Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 08:22
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe
-
Size
17.5MB
-
MD5
1603ae955d010896283442534a8ad39c
-
SHA1
90101b5164c138f227d7add871c1f629bd6d083d
-
SHA256
34d99b2a6ed62e5080c9448ab3728066c6db5f997212ef71bd2705c79b19fc09
-
SHA512
e1c8d2ba780d98ff7a845543d35fdf7a2f2092d66295d82cfa07a0d6b64dda58db913967e4f595538f43ac94e88d97e3bfb762205f5588a675ba9abd2ceadb9e
-
SSDEEP
98304:E33JumYT82ylgsN0Nbh0pgnu99UHxh+VU1KSmv+4mn:A8hggIuh+VUvmmn
Malware Config
Extracted
vidar
11
346a77fbabba142b23c256004b5a7c5d
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
-
Detect Vidar Stealer 16 IoCs
resource yara_rule behavioral2/memory/1980-1-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-4-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-7-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-8-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-17-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-18-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-34-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-35-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-51-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-52-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-74-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-75-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-82-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-86-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-87-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-268-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 -
XMRig Miner payload 8 IoCs
resource yara_rule behavioral2/memory/724-191-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-193-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-196-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-195-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-194-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-190-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-197-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-199-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4072 powershell.exe 4996 powershell.exe 2224 powershell.exe 2296 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts HCFCAAEBGC.exe File created C:\Windows\system32\drivers\etc\hosts Updater.exe File created C:\Windows\system32\drivers\etc\hosts Updater.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation service.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation CGCFBFBGHD.exe -
Executes dropped EXE 5 IoCs
pid Process 2344 HCFCAAEBGC.exe 764 CGCFBFBGHD.exe 4180 Updater.exe 2600 Updater.exe 2212 service.exe -
Loads dropped DLL 2 IoCs
pid Process 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 96 pastebin.com 51 bitbucket.org 52 bitbucket.org 89 pastebin.com 90 pastebin.com 95 pastebin.com -
Power Settings 1 TTPs 12 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 5036 powercfg.exe 4144 powercfg.exe 532 powercfg.exe 1052 powercfg.exe 4308 powercfg.exe 4972 powercfg.exe 3352 powercfg.exe 5032 powercfg.exe 696 powercfg.exe 2384 powercfg.exe 4804 powercfg.exe 312 powercfg.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe HCFCAAEBGC.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe Updater.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\MRT.exe Updater.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3672 set thread context of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 4180 set thread context of 3388 4180 Updater.exe 150 PID 4180 set thread context of 724 4180 Updater.exe 152 PID 2600 set thread context of 1220 2600 Updater.exe 181 -
resource yara_rule behavioral2/memory/724-186-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-191-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-193-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-196-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-195-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-194-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-190-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-189-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-187-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-185-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-188-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-197-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-199-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Launches sc.exe 19 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4948 sc.exe 2760 sc.exe 2608 sc.exe 1936 sc.exe 2588 sc.exe 3100 sc.exe 3344 sc.exe 3432 sc.exe 4392 sc.exe 4852 sc.exe 2580 sc.exe 4740 sc.exe 756 sc.exe 388 sc.exe 2504 sc.exe 3560 sc.exe 2956 sc.exe 3268 sc.exe 4896 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CGCFBFBGHD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 BitLockerToGo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString BitLockerToGo.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2312 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1020 schtasks.exe 4448 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 2344 HCFCAAEBGC.exe 4072 powershell.exe 4072 powershell.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 4180 Updater.exe 4996 powershell.exe 4996 powershell.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 3388 conhost.exe 2224 powershell.exe 2224 powershell.exe 3388 conhost.exe 2600 Updater.exe 2296 powershell.exe 2296 powershell.