Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-07-2024 18:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe
- Resource: win7-20240705-en
General
- Target: 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe
- Size: 2.4MB
- MD5: 286e26bd1701fc3054707a64e052edf3
- SHA1: 0f655ee5b95b7325517892f6f08a6ace4766000d
- SHA256: 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739
- SHA512: 3e3854d2ba26fa1c83f23597d8c2d6856f333a05cfb9cb5def62c9cba7eeee8568acae472382d7b35d3ba8b4528e2bc6e9697ee2b90da7986eb9b5b2efd00ae1
- SSDEEP: 49152:tDpIhkMDWttqvSka/ZutDupLNFFRB07VO4UyHKybP5kpTLqUQK0qW7IMZ6T:pCK3qqV49ubgO4mppnHi7ILT
Malware Config
Extracted
- stealc
- hate
- http://85.28.47.30
- url_path: /920475a59bac849d.php
Extracted
- amadey
- 4.30
- 4dd39d
- http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes:
- JJJECFIECB.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- CBFCBKKFBA.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- CBFCBKKFBA.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- CBFCBKKFBA.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- JJJECFIECB.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- JJJECFIECB.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- explorti.exe: Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation
- 8fe240d1ef.exe: Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation
- 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe: Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation
- CBFCBKKFBA.exe: Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (7 IoCs)
Processes:
- 3416 CBFCBKKFBA.exe
- 4188 JJJECFIECB.exe
- 1456 explorti.exe
- 1036 8e3cfdf6f6.exe
- 3508 8fe240d1ef.exe
- 5532 explorti.exe
- 4568 explorti.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- CBFCBKKFBA.exe: Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine
- JJJECFIECB.exe: Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine
Loads dropped DLL (2 IoCs)
Processes:
- 1952 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe
- 1952 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (2 IoCs)
Processes:
- chrome.exe: File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF
- chrome.exe: File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes:
- 1952 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe
- 1952 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe
- 3416 CBFCBKKFBA.exe
- 4188 JJJECFIECB.exe
- 1456 explorti.exe
- 1036 8e3cfdf6f6.exe
- 5532 explorti.exe
- 4568 explorti.exe
Drops file in Windows directory (1 IoC)
Processes:
- CBFCBKKFBA.exe: File created C:\Windows\Tasks\explorti.job
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes:
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies registry class (1 IoC)
Processes:
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes (pid process, in order of occurrence):
- 1952 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe (x4)
- 3416 CBFCBKKFBA.exe (x2)
- 4188 JJJECFIECB.exe (x2)
- 1456 explorti.exe (x2)
- 512 msedge.exe (x2)
- 2060 msedge.exe (x3)
- 2996 chrome.exe (x2)
- 5532 explorti.exe (x2)
- 4568 explorti.exe (x2)
- 2564 chrome.exe (x2)
- 668 msedge.exe (x4)
- 2564 chrome.exe (x2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
Processes:
- 2060 msedge.exe
- 2060 msedge.exe
- 2996 chrome.exe
- 2060 msedge.exe
