3e275e8febf...37.exe
windows7-x64
7e275e8febf...37.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$SYSDIR/CEA_Crypt.dll
windows7-x64
3$SYSDIR/CEA_Crypt.dll
windows10-2004-x64
3$SYSDIR/FT...nk.dll
windows7-x64
3$SYSDIR/FT...nk.dll
windows10-2004-x64
3$SYSDIR/In...11.dll
windows7-x64
3$SYSDIR/In...11.dll
windows10-2004-x64
3$SYSDIR/In..._s.dll
windows7-x64
3$SYSDIR/In..._s.dll
windows10-2004-x64
3$SYSDIR/Pa...rl.dll
windows7-x64
5$SYSDIR/Pa...rl.dll
windows10-2004-x64
5$SYSDIR/Pa...rl.dll
windows7-x64
5$SYSDIR/Pa...rl.dll
windows10-2004-x64
5$SYSDIR/Pa...ns.exe
windows7-x64
3$SYSDIR/Pa...ns.exe
windows10-2004-x64
3$SYSDIR/Pa...64.dll
windows7-x64
7$SYSDIR/Pa...64.dll
windows10-2004-x64
5$SYSDIR/Pa...ns.exe
windows7-x64
3$SYSDIR/Pa...ns.exe
windows10-2004-x64
3$SYSDIR/pa...ns.exe
windows7-x64
3$SYSDIR/pa...ns.exe
windows10-2004-x64
3$SYSDIR/pr...RA.dll
windows7-x64
3$SYSDIR/pr...RA.dll
windows10-2004-x64
3$SYSDIR/stwebdll.dll
windows7-x64
3$SYSDIR/stwebdll.dll
windows10-2004-x64
3$TEMP/EsWe...it.exe
windows7-x64
7$TEMP/EsWe...it.exe
windows10-2004-x64
7Analysis
-
max time kernel
143s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
25/08/2024, 06:28
Static task
static1
Behavioral task
behavioral1
Sample
e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$SYSDIR/CEA_Crypt.dll
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
$SYSDIR/CEA_Crypt.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$SYSDIR/FTInitlize_bank.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
$SYSDIR/FTInitlize_bank.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$SYSDIR/InterPass2000P11.dll
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
$SYSDIR/InterPass2000P11.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$SYSDIR/InterPass2000P11_s.dll
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
$SYSDIR/InterPass2000P11_s.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
$SYSDIR/PassGuardCtrl.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
$SYSDIR/PassGuardCtrl.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
$SYSDIR/PassGuardCtrlForYBXY/PassGuardCtrl.dll
Resource
win7-20240729-en
Behavioral task
behavioral18
Sample
$SYSDIR/PassGuardCtrlForYBXY/PassGuardCtrl.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
$SYSDIR/PassGuardCtrlForYBXY/passguardwin7ins.exe
Resource
win7-20240704-en
Behavioral task
behavioral20
Sample
$SYSDIR/PassGuardCtrlForYBXY/passguardwin7ins.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
$SYSDIR/PassGuardX64ForYBXY/PassGuardX64.dll
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
$SYSDIR/PassGuardX64ForYBXY/PassGuardX64.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
$SYSDIR/PassGuardX64ForYBXY/passguardwin7ins.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
$SYSDIR/PassGuardX64ForYBXY/passguardwin7ins.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
$SYSDIR/passguardwin7ins.exe
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
$SYSDIR/passguardwin7ins.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
$SYSDIR/printCtl4RA.dll
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
$SYSDIR/printCtl4RA.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
$SYSDIR/stwebdll.dll
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
$SYSDIR/stwebdll.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
$TEMP/EsWebSocketKit.exe
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
$TEMP/EsWebSocketKit.exe
Resource
win10v2004-20240802-en
General
-
Target
$TEMP/EsWebSocketKit.exe
-
Size
2.0MB
-
MD5
03608817f4280e182fe17dcc532b78af
-
SHA1
3810abd4bab3e9b962c96019a2e73422c90fbc31
-
SHA256
211e3a7eac588949321ab2bafd1317a18b5c33f5064faff26f5b1d409d73e4d3
-
SHA512
aa1f690f29e893b61a2ae18eb364457aab7086ccfa6394bd46b60e94f6d7834f93b6a5e336a32dae251fb79db0a70265d3ca0703c19cd6d99314aecef6cfae5f
-
SSDEEP
49152:xQxqVOQPx6T4ooThi+cKS6aWM0A5sT4KV3Bm:xQxqVM4Xi+/7aW3wsNJg
