Analysis Overview
SHA256
3e186472c2020abca4cef8673cac61fac90dd135f58dca13221c66bea62e4b9d
Threat Level: Known bad
The file Syaaz.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visiblity of hidden/system files in Explorer
Process spawned unexpected child process
Detect ZGRat V1
ZGRat
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-04 15:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-04 15:23
Reported
2024-05-04 15:36
Platform
win7-20240221-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\syaaz.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syaaz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syaaz.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Syaaz.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syaaz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syaaz.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Syaaz.exe
"C:\Users\Admin\AppData\Local\Temp\Syaaz.exe"
\??\c:\users\admin\appdata\local\temp\syaaz.exe
c:\users\admin\appdata\local\temp\syaaz.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2356 -s 156
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:35 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:36 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:37 /f
Network
Files
memory/1032-0-0x0000000000400000-0x000000000041F000-memory.dmp
\Users\Admin\AppData\Local\Temp\syaaz.exe
| MD5 | 18bcc3e896b173891e2f16cb7ea99662 |
| SHA1 | 4c67259d87428752f34cb22a3acbc0f2d5dfdc1f |
| SHA256 | 5427611cbbdea8ef4ce6b8306939dd35ee6b5bd939875cc26587885ff95dff9b |
| SHA512 | 0149efb58d8241ff7d50ed9bce0f4e61c061173ad5a83442e08a16f412c3448fe74633cff0283103e1f299165335864e1dc817301bc17da7c70965abcac3b48d |
\Windows\Resources\Themes\icsys.icn.exe
| MD5 | 2d272a9e71c1e0b670e5a666416dfe84 |
| SHA1 | 9a64430763c537f978115383f5ba69017a18c9e7 |
| SHA256 | ce8ea4132f3627cd1d823b481973c3790e4b0f3453e16537920c65ced84ba118 |
| SHA512 | 194dd053ebf8ed722229207b39dea1c76bc5d6ca5279ba5ce8bd2fc9d72bdf8bd29f961a0ea24c9ea9d602a0cefc9aa26f097ec8e10d33fdd62b71b2039ad6a7 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | c4d7bc66a27fd889e4723a08762726fc |
| SHA1 | 6978b539cf9bc46e5d5922d5e141361f5da7cb71 |
| SHA256 | 7ace49fb27732368b2136773d13210a37d9b01dfb8fc6cc52977a55633b562f2 |
| SHA512 | 2f9204cc0e2b0983d4ba9424d849774bada1794bb0be2ae567ac3e6f5c6e5af3b072fbddf9c9587cf16b7a065e9f4f5ddcd286790aacead3db29445c12ad7414 |
\Windows\Resources\spoolsv.exe
| MD5 | d81d40537f0ef3b47ef59f6e16b6afb7 |
| SHA1 | 0bc9eecddac26ae1ee79045be997f82240e40dfc |
| SHA256 | d7485ebaea2ab9a4a1390afc9d023896facf1cd1632c803e8b3de9111eb6f60f |
| SHA512 | a471ad1ab3a06996d9b886c84102595dd6fc6eef001c3ee89165b320ca1f17f556e291439527956be88590856859f43db69b09d0bb874403294764d598445c3a |
memory/2828-35-0x0000000000500000-0x000000000051F000-memory.dmp
\Windows\Resources\svchost.exe
| MD5 | 98e84845beeb16fcbd79c14abc5e3146 |
| SHA1 | 889c7484f0462d81d740457062768ef97de1c2cd |
| SHA256 | 12983ce41d6ce092b4f86b5d587a11e7d6e801c8218260f6cb9c4e2e28dcff05 |
| SHA512 | 04aa7a444a6da750636565b0fc360660692b5137f3d86cd9d455d6aeeb5a5bb38208426fbaa4fa16990ba37a706eea89f80f1ff49a4c886b1cc0baf60d420087 |
memory/2648-48-0x0000000000360000-0x000000000037F000-memory.dmp
memory/2844-55-0x00000000002C0000-0x00000000002DF000-memory.dmp
memory/2648-61-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2708-60-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1028-62-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1032-63-0x0000000000400000-0x000000000041F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-04 15:23
Reported
2024-05-04 15:36
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
ZGRat
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | \??\c:\users\admin\appdata\local\temp\syaaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\ntoskrnl2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\syaaz.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\ntoskrnl2.exe | N/A |
| N/A | N/A | C:\Users\Default\RuntimeBroker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
| File created | C:\Windows\System32\33a22f3fbfeb15 | C:\Windows\System32\ntoskrnl2.exe | N/A |
| File created | C:\Windows\System32\ntoskrnl2.exe | \??\c:\users\admin\appdata\local\temp\syaaz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\syaaz.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\e1ef82546f0b02 | C:\Windows\System32\ntoskrnl2.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\en-US\SearchApp.exe | C:\Windows\System32\ntoskrnl2.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\en-US\38384e6a620884 | C:\Windows\System32\ntoskrnl2.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\SppExtComObj.exe | C:\Windows\System32\ntoskrnl2.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Syaaz.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File created | C:\Windows\OCR\es-es\csrss.exe | C:\Windows\System32\ntoskrnl2.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings | C:\Windows\System32\ntoskrnl2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\ntoskrnl2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Default\RuntimeBroker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syaaz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syaaz.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Syaaz.exe
"C:\Users\Admin\AppData\Local\Temp\Syaaz.exe"
\??\c:\users\admin\appdata\local\temp\syaaz.exe
c:\users\admin\appdata\local\temp\syaaz.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode con cols=55 lines=15
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\system32\mode.com
mode con cols=55 lines=15
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\System32\ntoskrnl2.exe