- 2996 chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description pid process):
- Token: SeDebugPrivilege 5056 firefox.exe (x2)
- Token: SeShutdownPrivilege 2996 chrome.exe and Token: SeCreatePagefilePrivilege 2996 chrome.exe, alternating (x31 each)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid process, in order of occurrence):
- 3416 CBFCBKKFBA.exe (x1)
- 5056 firefox.exe (x4)
- 2060 msedge.exe (x17)
- 5056 firefox.exe (x17)
- 2060 msedge.exe (x8)
- 2996 chrome.exe (x17)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid process, in order of occurrence):
- 5056 firefox.exe (x4)
- 2060 msedge.exe (x16)
- 5056 firefox.exe (x16)
- 2060 msedge.exe (x8)
- 2996 chrome.exe (x20)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- 1952 9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe
- 1036 8e3cfdf6f6.exe
- 5056 firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID and process, target PID and process, in order of first occurrence):
- PID 1952 (9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe) wrote to memory of 4684 (cmd.exe) (x3)
- PID 1952 (9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe) wrote to memory of 2284 (cmd.exe) (x3)
- PID 4684 (cmd.exe) wrote to memory of 3416 (CBFCBKKFBA.exe) (x3)
- PID 2284 (cmd.exe) wrote to memory of 4188 (JJJECFIECB.exe) (x3)
- PID 3416 (CBFCBKKFBA.exe) wrote to memory of 1456 (explorti.exe) (x3)
- PID 1456 (explorti.exe) wrote to memory of 1036 (8e3cfdf6f6.exe) (x3)
- PID 1456 (explorti.exe) wrote to memory of 3508 (8fe240d1ef.exe) (x3)
- PID 3508 (8fe240d1ef.exe) wrote to memory of 2564 (cmd.exe) (x2)
- PID 2564 (cmd.exe) wrote to memory of 2996 (chrome.exe) (x2)
- PID 2564 (cmd.exe) wrote to memory of 2060 (msedge.exe) (x2)
- PID 2564 (cmd.exe) wrote to memory of 1204 (firefox.exe) (x2)
- PID 2996 (chrome.exe) wrote to memory of 2732 (chrome.exe) (x2)
- PID 2060 (msedge.exe) wrote to memory of 3276 (msedge.exe) (x2)
- PID 1204 (firefox.exe) wrote to memory of 5056 (firefox.exe) (x11)
- PID 5056 (firefox.exe) wrote to memory of 4108 (firefox.exe) (x20)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9e12b808314ab31153be5ca2472dde413e0f3d8c0fdb038261397d7a4881b739.exe"
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1952
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBFCBKKFBA.exe"
- Suspicious use of WriteProcessMemory
PID: 4684
Level 3: C:\Users\Admin\AppData\Local\Temp\CBFCBKKFBA.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\CBFCBKKFBA.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3416
Level 4: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1456
Level 5: C:\Users\Admin\AppData\Local\Temp\1000006001\8e3cfdf6f6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\8e3cfdf6f6.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID: 1036
Level 5: C:\Users\Admin\AppData\Local\Temp\1000010001\8fe240d1ef.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\8fe240d1ef.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3508
Level 6: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DAB0.tmp\DAB1.tmp\DAB2.bat C:\Users\Admin\AppData\Local\Temp\1000010001\8fe240d1ef.exe"
- Suspicious use of WriteProcessMemory
PID: 2564
Level 7: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2996
Level 8: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff20a4cc40,0x7fff20a4cc4c,0x7fff20a4cc58