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsFtWebSocketKit = "\"C:\\Program Files (x86)\\EsWebSocketKit\\EsFtWebSocket.exe\"" EsWebSocketKit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsHttpServer = "\"C:\\Program Files (x86)\\EsWebSocketKit\\EsHttpServer.exe\"" EsWebSocketKit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsWebSocketKit = "\"C:\\Program Files (x86)\\EsWebSocketKit\\ESWebSocket.exe\"" EsWebSocketKit.exe -
Modifies Windows Firewall 2 TTPs 6 IoCs
pid Process 1556 netsh.exe 3916 netsh.exe 4644 netsh.exe 3376 netsh.exe 4992 netsh.exe 1596 netsh.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\server.crt EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\IActiveXCtrl.dll EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\dh.pem EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\cert.cer EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\cert.key EsWebSocketKit.exe File created C:\Program Files (x86)\EsWebSocketKit\server.key EsWebSocketKit.exe File created C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js EsWebSocketKit.exe File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js EsWebSocketKit.exe -
Executes dropped EXE 15 IoCs
pid Process 2076 regFirefox64.exe 4520 regFirefox64.exe 3404 ESWebSocket.exe 4996 EsFtWebSocket.exe 2124 EsHttpServer.exe 4348 FirefoxMOIT.exe 3764 ESWebSocket.exe 5032 EsHttpServer.exe 4784 EsFtWebSocket.exe 3052 ESWebSocket.exe 4496 EsHttpServer.exe 4992 EsFtWebSocket.exe 736 ESWebSocket.exe 2768 EsHttpServer.exe 3696 EsFtWebSocket.exe -
Loads dropped DLL 46 IoCs
pid Process 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 2076 regFirefox64.exe 4520 regFirefox64.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 4348 FirefoxMOIT.exe 4348 FirefoxMOIT.exe 4348 FirefoxMOIT.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FirefoxMOIT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsFtWebSocket.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ESWebSocket.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsFtWebSocket.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsWebSocketKit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ESWebSocket.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsFtWebSocket.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsHttpServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsHttpServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsHttpServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ESWebSocket.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsHttpServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ESWebSocket.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EsFtWebSocket.exe -
Kills process with taskkill 3 IoCs
pid Process 1752 taskkill.exe 5000 taskkill.exe 2656 taskkill.exe -
Modifies system certificate store
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\07A909A89FC6857FEAD7726BF955F1E4E8EDF922 EsWebSocketKit.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07A909A89FC6857FEAD7726BF955F1E4E8EDF922\Blob = 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 EsWebSocketKit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\5B2CB7BC03D02624FC74258DF56BA16EF1AD7D93 EsWebSocketKit.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5B2CB7BC03D02624FC74258DF56BA16EF1AD7D93\Blob = 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 EsWebSocketKit.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4272 schtasks.exe 4188 schtasks.exe 5024 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 3180 EsWebSocketKit.exe 4996 EsFtWebSocket.exe 4996 EsFtWebSocket.exe 3404 ESWebSocket.exe 3404 ESWebSocket.