Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
14-08-2024 02:33
Static task
static1
Behavioral task
behavioral1
Sample
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe
Resource
win10v2004-20240802-en
General
-
Target
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe
-
Size
1.8MB
-
MD5
48c24a152ce98431b83006650bc02fc8
-
SHA1
d76713abc3ba7c3fbe823fbefc49d30484ea6ad9
-
SHA256
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f
-
SHA512
35296079dcf7a710a3aeda4e5eca0cb6998f2f1253da50a7393fa42ff26a98ee36d2ba79fbd0c0c513db2bd0c7958d29a4e7ddd70d58b27080c2fa17492147fb
-
SSDEEP
49152:wIQoAqAqx7YRidXvdrG4O1aTd49puiyvOED:wjoAqlYRipv84nd49puiyvOED
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
explorti.exeexplorti.exeexplorti.exe284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exe284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exee739d7e3e8.exe72353cd75e.exee806b8991f.exeexplorti.exeexplorti.exeexplorti.exepid process 4948 explorti.exe 3748 e739d7e3e8.exe 5084 72353cd75e.exe 2804 e806b8991f.exe 6036 explorti.exe 5220 explorti.exe 5820 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
RegAsm.exepid process 940 RegAsm.exe 940 RegAsm.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\e739d7e3e8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e739d7e3e8.exe" explorti.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/2992-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/2992-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/2992-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 2664 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe 4948 explorti.exe 6036 explorti.exe 5220 explorti.exe 5820 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
e739d7e3e8.exe72353cd75e.exedescription pid process target process PID 3748 set thread context of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 5084 set thread context of 940 5084 72353cd75e.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exedescription ioc process File created C:\Windows\Tasks\explorti.job 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
e739d7e3e8.exeRegAsm.exe72353cd75e.exeRegAsm.exee806b8991f.exe284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e739d7e3e8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 72353cd75e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e806b8991f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exeRegAsm.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeRegAsm.exeexplorti.exeexplorti.exeexplorti.exepid process 2664 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe 2664 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe 4948 explorti.exe 4948 explorti.exe 940 RegAsm.exe 940 RegAsm.exe 6036 explorti.exe 6036 explorti.exe 940 RegAsm.exe 940 RegAsm.exe 5220 explorti.exe 5220 explorti.exe 5820 explorti.exe 5820 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2596 firefox.exe Token: SeDebugPrivilege 2596 firefox.exe Token: SeDebugPrivilege 2596 firefox.exe Token: SeDebugPrivilege 2596 firefox.exe Token: SeDebugPrivilege 2596 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2596 firefox.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe 2992 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 2596 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exee739d7e3e8.exe72353cd75e.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 2664 wrote to memory of 4948 2664 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe explorti.exe PID 2664 wrote to memory of 4948 2664 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe explorti.exe PID 2664 wrote to memory of 4948 2664 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe explorti.exe PID 4948 wrote to memory of 3748 4948 explorti.exe e739d7e3e8.exe PID 4948 wrote to memory of 3748 4948 explorti.exe e739d7e3e8.exe PID 4948 wrote to memory of 3748 4948 explorti.exe e739d7e3e8.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 3748 wrote to memory of 2992 3748 e739d7e3e8.exe RegAsm.exe PID 4948 wrote to memory of 5084 4948 explorti.exe 72353cd75e.exe PID 4948 wrote to memory of 5084 4948 explorti.exe 72353cd75e.exe PID 4948 wrote to memory of 5084 4948 explorti.exe 72353cd75e.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 5084 wrote to memory of 940 5084 72353cd75e.exe RegAsm.exe PID 4948 wrote to memory of 2804 4948 explorti.exe e806b8991f.exe PID 4948 wrote to memory of 2804 4948 explorti.exe e806b8991f.exe PID 4948 wrote to memory of 2804 4948 explorti.exe e806b8991f.exe PID 2992 wrote to memory of 1804 2992 RegAsm.exe firefox.exe PID 2992 wrote to memory of 1804 2992 RegAsm.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 1804 wrote to memory of 2596 1804 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe PID 2596 wrote to memory of 4048 2596 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe"C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2559a9b-bdb0-4ad9-a785-6d793f975726} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" gpu7⤵PID:4048
