Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
ID                 Score  Submitted
240412-qtgfpsag84  8      12/04/2024, 13:32
240412-qtc4aaag83  8      12/04/2024, 13:32
240412-qtcshsag82  8      12/04/2024, 13:32
240412-qtb6zsag79  8      12/04/2024, 13:32
240412-qtbkfsdh4s  8      12/04/2024, 13:32
240409-f9mmjsbc9t  8      09/04/2024, 05:34
240409-f9bkaabc8w  8      09/04/2024, 05:33
240409-f86n2abc71  8      09/04/2024, 05:33
240409-f8wh3afh27  8      09/04/2024, 05:33
240201-nlq9tsebck  10     01/02/2024, 11:29
Analysis
max time kernel: 1200s
max time network: 1197s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 05:33
Static task: static1
Behavioral task behavioral1: sample svchost_dump_SCY - Copy.exe, resource win7-20240221-en
Behavioral task behavioral2: sample svchost_dump_SCY - Copy.exe, resource win10-20240404-en
Behavioral task behavioral3: sample svchost_dump_SCY - Copy.exe, resource win10v2004-20240226-en
Behavioral task behavioral4: sample svchost_dump_SCY - Copy.exe, resource win11-20240319-en
General
Target: svchost_dump_SCY - Copy.exe
Size: 5.2MB
MD5: 5fd3d21a968f4b8a1577b5405ab1c36a
SHA1: 710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256: 7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512: 085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP: 98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Malware Config
Signatures
Modifies Windows Firewall 2 TTPs 14 IoCs
pid   process
1900  netsh.exe
1872  netsh.exe
1676  netsh.exe
2840  netsh.exe
1636  netsh.exe
2196  netsh.exe
1640  netsh.exe
1660  netsh.exe
2552  netsh.exe
1768  netsh.exe
2104  netsh.exe
2732  netsh.exe
1060  netsh.exe
1900  netsh.exe
Executes dropped EXE 7 IoCs
pid   process
1612  svchost.exe
1964  ~tl57D.tmp
2724  svchost.exe
652   svchost.exe
1068  ~tl6C4.tmp
1452  svchost.exe
1188  ~tl401C.tmp
Loads dropped DLL 12 IoCs
pid   process
3064  svchost_dump_SCY - Copy.exe
3064  svchost_dump_SCY - Copy.exe
1612  svchost.exe
1612  svchost.exe
2408  taskeng.exe
2408  taskeng.exe
1964  ~tl57D.tmp
2724  svchost.exe
2724  svchost.exe
3008  taskeng.exe
1452  svchost.exe
1452  svchost.exe
Drops file in System32 directory 18 IoCs
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg | svchost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | ~tl6C4.tmp
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm | ~tl6C4.tmp
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | ~tl401C.tmp
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm | ~tl401C.tmp
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Windows directory 8 IoCs
description | ioc | process
File created | C:\Windows\System\xxx1.bak | svchost.exe
File created | C:\Windows\System\xxx1.bak | svchost_dump_SCY - Copy.exe
File created | C:\Windows\System\svchost.exe | svchost_dump_SCY - Copy.exe
File opened for modification | C:\Windows\System\svchost.exe | svchost_dump_SCY - Copy.exe
File created | C:\Windows\System\xxx1.bak | svchost.exe
File created | C:\Windows\System\xxx1.bak | ~tl57D.tmp
File opened for modification | C:\Windows\System\svchost.exe | ~tl57D.tmp
File created | C:\Windows\System\xxx1.bak | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   process
544   schtasks.exe
2440  schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid   process
2660  powershell.exe
2416  powershell.exe
3064  svchost_dump_SCY - Copy.exe
1464  powershell.exe
2244  powershell.exe
1964  ~tl57D.tmp
1596  powershell.exe
2648  powershell.exe
1964  ~tl57D.tmp
2724  svchost.exe
2640  powershell.exe
1516  powershell.exe
1068  ~tl6C4.tmp
1912  powershell.exe
1456  powershell.exe
1452  svchost.exe
2760  powershell.exe
2216  powershell.exe
1188  ~tl401C.tmp
652   powershell.exe
852   powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
PID:1636
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
PID:2552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"2⤵PID:2788
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
PID:544
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:1900
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:1872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2244
-
-
C:\Users\Admin\AppData\Local\Temp\~tl57D.tmpC:\Users\Admin\AppData\Local\Temp\~tl57D.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵PID:884
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:1676
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:2104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"4⤵PID:2816
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM4⤵
- Creates scheduled task(s)
PID:2440
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal4⤵
- Executes dropped EXE
PID:652
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {370C3B2F-E85D-4143-8BEC-12F7D0A5BC7E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2724 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645113⤵
- Modifies data under HKEY_USERS
PID:308
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:2840
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2640
-
-
C:\Windows\TEMP\~tl6C4.tmpC:\Windows\TEMP\~tl6C4.tmp3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1068 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
- Modifies data under HKEY_USERS
PID:2232
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:1060
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1456
-
-
-
-
[depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {BB5F83E3-E063-4FC5-9C88-D58142345155} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
  PID:3008
[depth 2] \??\c:\windows\system\svchost.exe
  Command line: c:\windows\system\svchost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
[depth 3] C:\Windows\system32\netsh.exe
  Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  PID:1996
[depth 3] C:\Windows\System32\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  PID:1640
[depth 3] C:\Windows\System32\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  PID:1768
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
[depth 3] C:\Windows\TEMP\~tl401C.tmp
  Command line: C:\Windows\TEMP\~tl401C.tmp
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
[depth 4] C:\Windows\system32\netsh.exe
  Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  - Modifies data under HKEY_USERS
  PID:3064
[depth 4] C:\Windows\System32\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  PID:1660
[depth 4] C:\Windows\System32\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  PID:1900
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:852
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:652
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB)