Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-d5x7daac43
Target ed4e123b6451095714644fcf1367ba60.bin
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7

Threat Level: Known bad

The file ed4e123b6451095714644fcf1367ba60.bin was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DcRat

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 03:36

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 03:36

Reported

2023-11-18 03:38

Platform

win7-20231023-en

Max time kernel

151s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(51 identical rows, one per schtasks.exe /create invocation listed under Processes)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Downloaded Program Files\csrss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\MSBuild\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files\Windows Defender\en-US\Idle.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\8f5eaa17b5ce4f C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\it-IT\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files\Windows Journal\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\RCX35AE.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\RCX429C.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows Mail\fr-FR\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Uninstall Information\audiodg.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files\Windows Defender\en-US\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXD6E.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\RCX22B7.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\MSBuild\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Uninstall Information\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files\Windows Defender\en-US\RCX34C.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files\Windows Defender\en-US\Idle.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX1185.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\smss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files\Windows Journal\en-US\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\smss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\RCX5FC.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files\Windows Journal\en-US\RCX24CB.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX3A41.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files (x86)\MSBuild\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files\Windows Journal\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RCX4098.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\audiodg.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX44A0.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Downloaded Program Files\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\RCX32FE.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Windows\Downloaded Program Files\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(51 identical rows, one per schtasks.exe /create invocation listed under Processes)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Downloaded Program Files\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe C:\Windows\System32\cmd.exe (3 identical rows)
PID 2940 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 identical rows)
PID 2940 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\Windows\Downloaded Program Files\csrss.exe (3 identical rows)
PID 2236 wrote to memory of 2756 N/A C:\Windows\Downloaded Program Files\csrss.exe C:\Windows\System32\WScript.exe (3 identical rows)
PID 2236 wrote to memory of 3064 N/A C:\Windows\Downloaded Program Files\csrss.exe C:\Windows\System32\WScript.exe (3 identical rows)
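
The table above records each parent-to-child write as three identical rows, and the rows only become readable once they are grouped into a launch chain (every row here corresponds to a parent/child pair that also appears in the Processes section). The Python below is an added example written for this page, not sandbox output and not code from the DcRat project: it parses rows of this format, drops the repeats and renders the chain. The rows are copied from the table above; the row format assumed by the regular expression is this report's, not a general sandbox format.

```python
"""Rebuild the process launch chain from the report's WriteProcessMemory rows."""
import re
from collections import defaultdict

# Rows copied from the 'Suspicious use of WriteProcessMemory' table of this
# report (behavioral1); the sandbox repeats each write, so one repeat is kept
# here to show the deduplication.
SAMPLE_ROWS = [
    r"PID 2212 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe C:\Windows\System32\cmd.exe",
    r"PID 2212 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe C:\Windows\System32\cmd.exe",
    r"PID 2940 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2940 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\Windows\Downloaded Program Files\csrss.exe",
    r"PID 2236 wrote to memory of 2756 N/A C:\Windows\Downloaded Program Files\csrss.exe C:\Windows\System32\WScript.exe",
    r"PID 2236 wrote to memory of 3064 N/A C:\Windows\Downloaded Program Files\csrss.exe C:\Windows\System32\WScript.exe",
]

# Both image paths may contain spaces ("Downloaded Program Files"), so the
# split point is the ' C:\' that begins the target path, and the target is
# cut at its first '.exe' so trailing annotations are ignored.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*?\.exe)", re.I)


def build_tree(rows):
    """Return (names, children): pid -> image path, pid -> child pids in order."""
    names, children = {}, defaultdict(list)
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        names.setdefault(parent, m.group(3))
        names.setdefault(child, m.group(4))
        if child not in children[parent]:  # collapse the repeated rows
            children[parent].append(child)
    return names, children


def roots(names, children):
    """PIDs that never appear as a child: the top of each chain."""
    all_children = {c for kids in children.values() for c in kids}
    return [pid for pid in names if pid not in all_children]


def render(names, children, pid, depth=0, out=None):
    """Indented 'image (pid)' lines, depth-first, in the order observed."""
    out = [] if out is None else out
    image = names[pid].rsplit("\\", 1)[-1]
    out.append("  " * depth + f"{image} ({pid})")
    for kid in children.get(pid, []):
        render(names, children, kid, depth + 1, out)
    return out


def launch_chain(rows):
    """Full chain for every root found in the rows, as a list of lines."""
    names, children = build_tree(rows)
    lines = []
    for root in roots(names, children):
        render(names, children, root, 0, lines)
    return lines


if __name__ == "__main__":
    print("\n".join(launch_chain(SAMPLE_ROWS)))
```

Read together with the Processes section, the chain is: the sample (2212) starts cmd.exe on the dropped NVPMa6E9xy.bat; the batch file runs w32tm /stripchart against localhost (two samples five seconds apart, a common batch-file substitute for a timed delay) and then the dropped copy in C:\Windows\Downloaded Program Files\csrss.exe; that copy in turn runs WScript.exe on the two .vbs files in the user's Temp directory.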

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe

"C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60e" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60e" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NVPMa6E9xy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Downloaded Program Files\csrss.exe

"C:\Windows\Downloaded Program Files\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adb5acda-4392-4450-b1fb-447b4ec62c96.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3ede2f1-8cf1-4f24-abdc-3c62eac83f61.vbs"
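
The 51 schtasks.exe invocations above follow one pattern per dropped binary (seventeen targets in all): two /sc MINUTE tasks with different /mo intervals plus one /sc ONLOGON task with /rl HIGHEST, task names taken from the target's filename (the stem, or the stem with its first letter appended: IdleI, csrssc, sppsvcs), and targets named after core Windows processes but placed under Program Files, Recovery, MSOCache or the Default User profile. The following Python is an added example written for this page, not output of the sandbox and not code from the DcRat project; it parses command lines of that shape, groups them by target and reports why each target looks like this persistence pattern. Three of the seventeen targets are copied from the list above, the two control lines at the end are constructed, and the process-name list, trusted-directory list and thresholds are assumptions of this example.

```python
"""Flag DcRat-style scheduled-task persistence from schtasks command lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Command lines copied from the Processes section of this report (three of
# the seventeen targets), followed by two constructed control lines.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60e" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /f''',
    r'''schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60e" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /rl HIGHEST /f''',
    # Constructed benign control: an ordinary daily job with a non-system name.
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "'C:\Tools\backup.exe'" /f''',
    # Constructed: not a /create call, so it must be ignored.
    r'''schtasks.exe /query /tn "Idle"''',
]

# Assumption: basenames of core Windows processes that the dropped copies in
# this report impersonate, plus a few common ones not seen here.
SYSTEM_PROCESS_NAMES = {
    "csrss", "lsass", "smss", "services", "spoolsv", "wininit", "sppsvc",
    "audiodg", "taskhost", "explorer", "idle", "svchost", "dwm", "winlogon",
}
# Assumption: where those names are legitimate on a 64-bit host.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    runlevel: Optional[str]


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Fields of a 'schtasks /create' command line, or None for anything else."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None
    tn = re.search(r'/tn\s+"([^"]+)"', cmdline, re.I)
    sc = re.search(r"/sc\s+(\S+)", cmdline, re.I)
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.I)
    # /tr is written as "'C:\path\file.exe'" in this report (double quotes
    # around a single-quoted path); plain "C:\path\file.exe" is accepted too.
    tr = re.search(r'''/tr\s+"'?([^"']+?)'?"''', cmdline, re.I)
    rl = re.search(r"/rl\s+(\S+)", cmdline, re.I)
    if not (tn and sc and tr):
        return None
    return Task(
        name=tn.group(1),
        schedule=sc.group(1).upper(),
        modifier=int(mo.group(1)) if mo else None,
        target=tr.group(1),
        runlevel=rl.group(1).upper() if rl else None,
    )


def analyze(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Group /create calls by target binary and return {target: [reasons]}."""
    by_target: Dict[str, List[Task]] = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task:
            by_target[task.target].append(task)

    findings: Dict[str, List[str]] = {}
    for target, tasks in by_target.items():
        reasons: List[str] = []
        basename = target.rsplit("\\", 1)[-1]
        stem = basename[:-4] if basename.lower().endswith(".exe") else basename
        # 1. A core Windows process name living outside System32/SysWOW64.
        if stem.lower() in SYSTEM_PROCESS_NAMES and not target.lower().startswith(TRUSTED_DIRS):
            reasons.append(f"system process name '{basename}' outside System32")
        # 2. The triplet seen for every target in this report: two
        #    MINUTE-interval tasks plus one ONLOGON task at highest run level.
        minute = [t for t in tasks if t.schedule == "MINUTE"]
        onlogon = [t for t in tasks if t.schedule == "ONLOGON" and t.runlevel == "HIGHEST"]
        if len(minute) >= 2 and onlogon:
            reasons.append("triplet: 2x /sc MINUTE + 1x /sc ONLOGON /rl HIGHEST")
        # 3. Supporting detail only (too weak on its own): every task name is
        #    the target stem or the stem with its first character appended.
        if reasons and stem:
            derived = {stem.lower(), (stem + stem[0]).lower()}
            if all(t.name.lower() in derived for t in tasks):
                reasons.append("task names derived from target filename")
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == "__main__":
    for target, why in analyze(SAMPLE_CMDLINES).items():
        print(target, "->", "; ".join(why))
```

Run this over process-creation telemetry that carries full command lines (Sysmon event 1 or Security event 4688 with command-line auditing) rather than over sandbox output; the triplet check needs all three creates for a target, so group by host before calling analyze. The benign control line produces no finding, and the /query line is skipped by parse_schtasks.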

Network

N/A

Files

memory/2212-0-0x0000000000FF0000-0x000000000111C000-memory.dmp

memory/2212-1-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/2212-2-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/2212-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

memory/2212-4-0x0000000000780000-0x0000000000790000-memory.dmp

memory/2212-5-0x0000000000A40000-0x0000000000A56000-memory.dmp

memory/2212-6-0x0000000000790000-0x00000000007A2000-memory.dmp

memory/2212-7-0x0000000000A60000-0x0000000000A6A000-memory.dmp

memory/2212-8-0x0000000000C70000-0x0000000000C7E000-memory.dmp

C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe

MD5 ed4e123b6451095714644fcf1367ba60
SHA1 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512 a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

memory/2212-41-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/2212-42-0x000000001AF70000-0x000000001AFF0000-memory.dmp

C:\Windows\Downloaded Program Files\csrss.exe

MD5 0ee3b7ae54ea1bca63b6590752c46300
SHA1 32655b45f632a676d9cdd721c6c3de90cd14d329
SHA256 6496c6c2188a43073e94f2900c8db346718b3ace1aa19c42d8e8bd63a3a22bd0
SHA512 188b561d32e06df461495c50b3e51f74ce51691d00a35723144961f7809608e19f9a30708a700bebc50e05474d7d13d5b1dea16d295cf9626287b07acf0c4e50

memory/2212-168-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NVPMa6E9xy.bat

MD5 b6554afedc2833bb17019201af391652
SHA1 faaa9440317c3c92e8936a2d18ea2ef4dd1ef8eb
SHA256 db97efc70672a57bda3846fd15ebd24b67098fe7f12b7c950036f9c9103585cf
SHA512 eda4d2b4ec58a69078d00f5169cf3aee6913f2a5de031ab9335d4108688c7d263d33eabc2b3ab7ea818fd53dce3484b3089f48f861418f96e325b50a643dba60

memory/2236-172-0x000007FEF4ED0000-0x000007FEF58BC000-memory.dmp

memory/2236-173-0x00000000000D0000-0x00000000001FC000-memory.dmp

memory/2236-174-0x000000001B0F0000-0x000000001B170000-memory.dmp

memory/2236-175-0x0000000000320000-0x0000000000332000-memory.dmp

memory/2236-176-0x000007FEF4ED0000-0x000007FEF58BC000-memory.dmp

memory/2236-177-0x000000001B0F0000-0x000000001B170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\adb5acda-4392-4450-b1fb-447b4ec62c96.vbs

MD5 ecebf908eab583aa2b6ca52468c9ee36
SHA1 cd00498ef15e80af1852873ed145121f52e57327
SHA256 5d515b19ef36408b40526dcb34844998a6bac02349863171786ed7c90e344ebc
SHA512 db6812ee19a7f9c388e256e8f1de7d48ab0117f6fe584a53fb5ae4eeb5b67425d4a674db08a351a450457c38076b8f04e403c1205cb5169be3a0a69031feca1d

C:\Users\Admin\AppData\Local\Temp\b3ede2f1-8cf1-4f24-abdc-3c62eac83f61.vbs

MD5 535af12e88d43767ed9e081862c7ae6f
SHA1 33ce9c98e61b7bcba3d3666662cdc179d9d994e5
SHA256 3ec13780826df03ee7bb875b86d264e308333a835f4918b40f6de5f77105a7ea
SHA512 8fd1e87f3b2293bb4e83dd2d86f68af8a8b242dfa5d1f2180c45ed43e3affb8754bf006c294e6ff1674274412f8f8498b0ed57d4fe6db81e125d40716ccc1891

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 03:36

Reported

2023-11-18 03:38

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\RCXDDEE.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\RCXE66E.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Downloaded Program Files\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\RCXE882.tmp C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\explorer.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
File created C:\Windows\Downloaded Program Files\explorer.exe C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
PID 1728 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
PID 968 wrote to memory of 392 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 968 wrote to memory of 392 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 968 wrote to memory of 1048 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 968 wrote to memory of 1048 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 392 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
PID 392 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
PID 2544 wrote to memory of 2896 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 2544 wrote to memory of 2896 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 2544 wrote to memory of 4716 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 2544 wrote to memory of 4716 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 2896 wrote to memory of 1720 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
PID 2896 wrote to memory of 1720 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
PID 1720 wrote to memory of 1532 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 1720 wrote to memory of 1532 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 1720 wrote to memory of 3048 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe
PID 1720 wrote to memory of 3048 N/A C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe

"C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\odt\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f

C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5461879b-51ee-4964-b48c-e8b7ed8070ac.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\936ae47a-fe93-4320-aad7-c4a11ff10c46.vbs"

C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25da8d3a-7c51-45d4-a4bf-f8eb4a4f446d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24538454-b5c4-4b27-9292-f4f248a20288.vbs"

C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1b701b4-3746-45b1-9109-ca2773514631.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77ecb74e-7b0e-4e98-a78e-65ae5b0ecb93.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
RU 5.42.92.132:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 138.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 5.42.92.132:80 tcp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
RU 5.42.92.132:80 tcp
RU 5.42.92.132:80 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
RU 5.42.92.132:80 tcp

Files

memory/1728-0-0x0000000000660000-0x000000000078C000-memory.dmp

memory/1728-1-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

memory/1728-2-0x000000001B410000-0x000000001B420000-memory.dmp

memory/1728-3-0x00000000029B0000-0x00000000029CC000-memory.dmp

memory/1728-4-0x000000001B340000-0x000000001B390000-memory.dmp

memory/1728-5-0x0000000002890000-0x00000000028A0000-memory.dmp

memory/1728-6-0x00000000029D0000-0x00000000029E6000-memory.dmp

memory/1728-7-0x00000000029F0000-0x0000000002A02000-memory.dmp

memory/1728-8-0x000000001CE90000-0x000000001D3B8000-memory.dmp

memory/1728-9-0x0000000002A20000-0x0000000002A2A000-memory.dmp

memory/1728-10-0x0000000002A30000-0x0000000002A3E000-memory.dmp

C:\odt\backgroundTaskHost.exe

MD5 ed4e123b6451095714644fcf1367ba60
SHA1 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512 a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe

MD5 ed4e123b6451095714644fcf1367ba60
SHA1 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512 a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe

MD5 ed4e123b6451095714644fcf1367ba60
SHA1 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512 a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

memory/968-137-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

memory/1728-136-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\936ae47a-fe93-4320-aad7-c4a11ff10c46.vbs

MD5 c22ae86abc18e9b7eab3024376910623
SHA1 7f49061ff232126e2e6986b8d4ea050383e3959e
SHA256 360b17b76317753aa4db244da54ee3e9471cf8dc71ee4203ada0f526dfcaac47
SHA512 08526cb8b3c5e191f95ae8fc5beaaba03fc13e6ff34df461dad2a154a0071317225c0d7ab3ff5661c06f7c31bc985d32ecfe0a827ef6e620a25f1e1ba532e314

C:\Users\Admin\AppData\Local\Temp\5461879b-51ee-4964-b48c-e8b7ed8070ac.vbs

MD5 fe7a84bf0da8c0441eda74720a399f62
SHA1 059e26c10220067c15c08898105c0ad232e074fa
SHA256 b02822eb75ff2292c21d21aeafce029bb7e8f230c13d08e1677fc150c6ffb4a9
SHA512 b6f635d0cba6ee44fb9ae3c9d111e4c4aeaa24779f6a3fc56a9f0356029190da34df5250e7bd89a155979466bc1781f2f60d4efca6ac5c1058e2af2e6ccb20c2

memory/968-147-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

memory/968-149-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe

MD5 ed4e123b6451095714644fcf1367ba60
SHA1 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512 a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

memory/2544-152-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f8901282d4c602a9b5b95cb5aeb411efc3b72249.exe

MD5 ed4e123b6451095714644fcf1367ba60
SHA1 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512 a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

C:\Users\Admin\AppData\Local\Temp\24538454-b5c4-4b27-9292-f4f248a20288.vbs

MD5 c22ae86abc18e9b7eab3024376910623
SHA1 7f49061ff232126e2e6986b8d4ea050383e3959e
SHA256 360b17b76317753aa4db244da54ee3e9471cf8dc71ee4203ada0f526dfcaac47
SHA512 08526cb8b3c5e191f95ae8fc5beaaba03fc13e6ff34df461dad2a154a0071317225c0d7ab3ff5661c06f7c31bc985d32ecfe0a827ef6e620a25f1e1ba532e314

C:\Users\Admin\AppData\Local\Temp\25da8d3a-7c51-45d4-a4bf-f8eb4a4f446d.vbs

MD5 0f74eaf42150a1425dc8e1369e4e5113
SHA1 a831fc2bc3b42ec84464ccaf6cfa9a02b7b12cb7
SHA256 79f6e53ab48e2347dfda94464102c893842d9805ff86d337693eb090c0f9364f
SHA512 c00dd06265e7e6978a7218ae30b0132007168e99cf2307ddee896928c0456141797d8bee112ded1a83960c3b60b0800bfde3ab335b0d045da4afefaf91cf28a3

C:\Users\Admin\AppData\Local\Temp\24538454-b5c4-4b27-9292-f4f248a20288.vbs

MD5 c22ae86abc18e9b7eab3024376910623
SHA1 7f49061ff232126e2e6986b8d4ea050383e3959e
SHA256 360b17b76317753aa4db244da54ee3e9471cf8dc71ee4203ada0f526dfcaac47
SHA512 08526cb8b3c5e191f95ae8fc5beaaba03fc13e6ff34df461dad2a154a0071317225c0d7ab3ff5661c06f7c31bc985d32ecfe0a827ef6e620a25f1e1ba532e314

memory/2544-163-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

memory/2544-164-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe

MD5 ed4e123b6451095714644fcf1367ba60
SHA1 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512 a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

memory/1720-166-0x00007FF9359D0000-0x00007FF936491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f8901282d4c602a9b5b95cb5aeb411efc3b72249.exe

MD5 ed4e123b6451095714644fcf1367ba60
SHA1 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256 b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512 a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

C:\Users\Admin\AppData\Local\Temp\f1b701b4-3746-45b1-9109-ca2773514631.vbs

MD5 661296456da6507ea13c581dce664ea3
SHA1 9c82c50080f9483b25373adbd84413c4715e5c38
SHA256 14d70338eb8be83b8f7f8b7427cd6557fff655413534873971c19ca52cd0918f
SHA512 1159f2372c8d6de28b56b48fab060cebe861b5e5e95fec8131f4327537bc39f068a34061a331577f51643f7d503765bc884d125d1633caacc17bd8a4407bb0f3

C:\Users\Admin\AppData\Local\Temp\77ecb74e-7b0e-4e98-a78e-65ae5b0ecb93.vbs

MD5 c22ae86abc18e9b7eab3024376910623
SHA1 7f49061ff232126e2e6986b8d4ea050383e3959e
SHA256 360b17b76317753aa4db244da54ee3e9471cf8dc71ee4203ada0f526dfcaac47
SHA512 08526cb8b3c5e191f95ae8fc5beaaba03fc13e6ff34df461dad2a154a0071317225c0d7ab3ff5661c06f7c31bc985d32ecfe0a827ef6e620a25f1e1ba532e314