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1752 taskkill.exe Token: SeDebugPrivilege 5000 taskkill.exe Token: SeDebugPrivilege 2656 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3180 wrote to memory of 1752 3180 EsWebSocketKit.exe 86 PID 3180 wrote to memory of 1752 3180 EsWebSocketKit.exe 86 PID 3180 wrote to memory of 1752 3180 EsWebSocketKit.exe 86 PID 3180 wrote to memory of 5000 3180 EsWebSocketKit.exe 90 PID 3180 wrote to memory of 5000 3180 EsWebSocketKit.exe 90 PID 3180 wrote to memory of 5000 3180 EsWebSocketKit.exe 90 PID 3180 wrote to memory of 2656 3180 EsWebSocketKit.exe 92 PID 3180 wrote to memory of 2656 3180 EsWebSocketKit.exe 92 PID 3180 wrote to memory of 2656 3180 EsWebSocketKit.exe 92 PID 3180 wrote to memory of 3332 3180 EsWebSocketKit.exe 94 PID 3180 wrote to memory of 3332 3180 EsWebSocketKit.exe 94 PID 3180 wrote to memory of 3332 3180 EsWebSocketKit.exe 94 PID 3180 wrote to memory of 2076 3180 EsWebSocketKit.exe 96 PID 3180 wrote to memory of 2076 3180 EsWebSocketKit.exe 96 PID 3180 wrote to memory of 4520 3180 EsWebSocketKit.exe 99 PID 3180 wrote to memory of 4520 3180 EsWebSocketKit.exe 99 PID 3180 wrote to memory of 3404 3180 EsWebSocketKit.exe 100 PID 3180 wrote to memory of 3404 3180 EsWebSocketKit.exe 100 PID 3180 wrote to memory of 3404 3180 EsWebSocketKit.exe 100 PID 3180 wrote to memory of 4996 3180 EsWebSocketKit.exe 101 PID 3180 wrote to memory of 4996 3180 EsWebSocketKit.exe 101 PID 3180 wrote to memory of 4996 3180 EsWebSocketKit.exe 101 PID 3180 wrote to memory of 2124 3180 EsWebSocketKit.exe 102 PID 3180 wrote to memory of 2124 3180 EsWebSocketKit.exe 102 PID 3180 wrote to memory of 2124 3180 EsWebSocketKit.exe 102 PID 3180 wrote to memory of 4348 3180 EsWebSocketKit.exe 103 PID 3180 wrote to memory of 4348 3180 EsWebSocketKit.exe 103 PID 3180 wrote to memory of 4348 3180 EsWebSocketKit.exe 103 PID 3180 wrote to memory of 2024 3180 EsWebSocketKit.exe 105 PID 3180 wrote to memory of 2024 3180 EsWebSocketKit.exe 105 PID 3180 wrote to memory of 2024 3180 EsWebSocketKit.exe 105 PID 3180 wrote to memory of 4272 3180 EsWebSocketKit.exe 107 PID 3180 wrote to memory 
of 4272 3180 EsWebSocketKit.exe 107 PID 3180 wrote to memory of 4272 3180 EsWebSocketKit.exe 107 PID 3180 wrote to memory of 5032 3180 EsWebSocketKit.exe 109 PID 3180 wrote to memory of 5032 3180 EsWebSocketKit.exe 109 PID 3180 wrote to memory of 5032 3180 EsWebSocketKit.exe 109 PID 3180 wrote to memory of 4188 3180 EsWebSocketKit.exe 111 PID 3180 wrote to memory of 4188 3180 EsWebSocketKit.exe 111 PID 3180 wrote to memory of 4188 3180 EsWebSocketKit.exe 111 PID 3180 wrote to memory of 4484 3180 EsWebSocketKit.exe 113 PID 3180 wrote to memory of 4484 3180 EsWebSocketKit.exe 113 PID 3180 wrote to memory of 4484 3180 EsWebSocketKit.exe 113 PID 3180 wrote to memory of 5024 3180 EsWebSocketKit.exe 115 PID 3180 wrote to memory of 5024 3180 EsWebSocketKit.exe 115 PID 3180 wrote to memory of 5024 3180 EsWebSocketKit.exe 115 PID 3180 wrote to memory of 1556 3180 EsWebSocketKit.exe 117 PID 3180 wrote to memory of 1556 3180 EsWebSocketKit.exe 117 PID 3180 wrote to memory of 1556 3180 EsWebSocketKit.exe 117 PID 3180 wrote to memory of 3916 3180 EsWebSocketKit.exe 119 PID 3180 wrote to memory of 3916 3180 EsWebSocketKit.exe 119 PID 3180 wrote to memory of 3916 3180 EsWebSocketKit.exe 119 PID 3180 wrote to memory of 4644 3180 EsWebSocketKit.exe 121 PID 3180 wrote to memory of 4644 3180 EsWebSocketKit.exe 121 PID 3180 wrote to memory of 4644 3180 EsWebSocketKit.exe 121 PID 3180 wrote to memory of 3376 3180 EsWebSocketKit.exe 123 PID 3180 wrote to memory of 3376 3180 EsWebSocketKit.exe 123 PID 3180 wrote to memory of 3376 3180 EsWebSocketKit.exe 123 PID 3180 wrote to memory of 4992 3180 EsWebSocketKit.exe 126 PID 3180 wrote to memory of 4992 3180 EsWebSocketKit.exe 126 PID 3180 wrote to memory of 4992 3180 EsWebSocketKit.exe 126 PID 3180 wrote to memory of 1596 3180 EsWebSocketKit.exe 128 PID 3180 wrote to memory of 1596 3180 EsWebSocketKit.exe 128 PID 3180 wrote to memory of 1596 3180 EsWebSocketKit.exe 128
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\EsWebSocketKit.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\EsWebSocketKit.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\taskkill.exeC:\Windows\system32\taskkill.exe /f /im ESWebSocket.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
C:\Windows\SysWOW64\taskkill.exeC:\Windows\system32\taskkill.exe /f /im EsFtWebSocket.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
C:\Windows\SysWOW64\taskkill.exeC:\Windows\system32\taskkill.exe /f /im EsHttpServer.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"2⤵
- System Location Discovery: System Language Discovery
PID:3332
-
-
C:\Users\Admin\AppData\Local\Temp\regFirefox64.exeC:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\cert.cer2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076
-
-
C:\Users\Admin\AppData\Local\Temp\regFirefox64.exeC:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\ca.crt2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4520
-
-
C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3404
-
-
C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4996
-
-
C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe"C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4348
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /TN FT_ESWebSocket_A8B1F6F5477B /F2⤵
- System Location Discovery: System Language Discovery
PID:2024
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /TN FT_SWebSocket_A8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe'" /sc MINUTE /mo 12⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4272
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /TN 1FT_OneEsHttpServer_B8B1F6F5477B /F2⤵
- System Location Discovery: System Language Discovery
PID:5032
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /TN 1FT_OneEsHttpServer_B8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe'" /sc MINUTE /mo 12⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4188
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /F2⤵
- System Location Discovery: System Language Discovery
PID:4484
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe'" /sc MINUTE /mo 12⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5024
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=EsFtWebSocket2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1556
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=EsFtWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe" enable=yes profile=public,private2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3916
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=EsHttpServer2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4644
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=EsHttpServer dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe" enable=yes profile=public,private2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3376
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=EsWebSocket2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4992
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=EsWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe" enable=yes profile=public,private2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1596
-
-
C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3764
-
C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5032
-
C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4784
-
C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052
-
C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4496
-
C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992
-
C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736
-
C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768
-
C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3696
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
Downloads
-
Filesize
2.1MB
MD5 e88fcf35be36ccf3fa8ca6d441be74ac
SHA1 2fa310e1b8a0a1474b73c66c34a6feec2aa47c0f
SHA256 bb07c4b20e879b1feb42d8206f95ddf6c012871d8f5fe9773b47089f7772a712
SHA512 78cb8de754863f34e5add22e22e1307b51298462abd585c410e520e10f56502564e548189df3abd506b878640cfbf14ad4df4c11091f463b81231a2505ab7f59
-
Filesize
2.5MB
MD5 17ab752429d2e81d75cb6f09fb0583bc
SHA1 86dd820cce0902abbb1a840b0a1668b8938e6ae6
SHA256 3120f4bcc4b6e0d7ddf8245a51604219bdaa01ed94890ca0705c5588a1a254f6