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process Token: SeDebugPrivilege 4072 powershell.exe Token: SeShutdownPrivilege 4972 powercfg.exe Token: SeCreatePagefilePrivilege 4972 powercfg.exe Token: SeShutdownPrivilege 696 powercfg.exe Token: SeCreatePagefilePrivilege 696 powercfg.exe Token: SeShutdownPrivilege 3352 powercfg.exe Token: SeCreatePagefilePrivilege 3352 powercfg.exe Token: SeShutdownPrivilege 5032 powercfg.exe Token: SeCreatePagefilePrivilege 5032 powercfg.exe Token: SeDebugPrivilege 4996 powershell.exe Token: SeShutdownPrivilege 4144 powercfg.exe Token: SeCreatePagefilePrivilege 4144 powercfg.exe Token: SeShutdownPrivilege 5036 powercfg.exe Token: SeCreatePagefilePrivilege 5036 powercfg.exe Token: SeShutdownPrivilege 532 powercfg.exe Token: SeCreatePagefilePrivilege 532 powercfg.exe Token: SeLockMemoryPrivilege 724 explorer.exe Token: SeShutdownPrivilege 2384 powercfg.exe Token: SeCreatePagefilePrivilege 2384 powercfg.exe Token: SeDebugPrivilege 2224 powershell.exe Token: SeDebugPrivilege 2296 powershell.exe Token: SeShutdownPrivilege 1052 powercfg.exe Token: SeCreatePagefilePrivilege 1052 powercfg.exe Token: SeShutdownPrivilege 4308 powercfg.exe Token: SeCreatePagefilePrivilege 4308 powercfg.exe Token: SeShutdownPrivilege 312 powercfg.exe Token: SeCreatePagefilePrivilege 312 powercfg.exe Token: SeShutdownPrivilege 4804 powercfg.exe Token: SeCreatePagefilePrivilege 4804 powercfg.exe Token: SeLockMemoryPrivilege 1220 explorer.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 1980 wrote to memory of 2344 1980 BitLockerToGo.exe 92 PID 1980 wrote to memory of 2344 1980 BitLockerToGo.exe 92 PID 1980 wrote to memory of 764 1980 BitLockerToGo.exe 94 PID 1980 wrote to memory of 764 1980 BitLockerToGo.exe 94 PID 1980 wrote to memory of 764 1980 BitLockerToGo.exe 94 PID 764 wrote to memory of 2564 764 CGCFBFBGHD.exe 95 PID 764 wrote to memory of 2564 764 CGCFBFBGHD.exe 95 PID 764 wrote to memory of 2564 764 CGCFBFBGHD.exe 95 PID 2564 wrote to memory of 1020 2564 cmd.exe 97 PID 2564 wrote to memory of 1020 2564 cmd.exe 97 PID 2564 wrote to memory of 1020 2564 cmd.exe 97 PID 3612 wrote to memory of 4484 3612 cmd.exe 105 PID 3612 wrote to memory of 4484 3612 cmd.exe 105 PID 4488 wrote to memory of 1644 4488 cmd.exe 136 PID 4488 wrote to memory of 1644 4488 cmd.exe 136 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 3524 wrote to memory of 2580 3524 cmd.exe 164 PID 3524 wrote to memory of 2580 3524 cmd.exe 164 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 1980 wrote to memory of 3244 1980 BitLockerToGo.exe 182 PID 1980 wrote to memory of 3244 1980 BitLockerToGo.exe 182 PID 1980 wrote to memory of 3244 1980 BitLockerToGo.exe 182 PID 3244 wrote to memory of 2312 3244 cmd.exe 184 PID 3244 wrote to memory of 2312 3244 cmd.exe 184 PID 3244 wrote to memory of 2312 3244 cmd.exe 184 PID 2212 wrote to memory of 4952 2212 service.exe 186 PID 2212 wrote to memory of 4952 2212 service.exe 186 PID 2212 wrote to memory of 4952 2212 service.exe 186 PID 4952 wrote to memory of 4448 4952 cmd.exe 188 PID 4952 wrote to memory of 4448 4952 cmd.exe 188 PID 4952 wrote to memory of 4448 4952 cmd.exe 188
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\ProgramData\HCFCAAEBGC.exe"C:\ProgramData\HCFCAAEBGC.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2344 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:4484
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:388
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4392
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:2504
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:3560
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:2588
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:696
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"4⤵
- Launches sc.exe
PID:4852
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"4⤵
- Launches sc.exe
PID:2580
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:3100
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"4⤵
- Launches sc.exe
PID:3344
-
-
-
C:\ProgramData\CGCFBFBGHD.exe"C:\ProgramData\CGCFBFBGHD.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1020
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAFHIIDHJEBF" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2312
-
-
-
-
C:\ProgramData\GoogleUP\Chrome\Updater.exeC:\ProgramData\GoogleUP\Chrome\Updater.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:1644
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:4948
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2956
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:3268
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:3432
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:2760
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:532
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\ProgramData\GoogleUP\Chrome\Updater.exe"C:\ProgramData\GoogleUP\Chrome\Updater.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:2580
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:756
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4896
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:4740
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:2608
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:1936
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:312
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\explorer.exeexplorer.exe4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
-
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:724
-
-
C:\Users\Admin\AppData\Roaming\service.exeC:\Users\Admin\AppData\Roaming\service.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4448
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.4MB
MD5925ec45b5ac88ab7af039190589204b9
SHA1c71158e158d9b593be3187340c731cab5f14ad98
SHA256419901e7e1747a9c413e657920429ce1d31e1b5af24e68a7dd79629066118133
SHA512089ade1924ffc617670cac36e90d2c302d5b1d9e9edb1501fb0ba2c82ef530dae019b037923cdc45482998fec83fc0c5256f1fc55f22ad4b386721432cd96890
-
Filesize
5.6MB
MD52eea3ddbfc81544b54a4ac5028a30805
SHA1b57ad8495421c6bc56498d494a99b4e0cbfabdea
SHA256ab043bb5ec1911f462c0e6341efb93c2760f097becc0c01ecbd02e5949b10025
SHA5120b87ff6eb029675c2b6a9af0136270cb0cfcced04f53756dd35983962b46dbd79cc6ffc679ea3f84b5c6b6f25df07af886ddb3c8a770dfa31fd5b5a522cf9f79
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD52b24135c275cd88473601b97234e4c4d
SHA15aac75438f222f430ab9b95f80f22a5626c498fa
SHA256f66b5a12ca819afeb838fe912093d4c3cab6287fddad1ae516052a83a35b8983
SHA512274f62312c4734c8ea7ec02411a3f0e179871b76660f487a3b0a7b9934675e414ca5bc7f3bf89d133aca52b947e8e309cdc3c5fa066e47516ce55414e498ffbd
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62