Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2024, 16:05
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240903-en
General
Target: file.exe
Size: 2.8MB
MD5: 2fd54006eccf616064ee4979b41760b8
SHA1: 4bebf7fa013315bac837fd46b2485ff7b55f3216
SHA256: c38886a100f7154572ddbe90a5dd13abf091454cd5ba2defda9111fd6a743b65
SHA512: 5097a3832f6e817fd3f1772c05e98a0648e51b6c7ddadeff6cff396e8cf38fb8834b4fc278021cbb9bb85e157770c018d7d3f943569d75312c48d653ea07f829
SSDEEP: 49152:7HOBwBPmFd7W15DzNF7zb3S8n0q+ISi+Z+K:SBcmTk5re8n1Si+t
Malware Config
Extracted: lumma
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Extracted: stealc
doma: http://185.215.113.37
url_path: /e2b1563c6670f193.php
Extracted: amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 3f54d1bdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 3f54d1bdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 3f54d1bdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 3f54d1bdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 3f54d1bdbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 3f54d1bdbb.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 9 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WS73QESDCSIV5YPP0A4BBGD.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9dd56ba41a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3f54d1bdbb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ZHVZBLYIQ2B94PX940U3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3d5cf7a029.exe
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 18 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ZHVZBLYIQ2B94PX940U3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3d5cf7a029.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3d5cf7a029.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3f54d1bdbb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3f54d1bdbb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WS73QESDCSIV5YPP0A4BBGD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9dd56ba41a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9dd56ba41a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WS73QESDCSIV5YPP0A4BBGD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ZHVZBLYIQ2B94PX940U3.exe
Checks computer location settings [2 TTPs, 2 IoCs]
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | ZHVZBLYIQ2B94PX940U3.exe
Executes dropped EXE [9 IoCs]
pid | Process
2748 | WS73QESDCSIV5YPP0A4BBGD.exe
2628 | ZHVZBLYIQ2B94PX940U3.exe
2172 | skotes.exe
2268 | num.exe
4104 | 3d5cf7a029.exe
4060 | 9dd56ba41a.exe
3860 | 3f54d1bdbb.exe
4184 | skotes.exe
4052 | skotes.exe
Identifies Wine through registry keys [2 TTPs, 9 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 9dd56ba41a.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 3d5cf7a029.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 3f54d1bdbb.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | WS73QESDCSIV5YPP0A4BBGD.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | ZHVZBLYIQ2B94PX940U3.exe
Reads user/profile data of web browsers [3 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 3f54d1bdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 3f54d1bdbb.exe
Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
Adds Run key to start application [2 TTPs, 2 IoCs]
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000336001\\num.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d5cf7a029.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000349001\\3d5cf7a029.exe" | skotes.exe
Checks installed software on the system [1 TTPs]
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger [9 IoCs]
pid | Process
1408 | file.exe
2748 | WS73QESDCSIV5YPP0A4BBGD.exe
2628 | ZHVZBLYIQ2B94PX940U3.exe
2172 | skotes.exe
4104 | 3d5cf7a029.exe
4060 | 9dd56ba41a.exe
3860 | 3f54d1bdbb.exe
4184 | skotes.exe
4052 | skotes.exe
Drops file in Windows directory [1 IoCs]
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | ZHVZBLYIQ2B94PX940U3.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery [1 TTPs, 9 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WS73QESDCSIV5YPP0A4BBGD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | num.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3f54d1bdbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d5cf7a029.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9dd56ba41a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZHVZBLYIQ2B94PX940U3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Checks processor information in registry [2 TTPs, 8 IoCs]
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class [1 IoCs]
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses [27 IoCs]
pid | Process
1408 | file.exe
1408 | file.exe
1408 | file.exe
1408 | file.exe
1408 | file.exe
1408 | file.exe
2748 | WS73QESDCSIV5YPP0A4BBGD.exe
2748 | WS73QESDCSIV5YPP0A4BBGD.exe
2628 | ZHVZBLYIQ2B94PX940U3.exe
2628 | ZHVZBLYIQ2B94PX940U3.exe
3988 | powershell.exe
3988 | powershell.exe
2172 | skotes.exe
2172 | skotes.exe
4104 | 3d5cf7a029.exe
4104 | 3d5cf7a029.exe
4060 | 9dd56ba41a.exe
4060 | 9dd56ba41a.exe
3860 | 3f54d1bdbb.exe
3860 | 3f54d1bdbb.exe
3860 | 3f54d1bdbb.exe
3860 | 3f54d1bdbb.exe
3860 | 3f54d1bdbb.exe
4184 | skotes.exe
4184 | skotes.exe
4052 | skotes.exe
4052 | skotes.exe
Suspicious use of AdjustPrivilegeToken [7 IoCs]
description | pid | Process