SHA512 b0e5260997b52c6449506a911d5bc0605fb1293d4c6fa69dd70e27152327e6466437fdda0ab00b4112985b424893667fe97f2d95457affc3e42df88db9210532
-
Filesize
2.1MB
MD5 f766dace38bac14936a1b955661b6876
SHA1 44b99d1eda89d91f022387168460dadd3e6409c0
SHA256 ea44506c86426feed0ac905a1e23f02ed20c7a33623bec9c8fc0a0986a3f02b0
SHA512 3c35536226078d305fd557a92c132e1b28a2ba420270a0f10eb3e9849655e5b471b40c71f6ee03c98845c12eb656e3c4b57ab5b6b80c45d7e0942d78baf6186c
-
Filesize
91KB
MD5 a391daff8d9634979d0105b47a4138bf
SHA1 29f15a6f0b60d31ceca9fb2bfff7347ab8534ddf
SHA256 9d2532c5e809ee72ef1f277d1161073f8501f1b1d814627fbd62ae0447ccca1a
SHA512 3d299217a3f50b53c208d0265b8ce349d66661e5de451ac8050148710ee6931517667dd2562245764c1f104c568c877f4a984bec313169cb0475ed0347b96e0b
-
Filesize
1KB
MD5 2c4f4a547771e088e61346836dd1cfb3
SHA1 33cd72b6e1f1157d6a536a75bad6d4e0d91c5b86
SHA256 040072b3367930ac96b7bfc1f7366272ee9c18e85f5110119a4d7d07556eb296
SHA512 661266cf2c936e63558d6cd66d4fe51e4325287b293bb6bd06cae282bb14a31764baaed9914d79ec3a8e03d8c89f17180cc58da1384efcfb9c8df4c54f8644a9
-
Filesize
1KB
MD5 9d537451e919743026967da200358440
SHA1 5a782f53bf8b9f487221e6d7e3b528612ae6883f
SHA256 27544f1e19e23eb009dbe88006b010eac236d54c3de73cc26b1ffe0372cef59a
SHA512 344d275eb14330dbcdf490eed437c12312b7e4f5aae02229d702fe07040a94b73bd15b0c1e99f03207444404f2c7d3b3192a674d13700cfd454ef6a660ef4a69
-
Filesize
11KB
MD5 959ea64598b9a3e494c00e8fa793be7e
SHA1 40f284a3b92c2f04b1038def79579d4b3d066ee0
SHA256 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA512 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64
-
Filesize
6KB
MD5 08e9796ca20c5fc5076e3ac05fb5709a
SHA1 07971d52dcbaa1054060073571ced046347177f7
SHA256 8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
SHA512 02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4
-
Filesize
26KB
MD5 8e83b78d2e265d29a6751df565646da6
SHA1 f9a54b5f68d75a68391ebe8e56f2d4e6cffd6f69
SHA256 cd7b928678e0ad3c6a325103aaba21d00d4bac58fdf726f38c282f4f93def1b1
SHA512 7243a2487675b2f223747b77548be6fb337f3d92c82ec854becf422c84005096ed16e27d1ab7c6784f0b7bfe215c90eb65f0e2da07ec31eb38219b48d4c54424
-
Filesize
11KB
MD5 301a9c8739ed3ed955a1bdc472d26f32
SHA1 a830ab9ae6e8d046b7ab2611bea7a0a681f29a43
SHA256 6ec9fde89f067b1807325b05089c3ae4822ce7640d78e6f32dbe52f582de1d92
SHA512 41d88489ecb5ec64191493a1ed2ed7095678955d9fa72cccea2ae76dd794e62e7b5bd3aa2c313fb4bdf41c2f89f29e4cafe43d564ecad80fce1bf0a240b1e094
-
Filesize
68KB
MD5 dd3a47083df04500bbed296cad50c17a
SHA1 8479a361c83ff6a1aeec222409f630d10b97abab
SHA256 057301b32288b473d16d494fad6a933f1d80bda5dedded6700dcfb98c0997ec3
SHA512 074715818bde2c659c34c87cfe251e634365ab6b309a2150b1a50ba97291148286789c70d3f2ab7f0a09a3f7119f90fac814590f1b49b88126df4eafaf86eb0c
-
Filesize
99KB
MD5 f9d5e26985f3373c0cf6c81fc77282aa
SHA1 eb583db51757159aeac8f763eb47769e00a1697e
SHA256 563a0662dc1fe246cd228a822d11ea3d00a7582b382e991c2aa6efa1d8e44407
SHA512 85b5ab236ef0977e879638e6fbd0d7157bc030c5e5f63151a6373bd024e48228ab970b220a993ce59481b922ac9bb9891a9c69109d5bb29020d27bc4eca51e99
-
Filesize
45KB
MD5 8b26d23ed0026eaf0a58b3a082195ae2
SHA1 5b97c588f10cf7cf81fb6364247a94d59db0f908
SHA256 39e74e20de6b3be080f1454293546a50d0ef2f3a78b96b23c02bb35003a62833
SHA512 5853af3874fc4fa2a93b1f8ef3e42a78ed6451a13476696fbff188311099addbd9dabd87688a1c2bba75c8f57624aa5913cc37659d753969e20cdbd073854ecb
-
Filesize
224KB
MD5 ad3e3ec0bd71bc67c751e7c81390ff1f
SHA1 0f9d0a62dafb24ab956f122777aa7d9656a0ac02
SHA256 ddf258bc97c1946f1c16e55aa78e6cce67db9514c003535a43720da21b896762
SHA512 50eb0b78d888446593fc6fd69afe468519dfcc1343ab4eb561f58c61b50b196381fdd33f763647d4ad5cfff81c7a1bff1b7f3f2ce5f98df3faeff112cb5eac40
-
Filesize
288KB
MD5 903d48d613698850b9647b3301b55310
SHA1 6e4100663fe8b3cb64ac172f43f945b7b1e3098e
SHA256 37cf1fc5394f3dbff8ac8803507557ea3ae8b447b4f0e863242395a34faef561
SHA512 f0171970806362474f06e1cc9b9151d76db6ac6a1ea5bebdabd60fbaa6ae787b426a9ffaac8f410217ee77443396b748cbddc86637d4154c04eee8ec11febc52