PID: 2732
Level 8: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,6535715248491338807,17000198434901317190,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1916 /prefetch:2
PID: 4612
Level 8: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,6535715248491338807,17000198434901317190,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2116 /prefetch:3
PID: 3196
Level 8: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,6535715248491338807,17000198434901317190,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2480 /prefetch:8
PID: 2408
Level 8: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,6535715248491338807,17000198434901317190,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
PID: 2948
Level 8: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,6535715248491338807,17000198434901317190,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3364 /prefetch:1
PID: 5144
Level 8: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4620,i,6535715248491338807,17000198434901317190,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4656 /prefetch:8
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2564
Level 7: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2060
Level 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff209046f8,0x7fff20904708,0x7fff20904718
PID: 3276
Level 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3981097314971267565,2871749771893865131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
PID: 4748
Level 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3981097314971267565,2871749771893865131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 512
Level 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3981097314971267565,2871749771893865131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
PID: 4120
Level 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981097314971267565,2871749771893865131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
PID: 3644
Level 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981097314971267565,2871749771893865131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
PID: 3224
Level 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981097314971267565,2871749771893865131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
PID: 5132
Level 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3981097314971267565,2871749771893865131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID: 668
Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
- Suspicious use of WriteProcessMemory
PID: 1204
Level 8: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5056
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0d7c141-d9b6-437a-8d50-9e706039e401} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" gpu9⤵PID:4108
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2420 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f472ed2-6d2d-4aef-a1c0-9da49f95a757} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" socket9⤵PID:3928
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3328 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb6ad897-b9ff-409f-8d9b-3e6a3b9d0094} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab9⤵PID:4324
