Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-02-2024 01:54

Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20240221-en
General
Target: file.exe
Size: 136KB
MD5: 1bc8dd1a5e08a1dcaeefb1a03f5c71eb
SHA1: 9fbb0b46be6b7b0d60841f6c4d6940cdd1b4b08e
SHA256: 30845b56fd4b84afa4212a7c5130b4ee2c07924524c357ea21d4b79ef21fd2f5
SHA512: 5e8d3d808445684b08ec6e4b15d1a701c40bc80fb7d878695970a73f06fd318f6a812c7254dd7d61f74c1c36a0a989894dc80234374d9fc914142adcd9f6bc40
SSDEEP: 1536:Y3HKFCXebMDnye3MtblERG2DnWQZWSqaiWz5AAm7FcNLuAfyEDyIEpovc29OhSc4:iHKCXeC3VdZWS5ijAm7FcUMyIrjksE
Malware Config

Extracted: smokeloader
  pub1

Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php

Extracted: djvu
  http://habrafa.com/test1/get.php
  extension: .lkhy
  offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
  payload_url: http://brusuax.com/dl/build2.exe
  payload_url: http://habrafa.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

Extracted: redline
  LogsDiller Cloud (Telegram: @logsdillabot)
  5.42.65.38:46185

Extracted: lumma
  https://resergvearyinitiani.shop/api
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
Signatures

DcRat (4 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: file.exe, 15D5.exe, schtasks.exe, schtasks.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (file.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5953d43e-fb0a-4ac4-8520-990531719594\\15D5.exe\" --AutoStart" (15D5.exe)
- PID 4908 schtasks.exe
- PID 3328 schtasks.exe

Detected Djvu ransomware (9 IoCs)
Resource / YARA rule:
- behavioral2/memory/3040-17-0x0000000004B70000-0x0000000004C8B000-memory.dmp (family_djvu)
- behavioral2/memory/652-18-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/652-20-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/652-21-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/652-22-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/652-34-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/1688-40-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/1688-41-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/1688-43-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Glupteba payload (13 IoCs)
Resource / YARA rule:
- behavioral2/memory/2816-118-0x0000000005280000-0x0000000005B6B000-memory.dmp (family_glupteba)
- behavioral2/memory/2816-119-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/2816-141-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/2816-167-0x0000000005280000-0x0000000005B6B000-memory.dmp (family_glupteba)
- behavioral2/memory/2816-174-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/2816-176-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/1316-177-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/1316-206-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/1316-243-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/1316-274-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/740-342-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/740-376-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)
- behavioral2/memory/740-386-0x0000000000400000-0x0000000003118000-memory.dmp (family_glupteba)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Resource / YARA rule:
- behavioral2/memory/2996-59-0x0000000000400000-0x0000000000454000-memory.dmp (family_redline)

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- PID 4268 netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 15D5.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation (15D5.exe)

Deletes itself (1 IoC)
Processes:
- PID 3280 (no process name recorded)

Executes dropped EXE (13 IoCs)
Processes:
- PID 3040 15D5.exe
- PID 652 15D5.exe
- PID 860 15D5.exe
- PID 1688 15D5.exe
- PID 3624 2547.exe
- PID 1184 78B7.exe
- PID 4184 8F7D.exe
- PID 2816 9654.exe
- PID 1316 9654.exe
- PID 740 csrss.exe
- PID 4676 injector.exe
- PID 1568 windefender.exe
- PID 372 windefender.exe

Modifies file permissions (1 TTP, 1 IoC)
Resource / YARA rule:
- behavioral2/files/0x000700000002324e-380.dat (upx)
- behavioral2/memory/1568-384-0x0000000000400000-0x00000000008DF000-memory.dmp (upx)

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: csrss.exe, 15D5.exe, 9654.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (csrss.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5953d43e-fb0a-4ac4-8520-990531719594\\15D5.exe\" --AutoStart" (15D5.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (9654.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 43: api.2ip.ua
- flow 44: api.2ip.ua

Manipulates WinMonFS driver (1 IoC)
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes: csrss.exe
- File opened for modification: \??\WinMonFS (csrss.exe)

Drops file in System32 directory (7 IoCs)
Processes: powershell.exe (6 instances)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)

Suspicious use of SetThreadContext (3 IoCs)
Processes: 15D5.exe, 15D5.exe, 2547.exe
- PID 3040 (15D5.exe) set thread context of PID 652 (procid_target 91)
- PID 860 (15D5.exe) set thread context of PID 1688 (procid_target 96)
- PID 3624 (2547.exe) set thread context of PID 2996 (procid_target 101)

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: 9654.exe
- File opened (read-only): \??\VBoxMiniRdrDN (9654.exe)

Drops file in Windows directory (4 IoCs)
Processes: csrss.exe, 9654.exe
- File created: C:\Windows\windefender.exe (csrss.exe)
- File opened for modification: C:\Windows\windefender.exe (csrss.exe)
- File opened for modification: C:\Windows\rss (9654.exe)
- File created: C:\Windows\rss\csrss.exe (9654.exe)

Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
Processes:
- PID 1240 sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
- PID 2284 WerFault.exe, pid_target 1688 (procid_target 96)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: file.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (file.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (file.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (file.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 4908 schtasks.exe
- PID 3328 schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: 9654.exe, powershell.exe (6 instances)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" (9654.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" (9654.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" (9654.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 2212 file.exe (2 entries)
- PID 3280, no process name recorded (all remaining entries)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 2212 file.exe

Suspicious use of AdjustPrivilegeToken (44 IoCs)
Processes: powershell.exe (7 instances), 9654.exe, csrss.exe, sc.exe
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeDebugPrivilege (PID 1732 powershell.exe)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeDebugPrivilege (PID 2816 9654.exe)
- Token: SeImpersonatePrivilege (PID 2816 9654.exe)
- Token: SeDebugPrivilege (PID 988 powershell.exe)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeDebugPrivilege (PID 3572 powershell.exe)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeDebugPrivilege (PID 552 powershell.exe)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeDebugPrivilege (PID 712 powershell.exe)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeDebugPrivilege (PID 228 powershell.exe)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeDebugPrivilege (PID 2444 powershell.exe)
- Token: SeShutdownPrivilege (PID 3280)
- Token: SeCreatePagefilePrivilege (PID 3280)
- Token: SeSystemEnvironmentPrivilege (PID 740 csrss.exe)
- Token: SeSecurityPrivilege (PID 1240 sc.exe)
- Token: SeSecurityPrivilege (PID 1240 sc.exe)

Suspicious use of UnmapMainImage (1 IoC)
Processes:
- PID 3280 (no process name recorded)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 15D5.exe, 15D5.exe, 15D5.exe, 2547.exe, cmd.exe, 9654.exe, 9654.exe, cmd.exe
(identical rows grouped; the count after each row is the number of times it appears in the report)
- PID 3280 wrote to memory of 3040 (procid_target 90): 3 entries
- PID 3040 (15D5.exe) wrote to memory of 652 (procid_target 91): 10 entries
- PID 652 (15D5.exe) wrote to memory of 1876 (procid_target 92): 3 entries
- PID 652 (15D5.exe) wrote to memory of 860 (procid_target 94): 3 entries
- PID 860 (15D5.exe) wrote to memory of 1688 (procid_target 96): 10 entries
- PID 3280 wrote to memory of 3624 (procid_target 99): 3 entries
- PID 3624 (2547.exe) wrote to memory of 2996 (procid_target 101): 8 entries
- PID 3280 wrote to memory of 1184 (procid_target 102): 3 entries
- PID 3280 wrote to memory of 4392 (procid_target 103): 2 entries
- PID 4392 (cmd.exe) wrote to memory of 2324 (procid_target 105): 2 entries
- PID 3280 wrote to memory of 4184 (procid_target 106): 2 entries
- PID 3280 wrote to memory of 2816 (procid_target 107): 3 entries
- PID 2816 (9654.exe) wrote to memory of 1732 (procid_target 109): 3 entries
- PID 1316 (9654.exe) wrote to memory of 988 (procid_target 114): 3 entries
- PID 1316 (9654.exe) wrote to memory of 2324 (procid_target 116): 2 entries
- PID 2324 (cmd.exe) wrote to memory of 4268 (procid_target 118): 2 entries
- PID 1316 (9654.exe) wrote to memory of 3572 (procid_target 119): 2 entries

