Analysis
- max time kernel: 59s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 26/07/2024, 04:45
Static task
- static1
Behavioral task
- behavioral1
- Sample: 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe
- Resource: win7-20240704-en
General
- Target: 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe
- Size: 251KB
- MD5: 42cd439933caf2d0ed81f88510fa2321
- SHA1: 15c3244d95033e6db54424125c1304aad7d69a99
- SHA256: 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5
- SHA512: 37d5c98bd248f5e38906ee38023423758c8441fb749a7ed1f7f6ddcb89239ecf635b9171af4553227768fa5b417c2d17d8cd94b10c0709dff34202153553c167
- SSDEEP: 6144:dGuRRUfBMnX33k9Y6vPMaaM+FKzVa7MjNT:dGURNCHPcbK5QG
Malware Config

Extracted: stealc
- Botnet: sila
- C2: http://85.28.47.31
- url_path: /5499d72b3a3e55be.php

Extracted: amadey
- Version: 4.41
- Botnet: fed3aa
- C2: http://185.215.113.16
- install_dir: 44111dbc49
- install_file: axplong.exe
- strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
- url_paths: /Jo89Ku7d/index.php

Extracted: amadey
- Version: 4.41
- Botnet: 0657d1
- C2: http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php

Extracted: redline
- Botnet: 25072023
- C2: 185.215.113.67:40960

Note: the two Amadey C2 hosts and the RedLine C2 all sit in 185.215.113.0/24. The Amadey install_dir/install_file pairs match the paths the process tree shows for the two Amadey instances (C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe and C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe), and the RedLine botnet id 25072023 is also the file name of the dropped RedLine payload (25072023.exe, PID 3576).
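The configs above turned into hunting material, as an added example (not part of the sandbox report or of any tool the report uses): it flattens the three extractions into full C2 URLs, host:port pairs and the Amadey drop paths, then checks constructed proxy-log lines against them, with a weaker "same /24 as a known C2" tag for neighbours of the 185.215.113.x hosts. The log format and its lines are made up, and the %LOCALAPPDATA%\Temp prefix for the drop paths is an assumption taken from where the process tree shows axplong.exe and explorti.exe.

```python
"""Added example, not part of the sandbox report: turn the extracted configs
into indicators and scan constructed proxy-log lines against them."""
import ipaddress
from urllib.parse import urlsplit

# Transcribed from the "Malware Config" section of the report.
EXTRACTED = [
    {"family": "stealc", "botnet": "sila", "c2": ["http://85.28.47.31"],
     "url_path": "/5499d72b3a3e55be.php"},
    {"family": "amadey", "version": "4.41", "botnet": "fed3aa",
     "c2": ["http://185.215.113.16"], "url_paths": ["/Jo89Ku7d/index.php"],
     "install_dir": "44111dbc49", "install_file": "axplong.exe"},
    {"family": "amadey", "version": "4.41", "botnet": "0657d1",
     "c2": ["http://185.215.113.19"], "url_paths": ["/Vi9leo/index.php"],
     "install_dir": "0d8f5eb8a7", "install_file": "explorti.exe"},
    {"family": "redline", "botnet": "25072023", "c2": ["185.215.113.67:40960"]},
]

# Constructed proxy log (assumed format): "<ts> <src> <dst:port> <method> <url-or-dash>"
SAMPLE_LOG = """
2024-07-26T04:46:01Z 10.0.0.15 85.28.47.31:80 POST http://85.28.47.31/5499d72b3a3e55be.php
2024-07-26T04:46:09Z 10.0.0.15 185.215.113.16:80 POST http://185.215.113.16/Jo89Ku7d/index.php
2024-07-26T04:46:12Z 10.0.0.15 185.215.113.67:40960 CONNECT -
2024-07-26T04:46:20Z 10.0.0.15 185.215.113.42:80 GET http://185.215.113.42/update.php
2024-07-26T04:47:00Z 10.0.0.22 142.250.74.46:443 CONNECT https://www.youtube.com/account
"""


def indicators(configs):
    """Flatten configs into (family, kind, value): full C2 URLs, host:port pairs, drop paths."""
    out = []
    for c in configs:
        paths = c.get("url_paths") or ([c["url_path"]] if c.get("url_path") else [])
        for c2 in c["c2"]:
            if "://" in c2:                      # HTTP C2: host plus every url_path
                u = urlsplit(c2)
                host = u.hostname
                port = u.port or (443 if u.scheme == "https" else 80)
                for p in paths:
                    out.append((c["family"], "url", f"{u.scheme}://{host}{p}"))
            else:                                # raw host:port (RedLine)
                host, _, port = c2.rpartition(":")
                port = int(port)
            out.append((c["family"], "host_port", f"{host}:{port}"))
        if c.get("install_dir") and c.get("install_file"):
            # assumption: the tree shows these under the user's Local\Temp
            out.append((c["family"], "drop_path",
                        f"%LOCALAPPDATA%\\Temp\\{c['install_dir']}\\{c['install_file']}"))
    return out


def scan(log_lines, inds):
    """Tag each log line: exact URL hit, exact host:port hit, or same /24 as a C2 (weak)."""
    urls = {v: f for f, k, v in inds if k == "url"}
    host_ports = {v: f for f, k, v in inds if k == "host_port"}
    nets = {}
    for f, k, v in inds:
        if k == "host_port":
            net = ipaddress.ip_network(v.rsplit(":", 1)[0] + "/24", strict=False)
            nets.setdefault(net, set()).add(f)
    results = []
    for line in log_lines:
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue                             # skip malformed lines
        ts, _src, dst, _method, url = parts
        url = url.rstrip("/")
        hit = {"ts": ts, "dst": dst, "match": None, "family": None}
        if url in urls:
            hit.update(match="url", family=urls[url])
        elif dst in host_ports:
            hit.update(match="host_port", family=host_ports[dst])
        else:
            try:
                ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
            except ValueError:
                ip = None
            for net, fams in nets.items():
                if ip is not None and ip in net:
                    hit.update(match="netblock", family="/".join(sorted(fams)))
                    break
        results.append(hit)
    return results


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.strip().splitlines(), indicators(EXTRACTED)):
        print(h["ts"], h["dst"], h["match"], h["family"])
```

The netblock tag is deliberately separate from the exact matches: a hit on 185.215.113.42 says only that the destination shares a /24 with three C2s from this sample, which is a triage lead, not a detection.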
Signatures

Detects Monster Stealer (2 IoCs)
- resource behavioral1/files/0x000600000001c8bd-538.dat, yara_rule family_monster
- resource behavioral1/memory/3168-618-0x000000013FDE0000-0x000000014101E000-memory.dmp, yara_rule family_monster
The memory match is in PID 3168, stub.exe, the payload that build.exe unpacks (see the process tree).

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
- resource behavioral1/files/0x000600000001c8c3-690.dat, yara_rule family_redline
- resource behavioral1/memory/3576-700-0x0000000000B70000-0x0000000000BC2000-memory.dmp, yara_rule family_redline
The memory match is in PID 3576, 25072023.exe, whose file name is the RedLine botnet id from the extracted config.

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by RoamingKJKJKFCBKK.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by axplong.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by RoamingFHCGHJDBFI.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by explorti.exe
A VirtualBox guest carries its ACPI DSDT under this key (OEM id VBOX__); the key does not exist on physical hardware, so opening it is a direct hypervisor check.

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by RoamingKJKJKFCBKK.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by RoamingKJKJKFCBKK.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by axplong.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by axplong.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by RoamingFHCGHJDBFI.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by RoamingFHCGHJDBFI.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by explorti.exe
On a VM these strings typically name the hypervisor vendor (VirtualBox, VMware), which is what the reader compares against.

Executes dropped EXE (13 IoCs)
- 2644 RoamingKJKJKFCBKK.exe
- 2708 axplong.exe
- 2136 RoamingFHCGHJDBFI.exe
- 1668 explorti.exe
- 1940 c2a4594a7a.exe
- 1536 e9a6b26931.exe
- 3840 build.exe
- 3168 stub.exe
- 3304 crypted.exe
- 2052 5447jsX.exe
- 3148 crypteda.exe
- 3496 2.exe
- 3576 25072023.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine by RoamingKJKJKFCBKK.exe
- Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine by axplong.exe
- Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine by RoamingFHCGHJDBFI.exe
- Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine by explorti.exe
The same four processes, the two Amadey droppers and the copies they install, perform all three environment probes (VirtualBox ACPI, BIOS strings, Wine key).

Loads dropped DLL (30 IoCs, repeated loads collapsed into counts)
- 2604 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe (x2)
- 2544 cmd.exe (x1)
- 2644 RoamingKJKJKFCBKK.exe (x1)
- 2056 cmd.exe (x1)
- 2136 RoamingFHCGHJDBFI.exe (x1)
- 1668 explorti.exe (x4)
- 2708 axplong.exe (x9)
- 3840 build.exe (x1)
- 3168 stub.exe (x1)
- 1540 WerFault.exe (x3)
- 3976 WerFault.exe (x3)
- 3204 WerFault.exe (x3)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\c2a4594a7a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002001\\c2a4594a7a.exe" by explorti.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\e9a6b26931.exe = "C:\\Users\\Admin\\1000003002\\e9a6b26931.exe" by explorti.exe
Both Run entries are written by the Amadey instance explorti.exe for payloads it downloaded (its own copy is tied to the explorti.job task under "Drops file in Windows directory"); the value data is the full path of the dropped file, which is the hunting pivot.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
- 2644 RoamingKJKJKFCBKK.exe
- 2708 axplong.exe
- 2136 RoamingFHCGHJDBFI.exe
- 1668 explorti.exe
ThreadHideFromDebugger stops the calling thread from reporting debug events, so breakpoints or single-stepping in that thread never reach an attached debugger; an anti-debugging measure, again from the same four Amadey processes.

Drops file in Windows directory (2 IoCs)
- File created C:\Windows\Tasks\axplong.job by RoamingKJKJKFCBKK.exe
- File created C:\Windows\Tasks\explorti.job by RoamingFHCGHJDBFI.exe
A .job file in C:\Windows\Tasks is a scheduled task in the legacy Task Scheduler 1.0 format; each dropper registers one named after the copy it installs. Compare "Uses Task Scheduler COM API" below and taskeng.exe in the process tree.

Detects Pyinstaller (2 IoCs)
- resource behavioral1/files/0x000600000001c8ca-737.dat, yara_rule pyinstaller
- resource behavioral1/files/0x000500000001cfc6-888.dat, yara_rule pyinstaller

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
- WerFault.exe PID 1540 for target PID 3304 (crypted.exe)
- WerFault.exe PID 3976 for target PID 2052 (5447jsX.exe)
- WerFault.exe PID 3204 for target PID 3148 (crypteda.exe)
Three of the payloads fetched by axplong.exe crashed shortly after starting, so this run shows nothing of what they do on a host where they work.

System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: e9a6b26931.exe, crypteda.exe, 25072023.exe, axplong.exe, explorti.exe, cmd.exe (x2), 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe, RoamingFHCGHJDBFI.exe, c2a4594a7a.exe, crypted.exe, 5447jsX.exe, RoamingKJKJKFCBKK.exe
Weak on its own: cmd.exe is in the list, and many benign binaries read this key during start-up.

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe
The firefox.exe rows are the browser's own start-up, triggered by the batch file of e9a6b26931.exe opening https://www.youtube.com/account (see the process tree); only the two rows from the submitted sample are attributable to the malware.

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by chrome.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by chrome.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by chrome.exe
All three rows come from chrome.exe, launched by the same batch file: ordinary browser telemetry, not a malware action.

Modifies registry class (1 IoC)
- Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings by firefox.exe

Modifies system certificate store (2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 by axplong.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) by axplong.exe
The thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 fingerprint of ISRG Root X1, the Let's Encrypt root, and the target is the machine-wide ROOT (Trusted Root Certification Authorities) store rather than the AuthRoot store that Windows' automatic root update writes to, so this is an explicit store write by the loader. Adding a public CA root does not by itself give the attacker interception capability, but a loader writing to ROOT is worth a rule of its own; confirm from the stored Blob which certificate was installed before deciding.
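To show how the registry rows in the VirtualBox, BIOS, Wine, processor-information and Run-key signatures above separate the malware from the browsers that share this report, here is an added example that is not the sandbox's own logic: it parses rows in the report's own "<action> <path> [= <value>] <process>" form, weights the VirtualBox ACPI and Wine probes as strong, the BIOS/CPU/SMBIOS reads as weak (browsers and telemetry do them too), and records Run-key writes separately. The rows are constructed from the signatures above; the weighting is the example's own choice, not something the report states.

```python
"""Added example, not part of the sandbox report: classify registry rows in the
report's own row format per process. Sample rows are constructed from the
signatures above; the strong/weak weighting is this example's assumption."""
import re
from collections import defaultdict

ACTIONS = ("Key opened", "Key value queried", "Key created",
           "Set value (str)", "Set value (data)")

# Constructed sample rows: malware probes plus browser rows that must NOT be flagged.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine axplong.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\c2a4594a7a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002001\\c2a4594a7a.exe" explorti.exe
"""

CHECKS = {
    # strong: no ordinary application has a reason to touch these
    "vbox_acpi":    re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    "wine_key":     re.compile(r"\\Software\\Wine$", re.I),
    # weak: hardware fingerprinting that browsers and telemetry also perform
    "bios_version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "cpu_info":     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\|$)", re.I),
    "smbios":       re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I),
    # persistence: per-user Run key
    "run_key":      re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
}
STRONG = {"vbox_acpi", "wine_key"}
WEAK = {"bios_version", "cpu_info", "smbios"}


def parse_row(row):
    """Split one report row into action, registry path, value and process (None if malformed)."""
    row = row.strip()
    for action in ACTIONS:
        if row.startswith(action + " "):
            rest, _, process = row[len(action) + 1:].rpartition(" ")
            path, _, value = rest.partition(" = ")
            # the report escapes backslashes inside quoted string values
            value = value.strip('"').replace("\\\\", "\\")
            return {"action": action, "path": path, "value": value, "process": process}
    return None


def classify(rows):
    """Per process: checks hit, Run entries written, and a verdict."""
    hits = defaultdict(set)
    run_entries = defaultdict(list)
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        for name, rx in CHECKS.items():
            if not rx.search(rec["path"]):
                continue
            if name == "run_key":
                if rec["action"].startswith("Set value"):
                    run_entries[rec["process"]].append(rec["value"])
            else:
                hits[rec["process"]].add(name)
    report = {}
    for proc in sorted(set(hits) | set(run_entries)):
        h = hits[proc]
        if h & STRONG:
            verdict = "anti-vm"            # VirtualBox ACPI table or Wine key probed
        elif len(h & WEAK) >= 2:
            verdict = "hw-fingerprint"     # several weak reads from one process
        else:
            verdict = "none"               # a single weak read is normal start-up noise
        report[proc] = {"checks": sorted(h), "run_entries": run_entries[proc],
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    for proc, info in classify(SAMPLE_ROWS.strip().splitlines()).items():
        print(f"{proc:20} {info['verdict']:15} {info['checks']} {info['run_entries']}")
```

With this weighting axplong.exe is flagged on the VBOX__ and Wine probes alone, while firefox.exe and chrome.exe, which only read CentralProcessor and BIOS values, stay at "none"; a process that hits two or more of the weak keys without a strong one is reported separately so it can be reviewed rather than ignored.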
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- 2604 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe (x2)
- 2644 RoamingKJKJKFCBKK.exe
- 2708 axplong.exe
- 2136 RoamingFHCGHJDBFI.exe
- 1668 explorti.exe
- 2156 chrome.exe (x2)

Suspicious use of AdjustPrivilegeToken (64 IoCs, collapsed into counts)
- Token: SeShutdownPrivilege, 2156 chrome.exe (x62)
- Token: SeDebugPrivilege, 2628 firefox.exe (x2)
Both are browser processes started by the batch file of e9a6b26931.exe, not the malware itself.

Suspicious use of FindShellTrayWindow (40 IoCs, collapsed into counts)
- 2644 RoamingKJKJKFCBKK.exe (x1)
- 2136 RoamingFHCGHJDBFI.exe (x1)
- 2628 firefox.exe (x4)
- 2156 chrome.exe (x34)

Suspicious use of SendNotifyMessage (35 IoCs, collapsed into counts)
- 2628 firefox.exe (x3)
- 2156 chrome.exe (x32)

Suspicious use of WriteProcessMemory (64 IoCs, collapsed into parent -> child edges; the report emits one row per write and a process start produces several)
- 2604 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe -> 2544 cmd.exe (x4)
- 2544 cmd.exe -> 2644 RoamingKJKJKFCBKK.exe (x4)
- 2644 RoamingKJKJKFCBKK.exe -> 2708 axplong.exe (x4)
- 2604 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe -> 2056 cmd.exe (x4)
- 2056 cmd.exe -> 2136 RoamingFHCGHJDBFI.exe (x4)
- 2136 RoamingFHCGHJDBFI.exe -> 1668 explorti.exe (x4)
- 1668 explorti.exe -> 1940 c2a4594a7a.exe (x4)
- 1668 explorti.exe -> 1536 e9a6b26931.exe (x4)
- 1536 e9a6b26931.exe -> 836 cmd.exe (x4)
- 836 cmd.exe -> 2156 chrome.exe (x3)
- 836 cmd.exe -> 2748 firefox.exe (x3)
- 2748 firefox.exe -> 2628 firefox.exe (x12)
- 2156 chrome.exe -> 2132 chrome.exe (x3)
- 2628 firefox.exe -> 2556 firefox.exe (x3)
- 2628 firefox.exe -> 2260 firefox.exe (x4)
Every edge is a parent writing into a child it has just created (child names are from "Executes dropped EXE" and the process tree); no write into an unrelated process, the injection pattern this signature is meant to surface, appears in this run.
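The collapsed edges above can be recovered mechanically from the raw rows. This is an added example, not part of the report: it parses the "PID A wrote to memory of B A image target" rows, collapses repeated writes into one parent-child edge with a count, computes each process's depth and renders an indented tree. The rows are a constructed subset of the table above; image names for PIDs that never act as a parent are not present in the rows and are supplied from the process tree.

```python
"""Added example, not part of the sandbox report: rebuild the process tree from
"Suspicious use of WriteProcessMemory" rows. SAMPLE_WPM is a constructed subset
of the report's rows; EXTRA_NAMES is taken from the process tree."""
import re
from collections import Counter, defaultdict

# "PID <parent> wrote to memory of <child> <parent> <image> <target id>"
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

SAMPLE_WPM = """
PID 2604 wrote to memory of 2544 2604 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe 32
PID 2604 wrote to memory of 2544 2604 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe 32
PID 2544 wrote to memory of 2644 2544 cmd.exe 34
PID 2544 wrote to memory of 2644 2544 cmd.exe 34
PID 2644 wrote to memory of 2708 2644 RoamingKJKJKFCBKK.exe 35
PID 2604 wrote to memory of 2056 2604 9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe 36
PID 2056 wrote to memory of 2136 2056 cmd.exe 38
PID 2136 wrote to memory of 1668 2136 RoamingFHCGHJDBFI.exe 39
PID 1668 wrote to memory of 1940 1668 explorti.exe 41
PID 1668 wrote to memory of 1536 1668 explorti.exe 42
PID 1536 wrote to memory of 836 1536 e9a6b26931.exe 43
PID 836 wrote to memory of 2156 836 cmd.exe 45
PID 836 wrote to memory of 2748 836 cmd.exe 46
PID 2748 wrote to memory of 2628 2748 firefox.exe 47
PID 2748 wrote to memory of 2628 2748 firefox.exe 47
PID 2748 wrote to memory of 2628 2748 firefox.exe 47
PID 2156 wrote to memory of 2132 2156 chrome.exe 48
"""

# Children that never spawn anything carry no name in the rows; from the process tree.
EXTRA_NAMES = {2708: "axplong.exe", 1940: "c2a4594a7a.exe",
               2628: "firefox.exe", 2132: "chrome.exe"}


def parse_edges(text):
    """Return ({(parent, child): write_count}, {pid: image}) from report rows."""
    counts = Counter()
    names = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                              # ignore anything that is not a row
        parent, child, image, _target_id = m.groups()
        counts[(int(parent), int(child))] += 1
        names[int(parent)] = image
    return dict(counts), names


def depths(edges):
    """Depth of every pid, starting from roots (parents that are never a child)."""
    children = defaultdict(list)
    all_children = set()
    for parent, child in edges:
        children[parent].append(child)
        all_children.add(child)
    roots = {p for p, _ in edges} - all_children
    depth = {}
    stack = [(r, 0) for r in roots]
    while stack:
        pid, d = stack.pop()
        if pid in depth:
            continue                              # guard against cycles
        depth[pid] = d
        stack.extend((c, d + 1) for c in children.get(pid, []))
    return depth


def render(edges, names):
    """Indented tree, one line per process, with the collapsed write count."""
    children = defaultdict(list)
    for (parent, child), n in edges.items():
        children[parent].append((child, n))
    depth = depths(edges)
    lines = []

    def walk(pid, d, n):
        tag = f" (writes: {n})" if n else ""
        lines.append("  " * d + f"{pid} {names.get(pid, '?')}{tag}")
        for child, cnt in sorted(children.get(pid, [])):
            walk(child, d + 1, cnt)

    for root in sorted(p for p, d in depth.items() if d == 0):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    e, n = parse_edges(SAMPLE_WPM)
    print("\n".join(render(e, {**n, **EXTRA_NAMES})))
```

The write count per edge is the number of rows collapsed; in this report every pair is a parent and its own child, so a count above one is just how many writes a process start took, and the figure that would matter, an edge whose child is not in "Executes dropped EXE" or the tree, never appears.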
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth is shown as [n] with indentation; the command line follows each image path. PID 3224 appears twice (gawdth.exe, later a Firefox content process): the PID was reused after gawdth.exe exited, so correlate on PID plus image name, not PID alone.

[1] C:\Users\Admin\AppData\Local\Temp\9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe (PID 2604)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\9c860d91caaed7c18f0b1a613766240cc6e6a9dacd8dec70cf903db6f38988c5.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2544)
      cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingKJKJKFCBKK.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\RoamingKJKJKFCBKK.exe (PID 2644)
        cmdline: "C:\Users\Admin\AppData\RoamingKJKJKFCBKK.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (PID 2708)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          This is the installed Amadey copy (install_dir 44111dbc49, install_file axplong.exe from the first Amadey config); everything at depth 5 below it is a payload it downloaded.

        [5] C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe (PID 3840)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
            - Executes dropped EXE
            - Loads dropped DLL

          [6] C:\Users\Admin\AppData\Local\Temp\onefile_3840_133664427841135000\stub.exe (PID 3168)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              The onefile_<parent pid>_<filetime> directory and the parent's re-used command line are consistent with a one-file bundler (Nuitka-style) bootstrap re-launching its unpacked payload; PID 3168 is the process the Monster Stealer memory YARA rule matched.

        [5] C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe (PID 3304)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\WerFault.exe (PID 1540)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 108
              - Loads dropped DLL
              - Program crash

        [5] C:\Users\Admin\AppData\Local\Temp\1000003001\5447jsX.exe (PID 2052)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000003001\5447jsX.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\WerFault.exe (PID 3976)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 64
              - Loads dropped DLL
              - Program crash

        [5] C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe (PID 3148)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\WerFault.exe (PID 3204)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 64
              - Loads dropped DLL
              - Program crash

        [5] C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe (PID 3496)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe"
            - Executes dropped EXE

        [5] C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe (PID 3576)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            The RedLine payload; the family_redline memory match is on this PID.

        [5] C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe (PID 2612)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"

          [6] C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe (PID 3392)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"

        [5] C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe (PID 1008)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"

          [6] C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe (PID 3612)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"
              pered.exe and 2020.exe each re-launch themselves with an identical command line, the behaviour of a PyInstaller one-file bootloader; the report's two PyInstaller YARA hits are on dropped files it does not map to file names, so the link is a likely one, not a stated one.

        [5] C:\Users\Admin\AppData\Local\Temp\1000014001\gawdth.exe (PID 3224)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000014001\gawdth.exe"

          [6] C:\Windows\system32\cmd.exe (PID 2372)
              cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

            [7] C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe (PID 2396)
                cmdline: clamer.exe -priverdD

              [8] C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe (PID 3948)
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe"
                  RarSFX0 and RarSFX1 are the extraction directories WinRAR self-extracting archives create: gawdth.exe is an SFX whose setup script runs 1.bat, which starts clamer.exe, itself an SFX that unpacks and runs lofsawd.exe.

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2056)
      cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingFHCGHJDBFI.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\RoamingFHCGHJDBFI.exe (PID 2136)
        cmdline: "C:\Users\Admin\AppData\RoamingFHCGHJDBFI.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 1668)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          The second installed Amadey copy (install_dir 0d8f5eb8a7, install_file explorti.exe from the second Amadey config).

        [5] C:\Users\Admin\AppData\Local\Temp\1000002001\c2a4594a7a.exe (PID 1940)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000002001\c2a4594a7a.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [5] C:\Users\Admin\1000003002\e9a6b26931.exe (PID 1536)
            cmdline: "C:\Users\Admin\1000003002\e9a6b26931.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\cmd.exe (PID 836)
              cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1C66.tmp\1C67.tmp\1C68.bat C:\Users\Admin\1000003002\e9a6b26931.exe"
              - Suspicious use of WriteProcessMemory
              The <tmp>\<tmp>\<name>.bat invocation with the executable's own path as argument is the pattern of a batch script compiled into an executable. The batch file opens https://www.youtube.com/account in both installed browsers, so everything beneath this cmd.exe is Chrome and Firefox start-up, which is where most of the browser rows in the signatures above come from.

            [7] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2156)
                cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
                - Enumerates system info in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2132)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7799758,0x7fef7799768,0x7fef7799778

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1124)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1284,i,12026919024987128374,2336862283504977221,131072 /prefetch:2

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1128)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1284,i,12026919024987128374,2336862283504977221,131072 /prefetch:8

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1420)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1284,i,12026919024987128374,2336862283504977221,131072 /prefetch:8

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2924)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1284,i,12026919024987128374,2336862283504977221,131072 /prefetch:1

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1544)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1284,i,12026919024987128374,2336862283504977221,131072 /prefetch:1

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3788)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1296 --field-trial-handle=1284,i,12026919024987128374,2336862283504977221,131072 /prefetch:2

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3920)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1400 --field-trial-handle=1284,i,12026919024987128374,2336862283504977221,131072 /prefetch:1

              [8] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2564)
                  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 --field-trial-handle=1284,i,12026919024987128374,2336862283504977221,131072 /prefetch:8

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2748)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                - Suspicious use of WriteProcessMemory

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2628)
                  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                  - Checks processor information in registry
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  - Suspicious use of WriteProcessMemory

                [9] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2556)
                    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.0.829426283\1241693378" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1148 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53d64d01-9518-449c-96a7-32d6cbe8a0c9} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 1316 109f1c58 gpu

                [9] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2260)
                    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.1.1795958066\2143421624" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09ad77de-fcd7-4f3c-9b46-4e4686b8ffc7} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 1532 40ec158 socket

                [9] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1340)
                    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.2.726460304\1957080131" -childID 1 -isForBrowser -prefsHandle 1840 -prefMapHandle 1860 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 728 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e14f1b-a77b-4191-9ed9-b73f5820fde3} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 2004 19c8da58 tab

                [9] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2076)
                    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.3.1594345388\873092378" -childID 2 -isForBrowser -prefsHandle 2628 -prefMapHandle 2624 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 728 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {665a234c-f064-4ca1-a070-16180fd432b7} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 2636 e69058 tab

                [9] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3180)
                    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.4.586618909\1683540277" -childID 3 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 728 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {514438c3-5c56-4ff9-b36f-eca4978e8027} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 3940 20177258 tab

                [9] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3188)
                    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.5.1835074000\304990876" -childID 4 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 728 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {538bb6ab-fe74-4b88-9f02-85098e8a7194} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 3904 1eb6e158 tab

                [9] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3224)
                    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.6.916990419\171722074" -childID 5 -isForBrowser -prefsHandle 4216 -prefMapHandle 4220 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 728 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d65047c0-bfea-459d-b11a-b95063cd9e8b} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 3968 20105f58 tab

[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 580)
    cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    Chrome's own elevation service (a Windows service Chrome starts on demand), not a malware component.

[1] C:\Windows\system32\taskeng.exe (PID 2080)
    cmdline: taskeng.exe {FAC0982B-CB4F-4522-915E-2DCB9539526E} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]

  [2] C:\ProgramData\vqsemb\wvwmvno.exe (PID 1780)
      cmdline: C:\ProgramData\vqsemb\wvwmvno.exe
      Started by the task engine, i.e. from a scheduled task, which ties in with the .job files and the Task Scheduler COM API signature; the report does not show which payload created the task or the vqsemb directory, so that link has to be made from the task definition on the host.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Defense Evasion
Modify Registry (2)
Subvert Trust Controls (1)
Install Root Certificate (1)
Virtualization/Sandbox Evasion (2)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (4)
Credentials In Files (4)
Downloads