Analysis
- max time kernel: 300s
- max time network: 264s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2023 07:39
Behavioral task behavioral1
- Sample: RMTGXSC.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: RMTGXSC.exe
- Resource: win10v2004-20230220-en
General
- Target: RMTGXSC.exe
- Size: 483KB
- MD5: 5097acd1e5dfea3d734788584b148d0a
- SHA1: 2194df0f5d37664dcaf069e7a84b5c38fc55bbff
- SHA256: ce43e9b8fd7c4442c9fdbbf3a236bdb63e05b9dd23b57e1ac184a0e4e861c25c
- SHA512: 54fb01f16a18420d2ed6232c8161b327b529965c99eda2c029bd7e80219d050b06efa1c89abe017a045aac6f9f7ffcd7ca83e8a799022adfde01c8786e455db4
- SSDEEP: 12288:qsHzOUNUSB/o5LsI1uwajJ5yvv1l2EepGHNu4n4UUxa34EPf:diUmSB/o5d1ubcvjI4ftHX
Malware Config
- Extracted from: C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\[email protected] Readme.txt
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid Process: 2004 bcdedit.exe; 4116 bcdedit.exe
- yara rule upx (30 IoCs)
  resource yara_rule: 30 memory dumps of PID 2600 (behavioral2/memory/2600-*-0x0000000000420000-0x000000000053D000-memory.dmp) matched rule upx
- Drops desktop.ini file(s) (16 IoCs)
  description ioc Process: File opened for modification by RMTGXSC.exe:
  - C:\Users\Admin\3D Objects\desktop.ini
  - C:\Users\Admin\Documents\desktop.ini
  - C:\Users\Admin\Favorites\desktop.ini
  - C:\Users\Admin\Links\desktop.ini
  - C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  - C:\Users\Admin\Pictures\desktop.ini
  - C:\Users\Admin\Saved Games\desktop.ini
  - C:\Users\Admin\Videos\desktop.ini
  - C:\Users\Admin\Contacts\desktop.ini
  - C:\Users\Admin\Desktop\desktop.ini
  - C:\Users\Admin\Downloads\desktop.ini
  - C:\Users\Admin\Favorites\Links\desktop.ini
  - C:\Users\Admin\OneDrive\desktop.ini
  - C:\Users\Admin\Music\desktop.ini
  - C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  - C:\Users\Admin\Searches\desktop.ini
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description ioc Process: File opened (read-only) by RMTGXSC.exe for each of \??\a:, \??\b:, \??\e:, \??\f:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:
- AutoIT Executable (30 IoCs)
  AutoIT scripts compiled to PE executables.
  resource yara_rule: 30 memory dumps of PID 2600 (behavioral2/memory/2600-*-0x0000000000420000-0x000000000053D000-memory.dmp) matched rule autoit_exe
- Drops file in Program Files directory (5 IoCs)
  description ioc Process:
  - File opened for modification C:\PROGRA~2\COMMON~1\4404287643 RMTGXSC.exe
  - File created C:\PROGRA~2\COMMON~1\RMTGXSC.exe RMTGXSC.exe
  - File opened for modification C:\PROGRA~2\COMMON~1\RMTGXSC.exe RMTGXSC.exe
  - File opened for modification C:\PROGRA~2\COMMON~1\log.txt RMTGXSC.exe
  - File created C:\PROGRA~2\COMMON~1\34678240443467824044 RMTGXSC.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid Process: 4256 schtasks.exe
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid Process: 1564 ipconfig.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid Process: 4928 vssadmin.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid Process: 2600 RMTGXSC.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description pid Process: Token: SeBackupPrivilege 4968 vssvc.exe; Token: SeRestorePrivilege 4968 vssvc.exe; Token: SeAuditPrivilege 4968 vssvc.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid Process: 2600 RMTGXSC.exe (64 identical events)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid Process: 2600 RMTGXSC.exe (64 identical events)
- Suspicious use of WriteProcessMemory (32 IoCs)
  description pid Process procid_target (identical rows collapsed, event count in parentheses):
