Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-07-2024 23:48
Static task: static1
Behavioral task: behavioral1
- Sample: 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- Resource: win10v2004-20240709-en
General
- Target: 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- Size: 1.8MB
- MD5: b5e7797b2a49edf96b67c1040b301e45
- SHA1: bab8594d3af5eae8b2918c9d3a6c1811957c489c
- SHA256: 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701
- SHA512: 46c8d1555ba6ace3f911df9a3c00d9802e3a021c3d3465c006b6f6d36e3e605f8ab74f3cb31ca77f7455a63859e9664e198246e1c2cb4994b695cb1a0ff4f0ba
- SSDEEP: 49152:HNOk8gUv3yUbpoJ5weZAFf3uHyGo++tonC:t98g01bpNb3uyoJn
Malware Config
Extracted
- Family: amadey
- Version: 4.30
- Botnet: 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php
Extracted
- Family: stealc
- Botnet: hate
- C2: http://85.28.47.30
- url_path: /920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GIJDGCAEBF.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | KKFBFCAFCB.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GIJDGCAEBF.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | KKFBFCAFCB.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | KKFBFCAFCB.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GIJDGCAEBF.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely as a geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | b66da21b96.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | explorti.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 40a9710281.exe
-
Executes dropped EXE 8 IoCs
Processes (pid | process):
- 436 | explorti.exe
- 4664 | b66da21b96.exe
- 808 | 40a9710281.exe
- 5012 | GIJDGCAEBF.exe
- 4404 | KKFBFCAFCB.exe
- 3848 | explorti.exe
- 732 | explorti.exe
- 1828 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | explorti.exe
- Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | GIJDGCAEBF.exe
- Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | KKFBFCAFCB.exe
- Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | explorti.exe
- Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | explorti.exe
- Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | explorti.exe
-
Loads dropped DLL 2 IoCs
Processes (pid | process):
- 4664 | b66da21b96.exe
- 4664 | b66da21b96.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes (pid | process):
- 4424 | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- 436 | explorti.exe
- 4664 | b66da21b96.exe
- 4664 | b66da21b96.exe
- 5012 | GIJDGCAEBF.exe
- 4404 | KKFBFCAFCB.exe
- 3848 | explorti.exe
- 732 | explorti.exe
- 1828 | explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes (description | ioc | process):
- File created | C:\Windows\Tasks\explorti.job | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | b66da21b96.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | b66da21b96.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
-
Modifies registry class 1 IoCs
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (pid | process):
- 4424 | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- 4424 | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- 436 | explorti.exe
- 436 | explorti.exe
- 4664 | b66da21b96.exe
- 4664 | b66da21b96.exe
- 4664 | b66da21b96.exe
- 4664 | b66da21b96.exe
- 5012 | GIJDGCAEBF.exe
- 5012 | GIJDGCAEBF.exe
- 4404 | KKFBFCAFCB.exe
- 4404 | KKFBFCAFCB.exe
- 3848 | explorti.exe
- 3848 | explorti.exe
- 732 | explorti.exe
- 732 | explorti.exe
- 1828 | explorti.exe
- 1828 | explorti.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2064 | firefox.exe
- Token: SeDebugPrivilege | 2064 | firefox.exe
- Token: SeDebugPrivilege | 2064 | firefox.exe
- Token: SeDebugPrivilege | 2064 | firefox.exe
- Token: SeDebugPrivilege | 2064 | firefox.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid | process; 64 rows in the report, repeated rows collapsed to the distinct entries in order of first appearance):
- 4424 | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
- 808 | 40a9710281.exe
- 2064 | firefox.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid | process; 64 rows in the report, repeated rows collapsed to the distinct entries in order of first appearance):
- 808 | 40a9710281.exe
- 2064 | firefox.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid | process):
- 4664 | b66da21b96.exe
- 2064 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process; 64 rows in the report, repeated rows collapsed to the distinct entries in order of first appearance):
- PID 4424 wrote to memory of 436 | 4424 | 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe | explorti.exe
- PID 436 wrote to memory of 4664 | 436 | explorti.exe | b66da21b96.exe
- PID 436 wrote to memory of 808 | 436 | explorti.exe | 40a9710281.exe
- PID 808 wrote to memory of 832 | 808 | 40a9710281.exe | firefox.exe
- PID 832 wrote to memory of 2064 | 832 | firefox.exe | firefox.exe
- PID 2064 wrote to memory of 3680 | 2064 | firefox.exe | firefox.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree. The bracketed number is the nesting depth in the tree: a process at depth N was started by the nearest preceding process at depth N-1. Each entry lists the image path, the command line as executed, the signatures that fired for that process, and its PID.
-
[1] C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 4424
-
  [2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 436
-
    [3] C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\b66da21b96.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4664
-
      [4] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe"
      PID: 3596
-
        [5] C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        PID: 5012
-
      [4] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe"
      PID: 4764
-
        [5] C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\KKFBFCAFCB.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        PID: 4404
-
    [3] C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\40a9710281.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 808
-
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      - Suspicious use of WriteProcessMemory
      PID: 832
-
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2064
-
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1920 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {651190fa-0923-4f0e-9387-3459c8832414} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" gpu
          PID: 3680
-
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c71e442-b279-4eda-8dbe-77fde235871a} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" socket
          PID: 2080
-
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 2808 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a89bf59b-3478-419d-986c-bb171dc62c35} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab
          PID: 4328
-
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4000 -childID 2 -isForBrowser -prefsHandle 3208 -prefMapHandle 3224 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {121360e1-c0f3-48c0-898d-c56868f94c6c} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab
          PID: 1544
-
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4628 -prefMapHandle 4624 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e77805bf-0a57-4b89-acb9-e60f2e4c8d33} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" utility
          - Checks processor information in registry
          PID: 264
-
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 3 -isForBrowser -prefsHandle 5544 -prefMapHandle 5536 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e777aaa-d887-4d5d-8d39-b1d1247f7c09} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab
          PID: 4392
-
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e83da92a-829b-44f3-b442-ae2b195d00dd} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab
          PID: 760
-
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5804 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d675d0b-be28-4514-870c-cace9ed1df4d} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" tab
          PID: 2024
-
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3848
-
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 732
-
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 1828
Network
MITRE ATT&CK Enterprise v15
Downloads