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3788 -childID 2 -isForBrowser -prefsHandle 3780 -prefMapHandle 3204 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cee88e7-b202-4075-b42b-eb2ad3853a3f} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab9⤵PID:1064
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4492 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2a37330-e53d-43a9-980c-f963be00dd73} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" utility9⤵
- Checks processor information in registry
PID:5576 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5320 -prefMapHandle 5404 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {095a5b27-01fc-4b7e-83c4-76bf0af9c48f} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab9⤵PID:5804
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecd76a0f-6c21-4e2e-8595-df6b3c231484} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab9⤵PID:5812
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5224 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fa5c758-68f5-4aa3-824f-8c01d59845d6} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab9⤵PID:5860
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJJECFIECB.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\JJJECFIECB.exe"C:\Users\Admin\AppData\Local\Temp\JJJECFIECB.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4188
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3764
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5844
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5532
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4568
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
593KB
MD5
c8fd9be83bc728cc04beffafc2907fe9
SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD5
1cc453cdf74f31e4d913ff9c10acdde2
SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
264B
MD5
7c84480de6d9a5b6eafdf4957a69a10d
SHA1
97a708ab327a1299d04db7cd1582884af52dae6f
SHA256
dde4c1170b6b5f3e7a03a57dc90ad1460b224caa7514c191bea6fbe092abc40b
SHA512
1aba56e37db67bfe13b9e716988cfdb2ee9175d0e8843d01514461dea01033b06dee33a7104bb9fd87f7c9578a4dd884240419302b4a4338730409046f98d2d8
-
Filesize
3KB
MD5
9a36ce2e5cb372d43f8c522688e849e0
SHA1
a4f2407d04c226acf7160c774a1617003082d13b
SHA256
d99650da6e0c0fdfc6a3672ef327467061e1c4434a97d0f99493c6fd89615385
SHA512
d341b053efd453b9474b0d4915c751ce65ca48e142bb5417452746f53832e75eb35549dd4b59855fb96b7f59292156a08d645bc1489df470a8bf1fe3bdd6ea08
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5
312e2d00630cd4d28ca67df8b9ac0587
SHA1
8d18cceeb35fee81730c27575e9b106f7bad064f
SHA256
09e434cb2df0e16158074ea6fd65ba9291882f4ea89833eddbdb8dbcc441f3a1
SHA512
62a5330f89abc1a8cc8f36b71c07407f33f5933b81a02123c07d36bd1681b967693370baa82dd486d620d2733bf01475c9c1de0cc97bbf16c1c7016b3c880e80
-
Filesize
8KB
MD5
a88a7ee47e75537c7454452d5d9ffcb9
SHA1
5927b97c4a5c9bb50cf1f2d106c0730e550150cc
SHA256
7c9d71a989e093c5ea20db954e39c0e484382872e8e5f983591b29cda9f76f90
SHA512
8aaaec999e4f006a8a17d853ccba33120bbc3ea6bab4c60e26f1a2ee55b753d4a020aa85d5b7bf5c1eb007b23b058a75fa803ce6dd3b06f954c0677d142db799
-
Filesize
8KB
MD5
fec3efb1ea7f20692752360421fc3827
SHA1
fa2369ee5c31a0aab60cf43b871db4da16c35ce9
SHA256
77084794b94ee6fa68654177c7e9c585afbbce71c0b7de9554ce75b21324b181
SHA512
345ee7530436a3454b77d32e9e4cea747c83781b4df6e991bb60f4384df8fea98b0cfdc0ebe568aacfd6102243418ac365531b0211efc8e177a65e9f37629e97
-
Filesize
8KB
MD5
c60203b1b681c19c6126c1cc84405bcf