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry gives the process image, its command line, the signatures that fired on it and its PID; the number in brackets is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 2212

[1] C:\Users\Admin\AppData\Local\Temp\15D5.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\15D5.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3040

  [2] C:\Users\Admin\AppData\Local\Temp\15D5.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\15D5.exe
      - DcRat
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 652

    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Users\Admin\AppData\Local\5953d43e-fb0a-4ac4-8520-990531719594" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions
        PID: 1876

    [3] C:\Users\Admin\AppData\Local\Temp\15D5.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\15D5.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 860

      [4] C:\Users\Admin\AppData\Local\Temp\15D5.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\15D5.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          PID: 1688

        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 568
            - Program crash
            PID: 2284

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1688 -ip 1688
    PID: 3736

[1] C:\Users\Admin\AppData\Local\Temp\2547.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2547.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3624

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 2996

[1] C:\Users\Admin\AppData\Local\Temp\78B7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\78B7.exe
    - Executes dropped EXE
    PID: 1184

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7C81.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4392

  [2] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      PID: 2324

[1] C:\Users\Admin\AppData\Local\Temp\8F7D.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\8F7D.exe
    - Executes dropped EXE
    PID: 4184

[1] C:\Users\Admin\AppData\Local\Temp\9654.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\9654.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2816

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Suspicious use of AdjustPrivilegeToken
      PID: 1732

  [2] C:\Users\Admin\AppData\Local\Temp\9654.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9654.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      PID: 1316

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID: 988

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
        PID: 2324

      [4] C:\Windows\system32\netsh.exe
          Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall
          PID: 4268

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID: 3572

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID: 552

    [3] C:\Windows\rss\csrss.exe
        Command line: C:\Windows\rss\csrss.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Manipulates WinMonFS driver
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID: 740

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 712

      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - DcRat
          - Creates scheduled task(s)
          PID: 4908

      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /delete /tn ScheduledUpdate /f
          PID: 4180

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 228

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 2444

      [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          - Executes dropped EXE
          PID: 4676

      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - DcRat
          - Creates scheduled task(s)
          PID: 3328

      [4] C:\Windows\windefender.exe
          Command line: "C:\Windows\windefender.exe"
          - Executes dropped EXE
          PID: 1568

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            PID: 4984

          [6] C:\Windows\SysWOW64\sc.exe
              Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              - Launches sc.exe
              - Suspicious use of AdjustPrivilegeToken
              PID: 1240

