Analysis
max time kernel: 150s
max time network: 156s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-09-2024 10:03
Static task: static1
Behavioral task: behavioral1
Sample: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
Resource: win10v2004-20240802-en
General
Target: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
Size: 1.8MB
MD5: d4a8074d0e6ec329e01d59e2c977bcc3
SHA1: 2e680f12aed4c51ed2277082c3f8af9368f7f3cd
SHA256: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3
SHA512: f670ea342da46e72001b55a7ec396638284baafeb6f7ee4c261d1323fbcf9cd9718eeeb2c917ac28d5a76939a7321895a277104ce654e6f037d477e72eb74e7f
SSDEEP: 24576:GDyzKfdwfy9f1QEz/srIUP1VEv6UEfYW7GobWa+n1YvaANs57ttoMOzzD+yVn5Az:Gf13NQdTPXdNBbN+WvrseMOzzD+yLAY
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes: svoutse.exe, 18f2852607.exe, 1513dc16ef.exe, svoutse.exe, e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe, svoutse.exe, svoutse.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 18f2852607.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1513dc16ef.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe, svoutse.exe, svoutse.exe, svoutse.exe, svoutse.exe, 1513dc16ef.exe, 18f2852607.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1513dc16ef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 18f2852607.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 18f2852607.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1513dc16ef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
-
Executes dropped EXE 6 IoCs
Processes: svoutse.exe, svoutse.exe, svoutse.exe, 18f2852607.exe, 1513dc16ef.exe, svoutse.exe
pid | process
3588 | svoutse.exe
396 | svoutse.exe
4120 | svoutse.exe
4744 | 18f2852607.exe
3364 | 1513dc16ef.exe
3308 | svoutse.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: svoutse.exe, svoutse.exe, svoutse.exe, 18f2852607.exe, 1513dc16ef.exe, svoutse.exe, e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine | 18f2852607.exe
Key opened | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine | 1513dc16ef.exe
Key opened | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: svoutse.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\1513dc16ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\1513dc16ef.exe" | svoutse.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe, svoutse.exe, svoutse.exe, svoutse.exe, 18f2852607.exe, 1513dc16ef.exe, svoutse.exe
pid | process
652 | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
3588 | svoutse.exe
396 | svoutse.exe
4120 | svoutse.exe
4744 | 18f2852607.exe
3364 | 1513dc16ef.exe
3308 | svoutse.exe
-
Drops file in Windows directory 1 IoCs
Processes: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 18f2852607.exe, 1513dc16ef.exe, powershell.exe, cmd.exe, cmd.exe, e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe, svoutse.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 18f2852607.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1513dc16ef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe, firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe, svoutse.exe, svoutse.exe, svoutse.exe, 18f2852607.exe, 1513dc16ef.exe, powershell.exe, svoutse.exe
pid | process
652 | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
652 | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
3588 | svoutse.exe
3588 | svoutse.exe
396 | svoutse.exe
396 | svoutse.exe
4120 | svoutse.exe
4120 | svoutse.exe
4744 | 18f2852607.exe
4744 | 18f2852607.exe