SHA1
59ed4a546d8bfd6e30c485807c966401291745e8
SHA256
168035565faaa0e1fcbf4e7743bca0cac2a45a04c3abbbd697183f438f25b328
SHA512
4efd3846f264aacadf6fc119209415b4e1d6de56c8c9adbc27a5471a31368fd8ba3ea94bf1d33e5da7653ec1849a07505b4b12ad7d0ce993dddbe7976474dbac
-
Filesize
8KB
MD5
3566c8f746702c28974d54e5a9dcad03
SHA1
46b7865091341751d94ea3d0f06276534b306514
SHA256
557c123fcf861e1e6402c1e6758ae2915f6c3a13a1d9718243f00635c2dd0996
SHA512
a5a2bd93d082b451531aa26140746003c52169f3820550f017005aede3c0dc4df8759d6624149359f137643e2c4e0880293619ad68534eb0a7bb953391e95fc8
-
Filesize
8KB
MD5
9e9bd4fb4763c666e4e2442e0657bb69
SHA1
94fe74320a39f8eb9bdd37095b9adfbce9eb5278
SHA256
e7a7922231fcdd9615c3dca563000956c3a91b99103eac52f396ec08fd9643b4
SHA512
6f65e36b44fbf865f25573005d69f8cbc5fdeeb7c35fa31ee144dfb8ecb39559c9b4ddbc28e0b24ff91b61d8738c5482ef1f3b935fd73810b9e1428d90191d89
-
Filesize
8KB
MD5
ae281a82832e8bbe5e43758bf3a5509d
SHA1
37c932f167a60a047e3637791bc1f19c407fabe9
SHA256
1b8ba608f79dd69128facd83cd7f935bc3538c5fe3915ab96fc0f9a375396a9f
SHA512
e13dd9248064dad0481b69130924d87ac0e221e855a2a8a084bf94680cbd1bcfa030b183896a17ebca78861ce745d5ef4e5b325ea3954e8d49ee3968ef847418
-
Filesize
8KB
MD5
f26ce8b7585eb748b0dfb0b7591b9b16
SHA1
d465109b533157a813385eaedc7d8f3d50d1e495
SHA256
f54ccbb1aa5f71acc956c1f79eaddcb197670cb15af774a797eaaaadda275800
SHA512
08a3cb9c98505c20523a6f68058e790cbb814989b9a635b71dd241a981fa7bec7a798f9cf649ba151579f0a3b859112f202127be63cf4568be6ca1763f9d4b8f
-
Filesize
8KB
MD5
2979ff75dafe2e428de829939555aa81
SHA1
6664f5ff42f23df3ef5db7ae8aaf6db716f933da
SHA256
935e2c2649385f750c6873556d24c4f899fb60beb1c9b63957a43cd5506dbbfc
SHA512
eb8ae99a5508f66a4a206a20c9b5d634be16c1d0c8d71e085c6a7387e6bdc09c088b1abe3083529084ca702ac52c39e450fb1481ea42c9d341902ca5d717a0c2
-
Filesize
181KB
MD5
2f394e903112abbbf77fd6dd3cb66f55
SHA1
6c9ec3d93f7ef7d02703c0df65f0475bd6df5337
SHA256
46e7fccbc05d45332ae52401ea8a41deac68ba1f8c5023858bede841d9d6b509
SHA512
d6dca5b03be9602dccc426a64a5cfde3b9b8415b39a62fb746e0c4f28530bb838a50cd27a59a011eb1ba5e109e56e8518fb370c80d5f20bfb882141ee49aaded
-
Filesize
181KB
MD5
62c253094610edb00769e66e31592d05
SHA1
d9bb59babd3e498d0dc451dfa440123fb0912219
SHA256
316e29a903c4e4ca57c0668b8888313be5b623b83a3efa8631c318766bb6bdd5
SHA512
a2ecd128f701373aaf36608591389c0ed0344ace75977e18d1f182ace7ab29e2fe77ded0be1b99c0c3bcbf7ce69f47a81024b8295a3a46b328285e3001af01bc
-
Filesize
11KB
MD5
9a590cb3153cda5c560af3afc5c67baf
SHA1
d56cf9ea58a43278dd48f732c5d950d96650caa5
SHA256
865d3733291d9c4e919e3643abb6176e0bf0a4ce13d8df65c3742aadd27c7899
SHA512
9081d7ca670e7a7d6b5966e75055e125ff72e874c7e3aee2978b03a723cc86bff13be65e98edbb4742b622896001e08809f975cf051c6fc37177aae38bea4648
-
Filesize
152B
MD5
54f1b76300ce15e44e5cc1a3947f5ca9
SHA1
c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7
SHA256
43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24
SHA512
ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a
-
Filesize
152B
MD5
c00b0d6e0f836dfa596c6df9d3b2f8f2
SHA1
69ad27d9b4502630728f98917f67307e9dd12a30
SHA256
578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1
SHA512
0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da
-
Filesize
38KB
MD5
c3aa6e31c125d83fb2eabcc9e33843dd
SHA1
ad91b78e1a9853ee876b77b82f75100ff5690d11
SHA256
c32b5cffb8ac92df9bd9340b75b8d0772a071af36df5b27879e45f6112f9b5b4