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecd797ab-eed8-415d-bdee-6d11099d75f2} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" socket7⤵PID:2376
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3024 -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4413f9e1-deba-45bb-89a1-5a1b1ec407b7} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab7⤵PID:2500
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -childID 2 -isForBrowser -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fd52be4-79da-4498-86d4-7597a79e3f7a} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab7⤵PID:552
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4976 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4972 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9891c3f0-f463-4718-9580-7743dc0746d9} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" utility7⤵
- Checks processor information in registry
PID:5276 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 3 -isForBrowser -prefsHandle 5532 -prefMapHandle 5488 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baf8f874-53d6-4692-be81-fdac7b4b9be7} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab7⤵PID:3444
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5488 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fff4d9ba-9652-4855-96ba-dea0a0fa43ae} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab7⤵PID:1244
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5944 -childID 5 -isForBrowser -prefsHandle 5952 -prefMapHandle 5956 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {143f97c5-add2-4696-bad4-eecbdd4afd39} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab7⤵PID:2268
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6140 -prefMapHandle 6148 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {433e9818-88db-4f79-a4d0-807bfba26619} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab7⤵PID:4900
-
C:\Users\Admin\1000037002\72353cd75e.exe"C:\Users\Admin\1000037002\72353cd75e.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:940 -
C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6036
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5220
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5820
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
207KB
MD52b845ae9efa4fee06f704f96b9828fdd
SHA1c3ebc546d88d08c19fb65ba086d153aae2fe46fe
SHA256da122348356834ca10d6bf9efa9cf352ba2db2e851699f981753e126cae9e508
SHA5127f1631de67e75bf5b8e08f33b7d3c5cc07b843b48ae8fc40b36cf9698538fca79f2b1cb496d2018a4d93459cc6b83d2cd3d052b1d72997694fa6221547de85c3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json
Filesize41KB
MD516d1f94e7f3e8c2ce31a89d36f7f1074
SHA1ab1c70cbbd572ab8620ac5365d2fc27ebd8d0af7
SHA256220a29913faf0f9dfba73116883000d467ec71249e674a44191b7796641977a1
SHA5120f759516ebf76229b4d6571291549254eeb10369d15f4a18dfbf96ae4437bc2429eff4276ca245b7fd0dfe97641f8db20f70781ea53beed4d80011fa99b1a252
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5eb92fb68283908c41685c5383c389ce5
SHA1fda7497fc49d493d2bff7aae388f2de95c113a15
SHA256586d984dbdc78b3257da504fe4e6059a9f42b5d903807e59d07177c36f38505b
SHA5126f4906762b1056a9893369d58b16b08b03ba7bf2c0753b13ca951751bc4391884c51f57973d1e4c47c7ee73db4c818b413aa79f507b1ddf43dad100a3b7ff88f
-
Filesize
1.8MB
MD548c24a152ce98431b83006650bc02fc8
SHA1d76713abc3ba7c3fbe823fbefc49d30484ea6ad9
SHA256284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f
SHA51235296079dcf7a710a3aeda4e5eca0cb6998f2f1253da50a7393fa42ff26a98ee36d2ba79fbd0c0c513db2bd0c7958d29a4e7ddd70d58b27080c2fa17492147fb
-
Filesize
1.2MB
MD58af76706f6ecb73d3ed8680a5e2cdc0f
SHA13668dbf5a57164102d1b0adea941316fa55f47fc
SHA256922c12d506652b85601064eb571333ef395c88e201acfd6f2a4b69ee13eae5f9
SHA512ea7f1cd1b32705e3f80a0f050ca9630505604343099e787fb57aa5cdcfee1b75218eb252519e6854ad368513e4af0756256ae7443c8dae93c9cd08829aeab3cd
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize10KB
MD5ca2c4b56da08997d456a75c8766bf5b7
SHA11e75390a4f650da198dd8faae44e1b8babd12233
SHA2563f585015e836e627fcdaf115a67215cfddd68fa7bf252cc29655e526f26ce9a5
SHA5120f57b862dbddd5e930c19c40eb4638737bbecd883bc1b5450e739bcc75f4a95e06c5d8aceebdbfedaacc88fececbe79cc373db0f4ef82da3e740f4a55b7f0d7c
-
Filesize
384KB
MD5caadc88cfc1a8addb4a9e3e451034ba6
SHA1a53f17e4a19179f22eff0fd4a12643490a3bd212
SHA256e442950dcd2246a8aee282ba9323605c1cca3a9fd928b613ecbb9bc7c4e469db
SHA5123995347462de1d14c862be1d386664f3eedcf6644777549f6cbc18aaf1471174c77d6fb635bbb67a1cc89867aaeea3e63995446648ea849efbf7628c562e4391
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD55088020ca7a406e2660725717bcab2a4
SHA14eea11f62bcf25effff082a402c1debf0cfc3bab
SHA2563c763e69d1d89728d7b5a131972e5cf1eb50899eba2c305a6fdfb22b062f3afd
SHA5120fe7587e6155125a1841b3946ec7b53f93afc70d46a85d633e03aefa46bdd0a98e0cf83d0a576ae8fbf21515162da99ecffbcf9c71e15805b84d52d9c5ffd4ff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5a715e411d0ee7349aca85f6993a77908
SHA1efc4ca2e0e31ba9fe733ac9967e726ddc339815b
SHA256abf778f5fbd27067410be1854d0c8e2cd0fdf553405feac26a6cbe66bfd525b2
SHA5125eff29ab72c697302671a55108de105468aa5174383f6edcded85f47b17114b3138da5a7d090b9580ad0846f352dd4fd5d4d877a64691729159985d34e6faffc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5c1582c81c84a1bd3f36db23d84f64d45
SHA18cdbb8ecc8e22646c1715ccbb228f76686bf03d7
SHA2564c3cabf710c75dd61bf972bc971883ec0f6f267ccdfb7a839b6c32f4769ae00b
SHA512a3a32ce6771b960ce5b60024baa17d4d5aeb0e84b551f67e028a783596548c5baeec7dd1b0bef3e02eaf33a6ac72e8a02e2a923ab4e64e84e63aa1fc8122b54f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\09601f96-9a8e-4fdc-86b3-282849d4fff4
Filesize982B
MD5d6a47061eab5acc62a5167e2bb731595
SHA167ce135d6e2a58a98ed5963f9d437906937ed86b
SHA2560280335868c4f371fa7233ac4e6a41998bd93147e0f457b494fe1ed37ca4d204
SHA512d0b93e4d35ebbe5383592724baf8d95f6181f7a96fc9a7918eea655a00a3573fefc5e2d0668d9fa35bdd71d01bbde8ab46ae8180e8787425ab938dcbdbbf7fa8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\44ff73d5-ee94-4c05-b82f-6fe196543212
Filesize659B
MD57a7d1b0f8a19acf4852bddc98341b2d1
SHA1b9af496737fa3d4839008e1993f2b097ee8e6f93
SHA256b90ee40c7fd6fa96fd96f060937e12c966d16f197f5c90839959d19453634838
SHA512540e3e9ef4560610423aa9d18669281846b549d7d04c317311ae033bded46a4d39a06417f18debbbbc04f4552566c7051717097f47c6b8aa9c3238197baa094e
-
Filesize
256KB
MD597c1441748d6cc3e5a7030cda7543975
SHA1f5598a45b101a5404126cd27fbb7f4b70861ee32
SHA2562015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91
SHA51229d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
1.3MB
MD5e60b5df9fda1a7fe66a16c64637a5ffe
SHA17275806abf4d302aefe33090f8d00367b4afb0bd
SHA256bd98230098f4ac47a00a6e2b007142019347961018dca0c5dedec193c18afa00
SHA512ac796c8b560666ac8b945855dc381bf36f5ed03890a693ec692804d71e3feb33df274dc52ea8ccb169680c9a432710adf647339c534d5ccd45cfbfa9120e5057
-
Filesize
11KB
MD5b8e69225dcff894207f7217c76ed2aef
SHA1b7e181ccb776e5f02087d1965d6db638fc27c050
SHA256f2ae905ebb3aec8bf0f42d54ba257b9cc00010268bff18752d244183eb4ee837
SHA512da249b0931afb68b69c9af507f7f108e688ad0098568f16c11bb83d26dfb1a70b70da3eadb1c0e44b0975a5ed34e42f092e9748504588d9e6b7e66d1e91e2cc6
-
Filesize
13KB
MD541781e6a4c3d2a8aa1cdce77f70bf127
SHA157085ebdc659315845a67bf073028850c2cbe72c
SHA256766a02d75ec73e40df8eed00ddf57d39ea8569623be668b689bf0944b522558a
SHA512134dc2b22b0bb9346dd616881749cb6bc496650e926795d4e5a41ec8b9c1faf2a2f65059460bb8e91d0d4577dfcbe5ceafb797da715ef0090cf0ae268e6db353
-
Filesize
11KB
MD5ef63d22499a52df473520eec3bb3a057
SHA19b53006981e9ac26edc28c2a3c2926839965bb6a
SHA25668192470417054c5fb750bb7cfb6b89cb18dc0537c09906f82dff8376d3b958c
SHA512563b368db5a042f6a27a4a605863c3d10bf2ddcb85b61fca9342320c43f03428b483a7c5617ac0a369f8ed29161a8d7eba33bf6a05181e56b8d6bc9408bf46f9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.6MB
MD5ca17f9cfa124a0a598a9b335caadd661
SHA1ee133183d10d45f6a6825c7799572b3d02c9ca01
SHA2569b72fdacab3ce760ded0c790939be7894e05a433d3fcb5baa4548cb146bc1acc
SHA512039112fbe4883cb6bc343df57322634dbd0fa3161f50e465e78a508e5c9f55bf82696a20f9f71bac56e7c7d91c4b8345ffb29a44c0c52316b2de08d21d58ce3c