3364 | 1513dc16ef.exe
3364 | 1513dc16ef.exe
4920 | powershell.exe
4920 | powershell.exe
4920 | powershell.exe
4920 | powershell.exe
4920 | powershell.exe
4920 | powershell.exe
4920 | powershell.exe
3308 | svoutse.exe
3308 | svoutse.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.exe, firefox.exe
description | pid | process
Token: SeDebugPrivilege | 4920 | powershell.exe
Token: SeDebugPrivilege | 4316 | firefox.exe
Token: SeDebugPrivilege | 4316 | firefox.exe
-
Suspicious use of FindShellTrayWindow 22 IoCs
Processes: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe, firefox.exe
pid | process
652 | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
4316 | firefox.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: firefox.exe
pid | process
4316 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe, svoutse.exe, powershell.exe, firefox.exe, firefox.exe, firefox.exe
description | pid | process | target process
PID 652 wrote to memory of 3588 | 652 | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe | svoutse.exe
PID 652 wrote to memory of 3588 | 652 | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe | svoutse.exe
PID 652 wrote to memory of 3588 | 652 | e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe | svoutse.exe
PID 3588 wrote to memory of 4744 | 3588 | svoutse.exe | 18f2852607.exe
PID 3588 wrote to memory of 4744 | 3588 | svoutse.exe | 18f2852607.exe
PID 3588 wrote to memory of 4744 | 3588 | svoutse.exe | 18f2852607.exe
PID 3588 wrote to memory of 3364 | 3588 | svoutse.exe | 1513dc16ef.exe
PID 3588 wrote to memory of 3364 | 3588 | svoutse.exe | 1513dc16ef.exe
PID 3588 wrote to memory of 3364 | 3588 | svoutse.exe | 1513dc16ef.exe
PID 3588 wrote to memory of 4920 | 3588 | svoutse.exe | powershell.exe
PID 3588 wrote to memory of 4920 | 3588 | svoutse.exe | powershell.exe
PID 3588 wrote to memory of 4920 | 3588 | svoutse.exe | powershell.exe
PID 4920 wrote to memory of 1992 | 4920 | powershell.exe | cmd.exe
PID 4920 wrote to memory of 1992 | 4920 | powershell.exe | cmd.exe
PID 4920 wrote to memory of 1992 | 4920 | powershell.exe | cmd.exe
PID 4920 wrote to memory of 988 | 4920 | powershell.exe | cmd.exe
PID 4920 wrote to memory of 988 | 4920 | powershell.exe | cmd.exe
PID 4920 wrote to memory of 988 | 4920 | powershell.exe | cmd.exe
PID 4920 wrote to memory of 3716 | 4920 | powershell.exe | firefox.exe
PID 4920 wrote to memory of 3716 | 4920 | powershell.exe | firefox.exe
PID 4920 wrote to memory of 3408 | 4920 | powershell.exe | firefox.exe
PID 4920 wrote to memory of 3408 | 4920 | powershell.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3408 wrote to memory of 4316 | 3408 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 3716 wrote to memory of 484 | 3716 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
PID 4316 wrote to memory of 1604 | 4316 | firefox.exe | firefox.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 652
-
Level 2: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3588
-
Level 3: C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe
  Command: "C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4744
-
Level 3: C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 3364
-
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4920
-
Level 4: C:\Windows\SysWOW64\cmd.exe
  Command: "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
  - System Location Discovery: System Language Discovery
  PID: 1992
-
Level 4: C:\Windows\SysWOW64\cmd.exe
