Analysis
max time kernel: 140s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 06:27
Static task: static1
Behavioral task: behavioral1
  Sample: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  Resource: win10v2004-20220901-en
General
Target: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Size: 1.1MB
MD5: 49357de181571d86ef91c9225b95b474
SHA1: 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723
SSDEEP: 24576:8MwVW5oFASygtv2/ryWLivEDT00MVq3UHr2BlKVb:8OoFASyg92T/oEDT9MVQU8ib
Malware Config
Extracted: darkcomet
Campaign ID / botnet tag: Securityy ;3
C2: 89.215.253.73:1605
Mutex: DCMIN_MUTEX-V730MT7
InstallPath: DCSCMIN\IMDCSC.exe
gencode: jmPfYy0Z7wHy
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Note on the flags: "persistence" is DarkComet's process-watchdog option (restart the implant if it is killed), not autorun. Autorun is governed by install and reg_key, and the Run key named "DarkComet RAT" plus the Winlogon UserInit entry are observed in this run regardless of the persistence flag (see Signatures). offline_keylogger means keystrokes are logged to disk even while the C2 is unreachable.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\DCSCMIN\\IMDCSC.exe"  [e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe]
  Winlogon runs every comma-separated entry of UserInit at each interactive logon, so the appended path starts the RAT for whichever user logs in. A clean value contains only the system32 userinit.exe; writing this HKLM value needs administrative rights, which the sandbox user (Admin) had.
Executes dropped EXE (5 IoCs)
  PID 4084 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  PID 4136 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  PID 432 IMDCSC.exe
  PID 4164 IMDCSC.exe
  PID 4728 IMDCSC.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  [e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe]
Adds Run key to start application (2 TTPs, 9 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"  [e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe x2, IMDCSC.exe x2]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"  [e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe x2, IMDCSC.exe x2]
  Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\DCSCMIN\\IMDCSC.exe"  [e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe]
  Two autorun targets are set: the configured InstallPath (C:\DCSCMIN\IMDCSC.exe, under the reg_key name "DarkComet RAT") and a second one, %AppData%\Roaming\InstallDir\help.exe, written to both the user and the WOW6432Node machine Run keys. No drop of help.exe is listed under Downloads, so that path is worth checking on a real host even though this run did not capture the file.
Suspicious use of SetThreadContext (8 IoCs)
  PID 3400 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe set thread context of 360 (iexplore.exe)
  PID 3400 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe set thread context of 4084 (copy of itself)
  PID 4084 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe set thread context of 2996 (iexplore.exe)
  PID 4084 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe set thread context of 4136 (copy of itself)
  PID 432 IMDCSC.exe set thread context of 3696 (iexplore.exe)
  PID 432 IMDCSC.exe set thread context of 4164 (IMDCSC.exe)
  PID 4164 IMDCSC.exe set thread context of 4756 (iexplore.exe)
  PID 4164 IMDCSC.exe set thread context of 4728 (IMDCSC.exe)
  Every target is a process the writer itself has just spawned, either a fresh iexplore.exe or a second copy of its own image, and the WriteProcessMemory list (capped at 64 entries, so it only covers the 3400 and 4084 stages) shows the same pairs. Create child, write into it, reset its thread context is the RunPE / process-hollowing sequence: the iexplore.exe instances are hosts for injected code, not browsers the user opened, and each stage re-executes its own image once before reaching the final IMDCSC.exe (PID 4728), which is the process that adjusts privileges and installs hooks.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this heuristic is "likely ransomware behaviour"; nothing else in this report (no file encryption, no ransom note) supports that, and DarkComet enumerates drives for its remote file manager.

Modifies Internet Explorer settings
  All of these writes come from iexplore.exe / IEXPLORE.EXE, the processes used as hollowing hosts above; they are ordinary Internet Explorer housekeeping (update timestamps, window placement, session recovery) rather than RAT configuration. Distinct entries, repeats across the IE instances collapsed, all under \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\:
  Key created: Recovery\AdminActive; Recovery\PendingRecovery; VersionManager; Main; Main\WindowsSearch; DomainSuggestion; DomainSuggestion\FileNames
  Set value (int) VersionManager\LastCheckForUpdateHighDateTime = "30989640"
  Set value (int) VersionManager\LastCheckForUpdateLowDateTime = "251067352", "167940128", "277159833", "232003664", "253253724"
  Set value (int) VersionManager\LastUpdateHighDateTime = "30989640"
  Set value (int) VersionManager\LastUpdateLowDateTime = "167940128"
  Set value (int) VersionManager\LastTTLHighDateTime = "50"
  Set value (int) VersionManager\LastTTLLowDateTime = "1251635200"
  Set value (str) Main\WindowsSearch\Version = "WS not running"
  Set value (int) Main\CompatibilityFlags = "0"
  Set value (str) Main\FullScreen = "no"
  Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000
  Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000
  Set value (int) Recovery\AdminActive\{3572DFFB-493B-11ED-A0EE-4A7057C3C021} = "0"
  Set value (int) Recovery\AdminActive\{3A817CA1-493B-11ED-A0EE-4A7057C3C021} = "0"
  Set value (int) Recovery\PendingRecovery\AdminActive = "0", "1"
  Set value (int) DomainSuggestion\NextUpdateDate = "372240397"
  Set value (str) DomainSuggestion\FileNames\en-US = "en-US.1"
Modifies registry class (1 IoC)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe]
Runs net.exe
  Each stage runs cmd.exe /c net stop MpsSvc (four times in the process tree: from PIDs 3400, 4084, 432 and 4164), and net.exe hands the request to net1.exe. MpsSvc is the Windows Defender Firewall service, so this is an attempt to switch the host firewall off before the C2 connection; stopping it needs administrative rights. A "net stop MpsSvc" or "net1 stop MpsSvc" command line, or a service stop event for MpsSvc, is a high-signal detection on its own.
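The three host artefacts above (the Winlogon UserInit hijack, the Run keys pointing outside normal install locations, and the firewall stop) can be checked from registry and process-creation telemetry. The following is an added example and is not part of the sandbox output: the events it walks are constructed from the values on this page in a Sysmon-like shape, the OneDrive entry is a benign control that does not appear in the report, and the trusted-root list is an assumption for illustration.

```python
"""Checks for the persistence and firewall-tampering artefacts in this report.

Added example, not part of the sandbox output. The events below are
constructed from the registry values and command lines on this page in a
Sysmon-like shape; they are not real telemetry.
"""
import re
from typing import Iterable, Optional

# The only executable that belongs in Winlogon\UserInit on a stock system.
# Winlogon runs every comma-separated entry at logon.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Assumed allowlist: Run-key targets outside these roots deserve a look.
# The report's entries point into C:\DCSCMIN\ and %AppData%\Roaming\InstallDir\.
TRUSTED_RUN_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# MpsSvc is the Windows Defender Firewall service; matches net.exe and net1.exe.
FIREWALL_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+mpssvc\b", re.IGNORECASE)


def split_userinit(value: str) -> list:
    """Split a UserInit value into its executables (a trailing comma is normal)."""
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]


def check_userinit(value: str) -> list:
    """Return every UserInit entry other than the expected userinit.exe."""
    return [p for p in split_userinit(value) if p != EXPECTED_USERINIT]


def run_target(value: str) -> str:
    """Image path of a Run-key value: the quoted path, else the first token.

    Unquoted paths containing spaces are cut at the first space; that is a
    limitation of this example, not of the Run key.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        inner = value[1:end] if end > 0 else value[1:]
        return inner.lower()
    return value.split(" ", 1)[0].lower()


def check_run_value(value: str) -> Optional[str]:
    """Return the target path if it lies outside the trusted roots, else None."""
    target = run_target(value)
    return None if target.startswith(TRUSTED_RUN_ROOTS) else target


def scan(events: Iterable[dict]) -> list:
    """Walk registry-set and process-create events and collect findings."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            key = ev["key"].lower()
            if key.endswith("\\winlogon\\userinit"):
                for extra in check_userinit(ev["value"]):
                    findings.append("userinit_hijack:" + extra)
            elif "\\currentversion\\run\\" in key:
                target = check_run_value(ev["value"])
                if target is not None:
                    findings.append("run_key_untrusted:" + target)
        elif ev["type"] == "process_create":
            if FIREWALL_STOP.search(ev["cmdline"]):
                findings.append("firewall_stop:pid=%d" % ev["pid"])
    return findings


# Constructed from the values on this page; the OneDrive entry is a benign
# control that is not in the report.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
     "value": "C:\\Windows\\system32\\userinit.exe,C:\\DCSCMIN\\IMDCSC.exe"},
    {"type": "registry_set",
     "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\help",
     "value": "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"},
    {"type": "registry_set",
     "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\DarkComet RAT",
     "value": "C:\\DCSCMIN\\IMDCSC.exe"},
    {"type": "registry_set",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "value": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    {"type": "process_create", "pid": 4768, "cmdline": "cmd.exe /c net stop MpsSvc"},
    {"type": "process_create", "pid": 804, "cmdline": "net stop MpsSvc"},
    {"type": "process_create", "pid": 512, "cmdline": "C:\\Windows\\system32\\net1 stop MpsSvc"},
    {"type": "process_create", "pid": 9999, "cmdline": "net start MpsSvc"},
]


def demo() -> list:
    """Run the checks over the constructed events."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The UserInit check compares whole paths after splitting on commas, so a value of "userinit.exe," (the stock trailing comma) produces nothing while the appended C:\DCSCMIN\IMDCSC.exe is reported; the Run-key check deliberately flags the help.exe path even though no such drop was captured, because the autorun entry is the artefact that survives on a host.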
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 3400 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe (x2)
  PID 4084 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe (x2)
  PID 432 IMDCSC.exe (x2)
  PID 4164 IMDCSC.exe (x2)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3696 iexplore.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 4136 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe and PID 4728 IMDCSC.exe each adjust the same 24 privileges on their own token:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  The bare numbers are privilege LUIDs the sandbox did not resolve to names: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege present on the token in one sweep, rather than the single one an action needs, is itself a usable detection; SeDebugPrivilege and SeBackupPrivilege/SeRestorePrivilege are the ones that matter for a RAT (opening other processes, reading files regardless of ACLs).
Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 360 iexplore.exe; PID 3696 iexplore.exe (x2)
Suspicious use of SetWindowsHookEx (15 IoCs)
  PID 360 iexplore.exe (x2); PID 3408 IEXPLORE.EXE (x2); PID 3696 iexplore.exe (x4); PID 3524 IEXPLORE.EXE (x2); PID 4728 IMDCSC.exe (x1); PID 1752 IEXPLORE.EXE (x4)
  The hook installed by IMDCSC.exe (PID 4728), the final stage, is consistent with the offline_keylogger setting in the extracted config; the hooks from the IE processes are the browser's own.
Suspicious use of WriteProcessMemory (64 IoCs; repeated writes to the same target collapsed, the sandbox stops listing at 64 entries)
  PID 3400 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe wrote to memory of 4768 (cmd.exe)
  PID 3400 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe wrote to memory of 360 (iexplore.exe)
  PID 4768 cmd.exe wrote to memory of 804 (net.exe)
  PID 804 net.exe wrote to memory of 512 (net1.exe)
  PID 3400 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe wrote to memory of 4084 (copy of itself)
  PID 360 iexplore.exe wrote to memory of 3408 (IEXPLORE.EXE)
  PID 4084 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe wrote to memory of 1848 (cmd.exe)
  PID 4084 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe wrote to memory of 2996 (iexplore.exe)
  PID 1848 cmd.exe wrote to memory of 372 (net.exe)
  PID 372 net.exe wrote to memory of 2652 (net1.exe)
  PID 4084 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe wrote to memory of 4136 (copy of itself)
  PID 4136 e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe wrote to memory of 432 (IMDCSC.exe)
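The SetThreadContext and WriteProcessMemory lists only become meaningful when correlated: a parent writing into a child it just created is also what CreateProcess does for the cmd.exe and net.exe children, so the write alone is weak, and the thread-context reset is the discriminator. The following added example (not part of the sandbox output) walks constructed events built from the PIDs on this page and returns the hollowing pairs; the event order and the collapse of repeated writes are assumptions, and the 432/4164 stages are omitted because the capped WriteProcessMemory list does not cover them.

```python
"""Correlate WriteProcessMemory and SetThreadContext IoCs into hollowing chains.

Added example, not part of the sandbox output. Events are constructed from
the PIDs in this report; repeated writes are collapsed and the WriteProcessMemory
list on the page stops at 64 entries, so this is the shape of the data, not a
full replay.
"""
from collections import defaultdict
from typing import Iterable, List, Tuple

SAMPLE = "e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"

# PID -> image name, taken from the process tree in this report.
IMAGES = {
    3400: SAMPLE, 4768: "cmd.exe", 804: "net.exe", 512: "net1.exe",
    360: "iexplore.exe", 3408: "IEXPLORE.EXE", 4084: SAMPLE,
    1848: "cmd.exe", 372: "net.exe", 2652: "net1.exe",
    2996: "iexplore.exe", 4136: SAMPLE, 432: "IMDCSC.exe",
}

# (event, actor pid, target pid) in the order the sandbox lists them.
EVENTS = [
    ("create", 3400, 4768), ("write", 3400, 4768),
    ("create", 3400, 360), ("write", 3400, 360), ("setctx", 3400, 360),
    ("create", 4768, 804), ("write", 4768, 804),
    ("create", 804, 512), ("write", 804, 512),
    ("create", 3400, 4084), ("write", 3400, 4084), ("setctx", 3400, 4084),
    ("create", 360, 3408), ("write", 360, 3408),
    ("create", 4084, 1848), ("write", 4084, 1848),
    ("create", 4084, 2996), ("write", 4084, 2996), ("setctx", 4084, 2996),
    ("create", 1848, 372), ("write", 1848, 372),
    ("create", 372, 2652), ("write", 372, 2652),
    ("create", 4084, 4136), ("write", 4084, 4136), ("setctx", 4084, 4136),
    ("create", 4136, 432), ("write", 4136, 432),
]


def find_hollowing(events: Iterable[Tuple[str, int, int]]) -> List[Tuple[int, int]]:
    """Return (actor, target) pairs showing create -> write -> setctx in that order.

    The cmd.exe / net.exe children receive a write but never a thread-context
    reset, so they are not reported; the iexplore.exe hosts and the self-copies
    are.
    """
    first = defaultdict(dict)  # (actor, target) -> {event kind: first index}
    for i, (kind, actor, target) in enumerate(events):
        first[(actor, target)].setdefault(kind, i)
    hits = []
    for pair, seen in first.items():
        if {"create", "write", "setctx"}.issubset(seen) and \
                seen["create"] < seen["write"] < seen["setctx"]:
            hits.append(pair)
    return hits


def describe(hits: List[Tuple[int, int]]) -> List[str]:
    """Human-readable lines; a target with the actor's own image is a self-copy."""
    out = []
    for actor, target in hits:
        a, t = IMAGES.get(actor, "?"), IMAGES.get(target, "?")
        how = "hollows a copy of itself" if a == t else "hollows " + t
        out.append("%d %s %s (pid %d)" % (actor, a, how, target))
    return out


def demo() -> List[str]:
    """Correlate the constructed events."""
    return describe(find_hollowing(EVENTS))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against real telemetry the same rule applies to Sysmon event 1 (create), event 8 or 10 with write access (the write is not logged directly by Sysmon, so a process-access event with PROCESS_VM_WRITE is the usual stand-in), and an EDR's SetThreadContext event; the ordering requirement is what keeps CreateProcess's own writes out of the result.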
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  (PID 3400)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"
    Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe  (PID 4768)
      cmdline: /c net stop MpsSvc
      Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe  (PID 804)
        cmdline: net stop MpsSvc
        Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe  (PID 512)
          cmdline: C:\Windows\system32\net1 stop MpsSvc
  [2] C:\Program Files\Internet Explorer\iexplore.exe  (PID 360)
      cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"
      Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 3408)
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:17410 /prefetch:2
        Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  (PID 4084)
      cmdline: C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
      Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1848)
        cmdline: /c net stop MpsSvc
        Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe  (PID 372)
          cmdline: net stop MpsSvc
          Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe  (PID 2652)
            cmdline: C:\Windows\system32\net1 stop MpsSvc
    [3] C:\Program Files\Internet Explorer\iexplore.exe  (PID 2996)
        cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"
        Modifies Internet Explorer settings
    [3] C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  (PID 4136)
        cmdline: C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
        Modifies WinLogon for persistence; Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      [4] C:\DCSCMIN\IMDCSC.exe  (PID 432)
          cmdline: "C:\DCSCMIN\IMDCSC.exe"
          Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 1500)
            cmdline: /c net stop MpsSvc
          [6] C:\Windows\SysWOW64\net.exe  (PID 1016)
              cmdline: net stop MpsSvc
            [7] C:\Windows\SysWOW64\net1.exe  (PID 1152)
                cmdline: C:\Windows\system32\net1 stop MpsSvc
        [5] C:\Program Files\Internet Explorer\iexplore.exe  (PID 3696)
            cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"
            Modifies Internet Explorer settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 3524)
              cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3696 CREDAT:17410 /prefetch:2
              Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1752)
              cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3696 CREDAT:17414 /prefetch:2
              Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
        [5] C:\DCSCMIN\IMDCSC.exe  (PID 4164)
            cmdline: C:\DCSCMIN\IMDCSC.exe
            Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 2000)
              cmdline: /c net stop MpsSvc
            [7] C:\Windows\SysWOW64\net.exe  (PID 3724)
                cmdline: net stop MpsSvc
              [8] C:\Windows\SysWOW64\net1.exe  (PID 1280)
                  cmdline: C:\Windows\system32\net1 stop MpsSvc
          [6] C:\Program Files\Internet Explorer\iexplore.exe  (PID 4756)
              cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"
              Modifies Internet Explorer settings
          [6] C:\DCSCMIN\IMDCSC.exe  (PID 4728)
              cmdline: C:\DCSCMIN\IMDCSC.exe
              Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

The tree is the same three-step pattern run twice: the dropper (3400) hollows an iexplore.exe, re-executes itself (4084), which again hollows an iexplore.exe and re-executes itself (4136); that third copy writes the Winlogon and Run-key persistence and launches the installed copy C:\DCSCMIN\IMDCSC.exe (432), which repeats the whole sequence from the install path down to 4728. Every stage also issues net stop MpsSvc.
Network
MITRE ATT&CK Enterprise v6
Downloads

Seven entries with no path captured, all with the target's size and hashes:
Filesize: 1.1MB
MD5: 49357de181571d86ef91c9225b95b474
SHA1: 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: fceed7a5f76725fb398c6a91ff552899
SHA1: 237aec000ae7c7c35a639664b1ad6c0d842a0749
SHA256: 2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383
SHA512: adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: e91d0ccc141e8cd3c1acd1d37cba31ff
SHA1: 1d1885a33fc9d53076cbf08ed18822c9a4d9f77e
SHA256: 90d72dc1d0ef5fe6f19629e673a49c05f15f8c7612bbb49f1aa127b7e927c957
SHA512: b191defda59e6b427525ae1e84b8683cae9fb3d2e18d8e70af52feff9e7199d7c37871a007576024dc3e2030f9dcdd3096cdff53d44d43506b2c51b7f4ba780d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3572DFFB-493B-11ED-A0EE-4A7057C3C021}.dat
Filesize: 5KB
MD5: f63725c0920a9d9ec62fe989432e8d18
SHA1: c567d6d7c8aa0214114d5528ebd7c197421caed7
SHA256: c0f1e1f1e2233333e0a31e2a82ae44d9fad08998ab0dde798c22c7986db89e74
SHA512: 895205e131144c614c8fa8832aa30753760f8007f32b0703ef4457f4edfebbe189dad4baec549d3f2883e7dbd6f6929cad09a180f269825fd1f8d71c3aed2405

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe (listed twice)
Filesize: 1.1MB
MD5: 49357de181571d86ef91c9225b95b474
SHA1: 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

Every captured executable drop is byte-identical to the submitted sample; the CryptnetUrlCache and RecoveryStore files are Internet Explorer's own artefacts from the hollowed browser processes. No copy of C:\DCSCMIN\IMDCSC.exe or of the help.exe named in the Run keys is listed, so those two paths and the SHA256 above are the file-level indicators to carry forward.