Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-08-2024 10:21
Static task
static1
Behavioral task
behavioral1
Sample
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe
Resource
win10v2004-20240802-en
General
-
Target
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe
-
Size
1.8MB
-
MD5
eb08ca426c0d2123f37fc72dd629dfb7
-
SHA1
a0e3043f563d7c1786c2abc250f32bac065ba94a
-
SHA256
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0
-
SHA512
de957c52cf7b51efd2be72361978b4222285c7a69b013ec85e9766839b076581581bcbd2e198b2a2e3cc85d833b9c48b0ab09b221c291d069c89231f3429ca8f
-
SSDEEP
24576:3/sjMo3GYnO4WErKws4PflE44n2UAy8fiignIvY32HOzx/MbXM9KSK0ZBWEnxkQG:Pe9n1LW4PfC44n2Vhc30cKZ0nr0xs03
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
explorti.exe094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.exeexplorti.exe094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exeexplorti.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exee631a91209.exe6d36ec8513.exe79632d75dd.exeexplorti.exeexplorti.exeexplorti.exepid process 468 explorti.exe 1620 e631a91209.exe 4020 6d36ec8513.exe 2360 79632d75dd.exe 5940 explorti.exe 2092 explorti.exe 5936 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exeexplorti.exeexplorti.exe094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e631a91209.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e631a91209.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/1008-44-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1008-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1008-48-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 4796 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe 468 explorti.exe 5940 explorti.exe 2092 explorti.exe 5936 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
e631a91209.exe6d36ec8513.exedescription pid process target process PID 1620 set thread context of 1008 1620 e631a91209.exe RegAsm.exe PID 4020 set thread context of 4804 4020 6d36ec8513.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exedescription ioc process File created C:\Windows\Tasks\explorti.job 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
e631a91209.exeRegAsm.exe6d36ec8513.exeRegAsm.exe79632d75dd.exe094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e631a91209.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6d36ec8513.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 79632d75dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 4796 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe 4796 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe 468 explorti.exe 468 explorti.exe 5940 explorti.exe 5940 explorti.exe 2092 explorti.exe 2092 explorti.exe 5936 explorti.exe 5936 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2344 firefox.exe Token: SeDebugPrivilege 2344 firefox.exe Token: SeDebugPrivilege 2344 firefox.exe Token: SeDebugPrivilege 2344 firefox.exe Token: SeDebugPrivilege 2344 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exeRegAsm.exefirefox.exepid process 4796 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe 1008 RegAsm.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
firefox.exepid process 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe 2344 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exeexplorti.exee631a91209.exe6d36ec8513.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 4796 wrote to memory of 468 4796 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe explorti.exe PID 4796 wrote to memory of 468 4796 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe explorti.exe PID 4796 wrote to memory of 468 4796 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe explorti.exe PID 468 wrote to memory of 1620 468 explorti.exe e631a91209.exe PID 468 wrote to memory of 1620 468 explorti.exe e631a91209.exe PID 468 wrote to memory of 1620 468 explorti.exe e631a91209.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 1620 wrote to memory of 1008 1620 e631a91209.exe RegAsm.exe PID 468 wrote to memory of 4020 468 explorti.exe 6d36ec8513.exe PID 468 wrote to memory of 4020 468 explorti.exe 6d36ec8513.exe PID 468 wrote to memory of 4020 468 explorti.exe 6d36ec8513.exe PID 4020 wrote to memory of 964 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 964 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 964 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 1380 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 1380 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 1380 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 2140 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 2140 