[1] C:\Windows\windefender.exe
    Command line: C:\Windows\windefender.exe
    - Executes dropped EXE
    PID: 372
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
Filesize
713KB
MD5
9d9114ab84aa79f8a22356d35ce7fd66
SHA1
80ace18221477538d8219bd0495e79875c334fa7
SHA256
05cff8cebc34d942d16d5fe3eae68ceb3420e96264819f8dd3fd6bb28028e514
SHA512
ba12481c78ab484781fb3466f28140f653230fa8b947a3afe4327621195de259258587c143f4e79a2dc5658439216b9fa11b337ec4c7794d910ce1262c915968
-
Filesize
483KB
MD5
820bc0398778528a79c639a9c1d9fceb
SHA1
b4d6633456ecfd1488c267abad140d3f765166c3
SHA256
ac847ca2a4f39ced778cb7724ee175e1c8130f6d0edf8eb75d495d02225ecab6
SHA512
0fb054b5f08759bda57e2106963f3e8c99b5104ba41588d0b6041047710526551ee8037804e3d989f867d46f6230c5dec8b96fc18491b13139ceb60c9b624b85
-
Filesize
5.6MB
MD5
479342d62078aaf31881972c7574f6f2
SHA1
382fa9a95746ca6199e7dfb9ae2bd035f4000fb4
SHA256
a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d
SHA512
0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da
-
Filesize
77B
MD5
55cc761bf3429324e5a0095cab002113
SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
1.9MB
MD5
b2b4879290de8e43ccbcd92b507de1cd
SHA1
de32697442f04035415d6c89d3398f778ed50bf2
SHA256
3800084470a4fde43467a91cba0e08399f7bdf70b0f03af2f99c282b18f1aa49
SHA512
179ffc5976e0a9a033816863cbb71ca0b8bc513e3f93a0da9773da1b7b5f3109d1442623f13482dd2a5632694262d5497e10c434149eb267ed028318c45a0bf1
-
Filesize
4.1MB
MD5
02918300e22e657baba70691b738ce12
SHA1
1fbfb963370dfceb62b270d348c6b35ca03b4715
SHA256
2a411824ee17b6546edb1d5d8144bf49d4e58c51b7a4c98fcec51198f7032cad
SHA512
af63db2688208bcb06bd441f74d97d61e9451554f30cc616b7222d1085c8d84109d02359021d163de86f4753090500810efac38adda9cb8713a856d0d19a0747
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5
d98e33b66343e7c96158444127a117f6
SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
3d086a433708053f9bf9523e1d87a4e8
SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
dba357be8e0f06523ea7b61e82c493fb
SHA1
fc53ced112265400c55b5cc3ec2e754da2ac3e65
SHA256
87fe43113219e209c492e1c6fa6c96acfa285b5a0f32890e27a08baf4428b46a
SHA512
9a67c44ad7b1bed0d52cdbf5b3257715e2920b63d55aebcc76ca0e109af62d5fd70613408777a0d086c35b2c26ca842d0e06d9cc39fb11235a25b75bb1f27047
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
9cf279f9935690199eeebf2481a07f17
SHA1
01ff7d722b85db63031a85be91f856ae5c4ec6fe
SHA256
d439a9d998d6812efb7ef67cf5cdce4aa550614f67e65680640fda1096df0cfb
SHA512
5c66c5064f9075e8f185b87b02cb4f8295f0d30889869ec53ec407d67d1deb9ef633632ac7ada69c14516cb19f6d8ed8a0659bd24dc6a8bb71ddffa70bb14b78
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
21cdb267361712025b39a62ff7e37bd6
SHA1
19ccb9d3493f28bb90eb23b910a9192f1eae9bcb
SHA256
c245dd216df5d2c3e7d8efaf2acf861e4a6ab14b18db636e5fba7625981f5c3c
SHA512
a6ed02856073fba55c92d25e7304ccdfa75c04518ed8b287dce15b6122a966023c2ce80255f814076c10dc729625544c81eb0453cf254ab46d211202fac9b4bb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
11da6d8442d6e41faef6661377513c48
SHA1
8e6cc9eef89fde9af49543df0406e8a0760e6dca
SHA256
eb3502178f9523fe5188da545923cf9352018bafba61c43090de1654af40bbb1
SHA512
6874113fb2f4f4ec8e38d93315af0c820d3bc805cab448d662b2110eb166ab9385293091a92f8a7257ae63ee85b7a2148121dfde03187f2fb5c72dd6272faa0f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
780f6c5e1520f58801fc8b9cee78ae5f
SHA1
e82ef0d221abb5666efedda28fd283ff244e372e
SHA256
507f943ba3862a583bffd0086019bae54a01cdb4a0ad74171b98a2843c45cce4
SHA512
258e8d76ab3814f3de31be30cfa4175b1b70d9065ed5e1d4047700f29f908aa53cebb862b12f5bc079444a82ca03236b4e8b8ba54ab8769c1f5e9f67db15a662
-
Filesize
2.0MB
MD5
8e67f58837092385dcf01e8a2b4f5783
SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec