Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 157s
- max time network: 166s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 04/11/2023, 20:51
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
Resource: win7-20231023-en
General
- Target: NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
- Size: 198KB
- MD5: 000eecf4a8e2d22481e515a215ae0c40
- SHA1: 9685ff6beb409e38ae909a8bf8b177e9e66a7038
- SHA256: 5bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93
- SHA512: 49a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6
- SSDEEP: 1536:QMcdBvnPrNQKpxLwW/diJ+ZNikxEYCkAqoYTMCuBFgfav633KhpsO:6vhDLZ/sJ+ukxhCaTNS6
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E110C269E7076B4D\C21BC5.exe = "C:\\Users\\Admin\\E110C269E7076B4D\\C21BC5.exe:*:Enabled:@xpsp2res.dll,-57951861" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C21BC5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C21BC5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C21BC5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C21BC5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E110C269E7076B4D\C21BC5.exe = "C:\\Users\\Admin\\E110C269E7076B4D\\C21BC5.exe:*:Enabled:@xpsp2res.dll,-70554750" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E110C269E7076B4D\C21BC5.exe = "C:\\Users\\Admin\\E110C269E7076B4D\\C21BC5.exe:*:Enabled:@xpsp2res.dll,-53342401" | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E110C269E7076B4D\C21BC5.exe = "C:\\Users\\Admin\\E110C269E7076B4D\\C21BC5.exe:*:Enabled:@xpsp2res.dll,-28956246" | C21BC5.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C21BC5.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | C21BC5.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C21BC5.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C21BC5.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C21BC5.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C21BC5.exe
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C21BC5.exe
Sets file execution options in registry 2 TTPs 64 IoCs
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | C21BC5.exe
Executes dropped EXE 2 IoCs
pid | Process
2688 | C21BC5.exe
2596 | C21BC5.exe
Loads dropped DLL 3 IoCs
pid | Process
2764 | NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
2764 | NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
2688 | C21BC5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/memory/2764-4-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2764-5-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2764-8-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2764-10-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2764-11-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2764-12-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2764-24-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-1622-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-1947-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2024-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2107-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2191-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2274-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2353-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2437-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2525-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2605-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2678-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2762-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2849-0x0000000000400000-0x0000000000447000-memory.dmp | upx
behavioral1/memory/2596-2938-0x0000000000400000-0x0000000000447000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C21BC5.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\E110C269E7076B4D\\C21BC5.exe" | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E110C269E7076B4D\\C21BC5.exe" | C21BC5.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C21BC5.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3036 set thread context of 2764 | 3036 | NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe | 28
PID 2688 set thread context of 2596 | 2688 | C21BC5.exe | 30
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\Sound | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\Sound\Beep = "no" | C21BC5.exe
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://z73u08bugq91bi2.directorio-w.com" | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://52aef4c806bk896.directorio-w.com" | C21BC5.exe
Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Download | C21BC5.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C21BC5.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://aka4vw43762mmw0.directorio-w.com" | C21BC5.exe
Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://49a18479ogj6hep.directorio-w.com" | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://69mbm5at8evb10p.directorio-w.com" | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://i81gx5hvy3v6a04.directorio-w.com" | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://9wo07srku2j13e6.directorio-w.com" | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://30csc54u746023z.directorio-w.com" | C21BC5.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://v9176pu2xnxbci3.directorio-w.com" | C21BC5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://1q3n2j5n955zvc7.directorio-w.com" | C21BC5.exe
Modifies registry class 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C21BC5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | C21BC5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | C21BC5.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2596 | C21BC5.exe
2596 | C21BC5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeBackupPrivilege | 2596 | C21BC5.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
3036 | NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
2764 | NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
2688 | C21BC5.exe
2596 | C21BC5.exe
2596 | C21BC5.exe
2596 | C21BC5.exe
Suspicious use of WriteProcessMemory 24 IoCs
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C21BC5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | C21BC5.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1224
  - C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe"
    PID: 3036
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe"
      PID: 2764
      Signatures:
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\E110C269E7076B4D\C21BC5.exe
        Command line: "C:\Users\Admin\E110C269E7076B4D\C21BC5.exe" E6996046
        PID: 2688
        Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\E110C269E7076B4D\C21BC5.exe
          Command line: "C:\Users\Admin\E110C269E7076B4D\C21BC5.exe"
          PID: 2596
          Signatures:
          - Modifies firewall policy service
          - Modifies security service
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Drops startup file
          - Executes dropped EXE
          - Windows security modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies Internet Explorer start page
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2564
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EN7EZ85X\httpErrorPagesScripts[1]
  Filesize: 8KB
  MD5: 3f57b781cb3ef114dd0b665151571b7b
  SHA1: ce6a63f996df3a1cccb81720e21204b825e0238c
  SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
  SHA512: 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EN7EZ85X\http_404_webOC[1]
  Filesize: 6KB
  MD5: 92ab50175c4b03970f264c637c78febe
  SHA1: b00fbe1169da972ba4a4a84871af9eca7479000a
  SHA256: 3926c545ae82fc264c98d6c229a8a0999e2b59ed2bb736f1bda9e2f89e0eeac8
  SHA512: 3311f118963ad1eaf1b9c7fb10b67280aae1ab38358aed77c10f2587100427af58c7d008abb46ad0f59880ac51e50b5a53fc2c2a96d70f5ece4578ab72382b7a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R0SO7ESW\ErrorPageTemplate[1]
  Filesize: 2KB
  MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
  SHA1: f4eda06901edb98633a686b11d02f4925f827bf0
  SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
  SHA512: 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X62LAKSP\errorPageStrings[1]
  Filesize: 2KB
  MD5: e3e4a98353f119b80b323302f26b78fa
  SHA1: 20ee35a370cdd3a8a7d04b506410300fd0a6a864
  SHA256: 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
  SHA512: d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee
- (path not recorded)
  Filesize: 198KB
  MD5: 000eecf4a8e2d22481e515a215ae0c40
  SHA1: 9685ff6beb409e38ae909a8bf8b177e9e66a7038
  SHA256: 5bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93
  SHA512: 49a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6