Analysis

Max time kernel:   150s
Max time network:  150s
Platform:          windows7_x64
Resource:          win7-20230712-en
Resource tags:     arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
Submitted:         08-08-2023 06:06

Static task:       static1
Behavioral task:   behavioral1
Sample:            fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe
Resource:          win7-20230712-en
General

Target:  fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe
Size:    385KB
MD5:     b289e58e4bfd1f1577b480dcbd0b00d1
SHA1:    70700a0b417fbbe9285984e7925d88a4091a2aff
SHA256:  fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d618bd91f2102c9c3760
SHA512:  9387fe7fc4f561f832e7069597d05f39df8ecf9513fa787913567dbc52f9fa49ed3559cbe78af8605b98e04176b1521a97d701245e092f710a2f6d0a8915d707
SSDEEP:  6144:6ziAiPfbfHD4kF4Ncf1N6lGOnF+ZNi9Vwsa:6uhPzfj4kF43T0P2ys
Malware Config

Extracted family:  redline
Botnet ID:         LogsDiller Cloud (TG: @logsdillabot)
C2:                209.250.248.11:33522
auth_value:        3a050df92d0cf082b2cdaf87863616be

The extracted configuration belongs to the RedLine stealer. The behavioural signatures below mostly come from a second component, the XMRig loader chain mi.exe -> setup.exe -> updater.exe, so this sample carries both an infostealer and a coin miner.
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess (11 IoCs)
The caller created a process while naming a different process as its parent (parent-PID spoofing, normally done with the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute). Both loader stages attach their children to explorer.exe (PID 1208), so the process tree below shows the cmd.exe/powershell.exe/schtasks.exe helpers, conhost.exe and a second explorer.exe as children of the desktop shell instead of setup.exe or updater.exe.

  description            pid   Process      procid_target  hits
  PID 2692 created 1208  2692  setup.exe    21             5
  PID 1028 created 1208  1028  updater.exe  21             6
XMRig Miner payload (7 IoCs)
Memory regions matching the xmrig yara rule. The six hits in PID 2704 (explorer.exe) are all the same 0x140000000-0x1407EF000 region, the linker default image base for an x64 executable, which fits an image mapped into a hollowed host rather than explorer.exe's own code; PID 2704 is also a SetThreadContext target of updater.exe below.

  resource                                                                       yara_rule
  behavioral1/memory/1028-228-0x000000013F6E0000-0x0000000140906000-memory.dmp  xmrig
  behavioral1/memory/2704-232-0x0000000140000000-0x00000001407EF000-memory.dmp  xmrig
  behavioral1/memory/2704-234-0x0000000140000000-0x00000001407EF000-memory.dmp  xmrig
  behavioral1/memory/2704-236-0x0000000140000000-0x00000001407EF000-memory.dmp  xmrig
  behavioral1/memory/2704-238-0x0000000140000000-0x00000001407EF000-memory.dmp  xmrig
  behavioral1/memory/2704-240-0x0000000140000000-0x00000001407EF000-memory.dmp  xmrig
  behavioral1/memory/2704-242-0x0000000140000000-0x00000001407EF000-memory.dmp  xmrig
Downloads MZ/PE file
-
Drops file in Drivers directory (2 IoCs)
Both loader stages rewrite the hosts file. The report does not capture what was written; on a live host, diff C:\Windows\System32\drivers\etc\hosts against a clean copy before trusting any name resolution from that machine.

  description   ioc                                    Process
  File created  C:\Windows\System32\drivers\etc\hosts  setup.exe
  File created  C:\Windows\System32\drivers\etc\hosts  updater.exe
Stops running service(s) 3 TTPs
-
Executes dropped EXE (3 IoCs)
  pid   Process
  2136  mi.exe
  2692  setup.exe
  1028  updater.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  2588  fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe
  2136  mi.exe
  364   taskeng.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers read stored browser data such as saved credentials, cookies and autofill entries; this is consistent with the RedLine configuration extracted above rather than with the miner stages.
-
Themida packer (26 IoCs)
Files and memory regions matching the themida yara rule. setup.exe (PID 2692) and updater.exe (PID 1028) are both Themida-protected, which also explains the NtSetInformationThreadHideFromDebugger hits on the same two processes below.

  resource                                                                       yara_rule
  behavioral1/files/0x000f00000001580f-143.dat                                   themida
  behavioral1/files/0x000f00000001580f-145.dat                                   themida
  behavioral1/files/0x000f00000001580f-147.dat                                   themida
  behavioral1/files/0x000f00000001580f-188.dat                                   themida
  behavioral1/files/0x0009000000015c10-192.dat                                   themida
  behavioral1/files/0x0009000000015c10-195.dat                                   themida
  behavioral1/files/0x0009000000015c10-225.dat                                   themida
  behavioral1/memory/2692-{150,151,152,153,154,155,156,157,187}-0x000000013F090000-0x00000001402B6000-memory.dmp  themida (9 dumps)
  behavioral1/memory/364-194-0x000000013F6E0000-0x0000000140906000-memory.dmp   themida
  behavioral1/memory/1028-{196,198,199,200,201,202,203,205,228}-0x000000013F6E0000-0x0000000140906000-memory.dmp  themida (9 dumps)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory (4 IoCs)
The same row four times, once per powershell.exe instance (PIDs 368, 1948, 1720, 2408). The odd C:\Windows\System32\%ProgramData%\... path is how the sandbox rendered an unexpanded environment variable; PowerShell touching its own Start Menu shortcut is expected noise, not a drop by the malware.

  description                   ioc                                                                                                                Process         hits
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe  4
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
ThreadHideFromDebugger stops the kernel delivering the thread's debug events to an attached debugger. It is a standard anti-debug measure of the Themida protector and appears on exactly the two Themida-packed processes.

  pid   Process
  2692  setup.exe
  1028  updater.exe

Suspicious use of SetThreadContext (2 IoCs)
Rewriting a thread's context in another process is the last step of process hollowing: the payload is written into the (suspended) target first, then its main thread is pointed at the new entry point. The two targets are the conhost.exe and explorer.exe instances listed under PID 1208 in the process tree; explorer.exe 2704 is the one carrying the xmrig memory hits.

  description                          pid   Process      procid_target
  PID 1028 set thread context of 2668  1028  updater.exe  73
  PID 1028 set thread context of 2704  1028  updater.exe  74
Drops file in Program Files directory (2 IoCs)
Neither path is used by Google: the genuine updater is GoogleUpdate.exe under C:\Program Files (x86)\Google\Update\, not Chrome\updater.exe. WR64.sys is the file name XMRig gives the WinRing0 kernel driver it bundles for MSR access, which lines up with the LoadsDriver signature below.

  description   ioc                                         Process
  File created  C:\Program Files\Google\Chrome\updater.exe  setup.exe
  File created  C:\Program Files\Google\Libs\WR64.sys       updater.exe
Launches sc.exe (10 IoCs)
sc.exe is the Windows service control utility. Each cmd.exe batch stops the Windows Update and delivery services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), once from the setup.exe stage and again from the updater.exe stage. UsoSvc, WaaSMedicSvc and dosvc exist only on Windows 10 and later, so on this Windows 7 image those three calls fail; the script is written for Windows 10 hosts.

  pid   Process  command               launched by
  2424  sc.exe   sc stop UsoSvc        cmd.exe 1092
  1632  sc.exe   sc stop WaaSMedicSvc  cmd.exe 1092
  2224  sc.exe   sc stop wuauserv      cmd.exe 1092
  1844  sc.exe   sc stop bits          cmd.exe 1092
  1056  sc.exe   sc stop dosvc         cmd.exe 1092
  2604  sc.exe   sc stop UsoSvc        cmd.exe 2524
  2900  sc.exe   sc stop WaaSMedicSvc  cmd.exe 2524
  1752  sc.exe   sc stop wuauserv      cmd.exe 2524
  2404  sc.exe   sc stop bits          cmd.exe 2524
  804   sc.exe   sc stop dosvc         cmd.exe 2524
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 2 IoCs)
schtasks is often used by malware for persistence or post-infection execution. Here the task GoogleUpdateTaskMachineQC runs C:\Program Files\Google\Chrome\updater.exe as SYSTEM with highest run level at logon. The name imitates Google's real GoogleUpdateTaskMachineCore/GoogleUpdateTaskMachineUA tasks, so hunt on the exact task name and on the target path, not on the "GoogleUpdate" prefix alone.

  pid   Process       launched by
  908   schtasks.exe  powershell.exe 1948 (setup.exe stage)
  2972  schtasks.exe  powershell.exe 2408 (updater.exe stage)
Modifies data under HKEY_USERS (2 IoCs)
Written by powershell.exe 1720, which the SYSTEM-level updater.exe stage launched; a SYSTEM process's HKCU is the .DEFAULT hive, and the key itself is ordinary shell state.

  description       ioc                                                                                                                   Process
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60ce909bbec9d901  powershell.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage                                powershell.exe

Modifies system certificate store (6 IoCs)
Two root certificates are written by the initial sample (PID 2588). Thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1 (the subject "Internet Security Research Group" / "ISRG Root X1" is readable in the hex blob) and DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3, the two Let's Encrypt roots. Writing public roots into ROOT and AuthRoot is what Windows' automatic root update does when a TLS peer chains to a root the image does not yet hold, so treat this as a side effect of the sample's HTTPS traffic rather than a malicious root install, unless the embedded certificate fails to hash to the key name.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c
4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe -
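The Blob values above are CryptoAPI property lists, not bare certificates, which is why the DER (the 3082056b... run) only starts part-way in. The following parser is an added example, not part of the sandbox report: it walks the property records, pulls out the stored thumbprint and the embedded certificate, and checks that the thumbprint, the hash of the certificate and the registry key name agree, which is the test that separates an auto-updated public root from a hand-planted one. The first five records of SAMPLE_BLOB are copied from the ROOT\...\CABD2A79...\Blob value above; the certificate record is a constructed stand-in because the real 1391-byte DER is too long to embed, so the consistency check is expected to fail on it. GOOD_BLOB is a second constructed value showing what a self-consistent entry looks like.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob registry value.

Added example, not part of the sandbox report. The Blob is a sequence of CryptoAPI
property records: property id (u32 LE), reserved (u32 LE, always 1), data length
(u32 LE), then the data. Property 3 carries the SHA-1 thumbprint, 4 the MD5 hash,
0x14 the subject key identifier and 0x20 the DER-encoded certificate.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_KEY_IDENTIFIER_PROP_ID = 0x14
CERT_CERT_PROP_ID = 0x20
HEADER = struct.Struct("<III")


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob into {property_id: data}; raise ValueError on a malformed record."""
    props, offset = {}, 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError(f"truncated record header at offset {offset}")
        prop_id, reserved, length = HEADER.unpack_from(blob, offset)
        offset += HEADER.size
        if reserved != 1:
            raise ValueError(f"unexpected reserved word {reserved} in property {prop_id}")
        if offset + length > len(blob):
            raise ValueError(f"property {prop_id} claims {length} bytes past end of blob")
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def is_well_formed(blob: bytes) -> bool:
    """True if every record parses; False for truncated or corrupted values."""
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def build_cert_blob(props: dict) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct sample values."""
    return b"".join(HEADER.pack(pid, 1, len(data)) + data for pid, data in props.items())


def thumbprint_consistent(props: dict, key_name: str) -> bool:
    """True only when the stored SHA-1 property, the SHA-1 of the embedded DER
    certificate and the registry key name all agree. Any mismatch means the value
    was edited by hand or the key name lies about which certificate is trusted."""
    cert = props.get(CERT_CERT_PROP_ID)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    if cert is None or stored is None:
        return False
    return hashlib.sha1(cert).digest() == stored and stored.hex().lower() == key_name.lower()


# First five property records copied from the ROOT\...\CABD2A79...\Blob value in the
# report (MD5, key identifier, SHA-1 thumbprint, signature hash, public-key MD5).
REAL_PREFIX_HEX = (
    "0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e"
    "14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6"
)
# The real record 0x20 holds the 1391-byte ISRG Root X1 DER certificate; this
# stand-in is constructed and is NOT a certificate, so the check below must fail.
FAKE_CERT = b"constructed stand-in, not a real DER certificate"
SAMPLE_BLOB = bytes.fromhex(REAL_PREFIX_HEX) + build_cert_blob({CERT_CERT_PROP_ID: FAKE_CERT})

# Constructed self-consistent value: thumbprint property and key name both equal SHA-1(cert).
GOOD_KEY_NAME = hashlib.sha1(FAKE_CERT).hexdigest().upper()
GOOD_BLOB = build_cert_blob({CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_CERT).digest(),
                             CERT_CERT_PROP_ID: FAKE_CERT})


def describe(blob: bytes, key_name: str) -> list:
    """Summary lines for one registry value, as an analyst would print them."""
    props = parse_cert_blob(blob)
    lines = [f"property 0x{pid:02x}: {len(data)} bytes" for pid, data in props.items()]
    if CERT_SHA1_HASH_PROP_ID in props:
        lines.append(f"stored thumbprint: {props[CERT_SHA1_HASH_PROP_ID].hex().upper()}")
    lines.append(f"consistent with embedded cert and key name: {thumbprint_consistent(props, key_name)}")
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_BLOB, "CABD2A79A1076A31F21D253635CB039D4329A5E8"):
        print(line)
```

To use it on a real host, export the Blob value (reg query with the REG_BINARY output, or the raw bytes from a hive parser) and pass it with the key name; a result of True on a key whose thumbprint is not one of the well-known public roots is the actual finding.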
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process enumeration calls, one row per hit in the original; the list is capped at 64 entries. Grouped by process:

  pid   Process                                             hits
  2588  fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe   3
  2692  setup.exe                                           10
  368   powershell.exe                                      1
  1948  powershell.exe                                      1
  1028  updater.exe                                         12
  1720  powershell.exe                                      1
  2408  powershell.exe                                      1
  2704  explorer.exe                                        35 (remainder of the capped list)
Suspicious behavior: LoadsDriver (1 IoC)
  pid   Process
  464   Process not Found
The sandbox attributed a driver load to PID 464 but could not resolve that PID to an image. The only driver the sample drops is C:\Program Files\Google\Libs\WR64.sys (see "Drops file in Program Files directory"), which is the obvious candidate.
Suspicious use of AdjustPrivilegeToken (14 IoCs)
  Token                  pid   Process
  SeDebugPrivilege       2588  fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe
  SeDebugPrivilege       368   powershell.exe
  SeShutdownPrivilege    1336  powercfg.exe
  SeShutdownPrivilege    832   powercfg.exe
  SeDebugPrivilege       1948  powershell.exe
  SeShutdownPrivilege    688   powercfg.exe
  SeShutdownPrivilege    1936  powercfg.exe
  SeDebugPrivilege       1720  powershell.exe
  SeShutdownPrivilege    2412  powercfg.exe
  SeDebugPrivilege       2408  powershell.exe
  SeShutdownPrivilege    3020  powercfg.exe
  SeShutdownPrivilege    2688  powercfg.exe
  SeShutdownPrivilege    2676  powercfg.exe
  SeLockMemoryPrivilege  2704  explorer.exe
powercfg needs SeShutdownPrivilege to change power settings. The row that matters is SeLockMemoryPrivilege in PID 2704: XMRig enables it to back its scratchpad with large pages, and explorer.exe has no reason to request it.
Suspicious use of WriteProcessMemory (64 IoCs)
Rows grouped by writer/target pair; the sandbox logs several writes per pair and caps the list at 64 entries, so any writes from updater.exe into conhost.exe 2668 and explorer.exe 2704 ahead of its SetThreadContext calls fall after the cap and are not shown. Every pair listed is a parent writing into a child it has just created, which CreateProcess does legitimately; the pairs worth attention are the ones that are followed by SetThreadContext.

  writer pid  Process                                             target pid  target Process  procid_target  hits
  2588        fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe   2136        mi.exe          29             4
  2136        mi.exe                                              2692        setup.exe       30             4
  1092        cmd.exe                                             2424        sc.exe          37             3
  1092        cmd.exe                                             1632        sc.exe          38             3
  1092        cmd.exe                                             2224        sc.exe          39             3
  1092        cmd.exe                                             1844        sc.exe          40             3
  1092        cmd.exe                                             1056        sc.exe          41             3
  1784        cmd.exe                                             1336        powercfg.exe    46             3
  1784        cmd.exe                                             832         powercfg.exe    47             3
  1784        cmd.exe                                             688         powercfg.exe    48             3
  1784        cmd.exe                                             1936        powercfg.exe    49             3
  1948        powershell.exe                                      908         schtasks.exe    50             3
  364         taskeng.exe                                         1028        updater.exe     54             3
  2524        cmd.exe                                             2604        sc.exe          59             3
  2524        cmd.exe                                             2900        sc.exe          60             3
  2524        cmd.exe                                             1752        sc.exe          61             3
  2524        cmd.exe                                             2404        sc.exe          62             3
  2524        cmd.exe                                             804         sc.exe          63             3
  1512        cmd.exe                                             2412        powercfg.exe    68             3
  1512        cmd.exe                                             3020        powercfg.exe    69             3
  1512        cmd.exe                                             2688        powercfg.exe    70             2 (list truncated)
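The WriteProcessMemory, SetThreadContext and NtCreateUserProcessOtherParentProcess tables above only become useful when correlated: a write alone is what every parent does to its child, but a write plus a thread-context change from the same source into a process it did not spawn is hollowing. The following is an added example, not part of the sandbox report, that performs that correlation over rows shaped like the report's tables. PIDs and image names are taken from the process tree; the two WriteProcessMemory rows for updater.exe into conhost.exe and explorer.exe are constructed (they fall outside the report's 64-entry cap), and the yara map mirrors the xmrig/themida memory hits.

```python
"""Correlate cross-process API events into injection / hollowing findings.

Added example, not part of the sandbox report. Input rows mirror the report's
'Suspicious use of WriteProcessMemory', 'Suspicious use of SetThreadContext' and
'Suspicious use of NtCreateUserProcessOtherParentProcess' tables.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    api: str      # hooked API name as the sandbox reports it
    pid: int      # calling process
    target: int   # process acted upon


# Process images from the report's process tree.
PROCESSES = {
    1208: "explorer.exe", 2588: "fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe",
    2136: "mi.exe", 2692: "setup.exe", 1092: "cmd.exe", 2424: "sc.exe", 1632: "sc.exe",
    364: "taskeng.exe", 1028: "updater.exe", 2668: "conhost.exe", 2704: "explorer.exe",
}

EVENTS = [
    # Parent writing into a child it just created: CreateProcess does this, so
    # write-only pairs must not be flagged on their own.
    ApiEvent("WriteProcessMemory", 2588, 2136),
    ApiEvent("WriteProcessMemory", 2136, 2692),
    ApiEvent("WriteProcessMemory", 1092, 2424),
    ApiEvent("WriteProcessMemory", 1092, 1632),
    ApiEvent("WriteProcessMemory", 364, 1028),
    # Write followed by SetThreadContext from the same source: hollowing.
    ApiEvent("WriteProcessMemory", 1028, 2668),   # constructed, outside the report's cap
    ApiEvent("WriteProcessMemory", 1028, 2704),   # constructed, outside the report's cap
    ApiEvent("SetThreadContext", 1028, 2668),
    ApiEvent("SetThreadContext", 1028, 2704),
    # Parent-PID spoofing rows: the target is the claimed parent, not a child.
    ApiEvent("NtCreateUserProcessOtherParentProcess", 2692, 1208),
    ApiEvent("NtCreateUserProcessOtherParentProcess", 1028, 1208),
]

# Memory-scan results keyed by PID, mirroring the report's yara tags.
YARA_HITS = {1028: {"xmrig", "themida"}, 2704: {"xmrig"}, 2692: {"themida"}}

# Trusted images an injector likes to use as hosts because nobody questions them.
COMMON_HOST_IMAGES = {"explorer.exe", "conhost.exe", "svchost.exe", "dllhost.exe", "notepad.exe"}


def find_hollowing(events, processes, yara_hits):
    """One finding per (source, target) pair that both wrote remote memory and
    changed a thread context there; sorted by target PID."""
    writes = defaultdict(set)
    contexts = defaultdict(set)
    for ev in events:
        if ev.pid == ev.target:
            continue
        if ev.api == "WriteProcessMemory":
            writes[ev.pid].add(ev.target)
        elif ev.api == "SetThreadContext":
            contexts[ev.pid].add(ev.target)
    findings = []
    for src, targets in contexts.items():
        for dst in sorted(targets & writes.get(src, set())):
            image = processes.get(dst, "?")
            tags = sorted(yara_hits.get(dst, ()))
            findings.append({
                "source": src, "source_image": processes.get(src, "?"),
                "target": dst, "target_image": image, "yara": tags,
                "confidence": "high" if image.lower() in COMMON_HOST_IMAGES or tags else "medium",
                "rule": "WriteProcessMemory + SetThreadContext into another process",
            })
    return sorted(findings, key=lambda f: f["target"])


def spoofed_parents(events, processes):
    """Claimed-parent PID -> sorted list of real creator images, from the sandbox's
    NtCreateUserProcessOtherParentProcess rows. Children shown under that parent in
    the tree must be re-attributed to one of these creators."""
    out = defaultdict(set)
    for ev in events:
        if ev.api == "NtCreateUserProcessOtherParentProcess":
            out[ev.target].add(processes.get(ev.pid, str(ev.pid)))
    return {parent: sorted(creators) for parent, creators in out.items()}


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS, PROCESSES, YARA_HITS):
        print(finding)
    print(spoofed_parents(EVENTS, PROCESSES))
```

The same correlation applies to Sysmon (event 8 CreateRemoteThread and event 10 ProcessAccess with PROCESS_VM_WRITE | PROCESS_SET_INFORMATION rights) or to EDR API telemetry; the important design point is that the write alone is not the signal, the write plus the context change into an image the writer did not legitimately launch is.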
Processes

The tree is shown as the sandbox recorded it. Because setup.exe and updater.exe pass a spoofed parent when they create processes (see "Suspicious use of NtCreateUserProcessOtherParentProcess"), the helpers listed under explorer.exe (PID 1208) were in fact created by setup.exe (PIDs 368, 1092, 1784, 1948, 644; all created before updater.exe existed) and by updater.exe (PIDs 1720, 2524, 1512, 2408, 2668, 2704). conhost.exe 2668 and explorer.exe 2704 are the SetThreadContext targets of updater.exe, i.e. the hollowed hosts for the miner. Depth in the original tree is given in brackets.

[1] C:\Windows\Explorer.EXE  PID 1208
    cmd: C:\Windows\Explorer.EXE

  [2] C:\Users\Admin\AppData\Local\Temp\fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe  PID 2588
      cmd: "C:\Users\Admin\AppData\Local\Temp\fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe"
      - Loads dropped DLL
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\mi.exe  PID 2136
        cmd: "C:\Users\Admin\AppData\Local\Temp\mi.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Temp\setup.exe  PID 2692
          cmd: "C:\Windows\Temp\setup.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 368  (created by setup.exe, parent spoofed)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\cmd.exe  PID 1092  (created by setup.exe, parent spoofed)
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\sc.exe  PID 2424   cmd: sc stop UsoSvc         - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID 1632   cmd: sc stop WaaSMedicSvc   - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID 2224   cmd: sc stop wuauserv       - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID 1844   cmd: sc stop bits           - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID 1056   cmd: sc stop dosvc          - Launches sc.exe

  [2] C:\Windows\System32\cmd.exe  PID 1784  (created by setup.exe, parent spoofed)
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\powercfg.exe  PID 1336   cmd: powercfg /x -hibernate-timeout-ac 0   - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID 832    cmd: powercfg /x -hibernate-timeout-dc 0   - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID 688    cmd: powercfg /x -standby-timeout-ac 0     - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID 1936   cmd: powercfg /x -standby-timeout-dc 0     - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 1948  (created by setup.exe, parent spoofed)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      (the OS version test picks schtasks.exe on Windows 7, where the ScheduledTasks module does not exist, and Register-ScheduledTask on Windows 8+)
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe  PID 908
        cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        - Creates scheduled task(s)

  [2] C:\Windows\System32\schtasks.exe  PID 644  (created by setup.exe, parent spoofed)
      cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 1720  (created by updater.exe, parent spoofed)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\cmd.exe  PID 2524  (created by updater.exe, parent spoofed)
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\sc.exe  PID 2604   cmd: sc stop UsoSvc         - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID 2900   cmd: sc stop WaaSMedicSvc   - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID 1752   cmd: sc stop wuauserv       - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID 2404   cmd: sc stop bits           - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID 804    cmd: sc stop dosvc          - Launches sc.exe

  [2] C:\Windows\System32\cmd.exe  PID 1512  (created by updater.exe, parent spoofed)
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\powercfg.exe  PID 2412   cmd: powercfg /x -hibernate-timeout-ac 0   - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID 3020   cmd: powercfg /x -hibernate-timeout-dc 0   - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID 2688   cmd: powercfg /x -standby-timeout-ac 0     - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID 2676   cmd: powercfg /x -standby-timeout-dc 0     - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\pow-ershell.exe  PID 2408  (created by updater.exe, parent spoofed)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\schtasks.exe  PID 2972
        cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        - Creates scheduled task(s)

  [2] C:\Windows\System32\conhost.exe  PID 2668  (created by updater.exe, parent spoofed; SetThreadContext target)
      cmd: C:\Windows\System32\conhost.exe

  [2] C:\Windows\explorer.exe  PID 2704  (created by updater.exe, parent spoofed; SetThreadContext target, xmrig in memory)
      cmd: C:\Windows\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskeng.exe  PID 364
    cmd: taskeng.exe {4B039321-D243-4C0B-979E-2845BE7C5C5E} S-1-5-18:NT AUTHORITY\System:Service:
    (the scheduled task fires under S-1-5-18, so everything below runs as SYSTEM)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Google\Chrome\updater.exe  PID 1028
      cmd: "C:\Program Files\Google\Chrome\updater.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
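The helper command lines in the tree are the same in both stages and are the cheapest thing to detect: Defender exclusions on the whole user profile and Program Files, five Windows Update services stopped in one batch, all sleep and hibernate timeouts zeroed, and a SYSTEM-level task with a Google-lookalike name. The following detection is an added example, not part of the sandbox report. The sample events are constructed from the command lines above (PIDs as reported; the Register-ScheduledTask branch of the PowerShell line is abridged), and the list of Google's genuine task names is the author's assumption rather than something the report states.

```python
"""Flag the defence-evasion / persistence command lines this loader runs.

Added example, not part of the sandbox report. The rules are generic and run on
any process-creation telemetry that carries the full command line (Sysmon event
1, EDR process events); the events below are constructed from the report.
"""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid image cmdline")

# Windows Update / delivery services the loader stops. UsoSvc, WaaSMedicSvc and
# dosvc exist only on Windows 10+, so on the Windows 7 sandbox those calls fail.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Google's real machine-level updater tasks (author's assumption, not from the report).
LEGIT_GOOGLE_TASKS = {"GoogleUpdateTaskMachineCore", "GoogleUpdateTaskMachineUA"}

SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
POWERCFG_ZERO = re.compile(r"powercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", re.I)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)
TASK_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create|Register-ScheduledTask', re.I)
RUN_AS_SYSTEM = re.compile(r"""(?:/ru|-User)\s+['"]?(?:NT AUTHORITY\\)?System\b""", re.I)
RUN_HIGHEST = re.compile(r"""/rl\s+highest|-RunLevel\s+['"]?Highest""", re.I)
TASK_NAME = re.compile(r"""(?:/tn|-TaskName)\s+['"]?([\w.\-]+)""", re.I)
PS_COMMENT_PREFIX = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?powershell(?:\.exe)?"?\s+<#', re.I)


def evaluate(ev: ProcEvent) -> set:
    """Rules that fire on a single process-creation event."""
    hits, cmd = set(), ev.cmdline
    if len({s.lower() for s in SC_STOP.findall(cmd)} & UPDATE_SERVICES) >= 2:
        hits.add("update_services_stopped")
    if len(POWERCFG_ZERO.findall(cmd)) >= 2:
        hits.add("power_tamper")                 # never sleep: keeps the miner running
    if DEFENDER_EXCL.search(cmd):
        hits.add("defender_exclusion")
    if TASK_CREATE.search(cmd) and RUN_AS_SYSTEM.search(cmd) and RUN_HIGHEST.search(cmd):
        hits.add("system_task_persistence")
    for name in TASK_NAME.findall(cmd):
        if name.lower().startswith("googleupdatetaskmachine") and name not in LEGIT_GOOGLE_TASKS:
            hits.add("lookalike_google_task")
    if ev.image.lower() == "powershell.exe" and PS_COMMENT_PREFIX.match(cmd):
        hits.add("comment_prefixed_powershell")  # <#junk#> prefix varies the command line
    return hits


def detect(events) -> dict:
    """pid -> rules fired, for events that fired at least one rule."""
    return {ev.pid: hits for ev in events if (hits := evaluate(ev))}


def stopped_update_services(events) -> set:
    """Update-related services stopped anywhere in the batch, even one per sc.exe call."""
    found = set()
    for ev in events:
        found |= {s.lower() for s in SC_STOP.findall(ev.cmdline)}
    return found & UPDATE_SERVICES


VERDICT_MINER_CHAIN = "cryptominer loader: defence evasion plus SYSTEM persistence"
VERDICT_SUSPICIOUS = "suspicious: isolated tampering"
VERDICT_CLEAN = "no rule fired"


def verdict(events) -> str:
    rules = set().union(*detect(events).values())
    evasion = {"update_services_stopped", "power_tamper", "defender_exclusion"} & rules
    persistence = {"system_task_persistence", "lookalike_google_task"} & rules
    if len(evasion) >= 2 and persistence:
        return VERDICT_MINER_CHAIN
    return VERDICT_SUSPICIOUS if rules else VERDICT_CLEAN


# Constructed from the command lines in the report's process tree.
EVENTS = [
    ProcEvent(368, "powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
              r"-ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ProcEvent(1092, "cmd.exe",
              r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & "
              r"sc stop wuauserv & sc stop bits & sc stop dosvc"),
    ProcEvent(2424, "sc.exe", "sc stop UsoSvc"),
    ProcEvent(1784, "cmd.exe",
              r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & "
              r"powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & "
              r"powercfg /x -standby-timeout-dc 0"),
    ProcEvent(1948, "powershell.exe",   # Register-ScheduledTask branch abridged
              r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> """
              r"""IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks """
              r"""/create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' """
              r"""/tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask """
              r"""-Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') """
              r"""-Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'GoogleUpdateTaskMachineQC' """
              r"""-User 'System' -RunLevel 'Highest' -Force; }"""),
    ProcEvent(908, "schtasks.exe",
              r'''"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System '''
              r'''/tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"'''),
    ProcEvent(644, "schtasks.exe", r'C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"'),
]

if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, sorted(rules))
    print(sorted(stopped_update_services(EVENTS)), "->", verdict(EVENTS))
```

The per-event rules deliberately require two or more hits inside one command line so that a lone `sc stop bits` from an administrator does not page anyone; stopped_update_services() is the complementary batch view that still catches a loader which runs the five stops as separate processes, as the sc.exe children in the tree do.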
Network
MITRE ATT&CK Enterprise v15

  Persistence
    Create or Modify System Process: Windows Service  (1)
    Scheduled Task/Job  (1)
  Privilege Escalation
    Create or Modify System Process: Windows Service  (1)
    Scheduled Task/Job  (1)
Downloads

For the entries without a path, the file name column did not survive extraction; hashes are as reported. The sandbox lists a file once per location it was written to, so identical hashes below are one file at several paths.

Unnamed file (listed 7 times)
  Filesize  9.7MB
  MD5       84741bc02d2e9226a943aa03b6a4568d
  SHA1      617d01316011faf77fba30d49ae1e86ff988380a
  SHA256    fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
  SHA512    1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       6c1e68954c21ae279ed0c0cf7948c7e8
  SHA1      6296c19322fde9da6deb2e1448dd0f6266d9f829
  SHA256    33ae8c280e32a5d489dd13df1a249e008e6c09dcb8a3607fce906b09269bdc38
  SHA512    22e6ac1ec81cd90b734d721912af730c26fa65e2b250bf1050bd286931ea7da6372553e44e8411ee0d2a02a5e52ee7eaf36208a8579e5cbbef58a02c363978f1
  (CryptnetUrlCache is CryptoAPI's cache for certificate, CRL and root-update downloads; this entry corroborates the automatic root update behind the "Modifies system certificate store" rows.)

Unnamed file
  Filesize  62KB
  MD5       3ac860860707baaf32469fa7cc7c0192
  SHA1      c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Unnamed file
  Filesize  164KB
  MD5       4ff65ad929cd9a367680e0e5b1c08166
  SHA1      c0af0d4396bd1f15c45f39d3b849ba444233b3a2
  SHA256    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
  SHA512    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Unnamed file (listed 3 times)
  Filesize  9.9MB
  MD5       80b0b41decb53a01e8c87def18400267
  SHA1      885f327c4e91065486137ca96105190f7a29d0f9
  SHA256    10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
  SHA512    19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S1VFB2A0487RHW50JMPL.temp
  (same content at both paths)
  Filesize  7KB
  MD5       b89560217118a1645c561ebd3e025412
  SHA1      02ca57a3ca2aa2abed2a2eda11c576ab751d9463
  SHA256    1214a47f1f0d504e4fd74e398d05c656297964ee40e9e42498b1a158f2610455
  SHA512    29d05418fc5dd7a656c379d3bd641ade2b331af00346b01540131e2034d6d2c6002f4cf1e903519e640c7978a7da624000f90236e2b60df45a992fda003bbdec

Unnamed file
  Filesize  2KB
  MD5       2b19df2da3af86adf584efbddd0d31c0
  SHA1      f1738910789e169213611c033d83bc9577373686
  SHA256    58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
  SHA512    4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6