Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 19-11-2024 05:13
Static task: static1
Behavioral task: behavioral1
  Sample: a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Resource: win10v2004-20241007-en
General
Target: a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
Size: 1.9MB
MD5: 2d756772bc00e5778d794c107358ddf7
SHA1: 77229fc9ceeb137c6644a4fa3085aecabaf94ec3
SHA256: a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
SHA512: 31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
SSDEEP: 24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\taskhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sppsvc.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\sppsvc.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\taskhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sppsvc.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\taskhost.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\taskhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sppsvc.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\taskhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sppsvc.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\taskhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sppsvc.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 828 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2532 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3060 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 972 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1952 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2504 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1028 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2124 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2272 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2852 | schtasks.exe | 29
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2852 | schtasks.exe | 29
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  808 | powershell.exe
  528 | powershell.exe
  1688 | powershell.exe
  2244 | powershell.exe
  944 | powershell.exe
  2612 | powershell.exe
Executes dropped EXE 1 IoCs
  pid | Process
  3008 | lsm.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 12 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\Videos\\Sample Videos\\taskhost.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\sppsvc.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\sppsvc.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\Videos\\Sample Videos\\taskhost.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\sppsvc.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\sppsvc.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe\"" | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ipinfo.io
  5 | ipinfo.io
  12 | ipinfo.io
  13 | ipinfo.io
Drops file in System32 directory 2 IoCs
  description | ioc | Process
  File created | \??\c:\Windows\System32\hi5-9c.exe | csc.exe
  File created | \??\c:\Windows\System32\CSCEDB6EE0536304180AE68289E59D557B.TMP | csc.exe
Drops file in Program Files directory 5 IoCs
  description | ioc | Process
  File created | C:\Program Files\Mozilla Firefox\uninstall\0a1fd5f707cd16 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  File created | C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  File created | C:\Program Files\Microsoft Games\Minesweeper\it-IT\0a1fd5f707cd16 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  File created | C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
Drops file in Windows directory 2 IoCs
  description | ioc | Process
  File created | C:\Windows\Help\mui\0C0A\101b941d020240 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  File created | C:\Windows\Help\mui\0C0A\lsm.exe | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies system certificate store
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3060 | schtasks.exe
  1952 | schtasks.exe
  1028 | schtasks.exe
  2412 | schtasks.exe
  2520 | schtasks.exe
  1740 | schtasks.exe
  2924 | schtasks.exe
  1704 | schtasks.exe
  2504 | schtasks.exe
  2760 | schtasks.exe
  828 | schtasks.exe
  2532 | schtasks.exe
  2272 | schtasks.exe
  2716 | schtasks.exe
  2572 | schtasks.exe
  972 | schtasks.exe
  1240 | schtasks.exe
  2124 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe (all 64 entries are this same pid and process)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  3008 | lsm.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
  Token: SeDebugPrivilege | 944 | powershell.exe
  Token: SeDebugPrivilege | 2244 | powershell.exe
  Token: SeDebugPrivilege | 808 | powershell.exe
  Token: SeDebugPrivilege | 1688 | powershell.exe
  Token: SeDebugPrivilege | 528 | powershell.exe
  Token: SeDebugPrivilege | 2612 | powershell.exe
  Token: SeDebugPrivilege | 3008 | lsm.exe
Suspicious use of WriteProcessMemory 36 IoCs
  description | pid | Process | procid_target (each row is recorded three times in the report, 12 x 3 = 36)
  PID 2220 wrote to memory of 2268 | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe | 33
  PID 2268 wrote to memory of 1032 | 2268 | csc.exe | 35
  PID 2220 wrote to memory of 528 | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe | 51
  PID 2220 wrote to memory of 2244 | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe | 52
  PID 2220 wrote to memory of 1688 | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe | 54
  PID 2220 wrote to memory of 808 | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe | 55
  PID 2220 wrote to memory of 2612 | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe | 56
  PID 2220 wrote to memory of 944 | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe | 57
  PID 2220 wrote to memory of 764 | 2220 | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe | 63
  PID 764 wrote to memory of 1276 | 764 | cmd.exe | 65
  PID 764 wrote to memory of 2340 | 764 | cmd.exe | 66
  PID 764 wrote to memory of 3008 | 764 | cmd.exe | 67
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe"
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2220

