Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-08-2024 10:04
Static task: static1
Behavioral task: behavioral1
Sample: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
Resource: win10v2004-20240802-en
General
Target: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
Size: 1.8MB
MD5: ba37a189ab35239217ccdd4f4766c71c
SHA1: 3c0026b03213b6aa832f7e6221f1ebc601066898
SHA256: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765
SHA512: 03940a1b0310e5a37931e531f4c65a53c9adab784c527e50065f5e22f10687d8f0f260a1c51453e4ffe780205c4bdd8603cac3a72bc461acb3c8ab6a20bee474
SSDEEP: 49152:cokvS72lZo7r7awCDiJBW/U4os6bWW9fUNB/oL/kaRbmwJ:Lkuh73awC6QU43BI+VoTkabn
Malware Config
Extracted: amadey
  4.41
  0657d1
  http://185.215.113.19
  install_dir: 0d8f5eb8a7
  install_file: explorti.exe
  strings_key: 6c55a5f34bb433fbd933a168577b1838
  url_paths: /Vi9leo/index.php
Extracted: stealc
  nord
  http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Extracted: stealc
  kora
  http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe, explorti.exe (4 processes)
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe (4 processes)
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe (3 processes), e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe (3 processes), e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe (3 processes), e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: RegAsm.exe, e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe, explorti.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | RegAsm.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | explorti.exe
Executes dropped EXE 7 IoCs
pid | process
- 3068 | explorti.exe
- 2932 | a61151bbb9.exe
- 1724 | 39022e5fcd.exe
- 2312 | 4fb177122a.exe
- 5740 | explorti.exe
- 2888 | explorti.exe
- 1776 | explorti.exe
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes: explorti.exe (4 processes), e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | explorti.exe (4 processes)
- Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: explorti.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a61151bbb9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\a61151bbb9.exe" | explorti.exe
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral1/memory/3992-44-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
- behavioral1/memory/3992-46-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
- behavioral1/memory/3992-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | process
- 4996 | e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
- 3068 | explorti.exe
- 5740 | explorti.exe
- 2888 | explorti.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | process | target process
- PID 2932 set thread context of 3992 | 2932 | a61151bbb9.exe | RegAsm.exe
- PID 1724 set thread context of 5048 | 1724 | 39022e5fcd.exe | RegAsm.exe
Drops file in Windows directory 1 IoCs
description | ioc | process
- File created | C:\Windows\Tasks\explorti.job | e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe, explorti.exe, a61151bbb9.exe, RegAsm.exe (2 processes), 39022e5fcd.exe, 4fb177122a.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a61151bbb9.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe (2 processes)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 39022e5fcd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4fb177122a.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe (2 processes)
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Modifies registry class 1 IoCs
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | process (each process listed twice in the original report)
- 4996 | e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
- 3068 | explorti.exe
- 5740 | explorti.exe
- 2888 | explorti.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | process
- Token: SeDebugPrivilege | 3524 | firefox.exe (5 events)
Suspicious use of FindShellTrayWindow 64 IoCs
pid | process (64 events; repeated identical entries collapsed)
- 3992 | RegAsm.exe
- 3524 | firefox.exe
Suspicious use of SendNotifyMessage 64 IoCs
pid | process (64 events; repeated identical entries collapsed)
- 3992 | RegAsm.exe
- 3524 | firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | process
- 3524 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe, explorti.exe, a61151bbb9.exe, 39022e5fcd.exe, RegAsm.exe, firefox.exe
description (source process -> target process); repeated identical entries collapsed:
- PID 4996 wrote to memory of 3068 (e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe -> explorti.exe)
- PID 3068 wrote to memory of 2932 (explorti.exe -> a61151bbb9.exe)
- PID 2932 wrote to memory of 3992 (a61151bbb9.exe -> RegAsm.exe)
- PID 3068 wrote to memory of 1724 (explorti.exe -> 39022e5fcd.exe)
- PID 1724 wrote to memory of 5048 (39022e5fcd.exe -> RegAsm.exe)
- PID 3068 wrote to memory of 2312 (explorti.exe -> 4fb177122a.exe)
- PID 3992 wrote to memory of 4380 (RegAsm.exe -> firefox.exe)
- PID 4380 wrote to memory of 3524 (firefox.exe -> firefox.exe)
- PID 3524 wrote to memory of 3012 (firefox.exe -> firefox.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- PID 4996 (level 1): "C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - PID 3068 (level 2): "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - PID 2932 (level 3): "C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - PID 3992 (level 4): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - PID 4380 (level 5): "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          - PID 3524 (level 6): "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - PID 3012 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53b10569-353e-443b-8d87-fe8beda409b3} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" gpu
            - PID 1904 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {908b47df-111f-45bc-bbdb-4fd8b4799bcb} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" socket
            - PID 2212 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8e0b43d-74fb-42a2-bece-4180b7edac8b} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
            - PID 4908 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3460065d-4b5b-4d7b-a670-13d35a59dcaf} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
            - PID 5460 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4548 -prefMapHandle 4544 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edce8c0d-d719-4f4e-ab48-dc4ea405a7ca} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" utility
              - Checks processor information in registry
            - PID 6120 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 5340 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed66ce30-4785-4c86-b17c-de13de5a3038} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
            - PID 6132 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f1a4c70-08d2-48ec-a207-2fe773fc1f1f} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
            - PID 2668 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5800 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebf58567-3e44-4b33-9159-5c8f61986fdb} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
            - PID 5248 (level 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 6 -isForBrowser -prefsHandle 6320 -prefMapHandle 6328 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a432dbe5-8439-4bf3-8396-482cbe72e8c9} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
    - PID 1724 (level 3): "C:\Users\Admin\1000037002\39022e5fcd.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - PID 5048 (level 4): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
    - PID 2312 (level 3): "C:\Users\Admin\AppData\Local\Temp\1000038001\4fb177122a.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- PID 5740 (level 1): C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- PID 2888 (level 1): C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- PID 1776 (level 1): C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
Downloads