  Command: "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  - System Location Discovery: System Language Discovery
  PID: 988
-
Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  - Suspicious use of WriteProcessMemory
  PID: 3716
-
Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  - Checks processor information in registry
  PID: 484
-
Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  - Suspicious use of WriteProcessMemory
  PID: 3408
-
Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4316
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1828 -prefMapHandle 1836 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3106ae8b-fe53-4530-aceb-01626af1705b} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" gpu
  PID: 1604
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08e8c00b-46fc-4fee-a518-62dfa45a9d04} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" socket
  PID: 2088
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef84fb55-9420-489d-a3d0-87a151895ef4} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab
  PID: 2460
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3532 -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 3536 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cca860ed-3b49-4ade-bb6d-1476d7cc6801} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab
  PID: 4808
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4296 -childID 3 -isForBrowser -prefsHandle 4288 -prefMapHandle 4284 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9e022fd-640f-4ef5-90f7-d55a6421c1a5} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab
  PID: 1600
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4984 -prefMapHandle 4676 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd1d9d93-b9c3-4551-b4f2-f5126f4e82b0} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" utility
  - Checks processor information in registry
  PID: 5040
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5836 -prefMapHandle 5096 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a21a4150-03db-4f70-a960-c661c6ff88d7} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab
  PID: 2224
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 5 -isForBrowser -prefsHandle 6052 -prefMapHandle 6048 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac21f1cf-ceeb-4430-846e-bbcd20b12be7} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab
  PID: 1504
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 6 -isForBrowser -prefsHandle 6164 -prefMapHandle 6168 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d25424c-3a3f-4244-8fcd-3ac02e45d025} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab
  PID: 2056
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 396
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4120
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3308
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\activity-stream.discovery_stream.json
Filesize: 23KB
MD5: b14e75716b0ce5dc2de6713f2ac26f7d
SHA1: bc4f8b2611fb5a23383aad3ae17acae2024e8f47
SHA256: b6c7d7ffdb71cc4dd2d65515a3878216f8569a68720ee95f89a4f75d4225a1f8
SHA512: ff6d3e9f21aca22c1bcfdca20dfbd030c993fb55f4bf134c96f45e607069610d708dc536201f4619dc139251edb95046c0fd915d20c81f04619f652f82424eb1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F
Filesize: 13KB
MD5: 26b417013658f972c83ce8b82a16a902
SHA1: 5d243fa0c7cd09aea0a050c3729223a3aed5b319
SHA256: 3e19a94ea184107800444b1fdc5580cdf498173ee513c53e4ab27ad5e47f08a3
