Analysis

max time kernel: 602s
max time network: 606s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 03:39

Static task: static1
Behavioral task: behavioral1
Sample: Output.exe
Resource: win10v2004-20240508-en

Errors

General

Target: Output.exe
Size: 107.1MB
MD5: 3670535d0c66e883ef860251db57cd58
SHA1: a2ab33e914970d615341aff4de1f5c836bb61252
SHA256: 3334e3754179b8a49c17d76a4b89365384a2988980a01cc372553680a2425304
SHA512: d65e26a4e512242eab7b07fb5eb54eb1897d458a4d511d6c6ee330cde3b4c626bec3a91f4e83bfd0e48863c30d57b5bcb5a2647d96f342b31d4f8f0ee9ce025f
SSDEEP: 1572864:wYBW7N98NbdcFzMArhkeAmWQNUxqtO9X0E/XhOVtlGQHsZT7PiHnku7dfqvPAq4:jBGN98NXAJjEVd/Xh0GQoiHku4LnBB
Malware Config

Extracted

Family: xworm
C2:
- 127.0.0.1:40971
- us3.localto.net:40971
- Name1442-40971.portmap.host:40971
Install_directory: %Temp%
install_file: KVRT.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
- resource C:\Users\Admin\AppData\Roaming\XClient.exe, yara_rule family_xworm
- resource behavioral1/memory/2076-13-0x0000000000200000-0x000000000021C000-memory.dmp, yara_rule family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 4836 powershell.exe
- pid 4468 powershell.exe
- pid 1220 powershell.exe
- pid 4052 powershell.exe
Drops file in Drivers directory (2 IoCs)
Processes (227651fc.exe):
- File created C:\Windows\System32\Drivers\87df702d.sys
- File created C:\Windows\System32\Drivers\klupd_87df702da_arkmon.sys
Sets service image path in registry (2 TTPs, 6 IoCs)
Processes (227651fc.exe):
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_arkmon\ImagePath = "System32\\Drivers\\klupd_87df702da_arkmon.sys"
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_klbg\ImagePath = "System32\\Drivers\\klupd_87df702da_klbg.sys"
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_klark\ImagePath = "System32\\Drivers\\klupd_87df702da_klark.sys"
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_mark\ImagePath = "System32\\Drivers\\klupd_87df702da_mark.sys"
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_87df702da_arkmon_FD710C43\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\FD710C439F89CA6B7D8CAF3EE6F307D0\\klupd_87df702da_arkmon.sys"
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\87df702d\ImagePath = "System32\\Drivers\\87df702d.sys"
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Output.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
- XClient.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
- 227651fc.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
Processes (XClient.exe):
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk
Executes dropped EXE (7 IoCs)
Processes:
- pid 2076 XClient.exe
- pid 4796 KVRT.exe
- pid 4952 227651fc.exe
- pid 3208 KVRT.exe
- pid 4016 KVRT.exe
- pid 3264 KVRT.exe
- pid 4076 KVRT.exe
Loads dropped DLL (42 IoCs)
Processes:
- pid 4952 227651fc.exe (42 events, all from this process)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- XClient.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KVRT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KVRT.exe"
- 227651fc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\9c90243f-c43c-435a-8bb8-af3a0f3e9573 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{04320283-d027-42ae-aacb-bc3469a70089}\\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd\""
Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
Processes (227651fc.exe):
- Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\KasperskyLab
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (227651fc.exe):
- File opened (read-only) \??\F:
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network:
- flow 13: ip-api.com
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (227651fc.exe):
- File opened for modification \??\PhysicalDrive0
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 2 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
- 227651fc.exe: File opened (read-only) \??\VBoxMiniRdrDN
- KVRT.exe: File opened (read-only) \??\VBoxMiniRdrDN
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (15 IoCs)
Processes (LogonUI.exe):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
Modifies registry key (1 TTPs, 1 IoCs)

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- pid 4952 227651fc.exe
- pid 2076 XClient.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes:
- pid 1220 powershell.exe (2 events)
- pid 4052 powershell.exe (2 events)
- pid 4836 powershell.exe (2 events)
- pid 4468 powershell.exe (2 events)
- pid 2076 XClient.exe (1 event)
- pid 4952 227651fc.exe (16 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- pid 4952 227651fc.exe

Suspicious behavior: LoadsDriver (4 IoCs)
Processes:
- pid 4952 227651fc.exe (4 events)
Suspicious use of AdjustPrivilegeToken (59 IoCs)
Processes (token privileges enabled, grouped by process; the same privilege was often enabled repeatedly, so event counts exceed the number of distinct privileges):
- pid 2076 XClient.exe (2 events): SeDebugPrivilege
- pid 1220 powershell.exe (1 event): SeDebugPrivilege
- pid 4052 powershell.exe (1 event): SeDebugPrivilege
- pid 4836 powershell.exe (1 event): SeDebugPrivilege
- pid 4468 powershell.exe (1 event): SeDebugPrivilege
- pid 3208 KVRT.exe (1 event): SeDebugPrivilege
- pid 4016 KVRT.exe (1 event): SeDebugPrivilege
- pid 3264 KVRT.exe (1 event): SeDebugPrivilege
- pid 4076 KVRT.exe (1 event): SeDebugPrivilege
- pid 5100 shutdown.exe (2 events): SeShutdownPrivilege, SeRemoteShutdownPrivilege
- pid 4952 227651fc.exe (47 events): SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeSecurityPrivilege, SeCreatePermanentPrivilege, SeIncreaseQuotaPrivilege, SeSystemProfilePrivilege, SeMachineAccountPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- pid 4952 227651fc.exe (64 events, all from this process)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- pid 4952 227651fc.exe
- pid 2076 XClient.exe
- pid 3480 LogonUI.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes (source PID wrote to memory of target PID):
- PID 3300 Output.exe wrote to memory of 2076 XClient.exe (2 events)
- PID 3300 Output.exe wrote to memory of 4796 KVRT.exe (3 events)
- PID 2076 XClient.exe wrote to memory of 1220 powershell.exe (2 events)
- PID 4796 KVRT.exe wrote to memory of 4952 227651fc.exe (3 events)
- PID 2076 XClient.exe wrote to memory of 4052 powershell.exe (2 events)
- PID 2076 XClient.exe wrote to memory of 4836 powershell.exe (2 events)
- PID 2076 XClient.exe wrote to memory of 4468 powershell.exe (2 events)
- PID 2076 XClient.exe wrote to memory of 224 schtasks.exe (2 events)
- PID 4952 227651fc.exe wrote to memory of 4536 cmd.exe (2 events)
- PID 4536 cmd.exe wrote to memory of 4636 PING.EXE (2 events)
- PID 4536 cmd.exe wrote to memory of 2484 reg.exe (2 events)
- PID 2076 XClient.exe wrote to memory of 5100 shutdown.exe (2 events)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\Output.exe (PID 3300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\XClient.exe (PID 2076)
    Command line: "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1220)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4052)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4836)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4468)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\schtasks.exe (PID 224)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "KVRT" /tr "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"
      - Creates scheduled task(s)
    C:\Windows\SYSTEM32\shutdown.exe (PID 5100)
      Command line: shutdown.exe /f /s /t 0
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\KVRT.exe (PID 4796)
    Command line: "C:\Users\Admin\AppData\Roaming\KVRT.exe"
    - Executes dropped EXE
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}\227651fc.exe (PID 4952)
      Command line: C:/Users/Admin/AppData/Local/Temp/{dffda3b3-8afe-4823-a7c8-52f9b8e7a180}/\227651fc.exe
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks for any installed AV software in registry
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe (PID 4536)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{04320283-d027-42ae-aacb-bc3469a70089}\9c90243f-c43c-435a-8bb8-af3a0f3e9573.cmd" "
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\PING.EXE (PID 4636)
          Command line: ping 127.0.0.1 -n 1
          - Runs ping.exe
        C:\Windows\system32\reg.exe (PID 2484)
          Command line: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 9c90243f-c43c-435a-8bb8-af3a0f3e9573 /f
          - Modifies registry key

C:\Users\Admin\AppData\Local\Temp\KVRT.exe (PID 3208)
  Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\KVRT.exe (PID 4016)
  Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\KVRT.exe (PID 3264)
  Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\KVRT.exe (PID 4076)
  Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (PID 3480)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa393b855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Downloads