Analysis
max time kernel: 219s
max time network: 216s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25-05-2024 16:26
Static task: static1
Behavioral task: behavioral1 (Sample: New Text Document.txt, Resource: win10-20240404-en)
Behavioral task: behavioral2 (Sample: New Text Document.txt, Resource: win11-20240508-en)
The results on this page are from the win10-20240404-en run (see the resource field above).
General
Target: New Text Document.txt
Size: 24B
MD5: 91561aacb9fc2e708028dbaaa64de308
SHA1: 56b61342e3ff19c455b5f78b645a5c4402c1ea6f
SHA256: 6668bc4691a6691ad316b338a5829e7de3612765c50ebe4e63344bf177332721
SHA512: 1f3866af4a4f36ea8e367ebf9fd760cae9d27ac55fa1091de02ccf2436a304a0d3379b659d2c8ab616d6f18a0858c3eca5d11325d2ba8e6e208fc2f734831f89
Note that the submitted file is a 24-byte text file, and the behaviour recorded below does not come from it. During the interactive session Firefox downloaded Insomnia.zip (see the NTFS ADS signature), and the only non-Windows, non-browser processes in the process tree are Insomnia.exe and the RegAsm.exe children it sets thread context on. The Lumma configuration below therefore belongs to that activity, not to the text file.
Malware Config
Extracted family: lumma
C2 URLs:
  https://museumtespaceorsp.shop/api
  https://buttockdecarderwiso.shop/api
  https://averageaattractiionsl.shop/api
  https://femininiespywageg.shop/api
  https://employhabragaomlsp.shop/api
  https://stalfbaclcalorieeis.shop/api
  https://civilianurinedtsraov.shop/api
  https://roomabolishsnifftwk.shop/api
All eight are .shop domains with the same /api endpoint. Lumma configurations carry several hosts so the stealer can fall back to the next one when a host is down or taken over, so block the whole set rather than only the host seen in traffic.
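As an added example (written for this page, not part of the sandbox report or of the Lumma family's own code), the following Python turns the extracted C2 URLs into a host blocklist and runs it over proxy and resolver log lines. The eight URLs are the ones above; the log format, the log lines and the client IPs in them are constructed for illustration and are not from the report.

```python
"""Build a host blocklist from the Lumma C2 URLs the report extracted and
match it against proxy and resolver log lines.

Added example written for this page; it is not part of the sandbox report.
The eight URLs are copied from the report's Malware Config section.  The
log format and the log lines are constructed for illustration."""
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's Lumma configuration.
LUMMA_C2_URLS = [
    "https://museumtespaceorsp.shop/api",
    "https://buttockdecarderwiso.shop/api",
    "https://averageaattractiionsl.shop/api",
    "https://femininiespywageg.shop/api",
    "https://employhabragaomlsp.shop/api",
    "https://stalfbaclcalorieeis.shop/api",
    "https://civilianurinedtsraov.shop/api",
    "https://roomabolishsnifftwk.shop/api",
]


def c2_hosts(urls):
    """Lower-cased hostnames from the C2 URL list, ports and paths dropped.
    Block on the host: the /api path is trivially changed server-side."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def host_matches(host, blocklist):
    """True when host is a blocklisted name or a subdomain of one, so
    'cdn.museumtespaceorsp.shop' hits while 'xmuseumtespaceorsp.shop' does not."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocklist)


def scan_log(lines, blocklist):
    """Return (line_number, host) for each line whose host is blocklisted.

    Constructed log format used here:
      proxy:    '<ts> <client_ip> <METHOD> <url> <status>'
      resolver: '<ts> <client_ip> DNS <qname>'
    Lines with fewer than four fields are ignored."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[2] == "DNS":
            host = fields[3]
        else:
            host = urlparse(fields[3]).hostname or ""
        host = host.lower().rstrip(".")   # resolver logs may carry a trailing dot
        if host_matches(host, blocklist):
            hits.append((number, host))
    return hits


# Constructed sample log: three lines touch C2 hosts, two are benign.
SAMPLE_LOG = [
    "2024-05-25T16:30:01Z 10.0.0.5 POST https://museumtespaceorsp.shop/api 200",
    "2024-05-25T16:30:02Z 10.0.0.5 GET https://example.com/ 200",
    "2024-05-25T16:30:03Z 10.0.0.7 DNS buttockdecarderwiso.shop.",
    "2024-05-25T16:30:04Z 10.0.0.7 DNS cdn.example.org",
    "2024-05-25T16:30:05Z 10.0.0.9 POST https://employhabragaomlsp.shop:443/api 403",
]

if __name__ == "__main__":
    hosts = c2_hosts(LUMMA_C2_URLS)
    for number, host in scan_log(SAMPLE_LOG, hosts):
        print(f"line {number}: C2 contact with {host}")
```

Matching is done on the registrable host with subdomain suffix matching, not on the full URL, because the operator can move the endpoint off /api without touching the domain; a DNS-level hit (line 3) is worth the same alert as a proxy hit, since the stealer resolves the host before it ever sends a request.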
Signatures

Drops file in System32 directory (3 IoCs)
Processes: mmc.exe (3 instances)
  File opened for modification  C:\Windows\system32\taskschd.msc  (mmc.exe, 3 events, one per instance)
All three events are mmc.exe opening the Task Scheduler console file, which matches the mmc.exe command line in the process tree below. The process here is mmc.exe, not the sample.
Suspicious use of SetThreadContext (44 IoCs)
Processes: Insomnia.exe (44 instances)
Each record reads "source PID (image) -> target PID (image)". Every source is Insomnia.exe; in 42 of the 44 records the target is RegAsm.exe, the signed .NET Framework assembly-registration tool, and in the remaining two it is another Insomnia.exe.
  3132 Insomnia.exe -> 5004 RegAsm.exe
  444 Insomnia.exe -> 4172 RegAsm.exe
  2432 Insomnia.exe -> 912 RegAsm.exe
  3164 Insomnia.exe -> 3168 RegAsm.exe
  4804 Insomnia.exe -> 4424 RegAsm.exe
  2832 Insomnia.exe -> 2288 RegAsm.exe
  2704 Insomnia.exe -> 3164 RegAsm.exe
  1852 Insomnia.exe -> 2380 RegAsm.exe
  4804 Insomnia.exe -> 5248 RegAsm.exe
  4196 Insomnia.exe -> 5256 RegAsm.exe
  2832 Insomnia.exe -> 5384 RegAsm.exe
  5152 Insomnia.exe -> 5412 RegAsm.exe
  5240 Insomnia.exe -> 5552 RegAsm.exe
  5324 Insomnia.exe -> 5624 RegAsm.exe
  5352 Insomnia.exe -> 5644 RegAsm.exe
  5288 Insomnia.exe -> 5664 RegAsm.exe
  5276 Insomnia.exe -> 5704 RegAsm.exe
  5400 Insomnia.exe -> 5744 RegAsm.exe
  5516 Insomnia.exe -> 5788 RegAsm.exe
  5460 Insomnia.exe -> 5828 RegAsm.exe
  5496 Insomnia.exe -> 5860 RegAsm.exe
  5488 Insomnia.exe -> 5960 RegAsm.exe
  5584 Insomnia.exe -> 5996 RegAsm.exe
  6068 Insomnia.exe -> 4340 RegAsm.exe
  5116 Insomnia.exe -> 5164 RegAsm.exe
  1852 Insomnia.exe -> 5268 RegAsm.exe
  5580 Insomnia.exe -> 5616 RegAsm.exe
  5244 Insomnia.exe -> 5444 RegAsm.exe
  5524 Insomnia.exe -> 5288 RegAsm.exe
  5700 Insomnia.exe -> 5736 RegAsm.exe
  5884 Insomnia.exe -> 5952 RegAsm.exe
  5660 Insomnia.exe -> 5716 RegAsm.exe
  5492 Insomnia.exe -> 5976 RegAsm.exe
  5912 Insomnia.exe -> 6080 RegAsm.exe
  5208 Insomnia.exe -> 5192 RegAsm.exe
  5216 Insomnia.exe -> 5376 RegAsm.exe
  5676 Insomnia.exe -> 5688 RegAsm.exe
  5548 Insomnia.exe -> 5352 Insomnia.exe
  5692 Insomnia.exe -> 5936 RegAsm.exe
  5872 Insomnia.exe -> 5152 Insomnia.exe
  5608 Insomnia.exe -> 5564 RegAsm.exe
  5676 Insomnia.exe -> 1256 RegAsm.exe
  5904 Insomnia.exe -> 5596 RegAsm.exe
  788 Insomnia.exe -> 5576 RegAsm.exe
A parent calling SetThreadContext on a child it has just created is the thread-redirect step of process hollowing: the loader starts the signed host suspended, replaces its memory and points the main thread at the payload before resuming it. RegAsm.exe is a routine host for this because it is a signed Microsoft binary that lives under every .NET Framework install. Two caveats when correlating these records with the process tree: PIDs are reused within the run (3164 is an Insomnia.exe source here and a RegAsm.exe target one record later; 5152, 5288 and 5352 likewise appear on both sides, and 4340 is also the rundll32.exe PID in the tree), so key on PID plus image and start time rather than PID alone; and the report's WriteProcessMemory list below is capped at 64 entries and is filled entirely by Firefox, so the absence of Insomnia.exe writes there says nothing.
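The records above are enough for a small triage step. The following Python is an added example, not code from the report or the sandbox: it parses the report's own "set thread context" lines (the excerpt embedded in the block is copied from the list above), labels each target, and lists PIDs that show up under two image names. The set of .NET binaries treated as hollowing hosts is the editor's assumption, not something the report asserts.

```python
"""Classify the 'set thread context' records from the sandbox report.

Added example by the editor, not part of the report.  The sample lines
below are copied from the report's SetThreadContext IoC list; the list of
hollowing host binaries is the editor's assumption, not something the
report states."""
import re
from collections import defaultdict

# One record per line, in the report's own wording.
RECORD = re.compile(
    r"PID (?P<src>\d+) set thread context of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Signed .NET Framework utilities that commodity loaders commonly start
# suspended and hollow (assumption: editor-chosen list, lower-cased).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "applaunch.exe"}


def parse_records(text):
    """Parse report lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            out.append({
                "src": int(m["src"]), "src_img": m["src_img"],
                "dst": int(m["dst"]), "dst_img": m["dst_img"],
            })
    return out


def classify(rec):
    """Label one record.
    hollow-host : target is a known .NET hollowing host (RegAsm.exe here)
    self-inject : target has the same image name as the source
    other       : anything else, worth a look but not auto-flagged"""
    dst = rec["dst_img"].lower()
    if dst in HOLLOW_HOSTS:
        return "hollow-host"
    if dst == rec["src_img"].lower():
        return "self-inject"
    return "other"


def summarize(records):
    """Group verdicts by (source pid, source image).  Keying on the pair
    rather than the bare PID matters because PIDs are reused in the run."""
    by_src = defaultdict(list)
    for r in records:
        by_src[(r["src"], r["src_img"])].append((r["dst"], r["dst_img"], classify(r)))
    return dict(by_src)


def reused_pids(records):
    """PIDs that appear with more than one image name across the records
    (as a source under one name and a target under another)."""
    names = defaultdict(set)
    for r in records:
        names[r["src"]].add(r["src_img"].lower())
        names[r["dst"]].add(r["dst_img"].lower())
    return {pid for pid, imgs in names.items() if len(imgs) > 1}


# Excerpt copied from the report's SetThreadContext list (not constructed).
REPORT_EXCERPT = """\
PID 3132 set thread context of 5004 3132 Insomnia.exe RegAsm.exe
PID 444 set thread context of 4172 444 Insomnia.exe RegAsm.exe
PID 3164 set thread context of 3168 3164 Insomnia.exe RegAsm.exe
PID 2704 set thread context of 3164 2704 Insomnia.exe RegAsm.exe
PID 5548 set thread context of 5352 5548 Insomnia.exe Insomnia.exe
PID 5872 set thread context of 5152 5872 Insomnia.exe Insomnia.exe
"""

if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for (pid, img), targets in summarize(recs).items():
        for dst, dst_img, verdict in targets:
            print(f"{img}[{pid}] -> {dst_img}[{dst}]: {verdict}")
    print("PIDs seen under two names:", sorted(reused_pids(recs)))
```

On the excerpt, 3164 comes out as a reused PID because it is an Insomnia.exe source in one record and a RegAsm.exe target in the next; that is the case the summary keys on (PID, image) to keep apart.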
Drops file in Windows directory (2 IoCs)
Processes: taskmgr.exe
  File created  C:\Windows\rescache\_merged\4183903823\2290032291.pri  (taskmgr.exe)
  File created  C:\Windows\rescache\_merged\1601268389\715946058.pri  (taskmgr.exe)
Both are resource-index (.pri) files under the Windows resource cache written by Task Manager, not by the sample.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000  (taskmgr.exe)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (taskmgr.exe)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  (taskmgr.exe)
The process reading these keys is taskmgr.exe, not the sample. The key names do show what a VM-aware sample would find if it looked: the disk enumerates as Ven_QEMU / Prod_HARDDISK, so the analysis VM runs on QEMU.
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  (firefox.exe)
All five reads are by firefox.exe, not by the sample.
Modifies registry class (3 IoCs)
Processes: firefox.exe, taskmgr.exe, OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings  (firefox.exe)
  Key created  \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings  (taskmgr.exe)
  Key created  \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings  (OpenWith.exe)
This is the per-user HKCU\Software\Classes\Local Settings key that shell-hosting applications create routinely; none of the three processes is the sample.
NTFS ADS (1 IoC)
Processes: firefox.exe
  File created  C:\Users\Admin\Downloads\Insomnia.zip:Zone.Identifier  (firefox.exe)
This is Firefox writing the Mark of the Web on a file it downloaded, which places Insomnia.zip in the run as a browser download rather than as part of the submitted sample. The process tree later shows Insomnia.exe running from C:\Users\Admin\Desktop\Insomnia\. The report records the stream only on the archive; whether the extracted Insomnia.exe carried a Zone.Identifier stream of its own depends on the tool used to unpack it and is not captured here.
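An added example (not part of the report) for reading the stream that Firefox wrote: the Python below parses a Zone.Identifier stream and reports the zone, and includes a reader for a real file on NTFS. The report only records that the stream was created, not its contents, so the stream text embedded in the block is constructed in the documented [ZoneTransfer] layout; the URLs in it are placeholders, not anything observed in the run.

```python
"""Parse the Zone.Identifier alternate data stream (Mark of the Web) that
Firefox wrote on Insomnia.zip.

Added example written for this page, not part of the report.  The stream
text below is constructed by the editor in the documented [ZoneTransfer]
INI layout; the report only records that the stream was created, not its
contents."""
import configparser

# URLZONE values from urlmon.h; 3 (Internet) and 4 (Restricted) are the
# zones Windows treats as "downloaded from the internet".
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}


def parse_zone_identifier(stream_text):
    """Return zone id/name and the URLs recorded in a Zone.Identifier stream.

    Raises ValueError when the text is not an INI stream with a
    [ZoneTransfer] section and a ZoneId, which is how a truncated or
    hand-edited stream shows up."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str          # keep ReferrerUrl/HostUrl case as written
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error as exc:
        raise ValueError(f"not a Zone.Identifier stream: {exc}") from exc
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    if "ZoneId" not in section:
        raise ValueError("ZoneId missing")
    zone_id = int(section["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, f"unknown({zone_id})"),
        "referrer": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def motw_applies(info):
    """True for ZoneId 3 (Internet) and above, the zones SmartScreen and
    Office protected view act on."""
    return info["zone_id"] >= 3


def read_motw(path):
    """Read and parse the stream of a real file on NTFS.
    Returns None when the file carries no Zone.Identifier stream.
    Only meaningful on Windows, where '<path>:Zone.Identifier' opens the ADS."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed stream, shaped like what a browser writes for an internet
# download; the URLs are placeholders, not values from the report.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/files/Insomnia.zip\r\n"
)

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, "marked:", motw_applies(info))
```

The HostUrl and ReferrerUrl fields are what make the stream useful in an investigation: they name the download origin even after the archive has been moved, which is exactly the link between the Downloads folder and the Desktop copy that this report does not record.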
Opens file in notepad (likely ransom note) (1 IoC)
Processes: NOTEPAD.EXE
  1096 NOTEPAD.EXE
The file opened is the submitted 24-byte sample itself (the NOTEPAD.EXE command line in the process tree names C:\Users\Admin\AppData\Local\Temp\New Text Document.txt), so the "likely ransom note" reading of this heuristic does not apply here.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: taskmgr.exe
  420 taskmgr.exe  (64 events)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: mmc.exe
  6384 mmc.exe
  6920 mmc.exe

Suspicious behavior: SetClipboardViewer (2 IoCs)
Processes: mmc.exe
  6384 mmc.exe
  6920 mmc.exe
PIDs 6384 and 6920 are mmc.exe instances that do not appear in the process tree as captured below (only mmc.exe 4596 does).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: firefox.exe, mmc.exe
  Token: SeDebugPrivilege  1376 firefox.exe  (6 events)
  Token: 33 followed by Token: SeIncBasePriorityPrivilege  4596 mmc.exe  (29 alternating pairs, 58 events)
Privilege 33 is given by LUID value only; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. Neither process is the sample.
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: firefox.exe, taskmgr.exe
  1376 firefox.exe  (9 events)
  420 taskmgr.exe   (55 events)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: firefox.exe, taskmgr.exe
  1376 firefox.exe  (7 events)
  420 taskmgr.exe   (57 events)
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: firefox.exe, mmc.exe (3 instances), OpenWith.exe
  1376 firefox.exe   (7 events)
  4596 mmc.exe       (2 events)
  6384 mmc.exe       (2 events)
  6920 mmc.exe       (2 events)
  5772 OpenWith.exe  (1 event)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: firefox.exe
  2636 firefox.exe wrote to memory of 1376 firefox.exe  (11 events)
  1376 firefox.exe wrote to memory of 4176 firefox.exe  (2 events)
  1376 firefox.exe wrote to memory of 220 firefox.exe   (48 events)
  1376 firefox.exe wrote to memory of 4792 firefox.exe  (3 events)
All 64 are the Firefox launcher and parent process writing into child processes they created (the same PIDs appear as Firefox children in the process tree). The list stops at 64 entries and is filled entirely by Firefox, so it cannot show whether Insomnia.exe wrote into the RegAsm.exe processes it set thread context on.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
No IoC is attached to this signature in the report. The only Task Scheduler activity visible elsewhere on the page is mmc.exe loading taskschd.msc (the System32 signature above and the mmc.exe command line in the process tree), which is the Task Scheduler console being opened; the report shows no task-registration IoC.
Processes
Indentation shows parent and child; the bullets under a process are the signatures that fired for it. Command lines are given only where they carry arguments beyond the image path.

C:\Windows\system32\NOTEPAD.EXE  (PID 2456)
  cmdline: C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"

C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2636)
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1376)
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4176, gpu process)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.0.879002232\1864441663" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {298fe8ef-23aa-4164-a5a4-e5fa0ebd1d06} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 1764 1b3c1bb6b58 gpu
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 220, socket process)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.1.1602092645\1497421186" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a18fb154-bdd6-4fef-9c90-2414dc29aa6a} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 2120 1b3b696f858 socket
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4792, tab, childID 1)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.2.1093486964\2073790665" -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 2828 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c18ea10e-dfd9-426c-b759-51149263bdb3} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 2712 1b3c5a9f458 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4292, tab, childID 2)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.3.139370399\1247811031" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3452 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {089b125f-a1d1-428c-9d75-a6a370bc1699} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 3468 1b3c6812858 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 232, tab, childID 3)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.4.994785636\1387813223" -childID 3 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18399ab2-6e40-4805-9896-ab767b456a10} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 3972 1b3c41dfe58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2272, tab, childID 4)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.5.1673545831\902324264" -childID 4 -isForBrowser -prefsHandle 4516 -prefMapHandle 4500 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {658f3958-c1e0-4c23-8138-fe27a3d0bad3} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 4552 1b3c41e0458 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2440, tab, childID 5)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.6.109747258\1223570093" -childID 5 -isForBrowser -prefsHandle 4904 -prefMapHandle 4908 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eb10e55-32e5-4f54-b389-b88d09e74de9} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 4900 1b3c7ccce58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2792, tab, childID 6)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.7.830854621\1679214566" -childID 6 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f434e6f1-2b41-4003-9a75-76f70ec9e6eb} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 5080 1b3c7ef2458 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2060, tab, childID 7)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.8.1361581615\1145923346" -childID 7 -isForBrowser -prefsHandle 5484 -prefMapHandle 5504 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04581c3d-5f95-45a8-9d8d-57a878c90217} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 5516 1b3b695be58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 396, tab, childID 8)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.9.1026752147\1997710702" -childID 8 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffd17a7-2118-4df3-96ca-8cbfc7a3101b} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 5768 1b3c9873858 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2496, tab, childID 9)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1376.10.857247456\1359565228" -childID 9 -isForBrowser -prefsHandle 4920 -prefMapHandle 4488 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea7629da-6bf1-4209-80c6-4f9cac8b58f3} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" 3752 1b3c78d3558 tab

C:\Windows\System32\rundll32.exe  (PID 4340)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\mmc.exe  (PID 4596)
  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskmgr.exe  (PID 420)
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 3132)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5004)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 444)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 1080)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4172)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 2432)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 912)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 3164)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 3168)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 4804)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4424)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 2832)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2288)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 2704)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 3164)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 1852)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4504)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2168)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 3940)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2380)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 4804)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5188)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5248)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 2832)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5384)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 4196)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5256)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5152)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5412)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5240)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5424)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5472)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5552)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5276)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5636)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5704)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5288)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5664)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5324)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5624)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5352)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5644)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5400)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5744)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5460)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5828)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5488)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5868)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5960)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5496)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5860)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5516)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5788)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5584)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5996)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 6068)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4340)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 1852)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5212)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5232)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5268)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5116)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5164)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5244)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5564)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5620)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5444)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5580)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5616)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5524)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5288)

C:\Users\Admin\Desktop\Insomnia\Insomnia.exe  (PID 5700)
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5736)

The tree as captured on this page ends with PID 5736; the SetThreadContext list above names further Insomnia.exe instances (5884, 5660, 5492, 5912, 5208, 5216, 5676, 5548, 5692, 5872, 5608, 5904, 788) that are not shown here. Several Insomnia.exe PIDs (4804, 2832, 1852) and the PIDs 3164, 4340 and 5288 occur twice in the tree under different roles, which is PID reuse over the run, not the same process.
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5660 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5716
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5952
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5492 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5976
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:6080
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5208 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5192
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5216 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5376
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5676 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5688
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5548 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5352
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5692 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5936
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5872 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:6028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:96
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5228
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5152
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5608 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5564
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5676 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:1256
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:5904 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5596
-
-
C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"1⤵
- Suspicious use of SetThreadContext
PID:788 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5576
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:6384
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:6920
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5772 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Insomnia\Themes\Insomnia.json2⤵
- Opens file in notepad (likely ransom note)
PID:1096
-
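Added example, not taken from the sandbox report or from the Insomnia project: the tree above repeats one shape many times, Insomnia.exe running from the user's Desktop, flagged for SetThreadContext, with one or more RegAsm.exe children started from the .NET Framework directory with no arguments. RegAsm.exe only has work to do when it is handed an assembly to register, so an argument-less instance under a parent that rewrote a thread context is the classic process-hollowing pattern, and it matches the Lumma configuration extracted from this run. The Python below replays records transcribed from the tree through a checker for that shape. The list of hollowing hosts beyond RegAsm.exe, the user-writable-path heuristic and the benign control record are my assumptions, not report data. One caveat from the same tree: the "Opens file in notepad (likely ransom note)" signature fired on NOTEPAD.EXE opening Insomnia\Themes\Insomnia.json, a theme file under the application's own folder, so that hit carries little weight on its own.

```python
"""Flag the process-hollowing shape visible in the sandbox process tree.

Added example, not part of the report. Host list, path heuristics and the
benign control record are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import ntpath
import re

SET_THREAD_CONTEXT = "Suspicious use of SetThreadContext"

# Signed .NET framework utilities commonly hollowed: trusted, and idle when
# given no arguments. The report shows only RegAsm.exe; the others are an
# assumption that generalises the check.
NET_HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                    "msbuild.exe", "aspnet_compiler.exe"}
NET_FRAMEWORK_DIR = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(?:64)?\\v[0-9.]+\\", re.I)
# Directories an unprivileged user can write to (heuristic, assumption).
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(?:desktop|downloads|appdata|documents)\\", re.I)


def split_cmdline(cmdline: str) -> Tuple[str, str]:
    """Split a Windows command line into (image path, argument string).
    Handles both the quoted form "C:\\dir\\x.exe" args and the unquoted
    form C:\\dir\\x.exe args (as OpenWith.exe appears in the tree)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end != -1:
            return cmdline[1:end], cmdline[end + 1:].strip()
        return cmdline.strip('"'), ""
    image, _, rest = cmdline.partition(" ")
    return image, rest.strip()


@dataclass
class Proc:
    pid: int
    cmdline: str
    signatures: List[str] = field(default_factory=list)
    children: List["Proc"] = field(default_factory=list)

    @property
    def image_path(self) -> str:
        return split_cmdline(self.cmdline)[0]

    @property
    def image(self) -> str:
        return ntpath.basename(self.image_path).lower()

    @property
    def args(self) -> str:
        return split_cmdline(self.cmdline)[1]


def hollowing_findings(roots: List[Proc]) -> List[Dict[str, object]]:
    """One finding per parent/child pair where the parent used
    SetThreadContext and the child is a .NET framework utility run from its
    real directory with no arguments. A parent in a user-writable path
    raises severity from medium to high."""
    findings: List[Dict[str, object]] = []
    stack = list(roots)
    while stack:
        parent = stack.pop()
        stack.extend(parent.children)
        if SET_THREAD_CONTEXT not in parent.signatures:
            continue
        for child in parent.children:
            if child.image not in NET_HOLLOW_HOSTS:
                continue
            if not NET_FRAMEWORK_DIR.match(child.image_path):
                continue  # copy outside the framework dir: a different finding
            if child.args:
                continue  # genuine registration work names an assembly
            severity = "high" if USER_WRITABLE.match(parent.image_path) else "medium"
            findings.append({
                "parent_pid": parent.pid, "parent": parent.image,
                "child_pid": child.pid, "child": child.image,
                "severity": severity,
                "reason": (f"{parent.image} used SetThreadContext and spawned "
                           f"{child.image} with no arguments"),
            })
    return sorted(findings, key=lambda f: (f["parent_pid"], f["child_pid"]))


def hollowed_children_by_parent(findings) -> Dict[int, List[int]]:
    """Group child PIDs per loader PID; several hosts under one loader, as
    with PID 5872 in the tree, usually means the loader retried injection."""
    grouped: Dict[int, List[int]] = {}
    for f in findings:
        grouped.setdefault(f["parent_pid"], []).append(f["child_pid"])
    return grouped


def proc(pid, cmdline, sigs=(), children=()) -> Proc:
    return Proc(pid, cmdline, list(sigs), list(children))


INSOMNIA = r"C:\Users\Admin\Desktop\Insomnia\Insomnia.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Records transcribed from the process tree, plus one constructed benign
# control: an installer registering a COM assembly with RegAsm.exe, which the
# argument check must leave alone even with the SetThreadContext signature.
SAMPLE_TREE = [
    proc(5460, '"' + INSOMNIA + '"', [SET_THREAD_CONTEXT],
         [proc(5828, '"' + REGASM + '"')]),
    proc(5872, '"' + INSOMNIA + '"', [SET_THREAD_CONTEXT],
         [proc(p, '"' + REGASM + '"') for p in (6028, 96, 5228, 5308, 5152)]),
    proc(6384, r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s',
         ["Drops file in System32 directory", "Suspicious use of SetWindowsHookEx"]),
    proc(5772, r"C:\Windows\system32\OpenWith.exe -Embedding", ["Modifies registry class"],
         [proc(1096, r'"C:\Windows\system32\NOTEPAD.EXE" '
                     r"C:\Users\Admin\Desktop\Insomnia\Themes\Insomnia.json")]),
    proc(7000, r'"C:\Program Files\Vendor\setup.exe"', [SET_THREAD_CONTEXT],
         [proc(7001, '"' + REGASM + r'" "C:\Program Files\Vendor\Vendor.dll" /codebase')]),
]

if __name__ == "__main__":
    for f in hollowing_findings(SAMPLE_TREE):
        print(f"[{f['severity']}] {f['parent']} ({f['parent_pid']}) -> "
              f"{f['child']} ({f['child_pid']}): {f['reason']}")
```

Run as a script it prints six high-severity findings, one for PID 5460 and five for PID 5872, and nothing for mmc.exe, OpenWith.exe or the control. In a real pipeline the same three gates (injection signature on the parent, trusted .NET host from its real directory, empty argument list) translate directly to Sysmon Event ID 1 parent/child fields or to EDR process-tree queries.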
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path listed)
  Filesize: 1KB
  MD5:    ca52aa53b6dc75b565896128eed64ae4
  SHA1:   2348a96b879c03a785e56379abfec1fb9bdbb6ac
  SHA256: 3b47c96e926dc843f5b52e8d88ab3fa80f4d4689f217c5e8e07ccd7d26ef005c
  SHA512: 653ab06fb2a81fd297a438aa22f0eccaea78a500d360d94fa62b2a75075b47263f76eb0ddc4494591c80a4f5d8e5ece38734290924ca47ca0b692a3be7d69a94

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\16FC9DCFDAE3F84629A75E7FC24C2D2BD5E10A6A
  Filesize: 15KB
  MD5:    b50ba5d642824c12fad56aa46b02ccb4
  SHA1:   1eaf2656f32ac8a4eed8b2feaed2bc524a5f69af
  SHA256: f32d0851ce5fb9b4bd23dc057158670bc059cb9c49466d3a36a43e936441b8f4
  SHA512: 4a406a0b465697afd2e2d71b8aeba799367b670ee0fc2df25816e2f8d687fdeeab279da5b2516467f7d288425cc444a84328884b0196e76143ca9c1dc99a5e75

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
  Filesize: 7KB
  MD5:    c460716b62456449360b23cf5663f275
  SHA1:   06573a83d88286153066bae7062cc9300e567d92
  SHA256: 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
  SHA512: 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

(no path listed)
  Filesize: 442KB
  MD5:    85430baed3398695717b0263807cf97c
  SHA1:   fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

(no path listed)
  Filesize: 8.0MB
  MD5:    a01c5ecd6108350ae23d2cddf0e77c17
  SHA1:   c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

(no path listed)
  Filesize: 141KB
  MD5:    9048685615ad760b4f9b63d376161515
  SHA1:   a4a6ce977bcbfe363fefe07fa799a8887c49287a
  SHA256: 15ef6191e18d72a490c3ccb3d4845cd253c0d727690d7fb3b96bd7e5da7c1db8
  SHA512: 7058423ae9b7b0a106057dd51e5158dae395a3dbfd46fe59e8744877723edcc953a5cee77500f86efaf71fa3e81071da0b086a81a4d1cbea8a65c4f6275b2e20

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5:    0e02fe88f7e951adb6a05114461e6f36
  SHA1:   f90b30df8ca363d1562cad7cb1e70eb036653676
  SHA256: 432c6b7f51e4ee12fbe5451d9d1e31af349110b7105b0628cce53615f2415a03
  SHA512: 690840fb3c18cb1dcb96a59524d7249726a272e1fb0b2ab875413c0ad9ac2cc58688bb92fb53afb8b49141c0e3955fd197e15c8f47489ff3abff1eeb4b07a256

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\abbc7540-50c5-4783-8cfa-e568e0d978a4
  Filesize: 746B
  MD5:    30510b02e99c62f8cf2cb9fc329e0593
  SHA1:   51f00e28bb2e32c943f376b0bcc48a1ad68bf96e
  SHA256: 14da09cea431d67fa6bcf37e885d61d3a1eab97bb9a3ee408d8d6a5dfcdea873
  SHA512: 4c05c1fb6651ff7616fcd3275a2adbb73b965c63b8adad2b0c0cca6f58748d91f9836dbece8a2ab8d6674ec29695fa77dd1000034c79a64bc8ef9fac32f429e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\b2342834-33bc-4dcd-bb8e-3a251471d157
  Filesize: 10KB
  MD5:    95eaca144ba4ee867fdf1a5126e3f6a1
  SHA1:   cb9c102eee71913adda4a0a6f176e3c9ec48323a
  SHA256: 31d7c4d16ebd5c876a0c0b6ec52bfdb1e209cb9b28dc8e1100f9f469efa6a2e8
  SHA512: a5ec6ab5cf9ed398025b070c641cabe85374023f30e165e59f7b03e0b49cf694c916e5f258f2f6393a8b29279cad53f8e5d33401ae75d10110a1d348ebcaebbd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5:    fe3355639648c417e8307c6d051e3e37
  SHA1:   f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5:    3d33cdc0b3d281e67dd52e14435dd04f
  SHA1:   4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5:    49ddb419d96dceb9069018535fb2e2fc
  SHA1:   62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5:    8be33af717bb1b67fbd61c3f4b807e9e
  SHA1:   7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5:    33bf7b0439480effb9fb212efce87b13
  SHA1:   cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5:    688bed3676d2104e7f17ae1cd2c59404
  SHA1:   952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5:    937326fead5fd401f6cca9118bd9ade9
  SHA1:   4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

(no path listed)
  Filesize: 7KB
  MD5:    5e418b84f110e68561b58323fb3ff238
  SHA1:   c641317cd3cb259b4738a0940a852880f35a75b1
  SHA256: 05d9f1d4c528407a53245288d8cf2a752db6a398675f710a4398569b1241c8d7
  SHA512: 2461ce3a31b8d771ab4ba978b05d9dadde3ca477aad7f38118ff65407b2b8d8178235382978b82d6d3ac85697f4afeea217c1556d92e41a797d3bdee4fd63de1

(no path listed)
  Filesize: 7KB
  MD5:    73e45e4fdf02cfd9ee940374c1c7529a
  SHA1:   7cbdfc48f2318ec41b6368acfad4e54551c74680
  SHA256: 791b354e89f6c7c96547295c87af8b3c6e1d3b1eb33e09db61c59541aded1b68
  SHA512: 77b1efc8102a0ab7c8994eed09f4427d53c3e4e8056a98718ac83cefd5f6f275f058700c6e62b11748c1259a2bcb1136c63d9276c570ce5c38899c90b001181a

(no path listed)
  Filesize: 6KB
  MD5:    3bc240d2cc7e4e957823d233a23e2584
  SHA1:   7c8f81f2b1c26fb1c96cc43a7528ad554dc10a78
  SHA256: da90b7dcb8febabde63d0dc30e91baa31a83c4ff516ab94205b306a312c19a3c
  SHA512: ac4537ee5b8b25f232eb2b7dd89dfdeb48d66cf6dd86dc8ac61c26fa9174ab4d1227db44b56f23604833618c43ba7914128fedf9750fa0e839eac10782d25163

(no path listed)
  Filesize: 6KB
  MD5:    c9bda9a9c86979d093c0b92ed2ce2c88
  SHA1:   7fedf8956b6a50969529ed56a7bbdcc71d683336
  SHA256: 6c105230842b332b3e67edb0accedd65e58cfc2e5b698a282fa607d8a3892183
  SHA512: f5e5152283f1dd9f82a74d66491acfef293857e877a137e249bded670bcbcb9a5eabb1ba994fe3e378b2321e54d507b9cacc9f1cee62618139236ae62297ac81

(no path listed)
  Filesize: 7KB
  MD5:    357fb8260fcacb513dae5fd704990192
  SHA1:   31d72dccf9572789ed104ff2558bc41541298013
  SHA256: e53ee6d1e697cc655fff6e368627f59e33ed993e3634536175928354ffff2276
  SHA512: 629f374c5f7dca969bf2db1d86965ef36922d33769e6d8f572fd417f04198511e006a4a5e466b330b1073ec03ade3df107f458127160e13589968b0d8f3da0e9

(no path listed)
  Filesize: 6KB
  MD5:    86a095355036624a389abf02117afc56
  SHA1:   b4f3c72ef947e2ee02176ee4e726e451ac974308
  SHA256: 2caa183b5cf94ec8b2035d303b0e6f15de8a43e11bb3db3609088c26a7f36733
  SHA512: 4e915d71c31c4caa5df98204e1275c25f24b29dad9061d6afcb03e5cd91d82931214b1d99a4911a6c85b035f1619ba5ace0e3bdd204c3bfbc5eb75ce5fda0c67

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:    7c91e45f5ecad99885347c36d2b52806
  SHA1:   e0720cd8f17c0d7467f1db5efca300d0700fe892
  SHA256: c4161a2d1791d2a722a94ee66d2d62ea784956b0f1eefdbf4fc64212a41848b3
  SHA512: 49d96add42cd5b5a2e6436080e1546e66f9ddbe23c295102e7d50db7cadd425f1397a7c43bc7c78148f4c5ae6618b918d92a96e76b1b3b0f862b9132005f8dd9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5:    439d98f1b9629a4ce41ba6da687d9492
  SHA1:   c61e838cd19d107607a370c16b545385a83361fc
  SHA256: fbc489e8d6c2a0e5b760525bff150d588a56f3a45ee3cca4e92612687e024481
  SHA512: 86380221701541bf54a5f170963342889430e9e9d7c2b27c56555ea4139839e44dbd7bda397ddcc36522fd3ca6cb93f97463078d4050b11b6a381def02bc3e37

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 6KB
  MD5:    d27780968cda22d3d849fa8e23d3cdf8
  SHA1:   8b237b126027826cac12f6947dc085824a1d6616
  SHA256: aea3efe91b7faf7604dea7f2ac70948a9fdd7495311d8b8c4d505073339d0d20
  SHA512: 812d2feac1df82736a2d16b6bf3a938c129a40788154d5fe47391a6160b5400788ca3c41711d14201421f1db2ea63bad59a83f2dfed09df5db9411a6e097a0c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:    eac10ddcbe016fcfa76ee64ef45fe72d
  SHA1:   d0c050c826bd7857035c7e6c20e57b0bfcd248db
  SHA256: 2fededbf236aa4c6b202f07ed55592eb8f8a64594fddd7952cc67d569cca893d
  SHA512: bbe14511ca66a30cc1314fc71688d1e5704ca5d71b6674a9989bbae57f4d946ed2eeae5b880ae01f1a536bd0c0990f1a7a2b713076870bf5172bc2abb33053e3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:    a5c6771eb3e74469c5867af85e346c6d
  SHA1:   d48bc3f37099f126db890a84d89ea9b0772c63d6
  SHA256: 4d5609f371089b18ad7926aba6901a01eda673e7643fd3bf3003e8effc76ed6e
  SHA512: 70b937121cece9d401ca43e9b7a48fea7d1f44c67fd267bb56372ac853c4b735afd88024369bbbb820f5e9ec244b9756ab09f546b41c5483a51945af87aacbe3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5:    637e42544bf4e4e5c858d87fceb302a2
  SHA1:   1d747ea0d89437cd39d02c76ed70df3b7c505ee1
  SHA256: 5a519846989ec4eed303d9fe8b5554410b502177bb6b4199c6cf25290a4913c2
  SHA512: bde691d8015773707c4445155ba1ad419033c335bb11ca325b9c249e8aed83fefd096bab28806213ad368508e2a5be362c4a5a8038dae40246a8bf0a246cb8cb

(no path listed)
  Filesize: 385KB
  MD5:    feebd99c1391865bf83ff4d5ee6559c3
  SHA1:   c527f1e92dcf14dc1905b659b0cae3c305be2e20
  SHA256: 6280581909b1e41fe0130ed982b8cceca1ccc4f16d293983790a0497c2f2a24e
  SHA512: 790fe81dbc88e7284447de6caa0c776434922301dc96f5147be3d9b14640660a0de9e057f47d86d0d6b7801d6693ceb06ee73a4a670c7ce91dfb681bad12b001