Malware Analysis Report

2024-10-23 21:47

Sample ID 240312-c53lesfg68
Target 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
SHA256 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815
Tags
purelogstealer xworm rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

Threat Level: Known bad

The file 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe was found to be: Known bad.

Malicious Activity Summary

purelogstealer xworm rat stealer trojan

Detect Xworm Payload

Xworm

PureLog Stealer

PureLog Stealer payload

Detects executables packed with SmartAssembly

Detects Windows executables referencing non-Windows User-Agents

Checks computer location settings

Drops startup file

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 02:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 02:40

Reported

2024-03-12 02:43

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
PID 2508 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2508 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2508 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2508 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

"C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'

Network

Country Destination Domain Proto
DE 5.182.87.154:7000 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 da02baf60d0f64942e0f806ba027aba5
SHA1 122828e98b7b918231e3d3290481ca6628ea21c0
SHA256 b2a53b437844124e1e67e12e55b56641da1b6d4602cada05f8971f6ef7be8708
SHA512 ca3fe4f1f5cf2267fd44fbe99d3240df3ee99f35df793f00f02f2c8382db4bc9613c0c9bf3f78fc5197e94d016848ca3904557c9f4eb65eca4a28bb780050a6a

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\mdnsresp.exe

MD5 fcdaab00e2f4e2b208939d9a2301dfb8
SHA1 31e19cc04ec33f974441dd30f306ca3b9cce1420
SHA256 59fe950316d446bbaa3fcc389f094407db644ed87f4a40cf31da997d60676ada
SHA512 4f806563160383b7441b4b6191808053ad83ca6516f0d14a025edeffbd534915d8c5b70ad9fc55ae09005696fdc919b77e0f18fed4f5996e4be1031e1f41807f

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 02:40

Reported

2024-03-12 02:43

Platform

win10v2004-20240226-en

Max time kernel

163s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
PID 2648 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

"C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe.log

MD5 8c2da65103d6b46d8cf610b118210cf0
SHA1 9db4638340bb74f2af3161cc2c9c0b8b32e6ab65
SHA256 0e48e2efd419951e0eb9a8d942493cfdf5540d1d19ff9dae6f145fb3ebcbeeac
SHA512 3cf5a125276e264cd8478f2b92d3848fb68b96d46eb4a39e650d09df02068c274881a1c314cdfbfdcb452672fb70dd8becf3ffe9562d39919d9c4d6b07fbb614

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnm03lzd.tcl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f650e7407077df0d7e1b0f8f5993efc5
SHA1 a8a5f0f72d682d09d8225a4c16acce8f3b9b1881
SHA256 ec02ed6338650d3765aed09d73af3d5c1c19157822843511eaa16a0f7ae4efa2
SHA512 067e91fc6d616fa35cfb6bf7f56347ea3c5242bff597c337922e93399de23db6c05116d5e56d33c127ec2a9d1bbb59b002be4cdd224596833f851a034658656a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d745ee879a625891be21c705f4d281a
SHA1 a7bd27d859b462e7d21d8b9f6a3ce66b9dbd2e08
SHA256 52ab3c1d6f2b85b5d1a2d93c87848522cb01fa67311675be6a6daf03f0e7b814
SHA512 2fb78a9d7947ec2b02a7a91ebd0adf2bd7c8a52b97a07d27b2edc25f18c1493d180ae0293080e2d3a191b8e358a01e1aa99f192e6b2234b564e6df89f1badfe8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2089b2699a81b97383732345fc315b84
SHA1 4dedf5e3c85b48ac071ea47e3f2102d43a3912e0
SHA256 4246c58639ac921bf67e783b18d87195744d745d9034125850095b73e47eb6da
SHA512 a38985cb00cc0ccf82175d870343ac56d4cf61d4defc6caa660f8f27c9b17618bad4f64e7226ec1b0367469118c401cc92d80c40554b2a8d32c6d96d498eeb80