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 2140 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 1740 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 1740 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 1740 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4280 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4280 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4280 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4480 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4480 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4480 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 4020 wrote to memory of 4804 4020 6d36ec8513.exe RegAsm.exe PID 468 wrote to memory of 2360 468 explorti.exe 79632d75dd.exe PID 468 wrote to memory of 2360 468 explorti.exe 79632d75dd.exe PID 468 wrote to memory of 2360 468 explorti.exe 79632d75dd.exe PID 1008 wrote to memory of 4608 1008 RegAsm.exe firefox.exe PID 1008 wrote to memory of 4608 1008 RegAsm.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 4608 wrote to memory of 2344 4608 firefox.exe firefox.exe PID 2344 wrote to memory of 2012 2344 firefox.exe firefox.exe PID 2344 wrote to memory of 2012 2344 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe"C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbdc14a6-c7ed-483a-ae8d-4a717918f9d9} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" gpu7⤵PID:2012
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d8cd415-f2c3-49b0-b35f-e100aaac4070} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" socket7⤵PID:2168
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2764 -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 3084 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {700a5215-2532-494c-a0c9-e438b53eae32} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab7⤵PID:4144
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3428 -childID 2 -isForBrowser -prefsHandle 3332 -prefMapHandle 3404 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4001de8b-0514-4295-b660-ce2dbdae939a} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab7⤵PID:2496
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fa91c7b-a5ae-4647-8609-1934515261d9} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" utility7⤵
- Checks processor information in registry
PID:636 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5560 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0731a7e-10eb-4ddb-b5a0-584ac6200d72} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab7⤵PID:4324
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5608 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {621e3b1a-5c3c-4a46-8100-7b08a9169e51} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab7⤵PID:3640
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0c3f063-338e-4997-8ca2-cb3ef26c47a1} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab7⤵PID:4224
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6364 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6216 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {204a64e3-0cea-4cc1-8551-d49c72a9d2de} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab7⤵PID:5408
-
C:\Users\Admin\1000037002\6d36ec8513.exe"C:\Users\Admin\1000037002\6d36ec8513.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:964
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:1380
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2140
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:1740
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4280
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4480
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5940
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2092
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5936
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
330KB
MD542252158d16167520a95adeab3eb15f4
SHA1cf1786aa94bf1de5b0157a50d6d102847144960d
SHA256d6f650af3380f2f251bb9b008939c070c9af647dd0b5ecb08e1f585142efe092
SHA51246efad99f2bc8b4f08cf8c86fdff9d8b973e06c01ca14e822e3720760dc8622d75411b566efec18387ca9c7b8ddf7dff43dffeaa1318f4e8b92ef28914d40897
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json
Filesize36KB
MD5858f928ec5bea0fe145fa92663289fe5
SHA1f3a663846cb14d1baa768c8d2069e2c93ee0ff22
SHA256c379c384be7a147e877574f0e98045630b221b30db661c70da17fa252ccbbec7
SHA512cf73b9a492e739787ad4417289881d0a4e4bfeb8fc89a1bbe9b80e9cb6bc533ed252f9f0a116a4278df70654aad52394efbf4af4b5d9e10a98f94edd7df7b9de
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5b642abdabf46d51d9fcd18b7765efc11
SHA156efa5543726b355e5b96fdae2f563289e0950d5
SHA25660f389c39a7e0f7849de9829e987b8641845cda1e52d7e0ead4077feb1e53daa
SHA5121a3adc79fdaae0afbbd17e2415e673bc741fffc80126851c18efbbc6a6f13a2df44ceff0969f01003cc431f46c0604315e5a6d8f54565564d9ec5b7695033f76
-
Filesize
1.8MB
MD5eb08ca426c0d2123f37fc72dd629dfb7
SHA1a0e3043f563d7c1786c2abc250f32bac065ba94a
SHA256094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0
SHA512de957c52cf7b51efd2be72361978b4222285c7a69b013ec85e9766839b076581581bcbd2e198b2a2e3cc85d833b9c48b0ab09b221c291d069c89231f3429ca8f
-
Filesize
1.3MB
MD52028fc2da0953fc19cceaf906d78edf5
SHA1c1f5339f185dfa30385c0bb16a4a4a0a90e1d436
SHA25689356f70821a7561ebd4c88c6d3c4610591154fd07804ac903e53ef3817887e4
SHA5128e993895e854c302594a2246beaf87c9418ba174bfaba2b03834d56af71f32b53d65c55dbe11fb1acd660c551eaf1f17d6a8585d5892f4a83aca308ee5084399
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin
Filesize10KB
MD5739db4a439b77d470c70757edfbfd2c5
SHA1ab804607687ab2437151f2151259a2a5fa7ec6b4
SHA256944f19c66837039d0106dc6da2271f32fd7c95dc18fa257ab51075838164ee23
SHA512d187308a261ab74991284bead2c2d6f3e4b205f3cffcb51dc3104b96c9b9f201f3ca562db402a5bc05a69bf836edb8b3a319f7eca9b3977220fc12fac4401c07
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5d5d2cf18ce4b5ea963f8229acf75d3cf
SHA1481f4193a0a99698ad022a59102a938eeaac8e9f
SHA256833d53fa8fb30a844a49c7982ce14bdd1afb07c6b05145d7816067541ff87931
SHA51242408a81fc7ac6ab27d59d48abe88adde74c7c0c0c3999dbba63808c2723128602d636e5f9b46d22d63374571e4a67de20844a405628a2c61c504613f88b35fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD57bc65505d22593472a9bd636bad18911
SHA11673db16bed0553e96e70e1c259aa824991828c0
SHA256a1376356f89d87153b56201bb7031792c86a94b75d466f98906ad49967df651b
SHA51207bb0e51d0193ed9d6cd256f5ec0d37df4b1b0a267e821a40b5b9d8d4b1d6e742b4dc0110e17c3556cf04b2e0dea336e5d721f9ebd4b43a8f052d5fdac201beb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD520b1315a1638684593e1aaee88e0741c
SHA102a5ff0d7253dec4ae5d03d0bdb62df3db878907
SHA256a3e7c4c2bc53f9768042ef722f9dfa8a94c0ce58e5152a0c4d4ea56d37ee2a7e
SHA512ce38c5a6eed816b67e153b2dda242bc68d82a0283940c1d85800fe412e7c4163b0cf7a2106e873d58d394d2cf41402cab1671a5ffac3a352ef8f9def9661191a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD54254599bda5890800a42e493ccc3adce
SHA114801c08a7869e2fc91f448e417ea10763c06563
SHA256f83581d541e438707baaca1a0e076c1af85f17dbd3d07335da315d95ab932d01
SHA51295687ea9cd88848a142fbe4eea542a6efad7649fc45c9c16c1c14839ffb031567c5f218ef1d2776a1f532492b4ba3d397b2e608d9aa368f522fa23a082286172
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\5e900987-9821-4e98-a85e-93f5938fa8b1
Filesize671B
MD5de07ab266c27538500668c727a5c5dbf
SHA149b1defcea38cd00333042c6299ff8ed2deff9bb
SHA256b5bac9c4e797a1d63036a54ea2049fbe2d2774f3a2a08daa159648a4d9073057
SHA512f67035aaaebcab2afb722f365252bfb2ec155dd049d62bb10a77f4c34b58711c6bd1b8cca45249848df8b6c4f2c6a021b7a422be77b02268bd41ca63287d17ac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\5f912f65-362a-4c7f-8299-ea7c23531074
Filesize982B
MD5185114dba4f72ca61cb58bf153b271e4
SHA1b1705d094ea67a543731545c75cad083956cf3e3
SHA2561c9a50c4aa3a7e47ddb92c968cc006a0fb458898aa3e8204142363fb86dc235e
SHA512d7e4ea75eac83a85515e855dfaa60dc2c7f62edfff0cd1da9a2995c444d10f22a68ae9a84cc4218d6aaf367584e0936486992ce6de0eda1274a73423c0a4692f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\f4c9efb8-f132-4d87-92c3-7419aa3c8f58
Filesize25KB
MD570138a7114c68ab31bf5b8d98f374288
SHA187bc121e539a67936508117eac629c728b1765c5
SHA256b099c7c70ca3cd6a4f5204b7418906b4bd11dea10b802f0560505693b1c61270
SHA512f93107719f9b4a6e109d58f337a8e2666ae20f11aac7673ba4b06a63b463d53dc4fe1b1b92200f548aa4249a4bee8cff9ec49f696dbb9b3872c34ed23a317757
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
13KB
MD55ec26a4d3d350e7010d29fb98f742f3b
SHA1bcb38d3b5ded783fbf3398c21e69ae2c0af3faa9
SHA256bbdd620e41c9463c7a7ce0a2eadf43c8d2261694fa011becbbc11e6853239a40
SHA5123ba28ada06e4d5dd2974741d2d623ab1cdac3dcd720d91922bc135efbbdcff276e5657eeec50dd2f375593f8306f404351764827961eafc1a25af7b9a7c4b11b
-
Filesize
16KB
MD50a71be70bde36b00857507fb44ca528a
SHA10fad2d0ab52e6aca30087f3580c6a8d06a3c6443
SHA256b15219d46c4a1e2167f370046a1c19e7c62090267e77c0b1d59ad181bc2b556b
SHA512d4bffd9d7742638dc8d10a180c970cc2e3a3ab9b4e4e081486585b0ddc0ced904f97856aaf3bdc2fcbe1530a094520136f46d01e3db77f93653fd07236c2c63d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD587e14aceb3df85cc2d2a9aaac3b1548c
SHA1cc1d6e5dcf8ee92acaa146f289fa0eb6ff7aa472
SHA256cd019bf9a27ab9febd32c7ab9067fe89e50e118419263f111201c120f2103b79
SHA51249cd604339362c8296bacb26ff3bbe8dad05b1ca4c9b44e8bb46a964d0e9562386a56c5c14930452d3465e77db4f82bb09307ae3dc66a76e6a9250552155d01c