Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 03:30
Static task: static1
Behavioral task: behavioral1
Sample: 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Resource: win7-20240903-en
General
Target: 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Size: 3.1MB
MD5: 36cde0f98ab8a93df2c3134ab9771502
SHA1: d778b355d36d12d05562bed3f78af22c944eb575
SHA256: 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261
SHA512: a79ef6f322657769550e03f1734b88c1a3b330ec6523f5fa444066cea7bc1dfd2df41833d9c99380209f2e25d1685c81dbc9eee948aa30678ff8a54a3b4c5d80
SSDEEP: 49152:og8DDIyU/xbvZJzwSmaOLxmeHpEeeJxs18eM9C:ogGDIyU/xbvXzwSmBtzHp8zs8eM9C
Malware Config
Extracted: amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted: stealc
tale
http://185.215.113.206
url_path: /6c4adf523b719729.php
Extracted: lumma
https://founpiuer.store/api
Signatures
Amadey family
Lumma family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | d29be7edf5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | d29be7edf5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | d29be7edf5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | d29be7edf5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | d29be7edf5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | d29be7edf5.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 73b0de9fdf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 808ede0696.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d29be7edf5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 73b0de9fdf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 73b0de9fdf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 808ede0696.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d29be7edf5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d29be7edf5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 808ede0696.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE 7 IoCs
pid | Process
4692 | skotes.exe
3408 | 73b0de9fdf.exe
4396 | 808ede0696.exe
2740 | 2bba1c5b53.exe
5300 | d29be7edf5.exe
4124 | skotes.exe
1564 | skotes.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | 808ede0696.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | d29be7edf5.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | 73b0de9fdf.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | d29be7edf5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | d29be7edf5.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d29be7edf5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004008001\\d29be7edf5.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\73b0de9fdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004005001\\73b0de9fdf.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\808ede0696.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004006001\\808ede0696.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2bba1c5b53.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004007001\\2bba1c5b53.exe" | skotes.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0007000000023cd4-70.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
5012 | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
4692 | skotes.exe
3408 | 73b0de9fdf.exe
4396 | 808ede0696.exe
5300 | d29be7edf5.exe
4124 | skotes.exe
1564 | skotes.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
612 | 3408 | WerFault.exe | 93
4628 | 3408 | WerFault.exe | 93
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 808ede0696.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 73b0de9fdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2bba1c5b53.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d29be7edf5.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Kills process with taskkill 5 IoCs
pid | Process
1652 | taskkill.exe
4708 | taskkill.exe
220 | taskkill.exe
2252 | taskkill.exe
3264 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid | Process (consecutive identical rows collapsed, repeat count in parentheses)
5012 | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe (x2)
4692 | skotes.exe (x2)
3408 | 73b0de9fdf.exe (x2)
4396 | 808ede0696.exe (x2)
2740 | 2bba1c5b53.exe (x4)
5300 | d29be7edf5.exe (x5)
4124 | skotes.exe (x2)
1564 | skotes.exe (x2)
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process (consecutive identical rows collapsed, repeat count in parentheses)
Token: SeDebugPrivilege | 220 | taskkill.exe
Token: SeDebugPrivilege | 2252 | taskkill.exe
Token: SeDebugPrivilege | 3264 | taskkill.exe
Token: SeDebugPrivilege | 1652 | taskkill.exe
Token: SeDebugPrivilege | 4708 | taskkill.exe
Token: SeDebugPrivilege | 3572 | firefox.exe (x2)
Token: SeDebugPrivilege | 5300 | d29be7edf5.exe
Token: SeDebugPrivilege | 3572 | firefox.exe (x3)
Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process (consecutive identical rows collapsed, repeat count in parentheses)
5012 | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
2740 | 2bba1c5b53.exe (x8)
3572 | firefox.exe (x21)
2740 | 2bba1c5b53.exe (x3)
Suspicious use of SendNotifyMessage 31 IoCs
pid | Process (consecutive identical rows collapsed, repeat count in parentheses)
2740 | 2bba1c5b53.exe (x8)
3572 | firefox.exe (x20)
2740 | 2bba1c5b53.exe (x3)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3572 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed, repeat count in parentheses)
PID 5012 wrote to memory of 4692 | 5012 | 6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe | 87 (x3)
PID 4692 wrote to memory of 3408 | 4692 | skotes.exe | 93 (x3)
PID 4692 wrote to memory of 4396 | 4692 | skotes.exe | 101 (x3)
PID 4692 wrote to memory of 2740 | 4692 | skotes.exe | 102 (x3)
PID 2740 wrote to memory of 220 | 2740 | 2bba1c5b53.exe | 103 (x3)
PID 2740 wrote to memory of 2252 | 2740 | 2bba1c5b53.exe | 105 (x3)
PID 2740 wrote to memory of 3264 | 2740 | 2bba1c5b53.exe | 107 (x3)
PID 2740 wrote to memory of 1652 | 2740 | 2bba1c5b53.exe | 109 (x3)
PID 2740 wrote to memory of 4708 | 2740 | 2bba1c5b53.exe | 111 (x3)
PID 2740 wrote to memory of 3068 | 2740 | 2bba1c5b53.exe | 113 (x2)
