Malware Analysis Report

2024-09-22 15:14

Sample ID 240531-xbhdlshh93
Target 87f3c5cceabdfc71e56c3e6272374496_JaffaCakes118
SHA256 e793b7faec4ada0bcf07c96dc80c209a069055658849c7c43554f39e6acbbeb3
Tags rootkit purplefox discovery
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 e793b7faec4ada0bcf07c96dc80c209a069055658849c7c43554f39e6acbbeb3
Threat Level: Known bad

The file 87f3c5cceabdfc71e56c3e6272374496_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

rootkit purplefox discovery

Detect PurpleFox MSI

Purplefox family

Drops file in Drivers directory

Enumerates connected drives

Drops file in System32 directory

Checks computer location settings

Checks installed software on the system

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Loads dropped DLL

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Runs net.exe

Suspicious use of SetWindowsHookEx

Runs .reg file with regedit

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-05-31 18:40

Signatures

Detect PurpleFox MSI

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Purplefox family

purplefox

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-31 18:40
Reported 2024-05-31 18:41
Platform win7-20240221-en
Max time kernel 16s
Max time network 28s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\87f3c5cceabdfc71e56c3e6272374496_JaffaCakes118.msi

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\npf.sys C:\Msupdate\update.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\wpcap.dll C:\Msupdate\update.exe N/A
File created C:\Windows\system32\Packet.dll C:\Msupdate\update.exe N/A
File created C:\Windows\SysWOW64\pthreadVC.dll C:\Msupdate\update.exe N/A
File created C:\Windows\SysWOW64\wpcap.dll C:\Msupdate\update.exe N/A
File created C:\Windows\SysWOW64\Packet.dll C:\Msupdate\update.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WinPcap\rpcapd.exe C:\Msupdate\update.exe N/A
File created C:\Program Files\WinPcap\LICENSE C:\Msupdate\update.exe N/A
File created C:\Program Files\WinPcap\uninstall.exe C:\Msupdate\update.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI8DC1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768a0a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9409.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768a07.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8AE1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8E6D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\sysupdate.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9785.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768a07.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8D72.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSI9785.tmp N/A
N/A N/A \??\c:\Msupdate\instsrv.exe N/A
N/A N/A C:\Msupdate\update.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 2916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1072 wrote to memory of 2916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1072 wrote to memory of 2916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1072 wrote to memory of 2916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1072 wrote to memory of 2916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1072 wrote to memory of 2916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1072 wrote to memory of 2916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1072 wrote to memory of 1216 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9785.tmp
PID 1072 wrote to memory of 1216 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9785.tmp
PID 1072 wrote to memory of 1216 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9785.tmp
PID 1072 wrote to memory of 1216 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9785.tmp
PID 1072 wrote to memory of 1216 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9785.tmp
PID 1072 wrote to memory of 1216 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9785.tmp
PID 1072 wrote to memory of 1216 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9785.tmp
PID 1216 wrote to memory of 2340 N/A C:\Windows\Installer\MSI9785.tmp C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2340 N/A C:\Windows\Installer\MSI9785.tmp C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2340 N/A C:\Windows\Installer\MSI9785.tmp C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2340 N/A C:\Windows\Installer\MSI9785.tmp C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\Msupdate\instsrv.exe
PID 2340 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\Msupdate\instsrv.exe
PID 2340 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\Msupdate\instsrv.exe
PID 2340 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\Msupdate\instsrv.exe
PID 2340 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2340 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2340 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2340 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Msupdate\update.exe
PID 2340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Msupdate\update.exe
PID 2340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Msupdate\update.exe
PID 2340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Msupdate\update.exe
PID 2340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Msupdate\update.exe
PID 2340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Msupdate\update.exe
PID 2340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Msupdate\update.exe
PID 1668 wrote to memory of 1784 N/A C:\Msupdate\update.exe C:\Windows\SysWOW64\net.exe
PID 1668 wrote to memory of 1784 N/A C:\Msupdate\update.exe C:\Windows\SysWOW64\net.exe
PID 1668 wrote to memory of 1784 N/A C:\Msupdate\update.exe C:\Windows\SysWOW64\net.exe
PID 1668 wrote to memory of 1784 N/A C:\Msupdate\update.exe C:\Windows\SysWOW64\net.exe
PID 1784 wrote to memory of 1640 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1784 wrote to memory of 1640 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1784 wrote to memory of 1640 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1784 wrote to memory of 1640 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1668 wrote to memory of 1768 N/A C:\Msupdate\update.exe C:\Windows\SysWOW64\net.exe
PID 1668 wrote to memory of 1768 N/A C:\Msupdate\update.exe C:\Windows\SysWOW64\net.exe
PID 1668 wrote to memory of 1768 N/A C:\Msupdate\update.exe C:\Windows\SysWOW64\net.exe
PID 1668 wrote to memory of 1768 N/A C:\Msupdate\update.exe C:\Windows\SysWOW64\net.exe
PID 1768 wrote to memory of 1696 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1768 wrote to memory of 1696 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1768 wrote to memory of 1696 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1768 wrote to memory of 1696 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2916 wrote to memory of 2812 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2812 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2812 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2812 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 592 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 592 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 592 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 592 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2780 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2780 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2780 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2780 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 1068 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 1068 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 1068 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\87f3c5cceabdfc71e56c3e6272374496_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C78EDCAD5105C09F8C2934271C277185

C:\Windows\Installer\MSI9785.tmp

"C:\Windows\Installer\MSI9785.tmp" /HideWindow "C:\Msupdate\service.bat"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Msupdate\service.bat" "

\??\c:\Msupdate\instsrv.exe

c:\Msupdate\instsrv.exe Msupdate c:\Msupdate\srvany.exe

C:\Windows\SysWOW64\regedit.exe

regedit /s 1.reg

C:\Msupdate\update.exe

update.exe /S

C:\Windows\SysWOW64\net.exe

net stop npf

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop npf

C:\Windows\SysWOW64\net.exe

net start npf

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start npf

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

C:\Windows\Installer\MSI8AE1.tmp

MD5 aaab8d3f7e9e8f143a17a0d15a1d1715
SHA1 8aca4e362e4cdc68c2f8f8f35f200126716f9c74
SHA256 fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889
SHA512 1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

C:\Windows\Installer\MSI8DC1.tmp

MD5 3eb31b9a689d506f3b1d3738d28ab640
SHA1 1681fe3bbdcbe617a034b092ea77249dd4c3e986
SHA256 3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46
SHA512 2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

C:\Windows\Installer\MSI9785.tmp

MD5 73c578ca2383a2e7f4687cdee410aefe
SHA1 431b7de3091245b3affbf1911da17a6964b813dc
SHA256 67fdafaf7c115fab48e50b3031f8b7f599770ca333321ded1dcb24db06fe6db1
SHA512 915d88ec68e061c880f319345a4e5d709b4e789b5cc3c6a1c84fd83cc95fe765ef7324a722abf8935f2f8567bffbb3ede9e78fb4baa3f004118959f7ae7f43dd

C:\Msupdate\service.bat

MD5 b10428f1774d2caa81092891a980f9e7
SHA1 6fb6df8cb4d293c0e0264c83d97f016fbb0da926
SHA256 884abdf05624ab4d76db2e35720014a616378d299a8c64ab3743d9320258886c
SHA512 9412ac38e876f9232172c6ff6d890dd0c2d1258126bf712602a9e5795ed52aadebad113fc0b985557b615f6305b704ce19bb3440942ee02f56b06793cb4ee105

\Msupdate\instsrv.exe

MD5 9f7acaad365af0d1a3cd9261e3208b9b
SHA1 b4c7049562e770093e707ac1329cb37ad6313a37
SHA256 f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c
SHA512 6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

\??\c:\Msupdate\srvany.exe

MD5 4635935fc972c582632bf45c26bfcb0e
SHA1 7c5329229042535fe56e74f1f246c6da8cea3be8
SHA256 abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1
SHA512 167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

C:\Msupdate\1.reg

MD5 8dacf3ded9159fb1f5b065215e1fd8aa
SHA1 0c43e91b996ca72b75a02de3f85a695ded7a4a5e
SHA256 1d5766733fdbeb1ecd8ddc4c49634d96024398621a55f3de9d20dbdc9f3c24c5
SHA512 a682ce938d8ecb78fd93e085c35f868968ad9e94b571fcf4de3c007314dfa5495304e31f643f8f3df2f553dadd6cc65f932479103c7570c4ba9939839d6eb0c6

\Msupdate\update.exe

MD5 c6f1d4a6cccd04e4b15a96942372d5f7
SHA1 2f79839fe5cb740f21b29dae3181f43c1ae9de9c
SHA256 89b74dc79f229b0488bf43b552da9f84864a6a38c11039898e4f9d854411a26e
SHA512 1ce87f5b4b0897a6a4cd4d9a58548db47d335eba860714598b297a939e476edc6a8b3e597b71ee92e655857c2320f5812e375da4d67d503e70623f6828eb2119

\Users\Admin\AppData\Local\Temp\nst9CED.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

\Users\Admin\AppData\Local\Temp\nst9CED.tmp\nsExec.dll

MD5 e54eb27fb5048964e8d1ec7a1f72334b
SHA1 2b76d7aedafd724de96532b00fbc6c7c370e4609
SHA256 ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
SHA512 c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

C:\Config.Msi\f768a0b.rbs

MD5 6664542121fce007c105e1fd4a5f1b28
SHA1 fc42c128fc260612b0b38292b661f8149f21aee0
SHA256 859471d06868a6ea4452c91762d6fb08c53b47891d1f2249776516693da244b8
SHA512 682734d6d78ea5d51d1f76d526aa5abad492f7510e8bee446edbd5e5248edd1b597b2bb39619dacd63f4d8d237e943cf72c221c2bcce8fca367d38718df92d51

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-31 18:40
Reported 2024-05-31 18:42
Platform win10v2004-20240226-en
Max time kernel 90s
Max time network 104s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\87f3c5cceabdfc71e56c3e6272374496_JaffaCakes118.msi

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\npf.sys C:\Msupdate\update.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSI7DEB.tmp N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\pthreadVC.dll C:\Msupdate\update.exe N/A
File created C:\Windows\SysWOW64\wpcap.dll C:\Msupdate\update.exe N/A
File created C:\Windows\SysWOW64\Packet.dll C:\Msupdate\update.exe N/A
File created C:\Windows\system32\wpcap.dll C:\Msupdate\update.exe N/A
File created C:\Windows\system32\Packet.dll C:\Msupdate\update.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WinPcap\rpcapd.exe C:\Msupdate\update.exe N/A
File created C:\Program Files\WinPcap\LICENSE C:\Msupdate\update.exe N/A
File created C:\Program Files\WinPcap\uninstall.exe C:\Msupdate\update.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI7724.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e581eed.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5DEB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7DEB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5E98.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6D6F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e581eed.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI21AC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{40360E66-1CE1-4EB2-A89A-697A94459BA9} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\sysupdate.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6772.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSI7DEB.tmp N/A
N/A N/A \??\c:\Msupdate\instsrv.exe N/A
N/A N/A C:\Msupdate\update.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2268 wrote to memory of 3776 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2268 wrote to memory of 3776 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2268 wrote to memory of 3776 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2268 wrote to memory of 1376 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\Installer\MSI7DEB.tmp
PID 2268 wrote to memory of 1376 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\Installer\MSI7DEB.tmp
PID 2268 wrote to memory of 1376 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\Installer\MSI7DEB.tmp
PID 1376 wrote to memory of 2544 | N/A | C:\Windows\Installer\MSI7DEB.tmp | C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 2544 | N/A | C:\Windows\Installer\MSI7DEB.tmp | C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 2544 | N/A | C:\Windows\Installer\MSI7DEB.tmp | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 4488 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\Msupdate\instsrv.exe
PID 2544 wrote to memory of 4488 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\Msupdate\instsrv.exe
PID 2544 wrote to memory of 4488 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\Msupdate\instsrv.exe
PID 2544 wrote to memory of 4928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2544 wrote to memory of 4928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2544 wrote to memory of 4928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2544 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Msupdate\update.exe
PID 2544 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Msupdate\update.exe
PID 2544 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Msupdate\update.exe
PID 4364 wrote to memory of 2448 | N/A | C:\Msupdate\update.exe | C:\Windows\SysWOW64\net.exe
PID 4364 wrote to memory of 2448 | N/A | C:\Msupdate\update.exe | C:\Windows\SysWOW64\net.exe
PID 4364 wrote to memory of 2448 | N/A | C:\Msupdate\update.exe | C:\Windows\SysWOW64\net.exe
PID 2448 wrote to memory of 4576 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2448 wrote to memory of 4576 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2448 wrote to memory of 4576 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 4364 wrote to memory of 3700 | N/A | C:\Msupdate\update.exe | C:\Windows\SysWOW64\net.exe
PID 4364 wrote to memory of 3700 | N/A | C:\Msupdate\update.exe | C:\Windows\SysWOW64\net.exe
PID 4364 wrote to memory of 3700 | N/A | C:\Msupdate\update.exe | C:\Windows\SysWOW64\net.exe
PID 3700 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3700 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3700 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3776 wrote to memory of 3912 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3912 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3912 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3876 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3876 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3876 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3432 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3432 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3432 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 1124 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 1124 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 1124 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3392 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3392 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3392 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3956 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3956 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 3956 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 5056 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 5056 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 5056 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4440 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4440 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4440 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4576 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4576 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4576 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 2980 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 2980 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 2980 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4428 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4428 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 4428 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 1700 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\87f3c5cceabdfc71e56c3e6272374496_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7C1B84AB20177776E3EF080BA4D8EA65

C:\Windows\Installer\MSI7DEB.tmp

"C:\Windows\Installer\MSI7DEB.tmp" /HideWindow "C:\Msupdate\service.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Msupdate\service.bat" "

\??\c:\Msupdate\instsrv.exe

c:\Msupdate\instsrv.exe Msupdate c:\Msupdate\srvany.exe

C:\Windows\SysWOW64\regedit.exe

regedit /s 1.reg

C:\Msupdate\update.exe

update.exe /S

C:\Windows\SysWOW64\net.exe

net stop npf

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop npf

C:\Windows\SysWOW64\net.exe

net start npf

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start npf

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39a3055 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
GB | 142.250.200.42:443 | | tcp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp

Files

C:\Windows\Installer\MSI21AC.tmp

MD5 aaab8d3f7e9e8f143a17a0d15a1d1715
SHA1 8aca4e362e4cdc68c2f8f8f35f200126716f9c74
SHA256 fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889
SHA512 1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

C:\Windows\Installer\MSI6772.tmp

MD5 3eb31b9a689d506f3b1d3738d28ab640
SHA1 1681fe3bbdcbe617a034b092ea77249dd4c3e986
SHA256 3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46
SHA512 2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

C:\Windows\Installer\MSI7DEB.tmp

MD5 73c578ca2383a2e7f4687cdee410aefe
SHA1 431b7de3091245b3affbf1911da17a6964b813dc
SHA256 67fdafaf7c115fab48e50b3031f8b7f599770ca333321ded1dcb24db06fe6db1
SHA512 915d88ec68e061c880f319345a4e5d709b4e789b5cc3c6a1c84fd83cc95fe765ef7324a722abf8935f2f8567bffbb3ede9e78fb4baa3f004118959f7ae7f43dd

C:\Msupdate\service.bat

MD5 b10428f1774d2caa81092891a980f9e7
SHA1 6fb6df8cb4d293c0e0264c83d97f016fbb0da926
SHA256 884abdf05624ab4d76db2e35720014a616378d299a8c64ab3743d9320258886c
SHA512 9412ac38e876f9232172c6ff6d890dd0c2d1258126bf712602a9e5795ed52aadebad113fc0b985557b615f6305b704ce19bb3440942ee02f56b06793cb4ee105

C:\Msupdate\instsrv.exe

MD5 9f7acaad365af0d1a3cd9261e3208b9b
SHA1 b4c7049562e770093e707ac1329cb37ad6313a37
SHA256 f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c
SHA512 6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

\??\c:\Msupdate\srvany.exe

MD5 4635935fc972c582632bf45c26bfcb0e
SHA1 7c5329229042535fe56e74f1f246c6da8cea3be8
SHA256 abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1
SHA512 167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

C:\Msupdate\1.reg

MD5 8dacf3ded9159fb1f5b065215e1fd8aa
SHA1 0c43e91b996ca72b75a02de3f85a695ded7a4a5e
SHA256 1d5766733fdbeb1ecd8ddc4c49634d96024398621a55f3de9d20dbdc9f3c24c5
SHA512 a682ce938d8ecb78fd93e085c35f868968ad9e94b571fcf4de3c007314dfa5495304e31f643f8f3df2f553dadd6cc65f932479103c7570c4ba9939839d6eb0c6

C:\Msupdate\update.exe

MD5 c6f1d4a6cccd04e4b15a96942372d5f7
SHA1 2f79839fe5cb740f21b29dae3181f43c1ae9de9c
SHA256 89b74dc79f229b0488bf43b552da9f84864a6a38c11039898e4f9d854411a26e
SHA512 1ce87f5b4b0897a6a4cd4d9a58548db47d335eba860714598b297a939e476edc6a8b3e597b71ee92e655857c2320f5812e375da4d67d503e70623f6828eb2119

C:\Users\Admin\AppData\Local\Temp\nsfAB31.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\nsfAB31.tmp\nsExec.dll

MD5 e54eb27fb5048964e8d1ec7a1f72334b
SHA1 2b76d7aedafd724de96532b00fbc6c7c370e4609
SHA256 ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
SHA512 c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

C:\Config.Msi\e581ef0.rbs

MD5 d47eb3cdfe9260d67e97b64de50f0174
SHA1 2c09648ccb362ace46974064aa52e004f9fd49ab
SHA256 058de0f280d813197d162fdfd2dd289b798a332fa9ac36efa66e513411114d24
SHA512 c624a0c6b2f691ec13451d3b11bde98e8f997b2429abe2031ffa2bde336602767ff0a5986902c6a1b7c4b29e9726554cff3350419bf44f40d987b8b9a0c2974d