  - PID 2600 RMTGXSC.exe wrote to memory of 3284, procid_target 83 (3)
  - PID 3284 cmd.exe wrote to memory of 1564, procid_target 85 (3)
  - PID 2600 RMTGXSC.exe wrote to memory of 1396, procid_target 86 (3)
  - PID 1396 cmd.exe wrote to memory of 4256, procid_target 88 (3)
  - PID 2600 RMTGXSC.exe wrote to memory of 532, procid_target 90 (2)
  - PID 2600 RMTGXSC.exe wrote to memory of 1776, procid_target 91 (2)
  - PID 2600 RMTGXSC.exe wrote to memory of 2464, procid_target 92 (2)
  - PID 532 cmd.exe wrote to memory of 1012, procid_target 97 (2)
  - PID 1776 cmd.exe wrote to memory of 3724, procid_target 96 (2)
  - PID 532 cmd.exe wrote to memory of 4928, procid_target 98 (2)
  - PID 1776 cmd.exe wrote to memory of 2004, procid_target 99 (2)
  - PID 2464 cmd.exe wrote to memory of 4712, procid_target 100 (2)
  - PID 2464 cmd.exe wrote to memory of 4116, procid_target 101 (2)
  - PID 2600 RMTGXSC.exe wrote to memory of 1992, procid_target 104 (2)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\RMTGXSC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RMTGXSC.exe"
  PID: 2600
  Signatures: Drops desktop.ini file(s); Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
    PID: 3284
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /all
      PID: 1564
      Signatures: Gathers network information
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3467824044 /rl highest /tr C:\PROGRA~2\COMMON~1\RMTGXSC.exe
    PID: 1396
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc onlogon /tn 3467824044 /rl highest /tr C:\PROGRA~2\COMMON~1\RMTGXSC.exe
      PID: 4256
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C title 8072264|vssadmin.exe Delete Shadows /All /Quiet
    PID: 532
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" title 8072264"
      PID: 1012
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 4928
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C title 9118689|bcdedit /set {default} recoveryenabled No
    PID: 1776
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" title 9118689"
      PID: 3724
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled No
      PID: 2004
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C title 7783996|bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 2464
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" title 7783996"
      PID: 4712
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID: 4116
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\notepad.exe
    Command line: notepad.exe
    PID: 1992
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4968
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4KB
  MD5: 89201ad786bbcde72c99493d5da3cf1e
  SHA1: 3eb53340eaf13d3ac8af7f5f4b5e1b6a62fad915
  SHA256: 4406795c3e7e15583f28cf32078dc02578a3195459624b285d0940768be929da
  SHA512: 41baa0a9186b9b9ee3f1229b337faa69aedb883e8fbf60f20e44d15dbd97fcf3f7ba953320683fb76bac32179755b222217d06562c86ae7387ec4a533bce2d89
- Filesize: 591KB
  MD5: 8335fe17a6f22a7922031da8d1e0b795
  SHA1: 7f1087327a1c36de4a478fbd56fa2a7da9f4f16e
  SHA256: db2f1da27ce789c2341400f32ea688e7d7184dc672ec6bce4bdb4bf6a96c518a
  SHA512: ab802318313d2ad7cb74b25e6b25a16af8b780b9f515dc710aede20f98b3b64586c7f9bd206bd5da48e268175308fd4a1fcf9421374754c93b68d6365fcfaa02
- C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\[email protected] Readme.txt
  Filesize: 378B
  MD5: d54d2429152085dcaa30c3afbaf201df
  SHA1: dc512d715ef481df3183e1a6e4aa5504fad853f8
  SHA256: 567683423be72c5e5f0de61e34645673c423bdf15554d3a62db3639103119f47
  SHA512: 0d073429e76e57b4b9a5899190a17de311c09b5cef805fa66702471a76ea5a443680a0e6bc0942a22abd50da46882903a3de05fab1bab96914808b75dffdd69c