Analysis
-
max time kernel
137s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
04/03/2024, 21:58
Behavioral task
behavioral1
Sample
b33381cf1b615fe71a76a5d021f5bc0b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b33381cf1b615fe71a76a5d021f5bc0b.exe
Resource
win10v2004-20240226-en
General
-
Target
b33381cf1b615fe71a76a5d021f5bc0b.exe
-
Size
657KB
-
MD5
b33381cf1b615fe71a76a5d021f5bc0b
-
SHA1
7f8eb2c5f4e0d6b17a7d08247725a29d6a9b1e5c
-
SHA256
521c3397e74ac90efdc6e89fa011fa555576d943d35a1b6e7709369467fac541
-
SHA512
9dbb3189d479443da35d4d2adaaa817f2698c52f610d70f7a4df40e662ef010698b9e67c8807968fbb6bdc22b50285b27425df0d253cecb4c2943d4de0e677cb
-
SSDEEP
12288:hcwqmAA2LUsVY225bV1AdMAw90ZkJEufn8nEzlM2Yw0vCyyXo4aD:hXAAyl2SdMokJgETGyvE
Malware Config
Signatures
-
resource | yara_rule
behavioral1/files/0x000c00000001224f-21.dat | aspack_v212_v242
-
Deletes itself 1 IoCs
pid | Process
2604 | cmd.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2980 | L_Server2007.exe
-
Drops file in System32 directory 43 IoCs
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\L_Server2007.exe | b33381cf1b615fe71a76a5d021f5bc0b.exe
File opened for modification | C:\Windows\L_Server2007.exe | b33381cf1b615fe71a76a5d021f5bc0b.exe
File created | C:\Windows\L_Server2007.DLL | L_Server2007.exe
File opened for modification | C:\Windows\L_Server2007.DLL | L_Server2007.exe
File created | C:\Windows\uninstal.bat | b33381cf1b615fe71a76a5d021f5bc0b.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
pid | Process
2568 | IEXPLORE.EXE
2568 | IEXPLORE.EXE
2568 | IEXPLORE.EXE
2568 | IEXPLORE.EXE
2568 | IEXPLORE.EXE
2568 | IEXPLORE.EXE
2568 | IEXPLORE.EXE
2568 | IEXPLORE.EXE
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2568 | IEXPLORE.EXE
2568 | IEXPLORE.EXE
2528 | IEXPLORE.EXE
2528 | IEXPLORE.EXE
2528 | IEXPLORE.EXE
2528 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 2980 wrote to memory of 2568 | 2980 | L_Server2007.exe | 29
PID 2980 wrote to memory of 2568 | 2980 | L_Server2007.exe | 29
PID 2980 wrote to memory of 2568 | 2980 | L_Server2007.exe | 29
PID 2980 wrote to memory of 2568 | 2980 | L_Server2007.exe | 29
PID 2568 wrote to memory of 2644 | 2568 | IEXPLORE.EXE | 30
PID 2568 wrote to memory of 2644 | 2568 | IEXPLORE.EXE | 30
PID 2568 wrote to memory of 2644 | 2568 | IEXPLORE.EXE | 30
PID 1688 wrote to memory of 2604 | 1688 | b33381cf1b615fe71a76a5d021f5bc0b.exe | 31
PID 1688 wrote to memory of 2604 | 1688 | b33381cf1b615fe71a76a5d021f5bc0b.exe | 31
PID 1688 wrote to memory of 2604 | 1688 | b33381cf1b615fe71a76a5d021f5bc0b.exe | 31
PID 1688 wrote to memory of 2604 | 1688 | b33381cf1b615fe71a76a5d021f5bc0b.exe | 31
PID 1688 wrote to memory of 2604 | 1688 | b33381cf1b615fe71a76a5d021f5bc0b.exe | 31
PID 1688 wrote to memory of 2604 | 1688 | b33381cf1b615fe71a76a5d021f5bc0b.exe | 31
PID 1688 wrote to memory of 2604 | 1688 | b33381cf1b615fe71a76a5d021f5bc0b.exe | 31
PID 2568 wrote to memory of 2528 | 2568 | IEXPLORE.EXE | 33
PID 2568 wrote to memory of 2528 | 2568 | IEXPLORE.EXE | 33
PID 2568 wrote to memory of 2528 | 2568 | IEXPLORE.EXE | 33
PID 2568 wrote to memory of 2528 | 2568 | IEXPLORE.EXE | 33
PID 2980 wrote to memory of 2568 | 2980 | L_Server2007.exe | 29
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b33381cf1b615fe71a76a5d021f5bc0b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b33381cf1b615fe71a76a5d021f5bc0b.exe"
PID:1688
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\uninstal.bat
    PID:2604
    - Deletes itself
-
C:\Windows\L_Server2007.exe
Command line: C:\Windows\L_Server2007.exe
PID:2980
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
    -
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    PID:2568
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
        -
        C:\Windows\System32\ie4uinit.exe
        Command line: "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
        PID:2644
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        -
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2
        PID:2528
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads