Resubmissions: 21-11-2024 22:31
Analysis 241121-2fewhasrfn (score: 10)
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 22:31
Behavioral task behavioral1: sample 59b9f54f927431d2cf31d3aa202a0843.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 59b9f54f927431d2cf31d3aa202a0843.exe, resource win10v2004-20241007-en
General
Target: 59b9f54f927431d2cf31d3aa202a0843.exe
Size: 2.2MB
MD5: 59b9f54f927431d2cf31d3aa202a0843
SHA1: b23d214605133dc8e930f9a9d473c7c7622b4b56
SHA256: 007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594
SHA512: 89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8
SSDEEP: 24576:9zyhnYISyKSBWpKCeCirC9CMz+052LEgPHQ944INbKK6uK5Ye6KBOO3op+kE9hk4:9zyt2DixLb4I5KKnK5zgdlKWky
Malware Config
Signatures
DcRat 43 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Process: schtasks.exe, 42 instances, PIDs 2204, 1612, 2884, 796, 672, 2860, 1684, 1000, 1672, 2804, 3052, 2536, 2200, 2148, 748, 2032, 1596, 1476, 2304, 284, 2312, 3048, 2612, 2892, 3036, 1848, 2616, 1512, 1652, 2144, 1996, 1452, 1724, 1876, 936, 1408, 908, 1736, 2588, 1884, 2036, 2560
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 59b9f54f927431d2cf31d3aa202a0843.exe
Dcrat family
Modifies WinLogon for persistence 2 TTPs 14 IoCs
All 14 IoCs are writes of the string value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by 59b9f54f927431d2cf31d3aa202a0843.exe. The writes are cumulative: write n sets Shell to explorer.exe followed by the first n of the quoted paths below (the report lists the writes out of order), so the final value is
Shell = "explorer.exe, "<path 1>", "<path 2>", ..., "<path 14>""
with the paths, in the order they were appended (backslashes shown unescaped):
1. C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe
2. C:\Program Files\Reference Assemblies\explorer.exe
3. C:\Program Files\Microsoft Games\sppsvc.exe
4. C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe
5. C:\Windows\Cursors\smss.exe
6. C:\Users\Default User\audiodg.exe
7. C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe
8. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe
9. C:\Windows\DigitalLocker\es-ES\sppsvc.exe
10. C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe
11. C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe
12. C:\Program Files\Uninstall Information\Idle.exe
13. C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
14. C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
Winlogon starts every comma-separated entry of Shell as a shell process at logon, so each of these executables is launched alongside the real explorer.exe. Most of them borrow the name of a Windows system binary (smss.exe, csrss.exe, lsm.exe, audiodg.exe, spoolsv.exe, sppsvc.exe, taskhost.exe) in a directory where that binary never lives.
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is WmiPrvSE.exe and every child is schtasks.exe, which is also what process creation through WMI (Win32_Process.Create) looks like: the requesting process is hidden and the WMI provider host appears as the parent. Read these 42 rows together with the 42 scheduled-task IoCs below rather than as evidence of a WmiPrvSE exploit.
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid_target 2452, procid_target 31) is not expected to spawn this process; child schtasks.exe PIDs: 2612, 2560, 2588, 2204, 3036, 1612, 2860, 2892, 2884, 3048, 3052, 284, 1736, 2616, 1884, 748, 1452, 1848, 1996, 2036, 2032, 1684, 1408, 1724, 2536, 2312, 2200, 796, 2148, 1876, 1596, 1512, 672, 1672, 1652, 908, 936, 2804, 1476, 2304, 1000, 2144
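As an added example, not code from the sandbox, the following Python runs the parent/child check over a handful of constructed process-creation events built from the PIDs in the table above (2452 for WmiPrvSE.exe and three of its schtasks.exe children). The svchost.exe parent of WmiPrvSE, the cmd.exe control case, the event schema and the watch-list of child names are assumptions for the example.

```python
"""Parent/child check for the WmiPrvSE.exe -> schtasks.exe pattern.

Added example, not part of the sandbox report. Event records are constructed;
only PIDs 2452, 2612, 2560 and 2588 come from the report.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed schema: pid, parent pid, image path)."""
    pid: int
    ppid: int
    image: str


# Constructed sample events. The svchost.exe parent (pid 1) and the cmd.exe
# control case (pids 4000/4001) are assumed for the example.
EVENTS = [
    ProcessEvent(1, 0, r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(2452, 1, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcessEvent(2612, 2452, r"C:\Windows\System32\schtasks.exe"),
    ProcessEvent(2560, 2452, r"C:\Windows\System32\schtasks.exe"),
    ProcessEvent(2588, 2452, r"C:\Windows\System32\schtasks.exe"),
    ProcessEvent(4000, 1, r"C:\Windows\System32\cmd.exe"),          # assumed: admin shell
    ProcessEvent(4001, 4000, r"C:\Windows\System32\schtasks.exe"),  # assumed: legitimate use
]

# Children the WMI provider host should not be starting directly.
# Assumption: tune to the environment, since some management tooling
# legitimately runs commands through WMI.
WMI_CHILD_WATCHLIST = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
    "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
}


def image_name(image: str) -> str:
    """Lower-cased file name of an image path."""
    return PureWindowsPath(image).name.lower()


def flag_wmi_spawned(events: list[ProcessEvent]) -> list[tuple[int, int, str]]:
    """Return (parent pid, child pid, child name) for every watch-listed process
    whose parent is wmiprvse.exe.

    Processes created through WMI's Win32_Process.Create get WmiPrvSE.exe as
    their parent, so the real requester is not visible in the process tree.
    """
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[int, int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent exited before the window, or is not in the data
        if image_name(parent.image) == "wmiprvse.exe" and image_name(e.image) in WMI_CHILD_WATCHLIST:
            hits.append((parent.pid, e.pid, image_name(e.image)))
    return hits


def burst_by_parent(events: list[ProcessEvent]) -> dict[int, int]:
    """Count flagged children per WmiPrvSE.exe instance, so that a burst like the
    report's 42 schtasks.exe launches from pid 2452 collapses into one finding."""
    return dict(Counter(ppid for ppid, _, _ in flag_wmi_spawned(events)))


if __name__ == "__main__":
    for ppid, pid, name in flag_wmi_spawned(EVENTS):
        print(f"wmiprvse.exe ({ppid}) spawned {name} ({pid})")
    print(burst_by_parent(EVENTS))
```

The tree alone cannot name the WMI client that asked for the process; to attribute the schtasks.exe launches to the sample on a live host, correlate the timestamps with the Microsoft-Windows-WMI-Activity/Operational log or a WMI ETW trace, which record the client process of each operation.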
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by lsm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" by lsm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" by 59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by lsm.exe
The same six writes are listed again under System policy modification at the end of the page.
Resource / yara rule:
behavioral1/memory/2196-1-0x0000000000DE0000-0x000000000100E000-memory.dmp: dcrat
behavioral1/files/0x0005000000019aee-38.dat: dcrat
behavioral1/files/0x000700000001a576-83.dat: dcrat
behavioral1/files/0x0008000000004ed7-163.dat: dcrat
behavioral1/files/0x000600000001a41c-185.dat: dcrat
behavioral1/memory/2960-229-0x00000000000E0000-0x000000000030E000-memory.dmp: dcrat
Drops file in Drivers directory 1 IoCs
File opened for modification: C:\Windows\System32\drivers\etc\hosts by 59b9f54f927431d2cf31d3aa202a0843.exe
The report records only that hosts was opened for writing, not what was written. On a live host, diff it against a clean copy: a common reason for a RAT to touch it is to blackhole security-vendor or update domains.
Executes dropped EXE 1 IoCs
pid 2960: lsm.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 28 IoCs
All 28 IoCs are string values written by 59b9f54f927431d2cf31d3aa202a0843.exe. HKLM below stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKU for \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run; backslashes are shown unescaped.
HKLM\explorer = "C:\Program Files\Reference Assemblies\explorer.exe"
HKLM\smss = "C:\Windows\Cursors\smss.exe"
HKU\sppsvc = "C:\Windows\DigitalLocker\es-ES\sppsvc.exe"
HKLM\sppsvc = "C:\Windows\DigitalLocker\es-ES\sppsvc.exe"
HKLM\smss = "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe"
HKLM\lsm = "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
HKU\59b9f54f927431d2cf31d3aa202a0843 = "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe"
HKLM\audiodg = "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe"
HKLM\csrss = "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe"
HKU\Idle = "C:\Program Files\Uninstall Information\Idle.exe"
HKU\audiodg = "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe"
HKU\spoolsv = "C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe"
HKU\59b9f54f927431d2cf31d3aa202a0843 = "C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe"
HKLM\59b9f54f927431d2cf31d3aa202a0843 = "C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe"
HKU\csrss = "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe"
HKU\sppsvc = "C:\Program Files\Microsoft Games\sppsvc.exe"
HKLM\audiodg = "C:\Users\Default User\audiodg.exe"
HKLM\spoolsv = "C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe"
HKU\smss = "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe"
HKLM\59b9f54f927431d2cf31d3aa202a0843 = "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe"
HKU\audiodg = "C:\Users\Default User\audiodg.exe"
HKLM\Idle = "C:\Program Files\Uninstall Information\Idle.exe"
HKU\explorer = "C:\Program Files\Reference Assemblies\explorer.exe"
HKLM\sppsvc = "C:\Program Files\Microsoft Games\sppsvc.exe"
HKU\smss = "C:\Windows\Cursors\smss.exe"
HKU\taskhost = "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
HKLM\taskhost = "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
HKU\lsm = "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
Each of the 14 dropped paths is registered once per hive, named after its file. Because the value names repeat (smss, sppsvc, audiodg and 59b9f54f927431d2cf31d3aa202a0843 each receive two different paths in the same hive), the later write overwrites the earlier one, so only some of the copies survive in Run; the Winlogon Shell value and the scheduled tasks cover the rest.
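As an added example that is not part of the sandbox report, the following Python parses the final Winlogon\Shell value and a few of the Run values from the two persistence sections above (copied here as constructed input, with the report's escaped backslashes unescaped). It flags every Shell program beyond the default explorer.exe and every Run or Shell entry whose file name is a Windows system binary living outside the directory that binary belongs in. The allow-list of system directories, the benign OneDrive Run entry and the function names are assumptions for the example.

```python
"""Triage of Winlogon\\Shell and Run values as recorded in the report above.

Added example, not part of the sandbox report. The registry values are
constructed copies of the report's rows; the system-directory allow-list is
an assumption drawn from the file names the sample reuses.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Final Winlogon\Shell value from the report (constructed copy).
SHELL_VALUE = (
    'explorer.exe, '
    '"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\59b9f54f927431d2cf31d3aa202a0843.exe", '
    '"C:\\Program Files\\Reference Assemblies\\explorer.exe", '
    '"C:\\Program Files\\Microsoft Games\\sppsvc.exe", '
    '"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\audiodg.exe", '
    '"C:\\Windows\\Cursors\\smss.exe", '
    '"C:\\Users\\Default User\\audiodg.exe", '
    '"C:\\Program Files (x86)\\Windows Sidebar\\it-IT\\spoolsv.exe", '
    '"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\csrss.exe", '
    '"C:\\Windows\\DigitalLocker\\es-ES\\sppsvc.exe", '
    '"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\smss.exe", '
    '"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\59b9f54f927431d2cf31d3aa202a0843.exe", '
    '"C:\\Program Files\\Uninstall Information\\Idle.exe", '
    '"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe", '
    '"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe"'
)

# Three Run values from the report (constructed copies) plus one benign entry
# (assumed) to show the check does not flag every Run value.
RUN_VALUES = {
    "smss": r"C:\Windows\Cursors\smss.exe",
    "csrss": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe",
    "lsm": r"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",  # assumed benign
}

# Where the genuine binaries of these names live. Assumption: a pragmatic
# allow-list for the names the sample reuses, not a full Windows inventory.
SYSTEM_BINARY_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# A Shell entry is either a double-quoted path or a bare token up to the next comma.
_TOKEN = re.compile(r'"([^"]*)"|([^,"\s][^,"]*)')


def split_shell(value: str) -> list[str]:
    """Split a Winlogon\\Shell value into the programs Winlogon will start.

    Winlogon launches every comma-separated entry as a shell process, which is
    exactly why appending to this value works as persistence.
    """
    return [quoted or bare.strip() for quoted, bare in _TOKEN.findall(value)]


def masquerades_system_binary(path: str) -> bool:
    """True when the file name is a system binary's but the directory is not
    one where that binary legitimately lives."""
    p = PureWindowsPath(path)
    allowed = SYSTEM_BINARY_DIRS.get(p.name.lower())
    if allowed is None:
        return False
    return str(p.parent).lower() not in allowed


def triage_shell(value: str) -> list[str]:
    """Every Shell entry beyond the default explorer.exe is suspicious."""
    default = {"explorer.exe", r"c:\windows\explorer.exe"}
    return [e for e in split_shell(value) if e.lower() not in default]


def triage_run_values(run: dict[str, str]) -> list[tuple[str, str]]:
    """Run entries whose target impersonates a system binary, as (name, path)."""
    return [(name, path) for name, path in run.items()
            if masquerades_system_binary(path.strip('"'))]


if __name__ == "__main__":
    for entry in triage_shell(SHELL_VALUE):
        tag = " (system-binary name outside its directory)" if masquerades_system_binary(entry) else ""
        print("Shell:", entry + tag)
    for name, path in triage_run_values(RUN_VALUES):
        print("Run:", name, "->", path)
```

The two checks are deliberately independent: the Shell check needs no allow-list (anything beyond explorer.exe is a finding), while the masquerade check is what catches the same binaries once they are registered under innocuous-looking Run names.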
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 59b9f54f927431d2cf31d3aa202a0843.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by lsm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by lsm.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 8: ipinfo.io
flow 7: ipinfo.io
Drops file in Program Files directory 30 IoCs
All 30 operations are by 59b9f54f927431d2cf31d3aa202a0843.exe.
File opened for modification: C:\Program Files\Microsoft Games\RCXEF55.tmp
File opened for modification: C:\Program Files\Reference Assemblies\RCXED50.tmp
File opened for modification: C:\Program Files\Microsoft Games\RCXEF54.tmp
File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification: C:\Program Files\Uninstall Information\RCX651.tmp
File opened for modification: C:\Program Files\Uninstall Information\Idle.exe
File created: C:\Program Files\Reference Assemblies\7a0fd90576e088
File created: C:\Program Files\Uninstall Information\6ccacd8608530f
File opened for modification: C:\Program Files (x86)\Windows Sidebar\it-IT\RCXF98B.tmp
File created: C:\Program Files\Microsoft Games\sppsvc.exe
File opened for modification: C:\Program Files (x86)\Windows Sidebar\it-IT\RCXF98A.tmp
File created: C:\Program Files (x86)\Windows Sidebar\it-IT\f3b6ecef712a24
File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\RCX371.tmp
File created: C:\Program Files (x86)\Microsoft Visual Studio 8\41a4431c21167d
File opened for modification: C:\Program Files\Reference Assemblies\RCXED51.tmp
File opened for modification: C:\Program Files\Reference Assemblies\explorer.exe
File opened for modification: C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe
File created: C:\Program Files\Microsoft Games\0a1fd5f707cd16
File created: C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe
File created: C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe
File created: C:\Program Files\Uninstall Information\Idle.exe
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCXFB8E.tmp
File created: C:\Program Files\Reference Assemblies\explorer.exe
File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe
File opened for modification: C:\Program Files\Uninstall Information\RCX650.tmp
File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\886983d96e3d3e
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCXFBFD.tmp
File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\RCX3DF.tmp
File opened for modification: C:\Program Files\Microsoft Games\sppsvc.exe
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe
Drops file in Windows directory 10 IoCs
All 10 operations are by 59b9f54f927431d2cf31d3aa202a0843.exe.
File created: C:\Windows\Cursors\smss.exe
File created: C:\Windows\DigitalLocker\es-ES\sppsvc.exe
File created: C:\Windows\DigitalLocker\es-ES\0a1fd5f707cd16
File opened for modification: C:\Windows\Cursors\smss.exe
File opened for modification: C:\Windows\DigitalLocker\es-ES\RCXFEDC.tmp
File opened for modification: C:\Windows\DigitalLocker\es-ES\sppsvc.exe
File created: C:\Windows\Cursors\69ddcba757bf72
File opened for modification: C:\Windows\Cursors\RCXF3CB.tmp
File opened for modification: C:\Windows\Cursors\RCXF439.tmp
File opened for modification: C:\Windows\DigitalLocker\es-ES\RCXFE6E.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 by lsm.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value omitted) by lsm.exe
A write to the machine ROOT store by lsm.exe deserves a look but is not by itself malicious: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1 (Let's Encrypt's root), which a Windows 7 image fetches through automatic root update the first time a process validates a chain that needs it; the ipinfo.io lookups above are the likely trigger. Confirm the thumbprint against a trusted root list before treating any root-store write as an IoC.
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe, 42 instances, PIDs 2148, 1596, 2144, 2612, 2204, 2036, 1408, 2536, 748, 1512, 2304, 2884, 3052, 284, 1996, 2312, 1612, 3048, 1848, 2200, 1876, 3036, 1684, 796, 1672, 1000, 1884, 1724, 672, 908, 2588, 2860, 1736, 2616, 1652, 2804, 1476, 2560, 2892, 1452, 2032, 936
The report does not show the schtasks.exe command lines or the task names. On an infected host, list the task definitions under C:\Windows\System32\Tasks and match each task's action against the 14 dropped paths above.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 2196 (59b9f54f927431d2cf31d3aa202a0843.exe) and pid 2960 (lsm.exe), 64 hits in total
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2960 lsm.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process
Token: SeDebugPrivilege 2196 59b9f54f927431d2cf31d3aa202a0843.exe
Token: SeDebugPrivilege 2960 lsm.exe
Token: SeBackupPrivilege 908 vssvc.exe
Token: SeRestorePrivilege 908 vssvc.exe
Token: SeAuditPrivilege 908 vssvc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2960 lsm.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 2196 wrote to memory of 2960 2196 59b9f54f927431d2cf31d3aa202a0843.exe 74
PID 2196 wrote to memory of 2960 2196 59b9f54f927431d2cf31d3aa202a0843.exe 74
PID 2196 wrote to memory of 2960 2196 59b9f54f927431d2cf31d3aa202a0843.exe 74
PID 2960 wrote to memory of 1484 2960 lsm.exe 75
PID 2960 wrote to memory of 1484 2960 lsm.exe 75
PID 2960 wrote to memory of 1484 2960 lsm.exe 75
PID 2960 wrote to memory of 2128 2960 lsm.exe 76
PID 2960 wrote to memory of 2128 2960 lsm.exe 76
PID 2960 wrote to memory of 2128 2960 lsm.exe 76
-
System policy modification 1 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 59b9f54f927431d2cf31d3aa202a0843.exe
-
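The six policy writes above are the UAC-bypass half of this sample's behaviour. The script below is an added example for this report (not sandbox output, not the sample's code) that interprets such writes the way an analyst would: it normalises the native \REGISTRY\MACHINE path the report shows to the HKLM form Sysmon logs, matches the three UAC values, and folds the writes onto Windows defaults to say what the machine's elevation behaviour is now versus after the next reboot (EnableLUA is read at boot, the other two take effect at once). The event records are constructed to mirror the report's rows in the shape of Sysmon Event ID 13 (Image, TargetObject, Details); the svchost.exe record and the assumed default values are not from the report.

```python
"""Interpret UAC policy writes (Sysmon Event ID 13 shaped records)."""
import re
from dataclasses import dataclass

POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Native form as printed in the sandbox report.
NATIVE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (data that weakens UAC, effect, when the change takes effect)
UAC_POLICY = {
    "EnableLUA": ("0", "UAC off: Administrators get a full token at logon", "after reboot"),
    "ConsentPromptBehaviorAdmin": ("0", "admins elevate silently, no consent or credential prompt", "immediately"),
    "PromptOnSecureDesktop": ("0", "elevation prompt drawn on the user desktop, where other processes can overlay or drive it", "immediately"),
}
# Assumed starting state: Windows defaults.
DEFAULTS = {"EnableLUA": "1", "ConsentPromptBehaviorAdmin": "5", "PromptOnSecureDesktop": "1"}

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe"
LSM_EXE = r"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"


def _ev(image, target, details):
    return {"Image": image, "TargetObject": target, "Details": details}


# Constructed records: one benign write (svchost.exe, assumed) followed by the
# six writes the report lists, in a plausible order.
SAMPLE_EVENTS = [
    _ev(r"C:\Windows\System32\svchost.exe", POLICY_KEY + r"\EnableLUA", "DWORD (0x00000001)"),
    _ev(SAMPLE_EXE, NATIVE_KEY + r"\ConsentPromptBehaviorAdmin", "DWORD (0x00000000)"),
    _ev(SAMPLE_EXE, NATIVE_KEY + r"\PromptOnSecureDesktop", "DWORD (0x00000000)"),
    _ev(LSM_EXE, NATIVE_KEY + r"\EnableLUA", "DWORD (0x00000000)"),
    _ev(LSM_EXE, NATIVE_KEY + r"\ConsentPromptBehaviorAdmin", "DWORD (0x00000000)"),
    _ev(LSM_EXE, NATIVE_KEY + r"\PromptOnSecureDesktop", "DWORD (0x00000000)"),
    _ev(SAMPLE_EXE, NATIVE_KEY + r"\EnableLUA", "DWORD (0x00000000)"),
]


def normalise_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... and HKEY_LOCAL_MACHINE\\... to HKLM\\..."""
    return re.sub(r"^(\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE)", "HKLM", path, flags=re.I)


def parse_dword(details: str):
    """Sysmon prints DWORDs as 'DWORD (0x00000000)'; plain decimals also accepted."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


@dataclass(frozen=True)
class Finding:
    image: str
    value: str
    effect: str
    applies: str


def _split(ev):
    key, _, value = normalise_key(ev["TargetObject"]).rpartition("\\")
    return key.lower() == POLICY_KEY.lower(), value, parse_dword(ev["Details"])


def assess(events) -> list:
    """One Finding per write that sets a UAC policy value to its weakening data."""
    findings = []
    for ev in events:
        in_key, value, data = _split(ev)
        if not in_key or value not in UAC_POLICY or data is None:
            continue
        weak, effect, applies = UAC_POLICY[value]
        if str(data) == weak:
            findings.append(Finding(ev["Image"], value, effect, applies))
    return findings


def effective_uac_state(events) -> dict:
    """Fold the writes onto the defaults; EnableLUA only counts after a reboot."""
    state = dict(DEFAULTS)
    for ev in events:
        in_key, value, data = _split(ev)
        if in_key and value in state and data is not None:
            state[value] = str(data)

    def describe(enable_lua):
        if enable_lua == "0":
            return "uac_off"
        if state["ConsentPromptBehaviorAdmin"] == "0":
            return "silent_elevation"
        if state["PromptOnSecureDesktop"] == "0":
            return "prompt_not_on_secure_desktop"
        return "uac_enforced"

    return {"now": describe(DEFAULTS["EnableLUA"]), "after_reboot": describe(state["EnableLUA"])}


if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f"{f.image} set {f.value}: {f.effect} ({f.applies})")
    print(effective_uac_state(SAMPLE_EVENTS))
```

The split between "now" and "after_reboot" is the practical point: on this run the host is already elevating administrators without a prompt, and UAC disappears entirely at the next boot, so a response that only restores EnableLUA leaves the immediate hole open.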
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe
"C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe" (level 1)
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2196
-
  C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe" (level 2, child of PID 2196)
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2960
  -
    C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33119683-9821-4246-9c47-e8499529bef2.vbs" (level 3, child of PID 2960)
    PID:1484
    -
    C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42c731b7-cd6c-406d-aaff-5a1786c19ba1.vbs" (level 3, child of PID 2960)
    PID:2128
-
C:\Windows\system32\schtasks.exe (42 processes, each listed at level 1)
Every one of the 42 schtasks.exe processes below carries the same three tags:
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Command lines by PID:
PID:2612  schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe'" /f
PID:2560  schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a0843" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
PID:2588  schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
PID:2204  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /f
PID:3036  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /rl HIGHEST /f
PID:1612  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /rl HIGHEST /f
PID:2860  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\sppsvc.exe'" /f
PID:2892  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\sppsvc.exe'" /rl HIGHEST /f
PID:2884  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\sppsvc.exe'" /rl HIGHEST /f
PID:3048  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
PID:3052  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
PID:284   schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
PID:1736  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\smss.exe'" /f
PID:2616  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
PID:1884  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
PID:748   schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /f
PID:1452  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
PID:1848  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
PID:1996  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /f
PID:2036  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /rl HIGHEST /f
PID:2032  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /rl HIGHEST /f
PID:1684  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe'" /f
PID:1408  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe'" /rl HIGHEST /f
PID:1724  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe'" /rl HIGHEST /f
PID:2536  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\es-ES\sppsvc.exe'" /f
PID:2312  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\sppsvc.exe'" /rl HIGHEST /f
PID:2200  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\es-ES\sppsvc.exe'" /rl HIGHEST /f
PID:796   schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
PID:2148  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
PID:1876  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
PID:1596  schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe'" /f
PID:1512  schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a0843" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
PID:672   schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
PID:1672  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
PID:1652  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
PID:908   schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
PID:936   schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
PID:2804  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
PID:1476  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
PID:2304  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
PID:1000  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
PID:2144  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe (level 1)
- Suspicious use of AdjustPrivilegeToken
PID:908
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
PID:1772
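The 42 schtasks.exe command lines above, together with the "Uses Task Scheduler COM API" signature, are the persistence half of the sample: each dropped copy gets three tasks (a MINUTE watchdog, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST), the copies are named after Windows system binaries but live under MSOCache, Program Files, Cursors, Recovery or a user profile, and the task names are the binary name plus one trailing character. The script below is an added example for this report (not sandbox output, not the sample's code) that parses schtasks command lines and scores those traits; four of its sample lines are copied from the list above, the fifth is a constructed benign task for contrast, and the allow-list of directories where those binary names legitimately live is an assumption.

```python
"""Flag DcRat-style scheduled-task persistence from schtasks command lines."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Names the sample reuses for its copies; the real files live in System32
# (explorer.exe in C:\Windows). "idle.exe" is not a file on disk at all.
SYSTEM_BINARY_NAMES = {
    "lsm.exe", "smss.exe", "csrss.exe", "spoolsv.exe", "sppsvc.exe",
    "audiodg.exe", "taskhost.exe", "explorer.exe", "idle.exe", "wininit.exe",
    "services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "dwm.exe",
}
# Assumed allow-list of directories for those names (deliberately coarse).
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}
# One switch and its optional value; a value never starts with '/'.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')
# A MINUTE trigger at or below this interval is a watchdog, not a job.
WATCHDOG_MINUTES = 15

# Four lines copied from the report's process list, one constructed benign task.
SAMPLE_LINES = [
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f''',
    r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f''',
]


@dataclass
class TaskVerdict:
    name: str
    target: str
    schedule: str
    reasons: list[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # One trait alone is common in legitimate tasks; two together are not.
        return len(self.reasons) >= 2


def parse_schtasks(cmdline: str) -> dict[str, str | None]:
    """Return {switch: value}; bare switches such as /create and /f map to None."""
    switches = {}
    for key, val in SWITCH_RE.findall(cmdline):
        # /tr values on this page are double-quoted with an inner single-quoted path.
        switches[key.lower()] = val.strip('"').strip("'") or None
    return switches


def analyse(cmdline: str) -> TaskVerdict | None:
    """Judge one schtasks command line; None if it does not create a task."""
    sw = parse_schtasks(cmdline)
    if "create" not in sw or not sw.get("tr"):
        return None
    target = sw["tr"]
    name = sw.get("tn") or ""
    schedule = (sw.get("sc") or "").upper()
    modifier = int(sw["mo"]) if (sw.get("mo") or "").isdigit() else None
    verdict = TaskVerdict(name, target, schedule)

    exe = ntpath.basename(target).lower()
    stem = ntpath.splitext(exe)[0]
    if exe in SYSTEM_BINARY_NAMES and ntpath.dirname(target).lower() not in LEGIT_DIRS:
        verdict.reasons.append(f"{exe} launched from outside the Windows directory")
    if schedule == "MINUTE" and modifier is not None and modifier <= WATCHDOG_MINUTES:
        verdict.reasons.append(f"re-launched every {modifier} minutes")
    if (sw.get("rl") or "").upper() == "HIGHEST":
        verdict.reasons.append("runs with highest privileges")
    lname = name.lower()
    if lname == stem or (len(lname) == len(stem) + 1 and lname.startswith(stem)):
        verdict.reasons.append("task name is the target's name plus at most one character")
    return verdict


def scan(lines: list[str]) -> list[TaskVerdict]:
    """Return only the verdicts worth an analyst's attention."""
    return [v for v in (analyse(line) for line in lines) if v is not None and v.flagged]


if __name__ == "__main__":
    for v in scan(SAMPLE_LINES):
        print(f"{v.name!r} -> {v.target}")
        for reason in v.reasons:
            print("   ", reason)
```

Run against Sysmon Event ID 1 or Security 4688 command lines, the same rules catch the pattern regardless of which directory a future build picks, because the score rests on the combination (system-binary name outside the Windows directory, watchdog interval, highest run level, name derived from the target) rather than on any one path from this report.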
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (5)
- Subvert Trust Controls (1): Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize 2.2MB
MD5 2df8e84d76c517286f65d40f69844ace
SHA1 cbbc28aaa8862b7d4182c04f82ebf33f589dd852
SHA256 58d1f18b8cea469dc4515783d33b6c3b78865043552fd10ee6e19f936b2e02de
SHA512 862c8168acc4e35760598891e54037b4179779d5a9e805136075a03c15d21a252e1b13b61caa569c6971b87370d5890d53ce33a2af64313fe0a3d79f3c122ac3
-
Filesize 2.2MB
MD5 54b48d7611fb49892fd9f36e6c9eb58c
SHA1 ca6e1ff091ea3624afd344751886e9b4e655a6f3
SHA256 f8fd70996226e10c0e26187249fc0e156c5d5141f6db19e2cf070b75d0e800c8
SHA512 52312fb241f9c9a3e1978e64127e574e35130b052081ead8eeb3bc9361825738cab14d172e3651effc7b97615cfec9ca565726decb3b721c1754c4f7a84ae754
-
Filesize 746B
MD5 7e63ffc2c1d7d5a9ef139b7de6198331
SHA1 204256492393f60a959cc50f70ceff83b4e4ef6f
SHA256 810f2725922559e87fad92ce8438bca28641f61b036de3d38ee68dd7c71137b9
SHA512 8b4e51adfb84c349ddef121587da60d45eac911741a4b938f9ca8456f59cbba51413300672ccac976115457553f8408b98558ffa337a0af090d45a54ae9539ca
-
Filesize 522B
MD5 408655c8ae8b8b144503095766dc70a3
SHA1 19ed084d193c73038f44f096eadfff18a38eff19
SHA256 dbec708aa8b23e5123daaad3506d2d7657c8b868f7a07f7ff9bd4cc44a19c6a6
SHA512 66a69afa40ff22f4422dd42ff00de58135a09adb20497cfe784e43c33101720c60addf1c3dc72895007afaf7408700fbfbe12178be1711d1fc1bb2af931df546
-
Filesize 2.2MB
MD5 59b9f54f927431d2cf31d3aa202a0843
SHA1 b23d214605133dc8e930f9a9d473c7c7622b4b56
SHA256 007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594
SHA512 89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8
-
Filesize 2.2MB
MD5 06bd9cd8dc19f7c395e894e0ea5a8881
SHA1 80b018712b9105a4d1bd5fa8ca55598c43b4c4d3
SHA256 8dda218c256b388ce046e49b408b6e2f965bf5bfbcf660741bb3c8183e23ed76
SHA512 aef14cc9991c7401d236540dace19f7ef18f1db7092e0730ec37d56b3be2f427b082ed34dc7f528529eec5ce77f91504e0848b229b040ddb3c8401bc40caaf74