Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 18/11/2023, 02:57
Behavioral task
behavioral1
Sample
NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
-
Size
1.4MB
-
MD5
5e2ccb97d6bf2f8bedd6d473079c33b0
-
SHA1
699314bf74a661917771308e7cd6d6b618af2827
-
SHA256
6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
-
SHA512
0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
-
SSDEEP
24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is the WMI provider host and every child is schtasks.exe, which is consistent with the sample launching its task-registration commands through WMI process creation rather than with a compromised provider; the practical effect is that the persistence tasks are registered under a legitimate system parent instead of under the dropper.
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2896, procid_target 28) is not expected to spawn schtasks.exe. Child schtasks.exe PIDs: 2536, 2796, 2520, 3040, 1264, 652, 1712, 2548, 1484, 616, 1372, 2912, 2940, 3064, 3068.
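A hunt for the same parent/child relationship on a monitored host, as an added example that is not part of the Triage report. It assumes Sysmon is installed with process-creation logging (Event ID 1 in Microsoft-Windows-Sysmon/Operational); the function name and the default look-back window are my own choices.

```powershell
# Added example (not part of the report): find schtasks.exe launched by wmiprvse.exe
# in Sysmon process-creation events. Assumes Sysmon with Event ID 1 enabled.
function Find-WmiSpawnedSchtasks {
    [CmdletBinding()]
    param(
        [datetime]$Since  = (Get-Date).AddDays(-1),                # assumed default window
        [string]$LogName  = 'Microsoft-Windows-Sysmon/Operational'
    )
    $filter = @{ LogName = $LogName; Id = 1; StartTime = $Since }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Sysmon stores its fields as <Data Name="...">value</Data>; flatten them to a hashtable.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.ParentImage -notmatch '\\wbem\\wmiprvse\.exe$') { continue }
        if ($data.Image       -notmatch '\\schtasks\.exe$')       { continue }

        [pscustomobject]@{
            Time        = $evt.TimeCreated
            ParentPid   = $data.ParentProcessId
            Pid         = $data.ProcessId
            User        = $data.User
            CommandLine = $data.CommandLine   # the /tn and /tr values identify the task and payload
        }
    }
}

Find-WmiSpawnedSchtasks | Sort-Object Time | Format-Table -AutoSize
```

Without Sysmon, Security event 4688 carries the same relationship on Windows 10 and later when "Include command line in process creation events" is enabled; the field names there are NewProcessName, ParentProcessName and CommandLine instead of Image, ParentImage and CommandLine.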
UAC bypass 12 IoCs
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (description / ioc / Process):
- Set value (int) ConsentPromptBehaviorAdmin = "0" NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Set value (int) PromptOnSecureDesktop = "0" NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Set value (int) EnableLUA = "0" smss.exe
- Set value (int) EnableLUA = "0" smss.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" smss.exe
- Set value (int) PromptOnSecureDesktop = "0" smss.exe
- Set value (int) EnableLUA = "0" smss.exe
- Set value (int) EnableLUA = "0" NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" smss.exe
- Set value (int) PromptOnSecureDesktop = "0" smss.exe
- Set value (int) PromptOnSecureDesktop = "0" smss.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" smss.exe
resource / yara_rule:
- behavioral1/memory/1320-0-0x0000000000D60000-0x0000000000ECC000-memory.dmp dcrat
- behavioral1/files/0x0008000000015c57-34.dat dcrat
- behavioral1/files/0x0007000000015f2f-63.dat dcrat
- behavioral1/memory/1600-134-0x0000000000E30000-0x0000000000F9C000-memory.dmp dcrat
- behavioral1/files/0x000600000001606a-132.dat dcrat
- behavioral1/files/0x000600000001606a-118.dat dcrat
- behavioral1/files/0x000600000001606a-247.dat dcrat
- behavioral1/files/0x001a000000014c45-256.dat dcrat
- behavioral1/files/0x000600000001606a-286.dat dcrat
- behavioral1/files/0x001a000000014c45-295.dat dcrat
Executes dropped EXE 3 IoCs
pid / Process:
- 1600 smss.exe
- 2792 smss.exe
- 2828 smss.exe
Checks whether UAC is enabled 8 IoCs
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (description / ioc / Process):
- Set value (int) EnableLUA = "0" smss.exe
- Key value queried EnableLUA smss.exe
- Set value (int) EnableLUA = "0" smss.exe
- Key value queried EnableLUA NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Set value (int) EnableLUA = "0" NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Key value queried EnableLUA smss.exe
- Set value (int) EnableLUA = "0" smss.exe
- Key value queried EnableLUA smss.exe
Drops file in Program Files directory 15 IoCs
description / ioc / Process (all by NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe):
- File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCX9EB7.tmp
- File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCX9EB8.tmp
- File created C:\Program Files (x86)\Google\winlogon.exe
- File opened for modification C:\Program Files (x86)\Windows Mail\en-US\RCX9A80.tmp
- File opened for modification C:\Program Files (x86)\Google\winlogon.exe
- File opened for modification C:\Program Files (x86)\Windows Mail\en-US\RCX9A02.tmp
- File opened for modification C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe
- File opened for modification C:\Program Files (x86)\Google\RCX9C93.tmp
- File opened for modification C:\Program Files (x86)\Google\RCX9CA4.tmp
- File created C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe
- File created C:\Program Files (x86)\Windows Mail\en-US\5940a34987c991
- File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe
- File created C:\Program Files (x86)\Google\cc11b995f2a76d
- File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\27d1bcfc3c54e0
- File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: schtasks.exe with PIDs 2520, 1484, 3068, 2796, 3040, 652, 1372, 2940, 2536, 1712, 2548, 616, 1264, 2912, 3064
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (64 hits; the same process is reported many times, so the distinct entries are listed):
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe (multiple hits)
- 2312, 2988, 2216, 2236, 2440, 2160, 1260, 2036, 1204, 2584, 1980, 1632 powershell.exe (one hit each)
- 1600 smss.exe (multiple hits)
Suspicious use of AdjustPrivilegeToken 16 IoCs
description / pid / Process:
- Token: SeDebugPrivilege 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Token: SeDebugPrivilege 1600 smss.exe
- Token: SeDebugPrivilege 2312 powershell.exe
- Token: SeDebugPrivilege 2988 powershell.exe
- Token: SeDebugPrivilege 2216 powershell.exe
- Token: SeDebugPrivilege 2160 powershell.exe
- Token: SeDebugPrivilege 2236 powershell.exe
- Token: SeDebugPrivilege 1260 powershell.exe
- Token: SeDebugPrivilege 2440 powershell.exe
- Token: SeDebugPrivilege 2036 powershell.exe
- Token: SeDebugPrivilege 1204 powershell.exe
- Token: SeDebugPrivilege 2584 powershell.exe
- Token: SeDebugPrivilege 1980 powershell.exe
- Token: SeDebugPrivilege 1632 powershell.exe
- Token: SeDebugPrivilege 2792 smss.exe
- Token: SeDebugPrivilege 2828 smss.exe
Suspicious use of WriteProcessMemory 63 IoCs
Each of the 21 distinct parent/child pairs below is recorded three times in the raw report.
pid / Process -> target pid (procid_target):
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 1632 (44)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 2236 (45)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 1204 (46)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 1260 (49)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 2440 (50)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 2216 (51)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 2036 (52)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 2584 (60)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 2160 (59)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 2312 (56)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 2988 (53)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 1980 (55)
- 1320 NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe -> 1600 (68)
- 1600 smss.exe -> 2724 (69)
- 1600 smss.exe -> 1628 (70)
- 2724 WScript.exe -> 2792 (73)
- 2792 smss.exe -> 1100 (74)
- 2792 smss.exe -> 2696 (75)
- 1100 WScript.exe -> 2828 (76)
- 2828 smss.exe -> 2428 (77)
- 2828 smss.exe -> 1620 (78)
System policy modification 1 TTPs 12 IoCs
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (description / ioc / Process):
- Set value (int) ConsentPromptBehaviorAdmin = "0" NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Set value (int) PromptOnSecureDesktop = "0" smss.exe
- Set value (int) EnableLUA = "0" smss.exe
- Set value (int) PromptOnSecureDesktop = "0" smss.exe
- Set value (int) PromptOnSecureDesktop = "0" smss.exe
- Set value (int) EnableLUA = "0" NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Set value (int) PromptOnSecureDesktop = "0" NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
- Set value (int) EnableLUA = "0" smss.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" smss.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" smss.exe
- Set value (int) EnableLUA = "0" smss.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" smss.exe
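The registry writes listed under the UAC-bypass and system-policy signatures all target the same three values. ConsentPromptBehaviorAdmin = 0 makes elevation silent for administrators immediately; PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop; EnableLUA = 0 switches UAC off entirely, but only after the next reboot. The following function, an added example and not part of the Triage report, reads the three values, compares them with stock Windows defaults (EnableLUA = 1, ConsentPromptBehaviorAdmin = 5, PromptOnSecureDesktop = 1) and can restore them; the function name and the baseline are my own, and an environment with a Group Policy baseline should compare against that instead.

```powershell
# Added example (not part of the report): audit and optionally restore the UAC policy
# values this sample zeroes. Run in an elevated session. Baseline values below are the
# stock Windows defaults (an assumption; use your GPO baseline if you have one).
function Test-UacPolicy {
    [CmdletBinding()]
    param(
        [switch]$Remediate
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $baseline = @{
        EnableLUA                  = 1   # 0 disables UAC; takes effect at next boot
        ConsentPromptBehaviorAdmin = 5   # 0 = elevate administrators without any prompt
        PromptOnSecureDesktop      = 1   # 0 = prompts are shown on the normal desktop
    }
    $props = Get-ItemProperty -Path $key

    $findings = foreach ($name in $baseline.Keys) {
        $current = $props.$name   # $null when the value is absent (default applies)
        [pscustomobject]@{
            Value    = $name
            Current  = $current
            Expected = $baseline[$name]
            Weakened = ($null -ne $current -and [int]$current -ne $baseline[$name])
        }
    }

    if ($Remediate) {
        foreach ($f in $findings | Where-Object Weakened) {
            Set-ItemProperty -Path $key -Name $f.Value -Value $f.Expected -Type DWord
        }
    }
    $findings
}

# Usage:
#   Test-UacPolicy              # report only
#   Test-UacPolicy -Remediate   # restore defaults; a changed EnableLUA needs a reboot to apply
Test-UacPolicy | Format-Table -AutoSize
```

Restoring the values does not undo anything the sample did while elevation was silent (the dropped copies, scheduled tasks and Defender exclusions elsewhere in this report), so treat a weakened finding as a trigger for the rest of the host review rather than as the fix.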
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe"
  PID: 1320
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  depth 2: twelve child processes of PID 1320, each C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe running "powershell" -Command Add-MpPreference -ExclusionPath '<path>', and each flagged "Suspicious behavior: EnumeratesProcesses" and "Suspicious use of AdjustPrivilegeToken":
  - PID 1632: 'C:/'
  - PID 2236: 'C:/$Recycle.Bin/'
  - PID 1204: 'C:/Documents and Settings/'
  - PID 1260: 'C:/MSOCache/'
  - PID 2440: 'C:/PerfLogs/'
  - PID 2216: 'C:/Program Files/'
  - PID 2036: 'C:/Program Files (x86)/'
  - PID 2988: 'C:/Users/'
  - PID 1980: 'C:/Windows/'
  - PID 2312: 'C:/System Volume Information/'
  - PID 2160: 'C:/Recovery/'
  - PID 2584: 'C:/ProgramData/'
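The twelve Add-MpPreference calls add a Defender path exclusion for the drive root and every top-level directory on C:, which takes the whole volume out of scanning. On the Windows 7 image used for this task the Defender PowerShell module does not exist, so those commands fail; on Windows 10 and later they succeed when run elevated. The function below, an added example and not part of the report, lists the configured exclusions, normalises the separators (the sample passed forward slashes) and flags paths that are the drive root or one level below it; the function name and the depth threshold are my own choices.

```powershell
# Added example (not part of the report): find broad Defender path exclusions such as
# 'C:/' or 'C:/Windows/' and optionally remove them. Assumes Windows 10+ with the
# Defender module and an elevated session for -Remove.
function Get-SuspiciousDefenderExclusion {
    [CmdletBinding()]
    param(
        [switch]$Remove,
        # Flag exclusions at most this many directories below the drive root (assumed threshold).
        [int]$MaxDepthToFlag = 1
    )
    $prefs = Get-MpPreference
    foreach ($path in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }

        # Normalise 'C:/Program Files/' to 'C:\Program Files' before measuring depth.
        $norm  = ($path -replace '/', '\').TrimEnd('\')
        $parts = @($norm -split '\\' | Where-Object { $_ -ne '' })
        $depth = $parts.Count - 1              # 'C:' is depth 0, 'C:\Windows' is depth 1
        $suspicious = ($depth -le $MaxDepthToFlag)

        $removed = $false
        if ($Remove -and $suspicious) {
            Remove-MpPreference -ExclusionPath $path   # pass the stored string back unchanged
            $removed = $true
        }

        [pscustomobject]@{
            Exclusion  = $path
            Normalised = $norm
            Depth      = $depth
            Suspicious = $suspicious
            Removed    = $removed
        }
    }
}

# Usage:
#   Get-SuspiciousDefenderExclusion            # report only
#   Get-SuspiciousDefenderExclusion -Remove    # drop the flagged entries
Get-SuspiciousDefenderExclusion | Format-Table -AutoSize
```

Each addition is also recorded as Event ID 5007 ("configuration changed") in the Microsoft-Windows-Windows Defender/Operational log, which gives the time the exclusion appeared and lets the change be tied back to the powershell.exe instances in the process tree.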
  depth 2: C:\Users\All Users\Documents\smss.exe
    cmdline: "C:\Users\All Users\Documents\smss.exe"
    PID: 1600
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    depth 3: C:\Windows\System32\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c016ce-e911-468c-8b5b-9258fff19634.vbs"
      PID: 2724
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Users\All Users\Documents\smss.exe
        cmdline: "C:\Users\All Users\Documents\smss.exe"
        PID: 2792
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        depth 5: C:\Windows\System32\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f1e8466-88bd-41ef-9e26-a0c5b746ecc5.vbs"
          PID: 1100
          - Suspicious use of WriteProcessMemory
          depth 6: C:\Users\All Users\Documents\smss.exe
            cmdline: "C:\Users\All Users\Documents\smss.exe"
            PID: 2828
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            depth 7: C:\Windows\System32\WScript.exe
              cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4823b02f-678b-49ce-b8c3-efa8c15d028c.vbs"
              PID: 2428
            depth 7: C:\Windows\System32\WScript.exe
              cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\283103aa-2958-4c01-82e5-36c16518f179.vbs"
              PID: 1620
        depth 5: C:\Windows\System32\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74e596a9-a030-4722-ab3f-678150867930.vbs"
          PID: 2696
    depth 3: C:\Windows\System32\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59a1127d-ec24-45d1-9edf-6832273bb0a7.vbs"
      PID: 1628
  The dropped copy re-launches itself in a loop: each smss.exe instance starts two WScript.exe hosts running GUID-named .vbs files from %TEMP%, and one of those scripts starts the next smss.exe.
depth 1: fifteen C:\Windows\system32\schtasks.exe processes (parent wmiprvse.exe, PID 2896), each flagged "Process spawned unexpected child process" and "Creates scheduled task(s)". For each of the five payload paths there are three tasks: one ONLOGON task with /rl HIGHEST and two MINUTE-interval tasks, one of which also uses /rl HIGHEST; the interval task names carry one extra trailing letter (smsss, dllhostd, winlogonw, SystemS, audiodga).
- PID 2536: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\smss.exe'" /f
- PID 2796: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
- PID 2520: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
- PID 3040: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /f
- PID 1264: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
- PID 652: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
- PID 1712: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /f
- PID 2548: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /rl HIGHEST /f
- PID 1484: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /rl HIGHEST /f
- PID 616: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /f
- PID 1372: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f
- PID 2912: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f
- PID 2940: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /f
- PID 3064: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /rl HIGHEST /f
- PID 3068: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /rl HIGHEST /f
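Every task above points at an executable named after a Windows system binary (smss.exe, dllhost.exe, winlogon.exe, audiodg.exe, System.exe) that lives outside the Windows directory, most with RunLevel Highest and a trigger repeating every few minutes. The function below, an added example and not part of the Triage report, walks the task store on a live host and reports tasks matching that pattern; the function name, the lookalike list (taken from this report, not exhaustive) and the trusted-root list are my own. It needs the ScheduledTasks module (Windows 8 / Server 2012 and later); on Windows 7 the equivalent data comes from schtasks /query /fo CSV /v.

```powershell
# Added example (not part of the report): find scheduled tasks whose action runs a file
# named like a Windows system binary from a non-system path. Assumes the ScheduledTasks
# module; lookalike names and trusted roots are assumptions drawn from this report.
function Find-LookalikeScheduledTask {
    [CmdletBinding()]
    param(
        [string[]]$LookalikeNames = @('smss.exe', 'dllhost.exe', 'winlogon.exe', 'audiodg.exe', 'System.exe'),
        [string[]]$TrustedRoots   = @("$env:SystemRoot\")
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            $exe = $action.Execute
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }

            # schtasks /tr "'C:\path\x.exe'" keeps the inner single quotes; strip any quoting.
            $exe  = $exe.Trim().Trim('"', "'")
            $leaf = [System.IO.Path]::GetFileName($exe)

            $inTrusted = $false
            foreach ($root in $TrustedRoots) {
                if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            # -contains is case-insensitive, so 'System.exe' and 'system.exe' both match.
            if ($inTrusted -or -not ($LookalikeNames -contains $leaf)) { continue }

            # A "/sc MINUTE /mo 14" trigger shows up as a repetition interval of PT14M.
            $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ }) -join ','

            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                Executable = $exe
                Arguments  = $action.Arguments
                RunLevel   = $task.Principal.RunLevel
                Repeat     = $interval
                Author     = $task.Author
            }
        }
    }
}

# Usage:
#   Find-LookalikeScheduledTask | Format-Table -AutoSize
#   Unregister-ScheduledTask -TaskName <name> -TaskPath <path> -Confirm:$false   # after confirming
Find-LookalikeScheduledTask | Format-Table -AutoSize
```

Removing the tasks is only half of the cleanup: the target executables and the dropped copy under C:\Users\All Users\Documents remain on disk, and the ONLOGON tasks would have re-created the chain at the next sign-in, so collect the task XML and the payloads before unregistering anything.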
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Scheduled Task/Job (1)
Downloads
Files that the report records at several locations with identical hashes (the sample copied to its persistence paths, the repeated jump-list file) are listed once.
-
Filesize 1.4MB
MD5 40b8ab027d105aef6ee81351cbf33e01
SHA1 d58d8d96d96b41965e8ae67d0956157c0ce7a9d7
SHA256 9d26d8ab136e6703a8e98cb36847b879bc9284da2ade8792d1f85ecdf600b02c
SHA512 2c50c1238c731f6fb546cda371a4cdbcb6e58fecb92e14321217155a3c55dc2dffad34ea5271a1069c33b44d87775d453701b47e243336eb83d9869190d76e0c
-
Filesize 1.4MB (the submitted sample; recorded at multiple locations)
MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
-
Filesize 713B
MD5 cebd39c9e4f83323f870f0a926bb9507
SHA1 229916c57c503b9f5deb269a5bb13d5fa92f574a
SHA256 0db7f2c37d1ce5a476acb3975f8b64d93a1071257c483696e8b58db82bc6382d
SHA512 e5e7e34846fba1eff398336d933293d119f3255e9baaf3d69bbb98ca0e92cef0a969c9836b304df2f2481c26658c114c176075ef328212e3442e14fda6c7bcbe
-
Filesize 489B (recorded four times)
MD5 ff5b97fb6306c641466d345413c11681
SHA1 8645270aa952670b602b443516931ad7b5fffe04
SHA256 5acce3db4501af0de745f5b1b3e7fe36df0c0a0e51dd93cbb6cc2eb7130bb639
SHA512 04928f51a6396437856202b87c1809e12c96e87d7faeddc7d02b70fabd7f1b79bfa54a35df5ccc02998e2e969d89c2985ba3398cbd59fcea9a85433270ed0eda
-
Filesize 713B
MD5 312bb5bc5578762f5103fc9dd52a9cda
SHA1 8268048dde68f3a9adefc1985b421c01c782586d
SHA256 3e94ff29e3645c26ff2ef289cd2e6ffbc0d0f83aa3071ae652259a76721a7c05
SHA512 a1418d2e305b48b8277dca299dc3dd7d1e6e8878374371a2d480f271388634b319a67e646fd0d4f9eb4319b4d8f5d86cc34d48a9918f8ef4edc98ffee6d5c940
-
Filesize 713B
MD5 76626e8ba1160dfbd543304eea886658
SHA1 590612efde4ec67322f0e0c5d7c81d2788f4d5cb
SHA256 5c0c925cc7db33998430377e00bc30ffa968c7654b357f8d0ac85cef86674b25
SHA512 233d0476b74e56544c7ff0f703cfb6187b5d52b5e3a7e58baddf18401593233089cde386da9a100c39be1253d90022d428149c1bbabbb63d5390282702ff0905
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (recorded eight times)
Filesize 7KB
MD5 3f21815d5378acb11617b0a9d0dab29a
SHA1 15ae09559113259f5ee4f4580dd6cd07ee73a81b
SHA256 5df0cb3ee007bf9af236f9120c26bedeb0621daff60249a7ca2e601a486b01b9
SHA512 eac7e1c8291b1699836583acf6c541344ccc1d08b5d54cea21a96bbc1f0f11e1cf693852b75446c616cefcd2eec3ff59a0212e725b852f1c1999d47faca7fab3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KQYPVYHCJY6ZSDUUPIHJ.temp
Filesize 7KB
MD5 3f21815d5378acb11617b0a9d0dab29a
SHA1 15ae09559113259f5ee4f4580dd6cd07ee73a81b
SHA256 5df0cb3ee007bf9af236f9120c26bedeb0621daff60249a7ca2e601a486b01b9
SHA512 eac7e1c8291b1699836583acf6c541344ccc1d08b5d54cea21a96bbc1f0f11e1cf693852b75446c616cefcd2eec3ff59a0212e725b852f1c1999d47faca7fab3