Malware Analysis Report

2024-09-11 13:45

Sample ID 240614-bhkawssgkl
Target 2aeeb429e9290526b96bf4b58b2411ad.bin
SHA256 d144d29c8cdbdba8377fe263ab9996b562b9925c59588a0b17f132723408293b
Tags
rat asyncrat stormkitty xworm default persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d144d29c8cdbdba8377fe263ab9996b562b9925c59588a0b17f132723408293b

Threat Level: Known bad

The file 2aeeb429e9290526b96bf4b58b2411ad.bin was found to be: Known bad.

Malicious Activity Summary

rat asyncrat stormkitty xworm default persistence spyware stealer trojan

Async RAT payload

Stormkitty family

StormKitty payload

Asyncrat family

Detect Xworm Payload

Xworm family

AsyncRat

StormKitty

Xworm

Async RAT payload

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Looks up geolocation information via web service

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Checks processor information in registry

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:08

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:08

Reported

2024-06-14 01:11

Platform

win7-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender security = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender security.exe" C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1928 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1928 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1928 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1928 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
PID 1928 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
PID 1928 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
PID 1928 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
PID 1928 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
PID 1928 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
PID 1928 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
PID 1928 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
PID 2760 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\System32\cmd.exe
PID 2760 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\System32\cmd.exe
PID 2760 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\System32\cmd.exe
PID 2760 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\system32\cmd.exe
PID 2560 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2560 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2560 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2808 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2808 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2808 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2396 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe C:\Windows\System32\schtasks.exe
PID 2396 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe C:\Windows\System32\schtasks.exe
PID 2396 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe C:\Windows\System32\schtasks.exe
PID 2560 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
PID 2560 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
PID 2560 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
PID 2636 wrote to memory of 576 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 576 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 576 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 576 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 576 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 576 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 576 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 576 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 576 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 576 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 576 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 576 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 576 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 576 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 576 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2636 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1068 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1068 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1068 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1068 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1068 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1068 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1068 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe

"C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\Windows Defender security.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"

C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe

"C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1EB7.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender security" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"

C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\taskeng.exe

taskeng.exe {93913E30-578C-467B-A8E6-A34AF4CF5E68} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
TH 119.59.98.116:7812 tcp
TH 119.59.98.116:7812 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.153:80 apps.identrust.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:7707 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:6606 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:8808 tcp

Files

memory/1928-0-0x0000000074371000-0x0000000074372000-memory.dmp

memory/1928-1-0x0000000074370000-0x000000007491B000-memory.dmp

memory/1928-2-0x0000000074370000-0x000000007491B000-memory.dmp

\Users\Admin\AppData\Roaming\svchost.exe

MD5 1d94cbce42232d67fb1e032e1e61d77e
SHA1 0f10e767c0cba85a39122b8e040c976de50dc468
SHA256 5b9f1c1780a2889685343734f81db30b92b7407cc8e476d01cf4f46d37db04a9
SHA512 5f8a3c1d35fe009b36c54bed90e8ce44bba86180a409855b10b4693d123f1c323f8c928507d01ba552eff6e387074a07736bb7851dbf1984db0d750107eaeff4

\Users\Admin\AppData\Roaming\Windows Defender security.exe

MD5 454abb9d524208fb694e7e70c0fbc56a
SHA1 060037a032fa3ccf469d902e12c1523e00040748
SHA256 c93c27a171d7a883f34e944d16bb47f0e949eb36181060f923e4d8df8da24298
SHA512 dd390f87dfb7f80074c92a61ae1ee65193855dc0b7dafe14ae65aedffb92625d6ebb5ea9fac9e452ad0ee4b3bb0d8923a926793c87a4af745f718921688d4b54

C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe

MD5 c3f58ffd73d3afc5cc08a29dc5a864c8
SHA1 aad0a8c93043e3a4f7c422278c9c02a016ed55b7
SHA256 27d16a4b6970b62bc05c437177605391f7788a3e602e69da9d1375ace81b4ee2
SHA512 4d45d348bbbc2d503eea99c7265e68c6ce87cf8be982ba153c6e8e6c58484476fc4287a91f8cff2eaa3f4ff1de04e02b2b4bcb597326c6963b28967670fc50b7

memory/1928-22-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2636-23-0x00000000013D0000-0x0000000001400000-memory.dmp

memory/2760-24-0x0000000000D10000-0x0000000000D28000-memory.dmp

memory/2396-25-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1EB7.tmp.bat

MD5 6be7505dc87e5602ce351f5ddc47ec1d
SHA1 2d3ff0c86ea97b5836de43476332c3e309f137af
SHA256 c99b0a8bf0f1b3e4e0dff452eb4fd633d7c9d3f39a92fab0b2105c5b74c9963b
SHA512 4a2e9b048fc2860e9097ecc929d46fb302a6df58627c28cf85ddee6cbbabe323e06b84362f04cea3092ac14709b099ff4c1251e6e2ca69925552de679a477860

memory/1624-40-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\Cab4978.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\Local\d4f0b8d937cb012cbfc40aeb1b8ca9c0\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:08

Reported

2024-06-14 01:11

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender security = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender security.exe" C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4344 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4344 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4344 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
PID 4344 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
PID 4344 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
PID 4344 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
PID 3404 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\System32\cmd.exe
PID 3404 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\System32\cmd.exe
PID 3404 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe C:\Windows\system32\cmd.exe
PID 1436 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1436 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3620 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3620 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2140 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe C:\Windows\System32\schtasks.exe
PID 2140 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Roaming\Windows Defender security.exe C:\Windows\System32\schtasks.exe
PID 1436 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
PID 1436 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
PID 4496 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4480 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4480 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4480 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4480 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4480 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4480 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4480 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4480 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4496 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3416 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3416 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3416 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3416 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3416 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe

"C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\Windows Defender security.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"

C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe

"C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender security" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"

C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Roaming\Windows Defender security.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"

C:\Users\Admin\AppData\Roaming\Windows Defender security.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"

C:\Users\Admin\AppData\Roaming\Windows Defender security.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
TH 119.59.98.116:7812 tcp
US 8.8.8.8:53 icanhazip.com udp
TH 119.59.98.116:7812 tcp
US 8.8.8.8:53 api.mylnikov.org udp
N/A 127.0.0.1:8808 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
TH 119.59.98.116:7812 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
TH 119.59.98.116:7812 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:8808 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
TH 119.59.98.116:7812 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp

Files

memory/4344-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

memory/4344-1-0x0000000074EA0000-0x0000000075451000-memory.dmp

memory/4344-2-0x0000000074EA0000-0x0000000075451000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 1d94cbce42232d67fb1e032e1e61d77e
SHA1 0f10e767c0cba85a39122b8e040c976de50dc468
SHA256 5b9f1c1780a2889685343734f81db30b92b7407cc8e476d01cf4f46d37db04a9
SHA512 5f8a3c1d35fe009b36c54bed90e8ce44bba86180a409855b10b4693d123f1c323f8c928507d01ba552eff6e387074a07736bb7851dbf1984db0d750107eaeff4

C:\Users\Admin\AppData\Roaming\Windows Defender security.exe

MD5 454abb9d524208fb694e7e70c0fbc56a
SHA1 060037a032fa3ccf469d902e12c1523e00040748
SHA256 c93c27a171d7a883f34e944d16bb47f0e949eb36181060f923e4d8df8da24298
SHA512 dd390f87dfb7f80074c92a61ae1ee65193855dc0b7dafe14ae65aedffb92625d6ebb5ea9fac9e452ad0ee4b3bb0d8923a926793c87a4af745f718921688d4b54

C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe

MD5 c3f58ffd73d3afc5cc08a29dc5a864c8
SHA1 aad0a8c93043e3a4f7c422278c9c02a016ed55b7
SHA256 27d16a4b6970b62bc05c437177605391f7788a3e602e69da9d1375ace81b4ee2
SHA512 4d45d348bbbc2d503eea99c7265e68c6ce87cf8be982ba153c6e8e6c58484476fc4287a91f8cff2eaa3f4ff1de04e02b2b4bcb597326c6963b28967670fc50b7

memory/2140-34-0x00007FFBBBDC3000-0x00007FFBBBDC5000-memory.dmp

memory/4496-38-0x000000007207E000-0x000000007207F000-memory.dmp

memory/2140-39-0x0000000000910000-0x0000000000920000-memory.dmp

memory/4496-41-0x0000000000720000-0x0000000000750000-memory.dmp

memory/3404-40-0x0000000000A30000-0x0000000000A48000-memory.dmp

memory/4344-43-0x0000000074EA0000-0x0000000075451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.bat

MD5 cd3233af885693391fdec5620c3880c4
SHA1 9c4f8a2582c0e29d6104638f1aa71310093757d9
SHA256 3a9df5ba36d093a95a94faa569491080b82ad38886c3f7c0a7e631a603383b4a
SHA512 95f5b7107e8e885d4dc14332d408c52214704c4aa6c32bad9541c46b39dcbe20426e6197fc1614289e5829efe46433abb4c19f84f39f758f714cab163138e8a9

memory/4496-50-0x0000000005870000-0x00000000058D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\System\Process.txt

MD5 16b379e5e9278c314460b4ce33724b2d
SHA1 958af972b0393f189ece396a948a778b97f9b9da
SHA256 6bd26a9e258db86c9b1cab9d369958a5617f21034a85a4cbf7564f488f59e9e9
SHA512 de0eae30a8e4797754cb20c5a246cd69cc2920fd535fd3f6e8edc6bd6afc3657984b27ff236624cfeffe02a7ed1c82a9cf0d62f3cfaad18b9a0dc1c6d9cfa356

memory/4496-198-0x00000000061E0000-0x0000000006272000-memory.dmp

memory/4496-199-0x0000000006830000-0x0000000006DD4000-memory.dmp

memory/4496-203-0x0000000006380000-0x000000000638A000-memory.dmp

memory/4496-206-0x000000007207E000-0x000000007207F000-memory.dmp

C:\Users\Admin\AppData\Local\cfd2ab89bc4083f7f1abdebfd243735a\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Defender security.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1