  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\epjwd2ux\epjwd2ux.cmdline"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2268

    [depth 3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F72.tmp" "c:\Windows\System32\CSCEDB6EE0536304180AE68289E59D557B.TMP"
    PID: 1032

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 528

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2244

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\0C0A\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 1688

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 808

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2612

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 944

  [depth 2] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VKIqlhbWOK.bat"
  - Suspicious use of WriteProcessMemory
  PID: 764

    [depth 3] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1276

    [depth 3] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2340

    [depth 3] C:\Windows\Help\mui\0C0A\lsm.exe
    Command line: "C:\Windows\Help\mui\0C0A\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 3008

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2716

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2760

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2572

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1740

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 828

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2532

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\mui\0C0A\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2924

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Help\mui\0C0A\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3060

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\0C0A\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1704

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 972

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1952

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2504

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1028

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1240

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2124

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469a" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2272

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2412

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469a" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2520
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Modify Registry (3)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Downloads

Filesize: 1KB
MD5: ecc9ef271cf23844f4a3e8a77f9c3cc2
SHA1: 88adb189ed1ead0a22ba456cf5c4a7b56172c87a
SHA256: 5c08fd0f71d541b0a789989d146db1aa9b7432551eac11e2ff619619818aa27f
SHA512: 2a3247f6b70538e2633854c5812f10f09f7973c88f29eb8ace06fd08ddf6ef5aaf430ae2a6532c49975abdaefc78b87f93b931cca851fe0e9c3fa580f8acaeb8

Filesize: 208B
MD5: 8b40407f7579d9cf71018ab9fd449a2d
SHA1: 8210ab7863828b30f1a5f5179b5b640d20c951fc
SHA256: 675074d0500a6f99e1aab1e5a92f1db1af360e59e4e89a58bb77bcd9ca6a978a
SHA512: 0c17dad69d4fabf2e3c86ba25344a24dc491a252bfc81910f6643d1c2360230f01d5af30ca8390882d9e262a40dd1ce7f051387155bbf8cd7f9cc1370f8fb2f7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: b123895e65410e8d5835365e6b883410
SHA1: 5d2bb7033ce9f7fefb43a385d016cc9d703cde1e
SHA256: 5550b38bfa514f37cf1aa0732800d4a234dc3eef00b964bd48c02b0837ffa9ad
SHA512: d9ee8cb5c5518c18c4fa84562f959b72584ac301a6bb81fb828c57dc3212f9f3d4d9c97bc426685c69f854984b37b4c2445302a4087789a71797d256e6722008

Filesize: 1.9MB
MD5: 2d756772bc00e5778d794c107358ddf7
SHA1: 77229fc9ceeb137c6644a4fa3085aecabaf94ec3
SHA256: a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
SHA512: 31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783

Filesize: 381B
MD5: b57a909fb7dda78454056bcbb8b9fae6
SHA1: b29e7bef9aaa0e9b5b1cfd0c21b55d4346ec655e
SHA256: 2f8dde177b97034c2eb89b0e04032595744509dcc0b9f7dc0d0c5fac7ca444e1
SHA512: 1c846a23b7163bbacf4d67da461575a147d3ba5f5640d4d9eeca747504150bada67a7c15e154cacc4d6235ca0042ed1cbb85c97a1c42a667fe9db58029d1e964

Filesize: 235B
MD5: 1b18b073575546656784be62eef5b121
SHA1: 24b274b5557752dcf6d01c1faafe97f47db73d0e
SHA256: 7127bfd5d7e361e42dff48aa3eb440a01215d4fda80bb595f90e6bb871d4c174
SHA512: 8562cd7770022b579623c119e5542da1edef0a454876b8005ea1f52182f37a130ef04e1e42b3c9a59aac070b196c1c383ed98ef9755383905e8c9bd6b4e9b6a5

Filesize: 1KB
MD5: 60a1ebb8f840aad127346a607d80fc19
SHA1: c8b7e9ad601ac19ab90b3e36f811960e8badf354
SHA256: 9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243
SHA512: 44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4