Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2024 01:34
Static task: static1
Behavioral task: behavioral1
Sample: 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Resource: win7-20241010-en
General
Target: 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Size: 1.8MB
MD5: 94e2520fb2ad7d11fa21d869f8284d76
SHA1: 45169f35a44a07dbe216e8cf10a2710c4f5af136
SHA256: 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2
SHA512: e3f3f0ff13c8ecc047aec62ff9de747212be620e72bae593532e804102998c3958fb690f311bf64de7ddb4f212e38599d28ba7c6e67b93ea6048e2b56caf2eb1
SSDEEP: 49152:bvWFqWLcgZ4gMDDMdJvLLQrhuIBFo1Ogb8ElSk3:bo/cySMk9Fosg1lB3
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted
Family: lumma
C2:
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
Amadey family
Lumma family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | cea97313bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | cea97313bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | cea97313bf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | cea97313bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | cea97313bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | cea97313bf.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6f4f4b7171.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 963121fd9b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cea97313bf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 963121fd9b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 963121fd9b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6f4f4b7171.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cea97313bf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6f4f4b7171.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cea97313bf.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Executes dropped EXE 8 IoCs
pid | Process
2020 | skotes.exe
4796 | 6f4f4b7171.exe
2220 | 963121fd9b.exe
4432 | 8be93dd6b4.exe
4076 | cea97313bf.exe
4376 | skotes.exe
4584 | skotes.exe
5076 | skotes.exe
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 6f4f4b7171.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 963121fd9b.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | cea97313bf.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | cea97313bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | cea97313bf.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6f4f4b7171.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006791001\\6f4f4b7171.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\963121fd9b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006792001\\963121fd9b.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8be93dd6b4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006793001\\8be93dd6b4.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cea97313bf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006794001\\cea97313bf.exe" | skotes.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0007000000023c6c-67.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid | Process
4496 | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
2020 | skotes.exe
4796 | 6f4f4b7171.exe
2220 | 963121fd9b.exe
4076 | cea97313bf.exe
4376 | skotes.exe
4584 | skotes.exe
5076 | skotes.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cea97313bf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f4f4b7171.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8be93dd6b4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 963121fd9b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Kills process with taskkill 5 IoCs
pid | Process
864 | taskkill.exe
4984 | taskkill.exe
4764 | taskkill.exe
4972 | taskkill.exe
1988 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid | Process
4496 | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
4496 | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
2020 | skotes.exe
2020 | skotes.exe
4796 | 6f4f4b7171.exe
4796 | 6f4f4b7171.exe
2220 | 963121fd9b.exe
2220 | 963121fd9b.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4076 | cea97313bf.exe
4076 | cea97313bf.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4076 | cea97313bf.exe
4076 | cea97313bf.exe
4076 | cea97313bf.exe
4376 | skotes.exe
4376 | skotes.exe
4584 | skotes.exe
4584 | skotes.exe
5076 | skotes.exe
5076 | skotes.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4972 | taskkill.exe
Token: SeDebugPrivilege | 1988 | taskkill.exe
Token: SeDebugPrivilege | 864 | taskkill.exe
Token: SeDebugPrivilege | 4984 | taskkill.exe
Token: SeDebugPrivilege | 4764 | taskkill.exe
Token: SeDebugPrivilege | 4960 | firefox.exe
Token: SeDebugPrivilege | 4960 | firefox.exe
Token: SeDebugPrivilege | 4076 | cea97313bf.exe
Token: SeDebugPrivilege | 4960 | firefox.exe
Token: SeDebugPrivilege | 4960 | firefox.exe
Token: SeDebugPrivilege | 4960 | firefox.exe
Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process
4496 | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4432 | 8be93dd6b4.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
Suspicious use of SendNotifyMessage 31 IoCs
pid | Process
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4432 | 8be93dd6b4.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4960 | firefox.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
4432 | 8be93dd6b4.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4960 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4496 wrote to memory of 2020 | 4496 | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe | 86
PID 4496 wrote to memory of 2020 | 4496 | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe | 86
PID 4496 wrote to memory of 2020 | 4496 | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe | 86
PID 2020 wrote to memory of 4796 | 2020 | skotes.exe | 91
PID 2020 wrote to memory of 4796 | 2020 | skotes.exe | 91
PID 2020 wrote to memory of 4796 | 2020 | skotes.exe | 91
PID 2020 wrote to memory of 2220 | 2020 | skotes.exe | 95
PID 2020 wrote to memory of 2220 | 2020 | skotes.exe | 95
