Analysis
max time kernel: 138s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/01/2024, 15:14
Static task: static1
Behavioral task: behavioral1
Sample: dotnet-runtime-6.0.12-win-x64 (1).exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: dotnet-runtime-6.0.12-win-x64 (1).exe
Resource: win10v2004-20231215-en
General
Target: dotnet-runtime-6.0.12-win-x64 (1).exe
Size: 26.5MB
MD5: b904aee532297d7bab64dcdc6dc56988
SHA1: e9f7728237134666fd4cb0875465d1460e3d12b5
SHA256: 1f59de85b9172ce651f8e031e946534e02e58bc4dcb56e72430fe8572beb33ab
SHA512: f8c6d7d379ec9ec8e39e6ca20c6015d7c2d049eecd06045818fe95e87b3e515adbdf445f83b79241248fa5a3f3093ce4bf6f7f67cb9f7e6c74e03523a70d9fd5
SSDEEP: 393216:LvFbxOLkfjwdSjSovAgb/kIHkKQC5MyItiK3+aFVLfoZbMlw3UJsvI/g1:LvFbxOQf0dSQgzQC52tXdi3UJs7
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (Process: dotnet-runtime-6.0.12-win-x64 (1).exe)
Executes dropped EXE 2 IoCs
PID 352: dotnet-runtime-6.0.12-win-x64 (1).exe
PID 3408: dotnet-runtime-6.0.12-win-x64.exe
Loads dropped DLL 5 IoCs
PID 352: dotnet-runtime-6.0.12-win-x64 (1).exe
PID 3144: MsiExec.exe
PID 3144: MsiExec.exe
PID 5108: MsiExec.exe
PID 5108: MsiExec.exe
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{35588924-6b2a-48cd-a3ee-b9118cad2d01} = "\"C:\\ProgramData\\Package Cache\\{35588924-6b2a-48cd-a3ee-b9118cad2d01}\\dotnet-runtime-6.0.12-win-x64.exe\" /burn.runonce" (Process: dotnet-runtime-6.0.12-win-x64.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (Process: taskmgr.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (Process: taskmgr.exe)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (Process: taskmgr.exe)
Modifies data under HKEY_USERS 5 IoCs
Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 (Process: msiexec.exe)
Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 (Process: msiexec.exe)
Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 (Process: msiexec.exe)
Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E (Process: msiexec.exe)
Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 (Process: msiexec.exe)
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 31 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 55 IoCs
Suspicious use of SendNotifyMessage 53 IoCs
Suspicious use of WriteProcessMemory 12 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\dotnet-runtime-6.0.12-win-x64 (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dotnet-runtime-6.0.12-win-x64 (1).exe"
  PID: 4620
  - Suspicious use of WriteProcessMemory
    C:\Windows\Temp\{C705EAA1-FD11-4F0B-9C2F-355B98AAED91}\.cr\dotnet-runtime-6.0.12-win-x64 (1).exe
      Command line: "C:\Windows\Temp\{C705EAA1-FD11-4F0B-9C2F-355B98AAED91}\.cr\dotnet-runtime-6.0.12-win-x64 (1).exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-runtime-6.0.12-win-x64 (1).exe" -burn.filehandle.attached=684 -burn.filehandle.self=536
      PID: 352
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        C:\Windows\Temp\{D10727D1-AC02-40B8-B718-481248483213}\.be\dotnet-runtime-6.0.12-win-x64.exe
          Command line: "C:\Windows\Temp\{D10727D1-AC02-40B8-B718-481248483213}\.be\dotnet-runtime-6.0.12-win-x64.exe" -q -burn.elevated BurnPipe.{10430A53-52DA-4241-8905-69E38733EB22} {166FF724-C634-4468-8759-BA917566A4F3} 352
          PID: 3408
          - Executes dropped EXE
          - Adds Run key to start application
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2360
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3647417324837FE8E06307DB85EEF024
      PID: 3144
      - Loads dropped DLL
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6CE0A5601EB30917E6CCA43D255AACC9
      PID: 5108
      - Loads dropped DLL
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4888
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.12_(x64)_20240123151531_000_dotnet_runtime_6.0.12_win_x64.msi.log
Filesize: 2KB
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.12_(x64)_20240123151531_001_dotnet_hostfxr_6.0.12_win_x64.msi.log
Filesize: 2KB