Token: SeDebugPrivilege | 3988 | powershell.exe
Token: SeDebugPrivilege | 4988 | firefox.exe
Token: SeDebugPrivilege | 4988 | firefox.exe
Token: SeDebugPrivilege | 3860 | 3f54d1bdbb.exe
Token: SeDebugPrivilege | 4988 | firefox.exe
Token: SeDebugPrivilege | 4988 | firefox.exe
Token: SeDebugPrivilege | 4988 | firefox.exe
Suspicious use of FindShellTrayWindow [22 IoCs]
pid | Process
2628 | ZHVZBLYIQ2B94PX940U3.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
Suspicious use of SendNotifyMessage [20 IoCs]
pid | Process
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
4988 | firefox.exe
Suspicious use of SetWindowsHookEx [1 IoCs]
pid | Process
4988 | firefox.exe
Suspicious use of WriteProcessMemory [64 IoCs]
description | pid | Process | procid_target
PID 1408 wrote to memory of 2748 | 1408 | file.exe | 88
PID 1408 wrote to memory of 2748 | 1408 | file.exe | 88
PID 1408 wrote to memory of 2748 | 1408 | file.exe | 88
PID 1408 wrote to memory of 2628 | 1408 | file.exe | 89
PID 1408 wrote to memory of 2628 | 1408 | file.exe | 89
PID 1408 wrote to memory of 2628 | 1408 | file.exe | 89
PID 1408 wrote to memory of 3988 | 1408 | file.exe | 90
PID 1408 wrote to memory of 3988 | 1408 | file.exe | 90
PID 1408 wrote to memory of 3988 | 1408 | file.exe | 90
PID 2628 wrote to memory of 2172 | 2628 | ZHVZBLYIQ2B94PX940U3.exe | 92
PID 2628 wrote to memory of 2172 | 2628 | ZHVZBLYIQ2B94PX940U3.exe | 92
PID 2628 wrote to memory of 2172 | 2628 | ZHVZBLYIQ2B94PX940U3.exe | 92
PID 3988 wrote to memory of 1236 | 3988 | powershell.exe | 93
PID 3988 wrote to memory of 1236 | 3988 | powershell.exe | 93
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 1236 wrote to memory of 4988 | 1236 | firefox.exe | 94
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
PID 4988 wrote to memory of 2696 | 4988 | firefox.exe | 95
Uses Task Scheduler COM API [1 TTPs]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1408)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\WS73QESDCSIV5YPP0A4BBGD.exe (PID 2748)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\WS73QESDCSIV5YPP0A4BBGD.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\ZHVZBLYIQ2B94PX940U3.exe (PID 2628)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ZHVZBLYIQ2B94PX940U3.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2172)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe (PID 2268)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\1000349001\3d5cf7a029.exe (PID 4104)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000349001\3d5cf7a029.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\1000350002\9dd56ba41a.exe (PID 4060)
        cmdline: "C:\Users\Admin\1000350002\9dd56ba41a.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\1000357001\3f54d1bdbb.exe (PID 3860)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000357001\3f54d1bdbb.exe"
        - Modifies Windows Defender Real-time Protection settings
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Windows security modification
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 1416)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3988)
    cmdline: powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\PNQON4VI35X271AL8FWH9.ps1"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1236)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Mozilla Firefox\firefox.exe (PID 4988)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 2696)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {784842f2-c736-40df-81b7-3298e77817c8} 4988 "\\.\pipe\gecko-crash-server-pipe.4988" gpu
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 3812)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e863d54-4c65-4cd7-b30c-6c6d0d1bb4c5} 4988 "\\.\pipe\gecko-crash-server-pipe.4988" socket
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 3480)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3492 -prefMapHandle 3516 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d4ec14b-8ca3-4caa-9f56-3f731531d9e5} 4988 "\\.\pipe\gecko-crash-server-pipe.4988" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4512)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51d88174-cb22-4797-b59a-64bc52d6f9ea} 4988 "\\.\pipe\gecko-crash-server-pipe.4988" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4940)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4792 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b149b37-48c3-411e-869d-62bae5af4ed1} 4988 "\\.\pipe\gecko-crash-server-pipe.4988" utility
          - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 3644)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67e64b21-c33a-415b-94ce-395af441cc0b} 4988 "\\.\pipe\gecko-crash-server-pipe.4988" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4976)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5392 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {907847bd-3b60-4d3a-9ffc-4bbb6f14769e} 4988 "\\.\pipe\gecko-crash-server-pipe.4988" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 5012)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {493ad646-6d74-4b9a-a75b-6d706092459d} 4988 "\\.\pipe\gecko-crash-server-pipe.4988" tab
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 4184)
  cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 4052)
  cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads