Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2024 01:05
Static task: static1
Behavioral task: behavioral1
Sample: ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
Resource: win7-20240729-en
General
Target: ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
Size: 26.2MB
MD5: e9a61d220a0df35ea009b602eec9a9a7
SHA1: e9ef755041a907cd394d23da33784ab4a12c75a7
SHA256: ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531
SHA512: de8787231952a993f0c98c8f5268e171aa7c34b7722ed36e4ab4e418e116b67bab455069ce3507e5df3c9d66831b9c0f423bde6c8573161530e3f90a66a0b266
SSDEEP: 393216:kgIRvV8Y6xX3F+Gt/SArbLAE+/HnC/XZ1LF8HhZhpVLiQ2V8BWmy9DEtNhE:D6OY6pBSArYLC/p1Lg/pVOhyBS9ehE
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/4488-13102-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
behavioral2/memory/4488-13111-0x0000000000400000-0x0000000001F8C000-memory.dmp | purplefox_rootkit
behavioral2/memory/5792-26195-0x0000000000400000-0x0000000001F8C000-memory.dmp | purplefox_rootkit
behavioral2/memory/22904-39280-0x0000000000400000-0x0000000001F8C000-memory.dmp | purplefox_rootkit
behavioral2/memory/5792-39676-0x0000000000400000-0x0000000001F8C000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 5 IoCs
resource | yara_rule
behavioral2/memory/4488-13102-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
behavioral2/memory/4488-13111-0x0000000000400000-0x0000000001F8C000-memory.dmp | family_gh0strat
behavioral2/memory/5792-26195-0x0000000000400000-0x0000000001F8C000-memory.dmp | family_gh0strat
behavioral2/memory/22904-39280-0x0000000000400000-0x0000000001F8C000-memory.dmp | family_gh0strat
behavioral2/memory/5792-39676-0x0000000000400000-0x0000000001F8C000-memory.dmp | family_gh0strat
Gh0strat family
Purplefox family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | LineAppMgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | LINE.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | LINE.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | LineAppMgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | LineAppMgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | LINE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | LINE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | LINE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | LINE.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | LineLauncher.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | LineLauncher.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | LineUpdater.exe
Executes dropped EXE 11 IoCs
pid | Process
4488 | yqyfghg.exe
3820 | LineInst.exe
5792 | Tlctl.exe
22904 | Tlctl.exe
22944 | LineInst_240649078.exe
24248 | LineAppMgr.exe
24440 | LineLauncher.exe
11884 | LINE.exe
25216 | LineUpdater.exe
25364 | LineLauncher.exe
25432 | LINE.exe
Loads dropped DLL 58 IoCs
pid | Process | count
22944 | LineInst_240649078.exe | 4
24248 | LineAppMgr.exe | 3
11884 | LINE.exe | 24
25432 | LINE.exe | 27
resource | yara_rule
behavioral2/files/0x0008000000023c77-39491.dat | themida
behavioral2/memory/24248-39498-0x00007FF635EC0000-0x00007FF63676C000-memory.dmp | themida
behavioral2/memory/24248-39500-0x00007FF635EC0000-0x00007FF63676C000-memory.dmp | themida
behavioral2/memory/24248-39501-0x00007FF635EC0000-0x00007FF63676C000-memory.dmp | themida
behavioral2/memory/24248-39505-0x00007FF635EC0000-0x00007FF63676C000-memory.dmp | themida
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LineAppMgr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LINE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LINE.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | Tlctl.exe
File opened (read-only) | \??\T: | Tlctl.exe
File opened (read-only) | \??\X: | Tlctl.exe
File opened (read-only) | \??\Y: | Tlctl.exe
File opened (read-only) | \??\Z: | Tlctl.exe
File opened (read-only) | \??\K: | Tlctl.exe
File opened (read-only) | \??\P: | Tlctl.exe
File opened (read-only) | \??\V: | Tlctl.exe
File opened (read-only) | \??\W: | Tlctl.exe
File opened (read-only) | \??\J: | Tlctl.exe
File opened (read-only) | \??\E: | Tlctl.exe
File opened (read-only) | \??\G: | Tlctl.exe
File opened (read-only) | \??\H: | Tlctl.exe
File opened (read-only) | \??\R: | Tlctl.exe
File opened (read-only) | \??\S: | Tlctl.exe
File opened (read-only) | \??\B: | Tlctl.exe
File opened (read-only) | \??\L: | Tlctl.exe
File opened (read-only) | \??\M: | Tlctl.exe
File opened (read-only) | \??\O: | Tlctl.exe
File opened (read-only) | \??\Q: | Tlctl.exe
File opened (read-only) | \??\U: | Tlctl.exe
File opened (read-only) | \??\I: | Tlctl.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | LINE.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | LINE.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Tlctl.exe | yqyfghg.exe
File created | C:\Windows\SysWOW64\Tlctl.exe | yqyfghg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs
pid | Process | count
4488 | yqyfghg.exe | 4
5792 | Tlctl.exe | 2
22904 | Tlctl.exe | 26
24248 | LineAppMgr.exe | 1
11884 | LINE.exe | 1
25432 | LINE.exe | 1
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LineInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LineInst_240649078.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LineLauncher.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LineUpdater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LineLauncher.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yqyfghg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tlctl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tlctl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
62432 | cmd.exe
22880 | PING.EXE
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Tlctl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Tlctl.exe
Modifies Internet Explorer settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LineD.exe = "11000" | LineLauncher.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LINE.exe = "11000" | LineLauncher.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LineD.exe = "11000" | LineLauncher.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LINE.exe = "11000" | LINE.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LineD.exe = "11000" | LINE.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LINE.exe = "11000" | LineLauncher.exe
Modifies data under HKEY_USERS 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | Tlctl.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | Tlctl.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | Tlctl.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Tlctl.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | Tlctl.exe
Modifies registry class 27 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\ = "URL:LINE Protocol" | LineInst_240649078.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\DefaultIcon | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\shell\ | LineInst_240649078.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line | LineInst_240649078.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\DefaultIcon | LineInst_240649078.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\shell\open | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\LINE\\bin\\LineLauncher.exe\",0" | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\shell\open\ | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\LINE\\bin\\LineLauncher.exe\" \"%1\"" | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\LINE\\bin\\LineLauncher.exe\" \"%1\"" | LineInst_240649078.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\LINE\\bin\\LineLauncher.exe\",0" | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\shell\ | LineInst_240649078.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\shell\open\command | LineInst_240649078.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{6B310B56-DE84-4E05-88BF-998ABE5EB2C3} | LINE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\LINE\\bin\\LineLauncher.exe\" \"%1\"" | LINE.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\shell\open | LineInst_240649078.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{3FDD2DDE-CBD1-4F0D-9528-3BB123A9DA23} | LINE.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{9796604D-3C1A-45B2-8C8E-3F7F0BD4E167} | LINE.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\shell | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\ = "URL:LINE Protocol" | LineInst_240649078.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\shell | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\URL Protocol | LineInst_240649078.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{234AE05E-3A1F-4C48-BF1B-BBA725827C6F} | LINE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\URL Protocol | LineInst_240649078.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lineb\shell\open\command | LineInst_240649078.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\line\shell\open\ | LineInst_240649078.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
22880 | PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
11884 | LINE.exe
25432 | LINE.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
22944 | LineInst_240649078.exe | 8
22904 | Tlctl.exe | 56
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4488 | yqyfghg.exe
Token: 33 | 22904 | Tlctl.exe
Token: SeIncBasePriorityPrivilege | 22904 | Tlctl.exe
Suspicious use of FindShellTrayWindow 7 IoCs
pid | Process | count
22944 | LineInst_240649078.exe | 2
25432 | LINE.exe | 5
Suspicious use of SendNotifyMessage 5 IoCs
pid | Process | count
25432 | LINE.exe | 5
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
11884 | LINE.exe
25432 | LINE.exe
Suspicious use of WriteProcessMemory 33 IoCs
description | pid | Process | procid_target | count
PID 4492 wrote to memory of 4488 | 4492 | ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe | 86 | 3
PID 4492 wrote to memory of 3820 | 4492 | ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe | 88 | 3
PID 5792 wrote to memory of 22904 | 5792 | Tlctl.exe | 94 | 3
PID 4488 wrote to memory of 62432 | 4488 | yqyfghg.exe | 95 | 3
PID 62432 wrote to memory of 22880 | 62432 | cmd.exe | 97 | 3
PID 3820 wrote to memory of 22944 | 3820 | LineInst.exe | 98 | 3