PID 2020 wrote to memory of 2220 | 2020 | skotes.exe | 95
PID 2020 wrote to memory of 4432 | 2020 | skotes.exe | 96
PID 2020 wrote to memory of 4432 | 2020 | skotes.exe | 96
PID 2020 wrote to memory of 4432 | 2020 | skotes.exe | 96
PID 4432 wrote to memory of 4972 | 4432 | 8be93dd6b4.exe | 97
PID 4432 wrote to memory of 4972 | 4432 | 8be93dd6b4.exe | 97
PID 4432 wrote to memory of 4972 | 4432 | 8be93dd6b4.exe | 97
PID 4432 wrote to memory of 1988 | 4432 | 8be93dd6b4.exe | 99
PID 4432 wrote to memory of 1988 | 4432 | 8be93dd6b4.exe | 99
PID 4432 wrote to memory of 1988 | 4432 | 8be93dd6b4.exe | 99
PID 4432 wrote to memory of 864 | 4432 | 8be93dd6b4.exe | 101
PID 4432 wrote to memory of 864 | 4432 | 8be93dd6b4.exe | 101
PID 4432 wrote to memory of 864 | 4432 | 8be93dd6b4.exe | 101
PID 4432 wrote to memory of 4984 | 4432 | 8be93dd6b4.exe | 103
PID 4432 wrote to memory of 4984 | 4432 | 8be93dd6b4.exe | 103
PID 4432 wrote to memory of 4984 | 4432 | 8be93dd6b4.exe | 103
PID 4432 wrote to memory of 4764 | 4432 | 8be93dd6b4.exe | 105
PID 4432 wrote to memory of 4764 | 4432 | 8be93dd6b4.exe | 105
PID 4432 wrote to memory of 4764 | 4432 | 8be93dd6b4.exe | 105
PID 4432 wrote to memory of 368 | 4432 | 8be93dd6b4.exe | 107
PID 4432 wrote to memory of 368 | 4432 | 8be93dd6b4.exe | 107
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 368 wrote to memory of 4960 | 368 | firefox.exe | 108
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
PID 4960 wrote to memory of 928 | 4960 | firefox.exe | 109
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4496
  [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2020
    [3] C:\Users\Admin\AppData\Local\Temp\1006791001\6f4f4b7171.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1006791001\6f4f4b7171.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4796
    [3] C:\Users\Admin\AppData\Local\Temp\1006792001\963121fd9b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1006792001\963121fd9b.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 2220
    [3] C:\Users\Admin\AppData\Local\Temp\1006793001\8be93dd6b4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1006793001\8be93dd6b4.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 4432
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM firefox.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4972
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM chrome.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1988
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM msedge.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 864
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM opera.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4984
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM brave.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4764
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          - Suspicious use of WriteProcessMemory
          PID: 368
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4960
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cb22844-9f46-4b3c-a321-be540a44449d} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" gpu
              PID: 928
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {013be6db-c07e-46d6-a92c-d5f5d581e042} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" socket
              PID: 1224
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3320 -prefMapHandle 3096 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31520a3c-c83e-4120-b84b-7d4e20fd4056} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" tab
              PID: 3580
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3732 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2063e640-839c-4ffb-8f41-1072b24d5fc1} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" tab
              PID: 1584
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4464 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4404 -prefMapHandle 4408 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaaeee30-7211-4787-a998-106d535f3a2f} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" utility
              - Checks processor information in registry
              PID: 5304
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5528 -prefMapHandle 5460 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed4b6bd-3b63-403d-a6da-985a66c40611} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" tab
              PID: 2696
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 4 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {264edeb7-515c-4307-a000-65158683ba9b} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" tab
              PID: 4860
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 5 -isForBrowser -prefsHandle 5944 -prefMapHandle 5940 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b74f1fd-4725-4dd5-8bdd-d0bfdca492a3} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" tab
              PID: 2084
    [3] C:\Users\Admin\AppData\Local\Temp\1006794001\cea97313bf.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1006794001\cea97313bf.exe"
        - Modifies Windows Defender Real-time Protection settings
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Windows security modification
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4076
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4376
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4584
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 5076
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Defense Evasion
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 3
  Virtualization/Sandbox Evasion 2
Downloads
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
  Filesize: 22KB
  MD5: cbf25c0975e74add8faf703807b4fffb
  SHA1: 6dd3c458dfa5fac920866f3efa9bb67ffbd85539
  SHA256: 8e15f318e309114c4aa12e81af2c4448ea62188c69c67fc94118ec19b7c75165
  SHA512: c029602b8440d9d1c1e10e14d5430e8e66a3537c4b5a0342bb08633052b5f3e1b011fafcb9762d236d87c1c23ea12e5492a3506d7a6e3adde9ea335bbccdf723

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
  Filesize: 13KB
  MD5: b17e67d6ef5a569d7609081fd9966a42
  SHA1: a51b9b272812a18e07a1f0b7003fa0970c5a5056
  SHA256: 86441e9d083a21cd20ea0377d3773db60cf2a8c79be06fbdf5abe41cc13daad3
  SHA512: d5e47b36faea9228fc41562efb13ca15c00ca77552081af74d9cc01de1e9df05df7d90fd4784df4381426b612270a2d20e8d6f8ec92311b30bc6da8e35ab1f7a

(no path listed)
  Filesize: 1.8MB
  MD5: f99ff5e64815a0f5c12d7ac3c308dcad
  SHA1: 42b69c5c2e32df7181e790663ec59cb3cd3e5e3e
  SHA256: cc667d24c723a4963225b68b04bb90c6436ccfecd456c8cc1d3eec80d3ff4d9d
  SHA512: 984ca41dff503250b2378e9346bfdf99c693c20c7ba9442fd78c0db9408f31aba9e4659da33ba94ba5fd987bbe4b8d1f801a930827a90265b839663fe45ee29c

(no path listed)
  Filesize: 1.7MB
  MD5: 95ad97385b91f97050fca22fff1b6bab
  SHA1: b0f4c4aec176668bac77216d2efe0cbb10d37d80
  SHA256: 7b68bb0343f8acf2af19c2fc63e6a355568fa71f1c7f3e9ff1f7bf79bf5d6549
  SHA512: c568d9ed1f2f7912cb2b9858490e7caa89d6a05d6ad94e3d5bd65d0e9a7139b73bb63b25ede53d2581c63e07ab738c48f9c3d0cbcc6d4bb53f63f0bfb5c143fa

(no path listed)
  Filesize: 900KB
  MD5: 51c4368c9fcb43fbd1d93f2c95ba919c
  SHA1: 0de7b1c6f766938cc1a29c9cc992df31f380cddb
  SHA256: 4ffe84b5b7895bbe8836fc734d6c45d5d927e90ba0a2a3919b5608cfa4c73cec
  SHA512: 7b02cf1ba377af7c2e9f782d28090e8204f955c8210fa7fdcdfcefee6e5b41beecb9abdc1e8a88edb8f3d55ed2a00c0e9eeae71a90389782fe76778257a7e6fc

(no path listed)
  Filesize: 2.7MB
  MD5: d7f9844997596607f37d9d3bf1a39571
  SHA1: e2c08ed0a08f4b0fd1c661d850548f7604fea49b
  SHA256: 8a9cc77a61796a39c27d6318213c9bde4a3ea8229f3829091d60c4d4280bab49
  SHA512: 123a5d965a13ccbdb8bb1c9d1932932e1359c5b19aa7b3f9af4063fd42cc748bc3c3c0c1a3b837e721f5b012e7685f93d2640a719a5ea08e47f38f8d41d17d02

(no path listed)
  Filesize: 1.8MB
  MD5: 94e2520fb2ad7d11fa21d869f8284d76
  SHA1: 45169f35a44a07dbe216e8cf10a2710c4f5af136
  SHA256: 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2
  SHA512: e3f3f0ff13c8ecc047aec62ff9de747212be620e72bae593532e804102998c3958fb690f311bf64de7ddb4f212e38599d28ba7c6e67b93ea6048e2b56caf2eb1

(no path listed)
  Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

(no path listed)
  Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
  Filesize: 6KB
  MD5: 87c3bc80fc37dbc6a105497ffb966b12
  SHA1: 224d4393ba6def9fb2c7d18519fe19cf77423e13
  SHA256: 3de4de84ab7904508effe26ab7c1070b38131aac3982f21102e911b2d468c0fe
  SHA512: da8624a4a20c27f17a9ac05e627641af32376d6de07a50194f1f37c0f7646c7d8a474a02be00276288b501d0550cc03477b91de61d81f3a91c8c5e3cc36b8073

