Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-03-2024 03:56
Static task: static1
Behavioral task: behavioral1
Sample: d7d26e52666b2a4633daf1255b15f967.exe
Resource: win7-20240221-en
General
Target: d7d26e52666b2a4633daf1255b15f967.exe
Size: 505KB
MD5: d7d26e52666b2a4633daf1255b15f967
SHA1: 07e603c3ae9f2e876acb2e35791f810b22621aff
SHA256: b5783b1d56cb32dfd50a16fd41c70c72cef40ff6c3389242ff4e5bb4a2905413
SHA512: 2dc43bc611da3bed3404f8a91b76f4570f45992bda58798231c7aeaae4f8f87038556f0431d5a5de2724aeaaad48dae696637a7ff9ae8f37ce2d4d6e8f46c90d
SSDEEP: 12288:cppem0FZJWq+s4Kp6MssRN1j0PNeQXOEleiSMd2ZliWqmn:AYFZJWqCK0gRfj0PshQj22sn
Malware Config
Signatures
-
Detect ZGRat V1 35 IoCs
Processes (resource / yara_rule):
behavioral1/memory/2352-99-0x0000000007FB0000-0x000000000801E000-memory.dmp  family_zgrat_v1
behavioral1/memory/2352-N-0x0000000007FB0000-0x0000000008019000-memory.dmp  family_zgrat_v1, for dump N in 100, 101, 103, 105, 107, 109, 111, 113, 115, 117, 119, 121, 123, 125, 127, 129, 131, 133, 135, 137, 139, 141, 143, 145, 147, 149, 151, 153, 155, 157, 159, 161, 163 (33 hits on the same region of PID 2352)
behavioral1/memory/2376-2321-0x0000000000400000-0x0000000000466000-memory.dmp  family_zgrat_v1
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes (resource / yara_rule):
behavioral1/memory/2376-2321-0x0000000000400000-0x0000000000466000-memory.dmp  family_stormkitty
-
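As an added example (not part of the sandbox report), the Python below parses hit strings in the format used by the two YARA tables above and groups them by process and memory region, so the two facts that matter can be read off directly: 34 dumps of PID 2352 keep matching one high region at 0x7FB0000, and the only hit in PID 2376 sits at 0x400000, the default image base of a 32-bit PE, where both rules fire. The embedded input is a constructed subset of the page's own hits (four of the PID 2352 hits and the two PID 2376 hits); the dictionary field names and the `DEFAULT_IMAGE_BASE` constant are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed input: six hit strings copied from the two YARA tables above (four of the
# 34 ZGRat hits on PID 2352, and the PID 2376 region that both rules match).
HITS = """\
behavioral1/memory/2352-99-0x0000000007FB0000-0x000000000801E000-memory.dmp family_zgrat_v1
behavioral1/memory/2352-100-0x0000000007FB0000-0x0000000008019000-memory.dmp family_zgrat_v1
behavioral1/memory/2352-101-0x0000000007FB0000-0x0000000008019000-memory.dmp family_zgrat_v1
behavioral1/memory/2352-163-0x0000000007FB0000-0x0000000008019000-memory.dmp family_zgrat_v1
behavioral1/memory/2376-2321-0x0000000000400000-0x0000000000466000-memory.dmp family_zgrat_v1
behavioral1/memory/2376-2321-0x0000000000400000-0x0000000000466000-memory.dmp family_stormkitty
"""

# <task>/memory/<pid>-<dump index>-<start>-<end>-memory.dmp <rule name>
HIT_RE = re.compile(
    r"^(?P<task>[^/\s]+)/memory/(?P<pid>\d+)-(?P<dump>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

DEFAULT_IMAGE_BASE = 0x400000  # assumption: default /BASE of a 32-bit PE, as seen for PID 2376


def parse_hits(text):
    """Parse hit strings into dicts; reject malformed lines and inverted ranges."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HIT_RE.match(line)
        if m is None:
            raise ValueError("unrecognised hit line: " + line)
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError("empty or inverted region: " + line)
        hits.append({"task": m["task"], "pid": int(m["pid"]), "dump": int(m["dump"]),
                     "start": start, "end": end, "size": end - start, "rule": m["rule"]})
    return hits


def regions(hits):
    """Group hits by (pid, start, end): which rules fired there and in which dumps."""
    out = defaultdict(lambda: {"rules": set(), "dumps": set()})
    for h in hits:
        r = out[(h["pid"], h["start"], h["end"])]
        r["rules"].add(h["rule"])
        r["dumps"].add(h["dump"])
    return dict(out)


def injected_payload_candidates(hits):
    """Hits on a region that starts at the image base. Together with the report's
    WriteProcessMemory and SetThreadContext events from 2352 into 2376 this is the
    process-hollowing footprint: the child's own image was overwritten by the payload."""
    return sorted({(h["pid"], h["rule"]) for h in hits if h["start"] == DEFAULT_IMAGE_BASE})


def staging_regions(hits, pid):
    """Regions in `pid` away from the image base: where the parent held the unpacked
    payload before injecting it (the 0x7FB0000 region that 34 dumps of PID 2352 matched)."""
    return sorted({(h["start"], h["end"]) for h in hits
                   if h["pid"] == pid and h["start"] != DEFAULT_IMAGE_BASE})


if __name__ == "__main__":
    parsed = parse_hits(HITS)
    for (pid, start, end), info in sorted(regions(parsed).items()):
        print(f"pid {pid}: 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes) "
              f"rules={sorted(info['rules'])} dumps={len(info['dumps'])}")
    print("payload at image base:", injected_payload_candidates(parsed))
    print("staging regions in 2352:", staging_regions(parsed, 2352))
```

Feeding the full 35-line table in gives the same two regions; the value of grouping is that the parent's repeated hits collapse to one staging region while the child's single hit stands out as the injected image.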
Nirsoft 1 IoCs
Processes (resource / yara_rule):
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe  Nirsoft
AdvancedRun is NirSoft's legitimate run-as utility. Here it is dropped into Temp and, as the process tree below shows, used with its /RunAs switch to launch sc.exe and powershell.exe against Windows Defender; the YARA match is on the tool itself, so the rule identifies living-off-the-land tooling rather than anything unique to this sample.
-
Executes dropped EXE 4 IoCs
Processes (pid / process):
672 AdvancedRun.exe
2244 AdvancedRun.exe
2196 AdvancedRun.exe
2440 AdvancedRun.exe
-
Loads dropped DLL 8 IoCs
Processes (pid / process):
2352 d7d26e52666b2a4633daf1255b15f967.exe (4 events)
672 AdvancedRun.exe (2 events)
2196 AdvancedRun.exe (2 events)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 6 IoCs
All six events are under C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\, a per-victim collection directory named <user>@<hostname>_<locale> whose Grabber subtree mirrors the victim's Desktop, Documents, Downloads and Pictures folders. The signature is therefore firing on copies of the victim's own desktop.ini files made by the stealer's grabber module, not on a file the sample brought with it.
Processes (description / ioc / process):
File created: C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini  d7d26e52666b2a4633daf1255b15f967.exe
File opened for modification: C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini  d7d26e52666b2a4633daf1255b15f967.exe
File created: C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini  d7d26e52666b2a4633daf1255b15f967.exe
File created: C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini  d7d26e52666b2a4633daf1255b15f967.exe
File created: C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini  d7d26e52666b2a4633daf1255b15f967.exe
File opened for modification: C:\Users\Admin\AppData\Local\4509b3832af23bba71ee674759eb84b7\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini  d7d26e52666b2a4633daf1255b15f967.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
flow 3: icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
PID 2352 set thread context of 2376: d7d26e52666b2a4633daf1255b15f967.exe -> d7d26e52666b2a4633daf1255b15f967.exe
Setting the thread context of a child that is a second copy of the same executable, after the eight WriteProcessMemory events into it listed below, is the process-hollowing sequence; the YARA hits at 0x400000-0x466000 in PID 2376 are the payload that replaced the child's image.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  d7d26e52666b2a4633daf1255b15f967.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  d7d26e52666b2a4633daf1255b15f967.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 5 IoCs
The two certificates written here are ISRG Root X1 (thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8, into the ROOT store) and DST Root CA X3 (thumbprint DAC9024F54D8F6DF94935FB1732638CA6AD77C13, into AuthRoot): the Let's Encrypt chain, whose subject names "Internet Security Research Group / ISRG Root X1" and "Digital Signature Trust Co. / DST Root CA X3" are readable in the DER hex of each Blob value. Together with the CryptnetUrlCache metadata file listed under Downloads, this is consistent with Windows' automatic root-certificate update being triggered by the sample's first TLS connection rather than with an attacker-installed CA; confirm by checking that no certificate other than these two appears in the Blob values.
Processes (description / ioc / process):
d7d26e52666b2a4633daf1255b15f967.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 d7d26e52666b2a4633daf1255b15f967.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150
b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 d7d26e52666b2a4633daf1255b15f967.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 d7d26e52666b2a4633daf1255b15f967.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 d7d26e52666b2a4633daf1255b15f967.exe Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ad
a9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 d7d26e52666b2a4633daf1255b15f967.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9
b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 d7d26e52666b2a4633daf1255b15f967.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes (pid / process):
1160, 2756, 2552, 2952, 2644, 1420, 2328, 1468, 2388, 1344 powershell.exe (one entry each)
672, 2244, 2196, 2440 AdvancedRun.exe (two entries each)
2352 d7d26e52666b2a4633daf1255b15f967.exe (one entry)
2376 d7d26e52666b2a4633daf1255b15f967.exe (the remaining 29 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description / pid / process); the list stops at 64 entries:
1160 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
2756 powershell.exe: the same 21 tokens in the same order
2552 powershell.exe: the same 21 tokens in the same order
2952 powershell.exe: SeDebugPrivilege (the list is cut off here)
The unresolved LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege the token already holds in one sweep is routine for powershell.exe whatever it is asked to run, so this signature carries little weight on its own; the Defender-tampering evidence is in the AdvancedRun launches shown in the process tree.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process), grouped by parent and child:
PID 2352 d7d26e52666b2a4633daf1255b15f967.exe wrote to memory of each of its ten powershell.exe children (1160, 2756, 2552, 2952, 2644, 1420, 2328, 1468, 2388, 1344): 4 events each, 40 in total
PID 2352 d7d26e52666b2a4633daf1255b15f967.exe wrote to memory of 672 AdvancedRun.exe: 4 events
PID 672 AdvancedRun.exe wrote to memory of 2244 AdvancedRun.exe: 4 events
PID 2352 d7d26e52666b2a4633daf1255b15f967.exe wrote to memory of 2196 AdvancedRun.exe: 4 events
PID 2196 AdvancedRun.exe wrote to memory of 2440 AdvancedRun.exe: 4 events
PID 2352 d7d26e52666b2a4633daf1255b15f967.exe wrote to memory of 2376 d7d26e52666b2a4633daf1255b15f967.exe: 8 events
Four writes accompany every ordinary child in this run, so the count to notice is the eight into 2376, the one child that also receives a SetThreadContext from 2352 and in which the StormKitty payload is found at 0x400000: the parent is overwriting a second copy of itself rather than merely starting it.
Processes
Process tree from behavioral1: image path and PID, the command line as launched, then the signatures attributed to that process; indentation is parent/child depth. Image paths under SysWOW64 paired with command lines naming System32 are file-system redirection for a 32-bit process on x64, consistent with the arch:x86 tag above.

C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe  PID 2352
  cmd: "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 1160
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2756
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2552
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2952
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2644
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 1420
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2328
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 1468
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2388
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 1344
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe  PID 672
    cmd: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe  PID 2244
      cmd: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 672
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe  PID 2196
    cmd: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe  PID 2440
      cmd: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2196
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe  PID 2376
    cmd: C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\cmd.exe  PID 2000
      cmd: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      C:\Windows\SysWOW64\chcp.com  PID 712
        cmd: chcp 65001
      C:\Windows\SysWOW64\netsh.exe  PID 1816
        cmd: netsh wlan show profile
      C:\Windows\SysWOW64\findstr.exe  PID 336
        cmd: findstr All
    C:\Windows\SysWOW64\cmd.exe  PID 1984
      cmd: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      C:\Windows\SysWOW64\chcp.com  PID 540
        cmd: chcp 65001
      C:\Windows\SysWOW64\netsh.exe  PID 1788
        cmd: netsh wlan show networks mode=bssid
    C:\Windows\SysWOW64\schtasks.exe  PID 3040
      cmd: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"
      - Creates scheduled task(s)

Reading the tree: the original process (2352) runs Test-Connection bing.com ten times, which reads as a wait-for-connectivity loop, uses AdvancedRun to stop the WinDefend service and delete Defender's ProgramData folder, then hollows a second copy of itself (2376). The hollowed copy does the stealing: it dumps Wi-Fi profiles and nearby BSSIDs via netsh (chcp 65001 switches the console to UTF-8 so the output parses cleanly), collects user folders under the Grabber directory, and registers the only persistence seen in this run, an ONLOGON task at the highest run level named "Chrome Update" whose action points back into Temp.
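Pulling the tree together as detection logic, the Python below is an added example (not the sandbox's code) that runs a handful of rules over constructed process-creation records whose PIDs, image paths and command lines are copied from the tree above. It flags the AdvancedRun launches that stop WinDefend and delete the Defender folder, the ONLOGON task whose action lives in a user-writable directory, the Wi-Fi profile dump, and a child that is a second copy of a Temp-resident parent. That last rule also fires on AdvancedRun's own /SpecialRun helper, which is why it is presented as a lead to chain with `ancestry()` rather than a verdict; the Test-Connection bing.com processes are deliberately left unflagged as a connectivity check. The rule names, the `Proc` record layout and the user-writable path list are assumptions of this example.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmd")

# Constructed process-creation records (assumed layout). PIDs, image paths and
# command lines are those shown in the report's process tree; ppid 0 = no parent recorded.
EVENTS = [
    Proc(2352, 0, r"C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe",
         r'''"C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"'''),
    Proc(1160, 2352, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com'''),
    Proc(672, 2352, r"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe",
         r'''"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" '''
         r'''/WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run'''),
    Proc(2244, 672, r"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe",
         r'''"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 672'''),
    Proc(2196, 2352, r"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe",
         r'''"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename '''
         r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine '''
         r'''"rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run'''),
    Proc(2376, 2352, r"C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe",
         r"C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"),
    Proc(2000, 2376, r"C:\Windows\SysWOW64\cmd.exe",
         r'''"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'''),
    Proc(3040, 2376, r"C:\Windows\SysWOW64\schtasks.exe",
         r'''"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" '''
         r'''/tr "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"'''),
]

# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.I)
DEFENDER_TAMPER = re.compile(
    r"\bstop\b.*\bWinDefend\b|\b(rmdir|rd|del|Remove-Item)\b.*Windows Defender", re.I)
WLAN_PROFILE = re.compile(r"\bnetsh\s+wlan\s+show\s+profile", re.I)
SCHTASK_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_tamper(p, parent):
    return DEFENDER_TAMPER.search(p.cmd) is not None


def rule_advancedrun_proxy_exec(p, parent):
    low = p.cmd.lower()
    return basename(p.image) == "advancedrun.exe" and "/exefilename" in low and "/runas" in low


def rule_persist_schtask_userwritable(p, parent):
    if basename(p.image) != "schtasks.exe" or "/create" not in p.cmd.lower():
        return False
    m = SCHTASK_TR.search(p.cmd)
    return m is not None and USER_WRITABLE.search(m.group(1)) is not None


def rule_wlan_profile_harvest(p, parent):
    return WLAN_PROFILE.search(p.cmd) is not None


def rule_self_spawn_from_temp(p, parent):
    """Child with the same image as its parent, both living in a Temp directory.
    Fires on the hollowing target (2376) and on AdvancedRun's /SpecialRun helper alike."""
    return (parent is not None and p.image.lower() == parent.image.lower()
            and "\\temp\\" in p.image.lower())


RULES = {
    "defender_tamper": rule_defender_tamper,
    "advancedrun_proxy_exec": rule_advancedrun_proxy_exec,
    "persist_schtask_userwritable": rule_persist_schtask_userwritable,
    "wlan_profile_harvest": rule_wlan_profile_harvest,
    "self_spawn_from_temp": rule_self_spawn_from_temp,
}


def evaluate(events):
    """Return (rule name, pid) for every rule that matches a record."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        alerts.extend((name, e.pid) for name, rule in RULES.items() if rule(e, parent))
    return alerts


def ancestry(events, pid):
    """PIDs from the root of the recorded tree down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name:30} pid={pid:<5} chain={' > '.join(map(str, ancestry(EVENTS, pid)))}")
```

Two of the rules need the parent record, which is why `evaluate` resolves `ppid` before applying them; on real telemetry the same resolution is what lets the scheduled-task alert (3040) be tied back through 2376 to the original Temp executable rather than being triaged as a lone schtasks event.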
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: a720437bb7c6811d7102713ed50a4fc3
SHA1: 74d4fe110b75df7c2f913088b783a6bad24fab9f
SHA256: b32e8a0c340acce4df648555c9a080f73ab0088a5e968d53e5521f34d73e35dc
SHA512: 0b7964e5f7ebe92632e2df9f5eebc2b4b20635b2d7f008342bdb42f6d3738f04df564b2e4ff207ef29a9ba23e99a48d882af965ce837beede7461366effe3671
(CryptoAPI's URL cache, written when Windows fetches certificate material over the network; it accompanies the root certificates added under Modifies system certificate store.)

Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
(These are the hashes of a single ASCII "0" byte.)

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 1a9d77294b1c58e9335205f7dead8147
SHA1: 620954efbebc1a3b828ab50679ce87efa46be977
SHA256: 007b02864686c5ebb03b1bfd7554e5497fc87b637a04cf2fd74c3245481359c3
SHA512: 73c7e1b3de300744ce7d32b8a5dbfdaaa7222639f5201c10eca6d4b80e1f1d3196fb23b1efc275aa139172d8ec8c732b07e9c971ce4ea32a8a8a82f3c33a7f13

Filesize: 88KB
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a