SHA512
897efddeb2d96e24aca43385cfb86a065034c4bb045c2e2b7391572e0ddd4a820b70fa83854de5048d7b7316fc9fa2f078924aab62206a7a135aaf91176a4c6b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B
MD5
bf245445cbdb881148b6c28854b612d4
SHA1
44d38d170b8543d666efa265fe9d7c945b4a8fca
SHA256
4648eed068e0664703b22eacf5cb3877a6b345f17a71d7dc862dcbc4d74303e0
SHA512
c856836ec240dab875fad0b5147331fdeaf5f3047c4ad4f51a4bdaad8ab75e9f16ba3418ec4f5ec287e2ed40302ad68b25ee43fcb2f4a34e3fb26529e91710df
-
Filesize
1KB
MD5
2f4cf2fbe24fb0fcc763c3b245c3bdbf
SHA1
52968cbdcda098f3ea97e48748bcf3ae4ee91bb3
SHA256
4bb2f93d8cde7df1d5fd9bf84b23a1849c78414de6b91dbcc8d476d4d8ab5760
SHA512
ba99a2511c9d8d1701119a2b9fd79f6e06f70436f46e89fea4950104586f180d17c5c01bf9ee07a789e35eda04f60c3290f3d689ee2ade29f9f30cb4dc2b2747
-
Filesize
6KB
MD5
fae8417bbc59a721fe3a71ef6b3487f9
SHA1
fbca5082ace87c42bbb11d2730e6afbcfcd543e7
SHA256
703456bb4c93384207f61cbc8ed56a19e452763e13d96f9b0b57257124f405c7
SHA512
b06d6b4bb2ae3dc263fdfcea657003152da991f565b03d8633ef3aac15f6bb5ef459366b14793594e6c6b3b759672aa87422dee6fe49a1b144a89477198c42fd
-
Filesize
6KB
MD5
19213054fadd6cac8911afb9c48f8d1b
SHA1
6e14b8c586b822af1bc3f1f8c87171b9243c385e
SHA256
e78e7320e2187a3ea0f923fa31eeefd6c123d4812f42d650884394c7b31358f2
SHA512
a1fc1a5f35508d3ac5f3caf2695d2e67e4b5d49f25c4e5437e1899dec3b3d55d375de059e85dea34185b18ac2e141c0991b093422879968aa1b2fc1d7aed8000
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\activity-stream.discovery_stream.json.tmp
Filesize
21KB
MD5
5f5699fd1807c2f7e0232ac4bbcd4af8
SHA1
f3628e7d8f184db0950b3af2961e17ba58875dd3
SHA256
165dd4f4f10845fba987a1468f9f3548ba830c7d5b00b7234a216b5dc124e331
SHA512
8c6b6522bda4f51537f3149aacb6e4d94f42c9e283db5b8b3bb129e8faf93252f3eeb6980d3cb7853399ba0d8667faac8701e166c3c0d5acf3b0b233f68d67b3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize
13KB
MD5
4af257197404a66f2c54a051d8c43f55
SHA1
c09241126b17e15d191a3d16e1c6c9a30dc0013f
SHA256
bdf21367a1da2f555137abc3e721181fa7f4f64363a3bc3f7d412a966f5a8741
SHA512
6226fd10c882f8023c058c8e4ddef736fa11f28058c51a84e200302b4d9a824527bc5512bfa1bae20f65860bf417dbe44d6bf10009bdac699306fc3c7da5c7fd
-
Filesize
2.4MB
MD5
c03d62f485ea79a178992f22c713c4a5
SHA1
aa16eb2b07a4b91b44c9e484923eb8bbcaf893d0
SHA256
546b5457cd26c9230fc49a456197aeeb761241adc2dd2774c37b1d3189968cb9
SHA512
3051d67889704c3adfe2748612d88b40acdde17b3fcf54ef8ae7466bd38b121db130300b53c9db9a981292507cf830d99bcd86ccacf320ec0198faa40af043fb
-
Filesize
89KB
MD5
bc08b445116ecc06852a929a5d302c4a
SHA1
a78aa42220b90d47b4cf63119e6082f06b295f57
SHA256
5b232254dd2d33eb576516116977c884fba81d5a8427f742a73655f9e076efc6
SHA512
657a21d453112fb909be4005e0cab1ebf467840e275a159eb535b486432ffa0bfcc60da92475b26f08a0ea481c927654520a43163e04e34324551cb3bfd69fdf
-
Filesize
1.8MB
MD5
8bc520e6b221e7998eb73c10c830fbd6
SHA1
8a825403f8bff789c60e4dfb67ead847c957b0d4
SHA256
506ecb56dcf6b280d4f553a0fb009ba1760251e411916ab715701b53ae8fe943
SHA512
58d087c499275776e155cb38782f3eca9bdcb516a5707023eb60f31e99ace240076f59ce0c1fc8b7c7382583edfa0f29a68fde23c891a6f0d28de0d3703c94d6
-
Filesize
2KB
MD5
de9423d9c334ba3dba7dc874aa7dbc28
SHA1
bf38b137b8d780b3d6d62aee03c9d3f73770d638
SHA256
a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
SHA512
63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401
-
