97c653ff5a5ecbc03fd02173fe05
SHA256d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876
SHA512f0634be539582016c03e83f3ca58d613fc16abcc0a9c320321f455234a8f2dc1c199fc52187abac5e4cbbe7b7907afdaa89813f50cbecd611f7e870ee7f8e979
-
Filesize
1.1MB
MD5fd12e45487d406d9bf958e2c07c45083
SHA1ec6e3d877be9af04e131fa9583014479f1d1a51d
SHA2565aafc97f69d699210d0978a093626279ba36c9b9b533ddfc38f90f464bc11527
SHA51240b1c3d71ebd7cafb3858d063e6f0fcf3821f60226c5a84d523555178f3b435f53b0a6cacefb1d38a39ab752e7bd76653c208c9e3874c646aca3067bf402acd1
-
Filesize
1.8MB
MD53129fec389a088955fae72aa12b20ef0
SHA1e4cc27027754574a6abdf0010333930016b37fb5
SHA256acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75
SHA512918ac19261d99d7ea7cc92bdf6e72a8caff90eb6241c650fe95cf0230bce9af8bc52231c0a7452244b88b6024b0061351520e57400952e4bf4191e67bc8139e9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
Filesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705