Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-08-2024 06:16
Static task: static1
Behavioral task: behavioral1
  Sample: 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  Resource: win11-20240802-en
General
Target: 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
Size:   1.8MB
MD5:    b34e3f1eba1a4c3c26104128f3df2e94
SHA1:   e1e8b98be081cf73205e90c5fef03d7d19611590
SHA256: 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab
SHA512: dddf13d6bddf77ec846fe3e91296d28865e723b84f7331f333c4ccdba5372b4f5e2f6521d27e2d8381a4ea3bda7fa5516b70222b99b6ed7594428d8b3a470e76
SSDEEP: 49152:t9QGsvc5L4WK5zkxy9fnSTt4M4YHCGeS:EGsvMLHyRyyM4YHFe
Malware Config
Extracted: amadey
  Version:      4.41
  Botnet:       0657d1
  C2:           http://185.215.113.19
  install_dir:  0d8f5eb8a7
  install_file: explorti.exe
  strings_key:  6c55a5f34bb433fbd933a168577b1838
  url_paths:    /Vi9leo/index.php
Extracted: stealc
  Botnet:   kora
  C2:       http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access or copy of a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   explorti.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation  explorti.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation  RegAsm.exe

Executes dropped EXE (6 IoCs)
  pid   process
  2944  explorti.exe
  4872  932baf1258.exe
  3660  b5e47d0d6d.exe
  2468  6612447c8f.exe
  5852  explorti.exe
  1692  explorti.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                         process
  Key opened   \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine  explorti.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine  explorti.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine  explorti.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\932baf1258.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\932baf1258.exe"  explorti.exe
AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables. All three hits are memory dumps of PID 3264, the RegAsm.exe instance whose thread context was set by 932baf1258.exe.
  resource                                                                  yara_rule
  behavioral1/memory/3264-45-0x0000000000400000-0x000000000052D000-memory.dmp  autoit_exe
  behavioral1/memory/3264-47-0x0000000000400000-0x000000000052D000-memory.dmp  autoit_exe
  behavioral1/memory/3264-49-0x0000000000400000-0x000000000052D000-memory.dmp  autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid   process
  1088  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  2944  explorti.exe
  5852  explorti.exe
  1692  explorti.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                                  pid   process         target process
  PID 4872 set thread context of 3264          4872  932baf1258.exe  RegAsm.exe
  PID 3660 set thread context of 3636          3660  b5e47d0d6d.exe  RegAsm.exe

Drops file in Windows directory (1 IoC)
  description   ioc                            process
  File created  C:\Windows\Tasks\explorti.job  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6612447c8f.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorti.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  932baf1258.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b5e47d0d6d.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                         process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                process
  Key created  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings  firefox.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   process
  1088  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe (x2)
  2944  explorti.exe (x2)
  5852  explorti.exe (x2)
  1692  explorti.exe (x2)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2696  firefox.exe (x5)

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   process
  3264  RegAsm.exe   (repeated calls)
  2696  firefox.exe  (repeated calls)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid   process
  3264  RegAsm.exe   (repeated calls)
  2696  firefox.exe  (repeated calls)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   process
  2696  firefox.exe (x4)
Suspicious use of WriteProcessMemory (64 IoCs)
  Distinct writer -> target pairs, with the number of recorded writes:
  pid   process                                                                 target pid  target process   writes
  1088  3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe  2944        explorti.exe     3
  2944  explorti.exe                                                            4872        932baf1258.exe   3
  4872  932baf1258.exe                                                          4488        RegAsm.exe       3
  4872  932baf1258.exe                                                          3264        RegAsm.exe       10
  2944  explorti.exe                                                            3660        b5e47d0d6d.exe   3
  3660  b5e47d0d6d.exe                                                          3636        RegAsm.exe       9
  3264  RegAsm.exe                                                              4056        firefox.exe      2
  4056  firefox.exe                                                             2696        firefox.exe      11
  2696  firefox.exe                                                             2160        firefox.exe      20

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
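The extracted config and the registry/file signatures above translate directly into detection content. The Python below is a worked example added to this page by the editor; it is not Triage output and not code from the sample. It embeds the C2 hosts and URL paths from the Malware Config, the install_dir/install_file and explorti.job artifacts, and the sandbox-fingerprint registry keys from the signatures, then runs them over a few constructed proxy log lines and Sysmon-style host events. The log-line format, the event dictionary shape, the two-key threshold for sandbox fingerprinting and the "Run key pointing into Temp" heuristic are the example's own assumptions, not statements made by the report.

```python
"""Turn this report's extracted config and registry/file signatures into offline-checkable
detection logic. Editor's example; not Triage code and not the sample's code."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# --- indicators copied from the Malware Config and Signatures sections -----------------------
C2 = {  # host -> family
    urlsplit("http://185.215.113.19").hostname: "amadey",
    urlsplit("http://185.215.113.100").hostname: "stealc",
}
C2_PATHS = {"/Vi9leo/index.php": "amadey", "/e2b1563c6670f193.php": "stealc"}
AMADEY_INSTALL = "\\0d8f5eb8a7\\explorti.exe"        # install_dir + install_file
AMADEY_JOB = "c:\\windows\\tasks\\explorti.job"      # "Drops file in Windows directory"
# Registry keys the sample read to fingerprint sandboxes (anti-VM / anti-Wine / BIOS signatures)
VM_PROBE_KEYS = {
    "hardware\\acpi\\dsdt\\vbox__",
    "hardware\\description\\system\\systembiosversion",
    "hardware\\description\\system\\videobiosversion",
    "software\\wine",
}
_URL_RE = re.compile(r"https?://\S+")
_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


@dataclass(frozen=True)
class Finding:
    family: str   # "amadey", "stealc" or "generic"
    rule: str
    evidence: str


def match_proxy_line(line: str) -> Optional[Finding]:
    """One proxy-style log line -> Finding if it reaches a known C2.
    A host-only match is still reported: the IP is the stable indicator, the PHP path may rotate."""
    m = _URL_RE.search(line)
    if not m:
        return None
    u = urlsplit(m.group(0))
    fam = C2.get((u.hostname or "").lower())
    if fam is None:
        return None
    rule = "c2_host_and_path" if C2_PATHS.get(u.path) == fam else "c2_host"
    return Finding(fam, rule, m.group(0))


def match_host_event(ev: Dict[str, str]) -> Optional[Finding]:
    """One Sysmon-like host event (constructed shape, not Sysmon's schema) -> Finding."""
    if ev["type"] == "FileCreate":
        p = ev["path"].lower()
        if p.endswith(AMADEY_INSTALL.lower()):
            return Finding("amadey", "install_file", ev["path"])
        if p == AMADEY_JOB:
            return Finding("amadey", "task_job", ev["path"])
    elif ev["type"] == "RegistrySet":
        # Heuristic drawn from the "Adds Run key" signature: an autostart entry pointing into Temp
        if "\\currentversion\\run\\" in ev["key"].lower() and _TEMP_RE.search(ev["value"]):
            return Finding("generic", "run_key_into_temp", f'{ev["key"]} = {ev["value"]}')
    return None


def vm_probing_processes(events: Iterable[Dict[str, str]], min_keys: int = 2) -> Dict[str, List[str]]:
    """Processes that touched >= min_keys distinct sandbox-fingerprint keys. One read is routine
    for installers; several from one process is the pattern this report shows (threshold assumed)."""
    seen: Dict[str, set] = {}
    for ev in events:
        if ev["type"] in ("RegistryOpen", "RegistryQuery"):
            key = ev["key"].lower()
            for probe in VM_PROBE_KEYS:
                if probe in key:
                    seen.setdefault(ev["process"], set()).add(probe)
    return {proc: sorted(k) for proc, k in seen.items() if len(k) >= min_keys}


def sweep(proxy_lines: Iterable[str], host_events: List[Dict[str, str]]) -> List[Finding]:
    findings = [f for f in map(match_proxy_line, proxy_lines) if f]
    findings += [f for f in map(match_host_event, host_events) if f]
    for proc, keys in vm_probing_processes(host_events).items():
        findings.append(Finding("generic", "sandbox_fingerprinting", f"{proc}: {', '.join(keys)}"))
    return findings


# Constructed telemetry: the values mirror this report, the line and event formats are invented.
SAMPLE = "3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"
SID = "S-1-5-21-1302416131-1437503476-2806442725-1000"
PROXY_LOG = [
    "10.0.0.12 POST http://185.215.113.19/Vi9leo/index.php 200",
    "10.0.0.12 POST http://185.215.113.100/e2b1563c6670f193.php 200",
    "10.0.0.12 GET http://185.215.113.19/some_other.php 404",
    "10.0.0.12 GET https://accounts.google.com/ServiceLogin 200",
]
HOST_EVENTS = [
    {"type": "FileCreate", "process": SAMPLE, "path": r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"},
    {"type": "FileCreate", "process": SAMPLE, "path": r"C:\Windows\Tasks\explorti.job"},
    {"type": "RegistrySet", "process": "explorti.exe",
     "key": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\932baf1258.exe",
     "value": r"C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe"},
    {"type": "RegistryOpen", "process": "explorti.exe", "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "RegistryQuery", "process": "explorti.exe", "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "RegistryOpen", "process": "explorti.exe", "key": rf"HKU\{SID}\Software\Wine"},
    {"type": "RegistryQuery", "process": "firefox.exe", "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
]

if __name__ == "__main__":
    for f in sweep(PROXY_LOG, HOST_EVENTS):
        print(f"[{f.family}] {f.rule}: {f.evidence}")
```

The host-side rules deliberately key on the parts of Amadey's config that change least between builds (install_dir, install_file, the Tasks job) rather than on the per-campaign payload names such as 932baf1258.exe; the CentralProcessor reads by firefox.exe in the report are a reminder that a single fingerprint-style registry read is normal and only the combination is worth alerting on.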
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe  (PID 1088)
  cmd: "C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe  (PID 2944)
    cmd: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe  (PID 4872)
      cmd: "C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4488)
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 3264)
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [5] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4056)
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2696)
            cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2160, gpu)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1792 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb1dc20e-1ca4-4fd3-bdec-d73b7b585d78} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" gpu

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3664, socket)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {041fc072-0cf1-4ed4-b6b7-133e44c45fd4} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" socket

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3752, tab)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1476 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3160 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b76077f7-19b5-4a96-af81-3e4afd5ef926} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2024, tab)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3316 -prefMapHandle 3252 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7300565-5987-48eb-82b2-54fafd3f308a} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5456, utility)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4520 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4512 -prefMapHandle 4508 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b211136-c42f-4a43-8926-ef39a4ba8636} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" utility
              - Checks processor information in registry

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1816, tab)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d72064cb-b222-42ea-b647-a0e9d637be6c} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1424, tab)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5420 -prefMapHandle 5044 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c638dc-ef57-4094-9d49-80990fd16383} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1076, tab)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5596 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51b1165c-2f29-4d9c-a654-be2c0ca5a7dc} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5320, tab)
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6368 -childID 6 -isForBrowser -prefsHandle 6328 -prefMapHandle 6332 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96bb004a-c15d-4e82-b8b6-068765411f89} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

    [3] C:\Users\Admin\1000037002\b5e47d0d6d.exe  (PID 3660)
      cmd: "C:\Users\Admin\1000037002\b5e47d0d6d.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 3636)
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery

    [3] C:\Users\Admin\AppData\Local\Temp\1000038001\6612447c8f.exe  (PID 2468)
      cmd: "C:\Users\Admin\AppData\Local\Temp\1000038001\6612447c8f.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe  (PID 5852)
  cmd: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe  (PID 1692)
  cmd: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
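Two things in the tree above are worth correlating rather than alerting on in isolation: 932baf1258.exe (PID 4872) and b5e47d0d6d.exe (PID 3660) each start RegAsm.exe with no arguments, write into it and then set its thread context, which is the hollowing sequence the SetThreadContext and WriteProcessMemory signatures record; and the hollowed RegAsm.exe (PID 3264) then launches Firefox directly on the Google account password page. The Python below is an added example written for this page, not Triage code and not the sample's code. It rebuilds the tree from constructed Sysmon-style events that carry the PIDs, images, command lines and write/set-context pairs listed above, and flags both patterns. The event dictionary shape and the browser and expected-launcher lists are the example's assumptions.

```python
"""Rebuild the process tree from Sysmon-style events and flag RegAsm.exe hollowing plus a browser
launched by the hollowed process. Editor's example; not Triage code and not the sample's code."""
import ntpath
from typing import Dict, List, Set, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
GOOGLE_PW = ("https://accounts.google.com/ServiceLogin?service=accountsettings"
             "&continue=https://myaccount.google.com/signinoptions/password")


def create(pid: int, ppid: int, image: str, args: str = "") -> dict:
    return {"kind": "create", "pid": pid, "ppid": ppid, "image": image, "args": args}


def mem(kind: str, src: int, target: int) -> dict:
    """kind is "write" (WriteProcessMemory) or "setctx" (SetThreadContext)."""
    return {"kind": kind, "src": src, "target": target}


# Constructed event stream. PIDs, images, arguments and the write/set-context pairs are those in
# the report's process tree and signatures; the dict shape is this example's, not Sysmon's schema.
EVENTS = [
    create(1088, 0, SAMPLE),
    create(2944, 1088, r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"),
    create(4872, 2944, r"C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe"),
    create(4488, 4872, REGASM), mem("write", 4872, 4488),            # written to, no SetThreadContext
    create(3264, 4872, REGASM), mem("write", 4872, 3264), mem("setctx", 4872, 3264),
    create(4056, 3264, FIREFOX, GOOGLE_PW),                           # browser spawned by hollowed host
    create(2696, 4056, FIREFOX, GOOGLE_PW),                           # Firefox's own child: benign parent
    create(3660, 2944, r"C:\Users\Admin\1000037002\b5e47d0d6d.exe"),
    create(3636, 3660, REGASM), mem("write", 3660, 3636), mem("setctx", 3660, 3636),
    create(2468, 2944, r"C:\Users\Admin\AppData\Local\Temp\1000038001\6612447c8f.exe"),
]

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}                       # assumption
EXPECTED_BROWSER_PARENTS = BROWSERS | {"explorer.exe", "cmd.exe", "powershell.exe"}  # assumption


class ProcessGraph:
    def __init__(self, events: List[dict]):
        self.image: Dict[int, str] = {}
        self.args: Dict[int, str] = {}
        self.parent: Dict[int, int] = {}
        self.writes: Set[Tuple[int, int]] = set()
        self.setctx: Set[Tuple[int, int]] = set()
        for ev in events:
            if ev["kind"] == "create":
                self.image[ev["pid"]] = ev["image"]
                self.args[ev["pid"]] = ev["args"]
                self.parent[ev["pid"]] = ev["ppid"]
            elif ev["kind"] == "write":
                self.writes.add((ev["src"], ev["target"]))
            elif ev["kind"] == "setctx":
                self.setctx.add((ev["src"], ev["target"]))

    def name(self, pid: int) -> str:
        return ntpath.basename(self.image.get(pid, "")).lower()

    def ancestry(self, pid: int) -> List[str]:
        """Image basenames from the root of the recorded tree down to pid."""
        chain = []
        while pid in self.image:
            chain.append(ntpath.basename(self.image[pid]))
            pid = self.parent[pid]
        return chain[::-1]

    def hollowed(self) -> List[dict]:
        """Child created by src, written to by src, and thread context set by src."""
        out = []
        for src, tgt in sorted(self.setctx):
            if self.parent.get(tgt) == src and (src, tgt) in self.writes:
                out.append({"src": src, "target": tgt, "target_image": self.name(tgt),
                            "no_args": self.args.get(tgt, "") == "", "chain": self.ancestry(tgt)})
        return out

    def browser_from_unexpected_parent(self) -> List[dict]:
        """Browser started by something other than a shell or another browser instance."""
        out = []
        for pid in sorted(self.image):
            if self.name(pid) in BROWSERS and self.name(self.parent[pid]) not in EXPECTED_BROWSER_PARENTS:
                out.append({"pid": pid, "parent": self.name(self.parent[pid]),
                            "url": self.args[pid], "chain": self.ancestry(pid)})
        return out


if __name__ == "__main__":
    g = ProcessGraph(EVENTS)
    for h in g.hollowed():
        print("hollowing:", " -> ".join(h["chain"]), "(target started with no arguments)" if h["no_args"] else "")
    for b in g.browser_from_unexpected_parent():
        print("browser from", b["parent"] + ":", " -> ".join(b["chain"]), b["url"])
```

RegAsm.exe PID 4488 is deliberately left in the data: it received writes but no SetThreadContext, so the hollowing rule does not fire on it, which matches how the report itself only lists 3264 and 3636 under "Suspicious use of SetThreadContext". Requiring all three events from the same parent keeps the rule quiet on debuggers and installers that only write into their children.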
Network

MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads

(no path recorded)
  Filesize: 206KB
  MD5:    f936e41f331f3bcfa5479fc12569dfa0
  SHA1:   0fbf4b66a04ac0c756b85e79df9aff371a0e46be
  SHA256: c607af07435b71602537fbe78096da145867130ab1dd1e33f0c3a4bda2524217
  SHA512: 2d21e55033462c4330fd42c52664d8cf6a01c4421a046a2ef37451024e76844b81e3fc4be7b22d5541079d7b0922ee8c24970ccc2e0bdc50bd5c4dd742fd6d50

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json
  Filesize: 42KB
  MD5:    5f624a740e2578f5ff8f81e9b8f5d5d5
  SHA1:   45dc0f40a4771c598538fb8e643dbd5e534657de
  SHA256: 534ae1497b0aff8c42591a68c68655379a3e52ab4465c84e92714401e62c9a80
  SHA512: ac6acf30300cf49b1fe0e309cc36b0d436a381cf58daf05aed28b0b6ae9e9bebe2b5f6ad6d88ef47332fc500471ebd510705058376ab01148dac5810349cc55f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
  Filesize: 13KB
  MD5:    38bf05ead9edad097fbc3a93af5cb01e
  SHA1:   9f3b8b980472b6c86265200d772e37cda0117d4a
  SHA256: fa81a0bfd22fe365c5ec155054f7bdc4711a244c8453bdf498c2cb2e1c8d4d6e
  SHA512: 6d6b9b77172827170a602a2ad89a2196e3bd10ef91e18e9dd0fb070b4892da8a3dd9d250012c2c2522c8732f0d3ebc6db94d086b15f216af73e99f23969de3a0

(no path recorded; hashes match the submitted sample)
  Filesize: 1.8MB
  MD5:    b34e3f1eba1a4c3c26104128f3df2e94
  SHA1:   e1e8b98be081cf73205e90c5fef03d7d19611590
  SHA256: 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab
  SHA512: dddf13d6bddf77ec846fe3e91296d28865e723b84f7331f333c4ccdba5372b4f5e2f6521d27e2d8381a4ea3bda7fa5516b70222b99b6ed7594428d8b3a470e76

(no path recorded)
  Filesize: 1.2MB
  MD5:    2cf4fe66d4e93a2aa66cfffdf7b9d55c
  SHA1:   c94b44c29812518331d7981984b45d35af5bb77b
  SHA256: 5e53e477950bf652646e1faeee7507c6db804d3d0dd19046f0832f7d778af835
  SHA512: bf86555ad8838deb7c94bacd2d0ac41d5af5ea1693ed31f515e7ef73b4e258e78ed92653cd216b01009b64abc1811e9f7a903b6d24d0827de60d4623dbf4ed73

(no path recorded)
  Filesize: 187KB
  MD5:    278ee1426274818874556aa18fd02e3a
  SHA1:   185a2761330024dec52134df2c8388c461451acb
  SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
  SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

(no path recorded)
  Filesize: 479KB
  MD5:    09372174e83dbbf696ee732fd2e875bb
  SHA1:   ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

(no path recorded)
  Filesize: 13.8MB
  MD5:    0a8747a2ac9ac08ae9508f36c6d75692
  SHA1:   b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5:    36e8b8f12fdd95d693e2ae4002984d6f
  SHA1:   f3cff6c4f8e5233c97d7fc7d010e6a888481255d
  SHA256: fbd5b26b901bae1712cfa57f44357c13cbf8f76eb6fb76a2c32a4ec791ab8a28
  SHA512: d6b918bfe786c08990cbda12ce49c80d70118a5b04792c5d859acd85866b415b3ad6196158182177421ab2e8058cbadaa8dcb8261e8456e81abe7281d309f67c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin
  Filesize: 16KB
  MD5:    f44dbafb337930c2b6f32088f5ea0bc5
  SHA1:   ccbeaaf4615323f1abe6ec2fdd93c71c6f843979
  SHA256: 74e63004e9267c349f1b43974bdf94bd080b2dafa1fe1fbf4350ebc5aec42aaf
  SHA512: 172d2c986375791381c7f871f14a009abd63b9fc553cfb793d16d8e1b60a4cc0b774e56270b0ff0e60f12519d3f2d870139373bf8979fea756a2c070ad69271f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 16KB
  MD5:    da72355134417c6f46cd75aa9f0c79a6
  SHA1:   380a3204446f5c0177c67934c8161343857a4ae3
  SHA256: ec7082221b42398c4310acfaff34e62ce01fc195e15af837cebadf42d3a3d973
  SHA512: ff71a42d2630cc71a8d887b1c92a010189af8ea760c60bb10e0f4f3952ef04e92a7678df4df48dd6989eb3b476594b10d00f182d16a6588ddbf9ce615be696f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 16KB
  MD5:    7ada35fe796574074fd6271417f3bffc
  SHA1:   b8592fc2be2909f0e068ec1c7eea39576aa4a265
  SHA256: 1f55eb3939c52aa8849f743da469b816f643cebf86906d89c773fcd56fbad3a1
  SHA512: 415f49478360278a65cd4429b658d2ddfa319480777280d2846731b85bd9332230615c02ae979bedf63e278e9c406e7935090f75d4aed0bc0fc2cdf2ebfc15c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5:    524901f1946e68f0dd61d446388d4ed5
  SHA1:   ddfec1500ca3a8f602ea6a4302580a56432f3991
  SHA256: 4c6ca20d348956840fa2d86688435daff195b5c75865a218c0d6894582a79190
  SHA512: cde125e073608bf529eacef18bd357870190b61f5011197dd8251db6e5b532de08557ef162b00eb8f307f78898750c2e111c910f571fc2cf068cf3a0df8c745e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\2baa8ef8-94b8-481c-b78f-9c7ed64f917f
  Filesize: 671B
  MD5:    2a2fd16826e40d64bc8cf6b3f7aa98a5
  SHA1:   08f7d7a40daaff4f16f5617bce9c6bd0924312c3
  SHA256: 312d6c4caa65b0da681c8f2709d77a49be99629d1d2788ed73a2a09d5f963f89
  SHA512: b5fe2313efc4ad5133c2db0881eba91d791b6585c829f40b093c54eeb1cd1d200a334063ba1ea1575d4c969fb57e71e38df69ff192fa2dd83b266179eebc6f71

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\a0ca079d-ac41-42f8-857e-cd16370226f1
  Filesize: 982B
  MD5:    2464ace660d2d6a90d569d4049f79632
  SHA1:   90822031963d3d8679a219b57874dafb0f0b3799
  SHA256: bd233b01a116dbd4ab246549f2727ca40f7d7f6f5d578fa5b1d59874c9d29a09
  SHA512: 438b478b39fde3907a2274483a27e0fc05288dd3a34bab128fcabf77676228568aec2c22d7cf99e0cfbf165a23cd69304521b29402429f9c07620072468ccf20

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\e0b806c7-5bb8-47f3-8d40-1bfce8262526
  Filesize: 26KB
  MD5:    efc2ef733b62fd0532906bed3964465f
  SHA1:   42f42be3b76aa87c051182fbf181441c8a0848e7
  SHA256: 3f85db1f1c29a3919c7bfe234a804b9de6d07635736cebb5a6dd5bdf974221cf
  SHA512: 49f1c3ab49f04423d29c8bccad26e8002a96c7e9bb1839140d9452e6dbb96abaec7b5e880cb350df338a7c0c780402a50a593ba5c5eb53bbafe06453c9db8306

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5:    842039753bf41fa5e11b3a1383061a87
  SHA1:   3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5:    2a461e9eb87fd1955cea740a3444ee7a
  SHA1:   b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5:    bf957ad58b55f64219ab3f793e374316
  SHA1:   a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5:    daf7ef3acccab478aaa7d6dc1c60f865
  SHA1:   f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

(no path recorded)
  Filesize: 11KB
  MD5:    14ae2b32897950492f8b17186401881e
  SHA1:   348f3fdf158529aceb909d5cc57ad0a25cc137dd
  SHA256: 2cfa42ead3d1ef00072a83be11ddf23b35eb4b92981cda75ecd6c9c35a9fd295
  SHA512: 175432c3874743b3ebc95e36aa201db454800f1b0326aed49e72be0be9ae6a0d6cccd6cf800154f8cf65effea279f24fbe15a0a45eb8d16f209304f34966d0b8

(no path recorded)
  Filesize: 11KB
  MD5:    9cef77bdb452024343c21dc50685763b
  SHA1:   8e2debf848b0c2fbc58dbfcd2b3b1aae7661936b
  SHA256: 0e14720cd683b00c5140facef81e9212090f14296c334097f8d9caad077283b2
  SHA512: 6c666942a1c77ec7a453416605685e9b2283a3c40bcffa38cbc76220ab5af9f14b00f5e63c8c52083368563b2ec2873eb8c282d2be8a8e1e86e2a845b3361368

(no path recorded)
  Filesize: 14KB
  MD5:    8afd8541067bb2f6d3824fcc49ed0c5f
  SHA1:   b2172f68349c0956c020f623ae20fda398380f72
  SHA256: 34b88e759d9e873989b84f1a7b5485a9419751f42ca4f46bf08463d92155b86e
  SHA512: f43edf496d1a19ae07c0997935865ecbf05a9df946ea611f4c1d245fc728234b913c31c2562265827a0610ea12f28b4e23d9778141e1fe07f5292b7cbe95531a

(no path recorded)
  Filesize: 11KB
  MD5:    ad0e022ad6ba3ebfbc00d07f0a9c3128
  SHA1:   ce274907ae4636e1435d60d38f11fb64fc9d002e
  SHA256: 599f106d0de476239e1e21d9092d77001071fc605f4cad6378f1ed32a16b1c52
  SHA512: 0725bd3a6094b52a113c73f69507e3f760b08c546689ef00af1192763151f1b0da1e2f4cae8f7540bfa3969c83763d1dc099aa298a6b357abaaf973256057760

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4
  Filesize: 5KB
  MD5:    3bae7052e94705cfa0214625785f2515
  SHA1:   e115e02d01b5bcaa6434ef8ed4d3dfe3bbe7b258
  SHA256: ee37644618433d3e55080fbe5696db73d44f6716248cdb451fc7811cf1cbcc4e
  SHA512: 32610302e2215e7884e19eef4de1eb0ace5c12a786dd5fda9d9cef52c833b554281c467086076c631af3601ab336d4f7cc5cf8c0bea77d6feb0b63647040b751

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 1.3MB
  MD5:    57c9a00cc0faa63c53b34d64b9cb3d72
  SHA1:   7983195faaa80510dfc38de1a43bab54316ffffc
  SHA256: 652a38eb6abd6a31bb712db9db7ae229a0f2da2aaf28c825ddda1ee7325c8c2e
  SHA512: ed81941b01b54ebcb19fadc44590dd544ae050b389941698642b930dc0cefe2e9be1d904038f141fd0e03eb7630d0e757e1162a4224172419358ef252fa14e59

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 2.6MB
  MD5:    6084632116cbab7181e591fb695d8fc1
  SHA1:   6fe6de8932d9a4288a6de8c39302f7149d5a9e0f
  SHA256: cbf234e5116b798d9cacbf4b240eb7f4ab61832a2e7cd9523dda7704c4bb00c3
  SHA512: 797b376d9eaab5192eaf34367297d057b71815767bf8e1c02a50c9d5c1b9f777a3373518fd238b6f1cab862a84963a67f43131ba9f4b5c02ded3b809d52747b4