PID 3068 wrote to memory of 3572 | 3068 | firefox.exe | 114 (x11)
PID 3572 wrote to memory of 2888 | 3572 | firefox.exe | 115 (x24)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(tree depth shown by indentation; each entry gives the image path, the command line, the signatures it triggered and its PID)
C:\Users\Admin\AppData\Local\Temp\6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d466d1d251413c12eea858fb6632f05321720d64212b98b92b68a7190627261.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 5012
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4692
        C:\Users\Admin\AppData\Local\Temp\1004005001\73b0de9fdf.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1004005001\73b0de9fdf.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 3408
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1492
              - Program crash
              PID: 612
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1472
              - Program crash
              PID: 4628
        C:\Users\Admin\AppData\Local\Temp\1004006001\808ede0696.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1004006001\808ede0696.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 4396
        C:\Users\Admin\AppData\Local\Temp\1004007001\2bba1c5b53.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1004007001\2bba1c5b53.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 2740
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM firefox.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 220
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM chrome.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 2252
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM msedge.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 3264
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM opera.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1652
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM brave.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 4708
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
              - Suspicious use of WriteProcessMemory
              PID: 3068
                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                  - Checks processor information in registry
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                  PID: 3572
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f4ecc70-e2e7-4fdc-adb9-f913e0a6794e} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" gpu
                      PID: 2888
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1b700e1-17b5-4a68-ac67-652d723c90a1} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" socket
                      PID: 3168
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3004 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5ab89c-8b50-48f3-8d32-b1f982984445} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" tab
                      PID: 3076
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -childID 2 -isForBrowser -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b2410b2-b1f3-4335-8109-b6bff7ca9c05} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" tab
                      PID: 3608
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4936 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98bccd1c-8d35-4e72-8740-02106131c47c} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" utility
                      - Checks processor information in registry
                      PID: 5696
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf6893fa-2099-421d-8362-405617822da7} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" tab
                      PID: 6052
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e082d8f-15b4-47f7-8c1e-359c13abb021} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" tab
                      PID: 6080
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5724 -prefMapHandle 5720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abaeb067-5bba-4947-8f25-ef7cbc3cc288} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" tab
                      PID: 6100
        C:\Users\Admin\AppData\Local\Temp\1004008001\d29be7edf5.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1004008001\d29be7edf5.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Windows security modification
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5300
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3408 -ip 3408
  PID: 3516
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3408 -ip 3408
  PID: 3136
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4124
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1564
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique and sub-technique with the number of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD5d37ab32790b54ae655f9241173866fdb
SHA14fa019b8320664f7bab962caca0020c6c80ae2dc
SHA2563e9eaf46abf06ce0f853c37d51b9054441425825bd378e005758829134ae6019
SHA512522739ea48799a9a8f66a517f7ef2d635b94ed9c07826a11cc79b27fb87fa9022d3dc259bea51b9574957048a7a17655650af8b5e9943ffed5b49af87a04a507
-
Filesize
10KB
MD5af7c56583731a842d840aa90f148256e
SHA19d32424d0cd8ab5feeb263ce13f79723ccc0d8a2
SHA25621a211fcd9fb0c6b9691e625cc44e7597529e1c586426812a4f6538a97449df9
SHA512d5503f9ed2d0a6cc3dd5870e3e37e2b5f0b1cf91335f5d51d4f017f821b24908154013894250172f1d90b72442b247116ab04cd27650c8135de905a023eb401b
-
Filesize
10KB
MD5c55da435e0ea2d56496ec05dbaadf4a3
SHA1a08300672d26574852bccce93b7310807c2a81e9
SHA2567ade460705fc0d50924af73cdd6afb776b3722325174ba724df314209d5da1c3
SHA512729e222fd129e8a9e7af05f7c8c88c579076205ea6e2dc3048ce83add418dc2f038e5a75bf2bd8a200a30d3730dab135a42d4875f5addf4c7777544b81232219
-
Filesize
11KB
MD5ced9ae941e1e91d11df8077a4ed0391a
SHA119501a08895c81902c841c85097086ff14864ce3
SHA25614b687dd39022c2d2ace97f7778768fad39ccad23c92cf4c7d89d3a6d2b60003
SHA512baa0ed301989056da5b8fd637231ec1e6c332e36b45057bc42917a5afaf85f1087f9dfe3941b4be27374f4873e1a1f6993cb40700c18b786859d4b145dbd961f