Analysis
-
max time kernel
142s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags
arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted
11-09-2024 01:26
Static task
static1
Behavioral task
behavioral1
Sample
6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
Resource
win10v2004-20240802-en
General
-
Target
6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
-
Size
1.8MB
-
MD5
3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
-
SHA1
14e7cff2628e339009821bdb95673a40299149d0
-
SHA256
6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
-
SHA512
d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579
-
SSDEEP
49152:GQlomvjK2/8k6ZJ8EBHJGCHONwoFCRUUoYk32nOg:15vjak6z84uszoYkGl
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
Attributes:
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
Attributes:
- url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d6c383d585.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4c2f9460dc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4c2f9460dc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4c2f9460dc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d6c383d585.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d6c383d585.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Executes dropped EXE 5 IoCs
Processes (pid | process):
2340 | svoutse.exe
1464 | d6c383d585.exe
652 | 4c2f9460dc.exe
5584 | svoutse.exe
5636 | svoutse.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | d6c383d585.exe
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | 4c2f9460dc.exe
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | svoutse.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c2f9460dc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\4c2f9460dc.exe" | svoutse.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes (pid | process):
840 | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
2340 | svoutse.exe
1464 | d6c383d585.exe
652 | 4c2f9460dc.exe
5584 | svoutse.exe
5636 | svoutse.exe
Drops file in Windows directory 1 IoCs
Processes (description | ioc | process):
File created | C:\Windows\Tasks\svoutse.job | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6c383d585.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4c2f9460dc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class 1 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes (pid | process | entries):
840 | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | x2
2340 | svoutse.exe | x2
1464 | d6c383d585.exe | x2
652 | 4c2f9460dc.exe | x2
3736 | powershell.exe | x7
5584 | svoutse.exe | x2
5636 | svoutse.exe | x2
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 3736 | powershell.exe
Suspicious use of FindShellTrayWindow 21 IoCs
Processes (pid | process | entries):
1968 | firefox.exe | x21
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
1968 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid -> target pid | source process -> target process | entries):
840 -> 2340 | 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe -> svoutse.exe | x3
2340 -> 1464 | svoutse.exe -> d6c383d585.exe | x3
2340 -> 652 | svoutse.exe -> 4c2f9460dc.exe | x3
2340 -> 3736 | svoutse.exe -> powershell.exe | x3
3736 -> 948 | powershell.exe -> cmd.exe | x3
3736 -> 2168 | powershell.exe -> cmd.exe | x3
3736 -> 912 | powershell.exe -> firefox.exe | x2
3736 -> 1968 | powershell.exe -> firefox.exe | x2
912 -> 2724 | firefox.exe -> firefox.exe | x11
1968 -> 3404 | firefox.exe -> firefox.exe | x31
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by parent/child depth)
-
C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"
    PID: 840
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
        PID: 2340
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe
            Command line: "C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe"
            PID: 1464
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
        C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe"
            PID: 652
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
            PID: 3736
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
                PID: 948
                - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
                PID: 2168
                - System Location Discovery: System Language Discovery
            C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                PID: 912
                - Suspicious use of WriteProcessMemory
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                    PID: 2724
                    - Checks processor information in registry
            C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
                PID: 1968
                - Checks processor information in registry
                - Modifies registry class
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1be2a389-01ce-4cde-813e-dd7013d81023} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" gpu
                    PID: 3404
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c8a1311-2e3d-4bcd-aa58-a21b8ab917b4} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" socket
                    PID: 1060
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1572 -childID 1 -isForBrowser -prefsHandle 3456 -prefMapHandle 3356 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d623736-4001-42f1-a230-e3ec92ec2ed3} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                    PID: 2976
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3c4509-3ea7-42f7-8330-c5941022a208} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                    PID: 1816
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 3204 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d231df13-1cc8-4660-a64a-9ec385da9dd7} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                    PID: 1708
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4988 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {137a2190-03dd-4a75-a0c7-d7ac66f26d8d} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" utility
                    PID: 3336
                    - Checks processor information in registry
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c419c312-11f1-4dbb-a635-c75727b53603} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                    PID: 6072
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6024 -childID 5 -isForBrowser -prefsHandle 6016 -prefMapHandle 6012 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2e01d23-e6ed-4f0a-9620-9decff81a330} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                    PID: 6084
                C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 5916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66f01f80-81e2-44b0-86b3-af21cefd32b6} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                    PID: 6100
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    PID: 5584
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    PID: 5636
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json
Filesize: 24KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F
Filesize: 13KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize: 6KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize: 10KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize: 13KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize: 15KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize: 23KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 34KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\cc57f411-b2b4-422a-8869-d1d79d0b62d9
Filesize: 659B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\dfe68154-a62b-4dd5-b6c0-cea2286ee4ed
Filesize: 982B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp
Filesize: 1.1MB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
Filesize: 479B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4
Filesize: 1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4
Filesize: 5KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 376KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.4MB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 2.0MB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 9.7MB