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: 8acd4606b361b60beb38d4f962e07568
  SHA1: f80596f2ab2cfe74476e6bbf969d6ef27850a8de
  SHA256: 9cd10fba9a37b7769ee9b66d0e3b91399c8bf5d5c605f9743e02d09c2cf18ae0
  SHA512: 358f97d15ab2f21e99a739f3d5ea6c8e644d2198e9e6a897fe9484513c07c25982a9a5e9b23f68770034cbce3f5b18371eb1b93c003e0967d6f9f21e4b7616fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 22KB
  MD5: 7866a20be7ab1eeddbe920ff0c63af32
  SHA1: 993b0e96dfceea33bf726096ccb1b52f2272a565
  SHA256: 303418b9609b4d1a9e264205c141c3d511cfa1a9054638ac6ca45a0907bc6382
  SHA512: a3a4ae6f344d313cc963cbe42ff0751528645552fbd62925e057377afe21eef6f858ad6fb6da6c8fe328c0a8943501527e71cfc9088884317c302ef59bf943c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 25KB
  MD5: 4b88a9fdd428d67f70d17eefc310d9ea
  SHA1: 3aff44abd8e39e0622c055b5dd072b2457449513
  SHA256: b0a4f8e936d6028bb29a9cab38436be51a80e79b5358af5ac39e83b7c17b8958
  SHA512: 7a68fc275709ad4c2ce9afad47eacdea6afaa701e8c2a658166a9fdd1a4c749aa65bfec898b0435db80590efbecde48cf302f215e32161d9dd562eac1925971b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 22KB
  MD5: e105616564e0955d0c83592176188aaa
  SHA1: 7262a97beadecb4b88989318101347fea455f308
  SHA256: 5ce02c27b598aa982e688519ca0dd201c66ffa5a13fc31dfc075d232e2a40124
  SHA512: 03a491cefc49459eab352ea3fc77ad8beaff8b6583a6f0be1fed35d967490a1adf844a013068020778da29666bb8abcd5c36ee4a8ee01a2dcc775e6bfbf7e221

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\32c7d86c-8034-4495-ad81-62d33abcebfc
  Filesize: 659B
  MD5: 9e1f5dd03b9867a2128c10ef4aa0ca63
  SHA1: a002d1ce027f2b8bb2a40767d70265aea9c2b1af
  SHA256: 49b6713412b24b167a1fcee63aaeb8744ab4403095953d219c4cb91e1f22e41c
  SHA512: 4b69ec3721dc64e750e43b8c508d566887f991442ecb5bb152a9eccf07af834f1fe1782339ec9958291b512f8f68bb92c9eb860d1f22e020013efe49a8190ba5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\e108cefc-66bb-4ec3-aff2-df264db68663
  Filesize: 982B
  MD5: 39ef37162f5b23a68baeb77cbbbbb9bd
  SHA1: 7bf5a9dbc6a1ba32e6e9e2fe19b1af57d7bab7ed
  SHA256: 4de994268614a178f6b3733f93b780fd5b8b2100bf2225d48c1385f6409d1dce
  SHA512: 8afb3ecf3e00cdfce2bd0361421b9c6cd69363d00edf79ab6cb950e1664c4226251df73c91411053c54f48339c857c1290af827f926975aa471599986c549e7b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5677edcaea8570542d1e83a1b86466d87
SHA15551a4ec7c842b00957526708bb71ca51328c9e5
SHA25649a437ddb98fa4aa3e8b3610782907bfa2e6d34cc15cfa8fa77477d86418fbd7
SHA512b4b6b61ba03d77a3346eaac6c12f7d35582afdae390860bc0cb3914367283fa03b93f8d2c613a81a1b350f356b6f92572120b2fcc44f27a12aade6cc8daf135c
-
Filesize
15KB
MD587e8f93e6940a01dafa0b598d3986c89
SHA10cca15eea9726b07c1442ff8f7fb96fcc83700d6
SHA2565e4fb709112882b765db2cb26f855348b45f55be00fa2fc9648fc6a4f3d46a7f
SHA512b698dc232ae6d93232daff2313cc5e0b6d7ec7bfff3354a1f67d00d4de1599850161f8d8ee3cc3a5ccc5002316a21b9c955968aa64c298e15598dc4dfcf32b77
-
Filesize
11KB
MD585d9d61355f9538088008e29c407434c
SHA1fa7f64a0be82f00f67dcbef2efe3504716eaf9a3
SHA25650d24d1cf55b4d50f175b819623f5502c088ddeb80547334431d5841329bde72
SHA5121c848e11b824ce410f20bc6f1c07bb2259aef09e5e9ce176eed3f137f55c9994ebfa42896141b66dc0137d022bb3c2a20c38273deed9fa1c1832952232ed3ec1
-
Filesize
11KB
MD58ffc1b7791b4906e3ee2989020b281c5
SHA15ba6746b4a955047be25090005e00a6f7979adab
SHA2568c3149aff0f31520850b70fb0b741d09f74e210168d8fbdd7f7265d534197870
SHA512200dff64014cd085a1b269f84b3676afd203858b40b52f3aa8effa36a2eb327ea6ea0e67541417fe696e23374933912f5623cff7ccb0bc70e939bd185bf0b198