Filesize
479KB
MD5
09372174e83dbbf696ee732fd2e875bb
SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD5
0a8747a2ac9ac08ae9508f36c6d75692
SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin
Filesize
10KB
MD5
54ba98e4c32ce2e014adce58fa93016e
SHA1
cabb3d9d2f7f2bdc6028410c5d5ec35dbc0303f0
SHA256
0317f57dbe15c2e18a45cc74d49289d84f0fc3f468f6f15015845839024f03bf
SHA512
bca697aed0aa196fa11b747038f0bac89a68e12cc31b35e919ce1c2c07b55097526c2725e83189134b1625ecaebb3918e700728a8d0ee6f3457108c6c46f8f2e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp
Filesize
25KB
MD5
0502b258ef15fe61fb5f857e87a00dce
SHA1
eedd1f9ea4e2289a74655f616e11020ea93f9adc
SHA256
730de91aa79cd0286e76be1fbab3c283ff663d6ea56b909b8ddde6c96464e97b
SHA512
565602448d4691e5b605c3111bb8e88b3496ed6b25282397077532889bbcafa65141fbe865cd5f1db122d93d7aea4b963dddd07f5adf1c10169bbd88dfed3b29
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp
Filesize
21KB
MD5
46c3a6b9e8819c38bbd89eb4d6718592
SHA1
7033201d958e4f9c481a6d822f45ac685d8700e3
SHA256
1aebf8aba1a06fac95906a5c93180d9c2298608e596748eb21c47650ae690ee8
SHA512
01cd534cc0dfe21babe1f53311a45f5e01ee49f174a6864ea3e2635dabd20fb030cf2c0f90acfd2244d749cc0b52572c75f22d02ad6f93bdbd9253aca28b261b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\ca89f734-bf44-4b9a-bcd9-06515d93eb51
Filesize
659B
MD5
d1b9cb05b177daa25f4d86955c6a2b0b
SHA1
fe56b51274dd11182b7d4145623565dbdd86896f
SHA256
fe23acdbc4298b6a3c7f6a0e96c6921a4a023a84db05cf4a717da6187218218f
SHA512
22e8b1d2d214ee02593950688106bf5c7321762b001628d0fa167a2b930e40b8e0bc9763d275520563e335f0f90c73df941540beb582f909ecda3bdadaaca4a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\ccbf108c-5df6-46d9-811e-52ebd4428a05
Filesize
982B
MD5
4f8554ce74b4424b1d42f42b79c5541e
SHA1
66655565b1c1c081116db1de5bd395b8f1664d3d
SHA256
11c300dc931aed5d24dd848a90055e90664bb5f4a6d79022c9f8898063a85e25
SHA512
6e7db16b85de80c7424bd2603a8d5cd45b12873c21a07d7ba3264ccfe24f48dfa7dd2d183029a6fd1d185ecd73021a7e81794f4dc8815b4374fd4beccec95497
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
8KB
MD5
f27780f33076ab823b0e514e1645ca37
SHA1
5d0321b7df1dacd86c6efa22e9e10a16deaa0bf7
SHA256
2bb29e8e6eb57a33cde2d907de4f3b786e4634a05a53dc32a921d40112f9164d
SHA512
0ae0bd04ecca176c135bf3d9c2e466356f99f22e862adb327c03814f0cfb023001c68e68671108b7a731335a57e96cd1aff71cdf15eb45bb1e949fb0f0d9cfb8
-
Filesize
10KB
MD5
dec67a255c20ea03c7c359c289f024e0
SHA1
8583193b915503b1752619f85ef4bad70b4e2604
SHA256
2f459b9431850a8416f93d11372de3477a1b811d754deae061240dbf7ebb03a0
SHA512
8a085839f415f0df4ca5383b97d524a9a682eddd4d909d2385bbadb9a5622dc593553f67f0a7b9eb7832eb51232c3d7e35d3be2c0d8bf0b286b0ba25fb1795f8
-
Filesize
13KB
MD5
ce911f03100e2b328afd85c30c8641e8
SHA1
781911da15e29d300e1842eb23b5f6800af13a3e
SHA256
a9e41cb6f27e67e2bd3c03c03d219784866c35f634484002089d7936931f7c6e
SHA512
d9f544ebc806bd8f3689a843caf1dd026d149a9803dabc934a72fcb42b67bd7bd78ba208253a67cea5fccd163c62932afc8859b9815e4bcf781bcefe0b07ff7f
-
Filesize
8KB
MD5
cf5a9093ad8d09334ef68d9a636a033b
SHA1
6b3dc1ffafbb3658785b1ef02069b7a28d59c56a
SHA256
481bb922c4eab0da8df533ad78e2c9c90cbd813ca23ca1052120f64edf00ef2b
SHA512
5d0f42b962d3183a88628e5157580a0201630758b3411343fb4cb78909d8f79822f85422ce17a2879b7d2d8e41c949c05891cc8c850a1272400d9838e1ef7ca4
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e