PID 22944 wrote to memory of 24248 | 22944 | LineInst_240649078.exe | 104 | 2
PID 3820 wrote to memory of 24440 | 3820 | LineInst.exe | 106 | 3
PID 24440 wrote to memory of 11884 | 24440 | LineLauncher.exe | 107 | 2
PID 11884 wrote to memory of 25216 | 11884 | LINE.exe | 108 | 3
PID 25216 wrote to memory of 25364 | 25216 | LineUpdater.exe | 109 | 3
PID 25364 wrote to memory of 25432 | 25364 | LineLauncher.exe | 110 | 2
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4492
    [2] C:\Users\Admin\AppData\Local\Temp\yqyfghg.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\yqyfghg.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4488
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\yqyfghg.exe > nul
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory
            PID: 62432
            [4] C:\Windows\SysWOW64\PING.EXE
                Command: ping -n 2 127.0.0.1
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
                PID: 22880
    [2] C:\Users\Admin\AppData\Local\Temp\LineInst.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\LineInst.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3820
        [3] C:\Users\Admin\AppData\Local\Temp\LineInst_240649078.exe
            Command: C:\Users\Admin\AppData\Local\Temp\\LineInst_240649078.exe /M
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            PID: 22944
            [4] C:\Users\Admin\AppData\Local\LINE\bin\9.4.2.3477\LineAppMgr.exe
                Command: "C:\Users\Admin\AppData\Local\LINE\bin\9.4.2.3477\LineAppMgr.exe" -afterinstall
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Loads dropped DLL
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                PID: 24248
        [3] C:\Users\Admin\AppData\Local\LINE\bin\LineLauncher.exe
            Command: C:\Users\Admin\AppData\Local\LINE\bin\LineLauncher.exe
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of WriteProcessMemory
            PID: 24440
            [4] C:\Users\Admin\AppData\Local\LINE\bin\9.4.2.3477\LINE.exe
                Command: "C:\Users\Admin\AppData\Local\LINE\bin\9.4.2.3477\LINE.exe" run -t 240698187
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Loads dropped DLL
                - Checks whether UAC is enabled
                - Checks system information in the registry
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Modifies registry class
                - Suspicious behavior: AddClipboardFormatListener
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 11884
                [5] C:\Users\Admin\AppData\Local\LINE\bin\LineUpdater.exe
                    Command: C:\Users\Admin\AppData\Local/LINE//bin/LineUpdater.exe --deploy 9.4.2.3477 en-US real 0
                    - Checks computer location settings
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    PID: 25216
                    [6] C:\Users\Admin\AppData\Local\LINE\bin\LineLauncher.exe
                        Command: "C:\Users\Admin\AppData\Local\LINE\bin\LineLauncher.exe" --updated 9.4.2.3477
                        - Checks computer location settings
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Modifies Internet Explorer settings
                        - Suspicious use of WriteProcessMemory
                        PID: 25364
                        [7] C:\Users\Admin\AppData\Local\LINE\bin\9.4.2.3477\LINE.exe
                            Command: "C:\Users\Admin\AppData\Local\LINE\bin\9.4.2.3477\LINE.exe" run --updated 9.4.2.3477 -t 240728500
                            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            - Checks BIOS information in registry
                            - Executes dropped EXE
                            - Loads dropped DLL
                            - Checks whether UAC is enabled
                            - Checks system information in the registry
                            - Suspicious use of NtSetInformationThreadHideFromDebugger
                            - Modifies Internet Explorer settings
                            - Modifies registry class
                            - Suspicious behavior: AddClipboardFormatListener
                            - Suspicious use of FindShellTrayWindow
                            - Suspicious use of SendNotifyMessage
                            - Suspicious use of SetWindowsHookEx
                            PID: 25432
[1] C:\Windows\SysWOW64\Tlctl.exe
    Command: C:\Windows\SysWOW64\Tlctl.exe -auto
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5792
    [2] C:\Windows\SysWOW64\Tlctl.exe
        Command: C:\Windows\SysWOW64\Tlctl.exe -acsi
        - Executes dropped EXE
        - Enumerates connected drives
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 22904
Network
MITRE ATT&CK Enterprise v15
Discovery
- Peripheral Device Discovery: 1
- Query Registry: 7
- Remote System Discovery: 1
- System Information Discovery: 7
- System Location Discovery: 1
- System Language Discovery: 1
- System Network Configuration Discovery: 1
- Internet Connection Discovery: 1
- Virtualization/Sandbox Evasion: 1
Downloads