SHA512: c41fa29c256e3fd8986b39d638898782bef0775eb0fdef5a05cb6405a5f18d78a1d2141f14bbd502f5a70178f78f13a6be05444742a3a0c279b88ba74dceb4f6
-
Filesize: 1.8MB
MD5: d4a8074d0e6ec329e01d59e2c977bcc3
SHA1: 2e680f12aed4c51ed2277082c3f8af9368f7f3cd
SHA256: e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3
SHA512: f670ea342da46e72001b55a7ec396638284baafeb6f7ee4c261d1323fbcf9cd9718eeeb2c917ac28d5a76939a7321895a277104ce654e6f037d477e72eb74e7f
-
Filesize: 2KB
MD5: e05e8f072b373beafe27cc11d85f947c
SHA1: 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256: 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512: b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize: 1.7MB
MD5: 250051046eae3713ed1af118169d9227
SHA1: 66ecbbeffdbb6bae912fc9f21b52faeac7b73d49
SHA256: c1d2816e557482077a88b8e23581cd82a92dfca70fd1e7ceaec4ba3adbd7d136
SHA512: a9a49aaf7e56466ec9cbdf86564ba5ad875d8233f12b26c718dc163dfb7d9e139891e5a422eca933e41c3bc19d5dc62d47606e23019fb0cce8f281a981a82d1e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin
Filesize: 6KB
MD5: efe6be126ca36f4a6a3559c2d34b7028
SHA1: a4770321504f5366888166e92853916893f16fc1
SHA256: f7934123470d3566ab280b15d90ea9d17565807c8aebb270701bff32ecee8351
SHA512: 5d37a676fa9d921c06a71efb1738a5e83aa74c122166b874dfde6549e84a557c8e19be516807dac279e20e04776d96daf4fc44252f17b08780521d9ae3c3a11b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 70820ccd1f8e453832caab944451b261
SHA1: 0eecfc4ce7fb3744a1ea65f461133165549628bd
SHA256: 68076ffe9b29838b1d4c94de72c3248ad7e82348c539015fcd73919b9dc8f853
SHA512: a20e35282d28d45d4e3803e72662f56a13426f0d5a7f4326b1547a6588a6718ac22e2161bc3b80f0fce1e58bf1688a4e63f7394d4a06c34c26bae98a0816a8f4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin
Filesize: 15KB
MD5: 9d7a58cf35eb8bd0c1b6d8e04894805d
SHA1: d643f87c0b485ce24e95746770a6919f54be1d38
SHA256: b33439be40bc53ff49474030e879df654a48da6e6bec447bba3fb27a0d0ed754
SHA512: 12965837694c4113295c84d70a7832bef62d1c01c58195f22aa8c92c2372c6ea2f029a040c1929abc6e286eb9daf69bd0d9c8d3a7de86c2ab5395d4f3c3be38d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 1b5127d1bb6924ca22750b5924547a59
SHA1: a589956ccdebe26c0631825b30ea33abaffdc578
SHA256: be99840bdf1555d77cd753c22d551be4936d34bac72c8f548c43737e2d1ed9f5
SHA512: 3e747a372f6dc5c8f8d4a6ffee8ec2a2a6d0b79591ee249445440729a5022446343eaa8a27083fb2dd080506eaf50f8413552dbf563444fe9bc1761782ed7f34
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 40c1b1cabffe8172b76634d9ab9b774c
SHA1: 1d59e7ad454814e36c3ffb6641179b9256eaad6c
SHA256: 454a04a6856de1069cc338d8af9fd750c3f39704a4141770fba7e04ddcb93fa1
SHA512: facd1bb5025974ce365e2acab78b8707f171fefffc39ce81bb45d3bc3cb7ee4b809ef70c8e0d502cfe9b745efd9f26f41f13836632a70d8fb82942c875dd7cca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: da5958fd1cf87aeef3a6ae813b2aae1c
SHA1: 3230fee9493cd9ff4a7bcefda69d53d656420254
SHA256: 120dd23ec5892e7caa17ddd1148d702fdca6f4357700baeb1aff3014d2ba1401
SHA512: 785c1ee60b1ead6708e312323f981f64c1bc1eefe28939d8097355795dd3dee5d9190d35cbf06fb0b74d9b16f0f3ed2845f2dcf25258b6a1b5c1c2a963a5e522
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\032ecb65-6105-4e17-ae69-50608ec76f78
Filesize: 671B
MD5: 178b1660cc11b9a5cae2919187c9c48f
SHA1: 7f9ad01888c2ec9428130370f85a7f1cdaee06ed
SHA256: 9613004b3eade4751ac2001d85f1956062671411e3b64c05138a5ba9264f0d6f
SHA512: 128a5fe55eb8c04b0b6ce2fbcccc2c098a2b9caded5ad647a056ee18d3044f62c964ee254b465a018da38fda44a1825d9ffa95316dd9647972dff46401ade08e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\26aded61-1876-4091-9756-d85e3ecae5c6
