Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 02:18
Static task: static1
Behavioral task: behavioral1
Sample: 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
Resource: win10v2004-20240709-en
General
Target: 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
Size: 1.8MB
MD5: ad7686b6a3804dda1cb2b039efdcd54f
SHA1: d810885254abaf8d3ac93269209141833c45ce58
SHA256: 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181
SHA512: d795e4c224d9e9066822a009602dd38542f86021b994accf3cdc715e869d58bd9321b8c07d776848a2d5bea8607c347d15030861dc63fcb2392e87e3feb901f4
SSDEEP: 49152:ESJakxgxf2S6nC4RK7lXR3JkyWm7YNcT8vlP:ESJxxgxf2SdMUOy/YNemP
Malware Config
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
Attributes:
  install_dir: ad40971b6b
  install_file: explorti.exe
  strings_key: a434973ad22def7137dbb5e059b7081e
  url_paths: /Hun4Ko/index.php
Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
Attributes:
  url_path: /920475a59bac849d.php
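The two configs above are the most reusable output of the run: C2 host plus URL path gives the full beacon endpoint, and Amadey's install_dir/install_file gives the on-disk paths the rest of the report confirms (the explorti.exe drop under Temp and the explorti.job in C:\Windows\Tasks). The following is an added example, not code from the report or from either malware family, that turns the configs into hunt indicators and matches them against constructed proxy-log and file-event telemetry. The Temp directory default is the sandbox user's profile from this report; the rule that the .job file is named after install_file is an assumption taken from what the report shows.

```python
from urllib.parse import urlsplit
import ntpath

# Configs copied from the report's "Malware Config" section.
AMADEY_CFG = {
    "family": "amadey", "version": "4.30", "botnet": "4dd39d",
    "c2": ["http://77.91.77.82"],
    "install_dir": "ad40971b6b", "install_file": "explorti.exe",
    "url_paths": ["/Hun4Ko/index.php"],
}
STEALC_CFG = {
    "family": "stealc", "botnet": "hate",
    "c2": ["http://85.28.47.30"],
    "url_paths": ["/920475a59bac849d.php"],
}

def c2_urls(cfg):
    """Every C2 host joined with every URL path gives the full endpoints."""
    return [host.rstrip("/") + path for host in cfg["c2"] for path in cfg["url_paths"]]

def host_artifacts(cfg, temp_dir=r"C:\Users\Admin\AppData\Local\Temp"):
    """Paths to look for on disk. temp_dir is the sandbox user's Temp folder
    from the report; on a real host substitute each user's Temp under
    LOCALAPPDATA. Assumption: the .job in C:\\Windows\\Tasks is named after
    install_file, which is what the report shows (explorti.exe -> explorti.job)."""
    if "install_file" not in cfg:
        return []
    exe = ntpath.join(temp_dir, cfg["install_dir"], cfg["install_file"])
    job = ntpath.join(r"C:\Windows\Tasks", ntpath.splitext(cfg["install_file"])[0] + ".job")
    return [exe, job]

def _host_path(url):
    p = urlsplit(url)
    return ((p.hostname or "").lower(), p.path or "/")

def match_proxy_log(lines, cfgs):
    """(family, line) for each log line containing a URL that hits a C2 endpoint.
    Only host and path are compared, so a different port, scheme or query
    string does not hide the hit."""
    endpoints = {_host_path(u): cfg["family"] for cfg in cfgs for u in c2_urls(cfg)}
    hits = []
    for line in lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                family = endpoints.get(_host_path(token))
                if family:
                    hits.append((family, line))
    return hits

def match_file_events(paths, cfgs):
    """Case-insensitive match of observed file paths against expected artifacts."""
    wanted = {p.lower() for cfg in cfgs for p in host_artifacts(cfg)}
    return [p for p in paths if p.lower() in wanted]

# Constructed telemetry for the demo; not taken from the report's network capture.
PROXY_LOG = [
    "2024-07-12T02:19:01 10.0.0.5 POST http://77.91.77.82/Hun4Ko/index.php 200",
    "2024-07-12T02:19:03 10.0.0.5 GET http://85.28.47.30:80/920475a59bac849d.php?a=1 200",
    "2024-07-12T02:19:05 10.0.0.5 GET https://www.youtube.com/account 200",
]
FILE_EVENTS = [
    r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
    r"C:\Windows\Tasks\explorti.job",
    r"C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe",
]

if __name__ == "__main__":
    for cfg in (AMADEY_CFG, STEALC_CFG):
        print(cfg["family"], c2_urls(cfg), host_artifacts(cfg))
    print(match_proxy_log(PROXY_LOG, [AMADEY_CFG, STEALC_CFG]))
    print(match_file_events(FILE_EVENTS, [AMADEY_CFG, STEALC_CFG]))
```

The third file event (the AutoIT-compiled 8522cf744c.exe) is deliberately not matched: it is a payload Amadey downloaded, not something the config predicts, so it has to come from the report's process tree and hash list rather than from the config.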
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JJECAAEHCF.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ECFCBFBGDB.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JJECAAEHCF.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ECFCBFBGDB.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ECFCBFBGDB.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JJECAAEHCF.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 8522cf744c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 16b475fe86.exe
-
Executes dropped EXE 8 IoCs
Processes:
pid | process
3544 | explorti.exe
956 | 16b475fe86.exe
4960 | 8522cf744c.exe
1120 | explorti.exe
1492 | JJECAAEHCF.exe
1396 | ECFCBFBGDB.exe
2260 | explorti.exe
3092 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | JJECAAEHCF.exe
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | ECFCBFBGDB.exe
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
956 | 16b475fe86.exe
956 | 16b475fe86.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
Processes:
pid | process
3056 | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
3544 | explorti.exe
956 | 16b475fe86.exe
956 | 16b475fe86.exe
1120 | explorti.exe
956 | 16b475fe86.exe
1492 | JJECAAEHCF.exe
1396 | ECFCBFBGDB.exe
2260 | explorti.exe
3092 | explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 16b475fe86.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 16b475fe86.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
-
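The VirtualBox ACPI, BIOS version, Wine, Geo\Nation and CentralProcessor signatures above all rest on the same telemetry: which registry paths a process opened or queried. Read one at a time they are noisy (Firefox queries CentralProcessor\0 in this very report, and a Geo\Nation read looks like any locale lookup), so a practical detection weights the categories and requires several of the strong ones from one process. The following is an added example, not part of the report and not Triage's signature code, that scores constructed events built from the report's IoC rows. The report prints image names only; the PIDs in the sample events are taken from its process tree, and the FADT/RSDT table names are added from general VirtualBox knowledge, not from this run.

```python
import re
from collections import defaultdict

# Registry locations the report's signatures fire on, grouped by what the
# read reveals. "strong" ones have no purpose in ordinary software except
# fingerprinting the environment; "weak" ones are also read legitimately.
CATEGORIES = [
    # The report shows DSDT; VirtualBox also stamps VBOX__ on its FADT and RSDT tables.
    ("vbox_acpi", "strong", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios",      "strong", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine",      "strong", re.compile(r"\\Software\\Wine$", re.I)),
    ("geo",       "weak",   re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("cpu",       "weak",   re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", re.I)),
]

def classify(path):
    """Map one registry path to (category, weight), or (None, None)."""
    for name, weight, rx in CATEGORIES:
        if rx.search(path):
            return name, weight
    return None, None

def score(events, strong_needed=2):
    """Group events by (pid, image). A process is flagged when it touches at
    least strong_needed distinct strong categories; weak hits are reported
    for context but never flag on their own."""
    touched = defaultdict(set)
    for ev in events:
        name, weight = classify(ev["path"])
        if name:
            touched[(ev["pid"], ev["image"])].add((name, weight))
    report = {}
    for key, cats in touched.items():
        strong = {n for n, w in cats if w == "strong"}
        report[key] = {"categories": sorted(n for n, _ in cats),
                       "flag": len(strong) >= strong_needed}
    return report

def flagged(events, strong_needed=2):
    """Sorted (pid, image) pairs that meet the threshold."""
    return sorted(k for k, v in score(events, strong_needed).items() if v["flag"])

HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000"
SAMPLE = "5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"

def _ev(pid, image, path):
    return {"pid": pid, "image": image, "path": path}

# Constructed from the report's IoC rows; PIDs come from its process tree
# (assumption: one PID per image name in this excerpt).
EVENTS = [
    _ev(3056, SAMPLE, HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    _ev(3056, SAMPLE, HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    _ev(3056, SAMPLE, HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    _ev(3056, SAMPLE, HKU + r"\Software\Wine"),
    _ev(3056, SAMPLE, HKU + r"\Control Panel\International\Geo\Nation"),
    _ev(3544, "explorti.exe", HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    _ev(3544, "explorti.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    _ev(3544, "explorti.exe", HKU + r"\Software\Wine"),
    _ev(1492, "JJECAAEHCF.exe", HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    _ev(1492, "JJECAAEHCF.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    _ev(956, "16b475fe86.exe", HKU + r"\Control Panel\International\Geo\Nation"),
    _ev(956, "16b475fe86.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    _ev(4960, "8522cf744c.exe", HKU + r"\Control Panel\International\Geo\Nation"),
    _ev(4632, "firefox.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"),
    _ev(4632, "firefox.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"),
]

if __name__ == "__main__":
    for key, info in sorted(score(EVENTS).items()):
        print(key, info)
```

With the default threshold the loader, its explorti.exe copy and the Stealc-side JJECAAEHCF.exe are flagged, while Firefox, the AutoIT binary and 16b475fe86.exe are not, which matches how the report's own signatures distribute across the tree. On a production feed (Sysmon Event ID 12/13, or an EDR's registry events) the same three fields are available and the time window per process is the only thing to add.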
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
pid | process
3056 | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe (2 entries)
3544 | explorti.exe (2 entries)
956 | 16b475fe86.exe (2 entries)
1120 | explorti.exe (2 entries)
956 | 16b475fe86.exe (2 entries)
1492 | JJECAAEHCF.exe (2 entries)
1396 | ECFCBFBGDB.exe (2 entries)
2260 | explorti.exe (2 entries)
3092 | explorti.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4632 | firefox.exe (5 entries)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
3056 | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
4960 | 8522cf744c.exe (7 consecutive entries)
4632 | firefox.exe (consecutive entries)
4960 | 8522cf744c.exe (consecutive entries)
(64 entries in total)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
4960 | 8522cf744c.exe (7 consecutive entries)
4632 | firefox.exe (consecutive entries)
4960 | 8522cf744c.exe (consecutive entries)
(64 entries in total)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
956 | 16b475fe86.exe
4632 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3056 wrote to memory of 3544 | 3056 | 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe | explorti.exe (3 entries)
PID 3544 wrote to memory of 956 | 3544 | explorti.exe | 16b475fe86.exe (3 entries)
PID 3544 wrote to memory of 4960 | 3544 | explorti.exe | 8522cf744c.exe (3 entries)
PID 4960 wrote to memory of 3564 | 4960 | 8522cf744c.exe | firefox.exe (2 entries)
PID 3564 wrote to memory of 4632 | 3564 | firefox.exe | firefox.exe (11 entries)
PID 4632 wrote to memory of 3680 | 4632 | firefox.exe | firefox.exe (all remaining entries)
(64 entries in total)
-
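The WriteProcessMemory rows are the cleanest record of parentage in the report: a parent writes into a freshly created child as part of process start, so the first writer into a PID is almost always its creator, and the distinct (writer, target) pairs give the tree that the "Processes" section renders. The following is an added example, not code from the report or from Triage, that parses rows in the report's own format, rebuilds the tree, and exposes the write count per edge so that a burst of writes into a long-running, unrelated process (injection) can be told apart from the handful that accompany CreateProcess. The row text is a constructed excerpt of the report's edges with the 4632 -> 3680 run shortened.

```python
import re
from collections import defaultdict

# One row per recorded WriteProcessMemory call, as the report prints them:
# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

def parse_edges(text):
    """Collapse repeated rows into images {pid: image} and
    children {src_pid: {dst_pid: dst_image}}."""
    images, children = {}, defaultdict(dict)
    for src, dst, src_img, dst_img in ROW.findall(text):
        src, dst = int(src), int(dst)
        images[src], images[dst] = src_img, dst_img
        if src != dst:
            children[src][dst] = dst_img
    return images, dict(children)

def roots(images, children):
    """PIDs nobody wrote into: the tree roots (the submitted sample here)."""
    written = {dst for dsts in children.values() for dst in dsts}
    return sorted(pid for pid in images if pid not in written)

def ancestry(pid, children):
    """Chain of writers above pid, outermost first."""
    parent = {dst: src for src, dsts in children.items() for dst in dsts}
    chain = []
    while pid in parent:
        pid = parent[pid]
        chain.append(pid)
    return chain[::-1]

def render(pid, images, children, depth=0, out=None):
    """Indented text tree rooted at pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{images[pid]} (PID {pid})")
    for child in sorted(children.get(pid, {})):
        render(child, images, children, depth + 1, out)
    return out

def write_count(src, dst, text):
    """How many writes src made into dst. A few writes right after
    CreateProcess are normal; many writes into a process that has already
    been running for a while is what injection looks like. Firefox's parent
    writing dozens of times into its own fresh child (the 4632 -> 3680 run in
    the report) is the browser setting up its sandboxed children, not injection."""
    return len(re.findall(rf"PID {src} wrote to memory of {dst} ", text))

SAMPLE = "5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"

def _rows(src, dst, src_img, dst_img, n):
    """Constructed rows in the report's format, repeated n times."""
    return f"PID {src} wrote to memory of {dst} {src} {src_img} {dst_img} " * n

# Constructed excerpt: the report's distinct edges with their repeat counts,
# except that the 4632 -> 3680 run is cut to four rows.
ROWS = "".join([
    _rows(3056, 3544, SAMPLE, "explorti.exe", 3),
    _rows(3544, 956, "explorti.exe", "16b475fe86.exe", 3),
    _rows(3544, 4960, "explorti.exe", "8522cf744c.exe", 3),
    _rows(4960, 3564, "8522cf744c.exe", "firefox.exe", 2),
    _rows(3564, 4632, "firefox.exe", "firefox.exe", 11),
    _rows(4632, 3680, "firefox.exe", "firefox.exe", 4),
])

if __name__ == "__main__":
    images, children = parse_edges(ROWS)
    print("\n".join(render(roots(images, children)[0], images, children)))
    print("ancestry of 4632:", ancestry(4632, children))
```

One thing the rebuilt tree makes obvious: the two cmd.exe launches (PIDs 1832 and 4180) and their JJECAAEHCF.exe/ECFCBFBGDB.exe children never appear in the WriteProcessMemory rows, so a tree built from this signature alone is incomplete and has to be merged with process-creation events to recover the Stealc side of the run.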
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3056
  Level 2: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3544
    Level 3: C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 956
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"
        PID: 1832
        (The system32 path resolves to SysWOW64 because the 32-bit parent runs under WOW64 file-system redirection.)
        Level 5: C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          PID: 1492
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe"
        PID: 4180
        Level 5: C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ECFCBFBGDB.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          PID: 1396
    Level 3: C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\8522cf744c.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 4960
      Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        - Suspicious use of WriteProcessMemory
        PID: 3564
        Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4632
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe (gpu)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b192c709-be1c-4313-abef-f0e20fe6ca8f} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" gpu
            PID: 3680
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe (socket)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2bf5fd5-6f94-4c01-941d-f49026662952} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" socket
            PID: 3640
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe (tab)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 1 -isForBrowser -prefsHandle 3560 -prefMapHandle 3292 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afafe5d6-a8e2-43d4-b536-b236c4f3d1c1} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab
            PID: 4344
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe (tab)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4036 -childID 2 -isForBrowser -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a1fdb5f-cc7e-400c-a17f-f0cc7f9eacf8} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab
            PID: 1612
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe (utility)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4668 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6a86f42-e721-43a5-a332-6204ce31eb1b} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" utility
            - Checks processor information in registry
            PID: 3348
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe (tab)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4044 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5328 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74452018-5927-41f4-9e81-301a79ab19f3} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab
            PID: 4908
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe (tab)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d306c4a-5024-408c-981f-fb82fb885e3d} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab
            PID: 464
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe (tab)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5800 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60498aaf-a6f0-482e-9b18-382b667d0a3f} 4632 "\\.\pipe\gecko-crash-server-pipe.4632" tab
            PID: 116
-
The three explorti.exe instances below are separate tree roots with an unquoted command line; together with the explorti.job drop in C:\Windows\Tasks and the Task Scheduler COM API signature, this is consistent with scheduled-task launches of the installed copy.
Level 1: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1120
-
Level 1: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2260
-
Level 1: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3092
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 11KB
MD5: 9a1720bae506624f697df48ead857498
SHA1: 5b4315dc3e01c03fcae7c1d36e4d5f3d79bf3329
SHA256: 9b81e8956df5f0e884659f6ba053a18b0ab0088e82d83acac8e43af0768cbed9
SHA512: e1d3ea79c58b39de211dbdb37a1a9eb4d2a2ba1314b1046dcffb048d23c336ee2a5a6b6ccd49a4a25dc1ecdfdd9706da9151ea8de0f0549aeec63d03479645ae
-
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 18KB
MD5: 43b447d90927e38b00f5ecac60f5bd8a
SHA1: eca289a7c4b339c0cfd08b9cb6bf130522d611d4
SHA256: 345eb0fbd2ea12f1e27ab8b4b9813d579b6f994c6c7e82b66e8beca85be78b1b
SHA512: 8538520f723be21150a3179c5c8964186d8b3222033b9be855b3d2c89ca8431a3f00477d50071a3b478c09def6dc2abd6cae93243c2e166ab1822f69efa96fb6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize: 13KB
MD5: 7dedec898d10283833f4d5e5a6a3ea98
SHA1: e7f09962a509ca6b591c93c109ed9ed1d9bbd202
SHA256: c62d8ad7a2fa9de0a9d740a7057f54e1994da641d887429d14649809eb33d6f3
SHA512: a961870cdbde27a62c8e3fe5935b3b232ce1fbfaa0b41e8a4c272eb75987d3fe3deeea1a6885b8c9afa1ebe2097ad1328212dbdb5a9c5c3499a4a1c871bd303f
-
Filesize: 2.4MB
MD5: b5f67083e086299287f0dfb2a7bef96e
SHA1: dccf58d99cd7153859d1ad5a1c3f7e348e2ebbb7
SHA256: 1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80
SHA512: 55c4f5d435a1a27e6c8e14c88e454da4dc2398076f4596a6f983184831db0119c58be9c82b8ddf5ef37265b65b5cea56e5963c871b2be0f8e88064224681d654
-
Filesize: 1.2MB
MD5: 37f0d7fac582e7e1592b3306f79143f0
SHA1: fe09db964b98769ebf71d780de5655958a4b9dbb
SHA256: dd8ed064fdd43873a7ece063734ef85a27549c4f2a90e05aeccf859c8c53ffbd
SHA512: 3a020bea5a33387ad5e15bf22bc9a81406885ed0c1d40eb9d257d110b34fffa86598af61ceaaf5756a685e7bf9aecc976d951823c46eb48106781ca6e6fc1126
-
Filesize: 1.8MB (same hashes as the submitted sample in General above)
MD5: ad7686b6a3804dda1cb2b039efdcd54f
SHA1: d810885254abaf8d3ac93269209141833c45ce58
SHA256: 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181
SHA512: d795e4c224d9e9066822a009602dd38542f86021b994accf3cdc715e869d58bd9321b8c07d776848a2d5bea8607c347d15030861dc63fcb2392e87e3feb901f4
-
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin
Filesize: 17KB
MD5: b3066a9e4e8dae6ad4b6d549f4cba42b
SHA1: 19b99f5ded378a89560c2e8ca26ccf68fe504cc0
SHA256: 6218f13e470926c05c64fdaded093c1f969e0edc0c59b2acc14576e6c7fb5ae0
SHA512: 77b1bfedf97cc21289958cd35d42c391157c81ef203cb1900fae820fcc2c76450bdf09f8df2a8bbbfb6d068c8dcf31113395690a8c1cadb0fd85bf10cb8aa380
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 636833065fe2497c72064055a218cdf5
SHA1: f483bcac41fb67162c1a8b3cabbdcf1a15168f47
SHA256: 0a23e5f134dfce247bfaafc125ea3ef92de9ebb3ab688dec718d47be7f749745
SHA512: e3bf4094856c5471798ca15db3ea6c07572a1fe792c3d1954e2fd2ed765bbbd3f9c1031b165f36826fdf591864fd8956f1577b57d8ddb2ebe97367c74c375242
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin
Filesize: 11KB
MD5: 4a6eac83f105180d0392df1730321066
SHA1: 92f2ba6f7115efce48ece69e035e11ab66c206b2
SHA256: 2b33dce41d91e0b2ab0011ffb0bdd6b9c6d5121c7183665d3cb4e27d10828561
SHA512: add7e0009e4f64ecf25770eb2595e1cb7000368329e845bc1e28b928edc4be2f69aa89f4afcefa17b5c83a73251a17179cb46e6630cce24cd35c47cf4155b035
-
Filesize: 256KB
MD5: 6917a7698218d0c8a94c9cd6150872cb
SHA1: 43015f615203a220f1413dae611292825df8a83e
SHA256: 2a129e7cc6ad8419ebd887be216fca453965303d31742989baa97ca316420aa9
SHA512: 7ab6d66d8fdf91dafc23970ddba15b755bd9bec2ad26a8ab6cf11ea27fd147b79741364cca72ca21167ac967670fde29b887c17730952944f76ce973628d09b8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 25KB
MD5: bcbf3ae8eb93e7a419b1c3a83dee31ae
SHA1: bc8b105bdf794f8f00cb2b5c4e6fa4949f3800fe
SHA256: 6a916977e4f29b7539872cdb6bd1299d2891df7975f6a375e00d670958fb04a4
SHA512: b486e7092e6e3610a38f86c4375a5e914964a1f567a1e2e3d77547ef92c29f8166500ff2faf1089d05d348e0adbc52c1fa3131350bb92762184ddd5a9e2f149e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 23KB
MD5: 7a70248477e1a6715ebae29db42558c4
SHA1: 10a991979e225ae72786a979422f7fbddd400b68
SHA256: 6fa75cc76ee6878722dfc13f84a04c7dcd324546dcd85c35365dad57ce6fcca3
SHA512: 09662c2975638cb78a54d18373247b540223fa73e458fbd5998e1920edcc8d8adeb5195e1dc3be852a79a54c375640f58432324a269c19870fcb724b1fea6fd6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
MD5: 67887669eb3bd941f0846dddb85cc003
SHA1: 492e0791c2acc94683134a74aafc09c66f190694
SHA256: c8a914dd2f272dc7d2fc2067ef63f7ebf89c0f519d64ce213117430d46b9c7a3
SHA512: 000b09820f676d4e90a89de103c449954a51bcb652ffca275a014b8a96ea1bb7ea761b4d4fab1b863877e18a4831baea3b1bf79dc5f627a9d07e9a87b57468a6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\2d8f2432-bbb3-4191-91c2-86cd08183a3e
Filesize: 659B
MD5: 614d4058fc207933439d60ed068b5a4f
SHA1: 461e835319bef3ccb91a49ba34eabefca1b43ea6
SHA256: c84b3c64497bf34079d4071d5130d3d51c4f7d5f38df6374b5929e6dee0a4254
SHA512: ba6394a8d66bcd0cb20b95de5a1b517afcd6cd7e58d236c8df37d8a683aa051842908c6816bb6d5a64628e5b4339505a85ee79277a817202fc52146607a8c961
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\656ca0b0-0bd3-4a4d-8b65-b0236c09c1d1
Filesize: 982B
MD5: cf97017dd90bafc1027d322eb7b209bc
SHA1: 7969cede1f199d467155072a1ebee8572df30a88
SHA256: 371a9f3e6f499e8cc0e4b8c8b6754726080391b7c6a324b0c83820089198fa30
SHA512: 4c266ec6ac248e672452443804bf0fb68fc13483a4b46bf844dfb4b37382409bbda4c765a18c00b69e8aaf2c3ccaec264cebeca043d751bc43bc01ceb2497d87
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 992KB
MD5: e5fa70d53ca1dc02d078f03b22b2e789
SHA1: 8c0a9459b9670b4450107685ee738138486d89b3
SHA256: 2a9d8c02d908d4ca473ecc8b3e3bdf8c41d492f0da02738e918c6652ae0d715b
SHA512: 017b05d4b63286be7e9fcb1456dff17dee683eab2e092c158485e405a765ed117e7dda985073277bd888f560c18898eee132ba9a15bc57fc7c4bd81d91469789
-
Filesize: 12KB
MD5: 436cbf785bfce9cfc2928405ed416c69
SHA1: 03697db9f483b619311124b7aa1e3fc62e2bb3c9
SHA256: 8784f46d6fbadf6ee45b4a5a5e858c097a232b21c866aee861c9a71b00ba4f95
SHA512: 1484bd63fffabfa0ee98c27f5933ddb071060b90dae22d20f831be214ca2ea51aeb8c89dbc466df58938ef78acc814695f9739ad611eff1118d2eaed37b8c39d
-
Filesize: 16KB
MD5: 69c479678464f6e4029a369f0ea641a4
SHA1: 5dc46710273b9b7b1f9a3d02e0065cccf3aa47ff
SHA256: 81ebb59fdb0fea0e318e7ad302710dcfbef5344288fa356e7688ef44ed443650
SHA512: c7aa87fee7e24dbfabff83ce5eaf3f5cc45a8c168aa5a5697e7a360f3c320542353a2eed4be24666a57d05f4519a56e4bbc60a9a4a1aa780a608ef5d2c5b6812
-
Filesize: 8KB
MD5: 32eff4d71deca0b14cea47da90c32b4c
SHA1: a585c38c6b2632ec9151d13c26190ebba0c37ca2
SHA256: daa0a7f91cf8accab8f7dda4fbe862dcfe0040d20f655f7b38f147f23db16e50
SHA512: 30a7e884cd2f547c8302e3ed98e48e7e9a1b31397fa6828e5f45220c363e7f445f993d4243f7529766f5099ad1f6750f2b64c2f321d3c38cc10e9794458a9f40