Filesize: 25KB
MD5: 4d78117cd66d043e059b0cf267fb36a3
SHA1: 9ab1c9a61708537bb25d61b3a7fdddd429cb4abd
SHA256: a69e114308e09733c03c22079093ce6607ede28caf675e03dac72b9e4883d496
SHA512: c51b06124ca38c344018170fe96edc85f2dc76ffade8b92171905133dbc1660e9180d86453a60fcd59b391ab23df2cc289027b97ce1378b9f81031663ca9ce6a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\e73451d7-9fb1-4326-9260-fcab15a96fa6
Filesize: 982B
MD5: 5090a22b12e50af46d6fdc975a11c085
SHA1: 321a30dbc22349894379598d90258dc144308d50
SHA256: 10ff5cc032028a83e0a8cbf26dcc5442122093c54e096f54b2410e8af6cf4ee6
SHA512: 7f9fef2d0c5fde94e0a4dabf6b130cf9d40091ed55c8f7b05e577c2dfb179de35fef915dfdc5bbe76ec65be366e4b4b6cac6be4946049c3f033556f2fdee9631
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 14KB
MD5: b0dd15b8d7960fa1999ac8f6accfd1d8
SHA1: f346881b9f2f09896aee7bcb29a6adeebfd28d76
SHA256: 0d0eb2e3738ca079dcc56504f2ceffa3eb9bb2a335352326d6a72e8ea4a72b4c
SHA512: 0ff8059e180b6918aa930714b73a760a71b38e814a92964d2645d2e40027b2d7de100c66b5f1a586919cbaa105860c1fd16ce027ff7cabaa40dd6ceef72c1db5
-
Filesize: 13KB
MD5: fe0812bb3c7c96ed3fc67561b0c7030f
SHA1: 5c23d7ba1ccf930746a1e43f9018cd0c9731dbf2
SHA256: cb828e1312c9a221c87d95d31eadc2be439bb36ed695efa72309ff8c602c2d4e
SHA512: 816a55df95f4f78887043e31d5123b1806981cd555605c84f2eeced683f2f5beca256a7d52b575c134a7d21d9f2d8ec987e6e0219f4f1f0e6fbfd49175211810
-
Filesize: 11KB
MD5: f3b9e67d8ba9cd321f316faddf4322de
SHA1: 6759c202f4da5529c649170276dde88193488f9a
SHA256: 4d8603b6e289a92485eada8d00d9a758dc1c9148a9e8557f691b9e8fc8c7805e
SHA512: 92ee838a0f284c8a096e3124067e65297dda3400783809c187492512f2dc924ddcfec8ebb04b7ebd0bc246f40476051d84e3e9b94ea6310fe776ea402ca39a5f
-
Filesize: 11KB
MD5: 0bac391e05bf047a49288056251c6b2c
SHA1: 79d2c355433f80d809cad38c24b77f18c62f0c78
SHA256: 511067d8d7a855de91e23337e28a4bc606aac436c31eb5adff400d3f04811e3b
SHA512: 538bfb7b56066a7cec9ddfa6c0d126ab861825e4332733d135d21af1eeb62353bab82dbab3d56a064fded60ef7fa5b3fe1735a665cb57f81bbe40055b91d28d6
-
Filesize: 11KB
MD5: fd8971b62ef982111dc9b82c3b861bd1
SHA1: 1ccca3fe8dac40b2ac4e8aca0bd3fcef752b56fe
SHA256: 734e6361f1d97349c946f7ba0b417ca685ae7825cca5d0cb9d4c36a5bb1aa158
SHA512: b4591938dff49922b91df0d0670eb9ced0f6f6e3ad9bc7da6700ab75084c346373345ee9e42865bc9105e9f3feec89684a451b9c4a1aede076cc4bc3880bfe82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4
Filesize: 1KB
MD5: 84f2b2e93646cd21111b6286712c1fd5
SHA1: 438c376170023620b3426fbc8371adf97815a43f
SHA256: eac61b437355763849bcca97f1290ba3b18c6147214300608b05a1a9ef7d0bd7
SHA512: 6f080b067927df1258ac93c57ce0ac12d73f6d7f7d385961a646da0f58ad521c97359e174fdd47b2712042adbfab685be4bd6b4fca19f0a3938298cd8ac57d4d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4
Filesize: 5KB
MD5: 39faf7af58c8bf1460c45aa32815c995
SHA1: e308f00e2dd232e31dbeeea46022f30e769f92f5
SHA256: b44e38a377ab2d3935bdc55de39bd716a355e4b4936655387d1fe5640bdcc8c8
SHA512: ff020811cb4e72b02fbc7bd7896447e665aea1cd96b4c215770ffff9600789fdf45deb61509b4186e65cb9d5ed0d63a8b75ea79aca8f0c14ad734f0f69a434c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.4MB
MD5: ac7abe26b446842d30b6e37856a08f50
SHA1: 5e53ef274ec31b81bf13cf546580d040f96d19ad
SHA256: aaa8309ed40e915bc27df3e06b515fa868899954d219bac7e41bf16f1f8ebc27
SHA512: 459ea72867745c9bc4dcbff7b5657314b2fc6a56c304885c5f53449c32858feb3cab2d7ed35aead2ccd70fbf67748f4d50525b96a0c1f58a007f58d60cf658fe