"C:\Windows\System32\ntoskrnl2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\syaaz.exe " MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "c:\users\admin\appdata\local\temp\syaaz.exe " MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ntoskrnl2n" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\ntoskrnl2.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ntoskrnl2" /sc ONLOGON /tr "'C:\Windows\System32\ntoskrnl2.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ntoskrnl2n" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\ntoskrnl2.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ntoskrnl2.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B995gVWHnf.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\RuntimeBroker.exe
"C:\Users\Default\RuntimeBroker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:55586 | tcp | |
| N/A | 127.0.0.1:55588 | tcp | |
| N/A | 127.0.0.1:55593 | tcp | |
| N/A | 127.0.0.1:55595 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128538cm.n9shteam3.top | udp |
| US | 172.67.145.174:80 | 128538cm.n9shteam3.top | tcp |
| US | 172.67.145.174:80 | 128538cm.n9shteam3.top | tcp |
| US | 8.8.8.8:53 | 174.145.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/4208-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\syaaz.exe
| MD5 | 18bcc3e896b173891e2f16cb7ea99662 |
| SHA1 | 4c67259d87428752f34cb22a3acbc0f2d5dfdc1f |
| SHA256 | 5427611cbbdea8ef4ce6b8306939dd35ee6b5bd939875cc26587885ff95dff9b |
| SHA512 | 0149efb58d8241ff7d50ed9bce0f4e61c061173ad5a83442e08a16f412c3448fe74633cff0283103e1f299165335864e1dc817301bc17da7c70965abcac3b48d |
memory/1612-10-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | 2d272a9e71c1e0b670e5a666416dfe84 |
| SHA1 | 9a64430763c537f978115383f5ba69017a18c9e7 |
| SHA256 | ce8ea4132f3627cd1d823b481973c3790e4b0f3453e16537920c65ced84ba118 |
| SHA512 | 194dd053ebf8ed722229207b39dea1c76bc5d6ca5279ba5ce8bd2fc9d72bdf8bd29f961a0ea24c9ea9d602a0cefc9aa26f097ec8e10d33fdd62b71b2039ad6a7 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 1f1b7758664e3b3f12e62ddaaf872957 |
| SHA1 | 8a26dbc43bcd6d71bc1f674142e50bd0e36be570 |
| SHA256 | 2918027a82aa7f965ce2d287d232d8873f25a3e25c261a5332206ab4e2fa4455 |
| SHA512 | 0548c1c7c96fd2e4973cd0c659275431871001f18dfbb4a53e5bc617cbd214f8237dc9661ea62bb84ce1713190cbc9e7eccc2e6061cfd79545ce1bd5cd0aa37e |
C:\Windows\Resources\spoolsv.exe
| MD5 | ca0fd8761b5171c6c843121599c66055 |
| SHA1 | 73457c7e7061f788032742dbce553e4ec4b7fb2c |
| SHA256 | 07feec4f6e3143f11dde0477e2ed6b0299cb4a20bd522ee6dbd0698c4fb02786 |
| SHA512 | 11864533f99c5c441e6756196be028ee1ebe63d21626fec3a0c15b24d74d654045f8d74bb64d85bb1a5e1c7f49e52c5b7615ac6ce600d0849f767b71efbf01c2 |
C:\Windows\Resources\svchost.exe
| MD5 | a67c565a822eb8a6c845082d6590f980 |
| SHA1 | 8eefe69289a0316ccfda1f00eefaf976255af9ac |
| SHA256 | 8339f1216cd832f96d7e812d4d265e6cd1f92ae564054afd60bbda02f03049cd |
| SHA512 | 32f643e29dd3c78005b23b043f421b4f96853e66363aafd1be8e19c5a23250119a5ced559c7f8740a0456872267be307bdae270d7c21de568c3d2bec063b9e70 |
C:\Windows\System32\ntoskrnl2.exe
| MD5 | c8848d70c25cf0a1e0a4122cab55e5f8 |
| SHA1 | 20e0cffe94951e3201ca5aa3f5a2876b20408702 |
| SHA256 | 6ebed9f6de82360a3724c5148eaaced3273ce3e48826492d87da9d7e978eb6fc |
| SHA512 | b93aada5cdf824c5feb5c2a992a92cb929479241e7895c42c8a6af32b11c72767523d4abd641c44a0b2e310288e533f7aeef3f1931023ac72154171bc83d2cc0 |
memory/892-55-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2728-56-0x00000000009C0000-0x00000000009C8000-memory.dmp
memory/2368-57-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4208-58-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1612-59-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2728-60-0x000000001B5B0000-0x000000001B76A000-memory.dmp
memory/2728-90-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-72-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-64-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-98-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-122-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-124-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-120-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-118-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-116-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-112-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-110-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-106-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-114-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-108-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-104-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-102-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-100-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-96-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-94-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-92-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-88-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-86-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-84-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-82-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-80-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-79-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-76-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-74-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-70-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-68-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-66-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-62-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-61-0x000000001B5B0000-0x000000001B764000-memory.dmp
memory/2728-3619-0x0000000002AD0000-0x0000000002ADE000-memory.dmp
memory/2728-3621-0x000000001B500000-0x000000001B512000-memory.dmp
memory/2728-3623-0x000000001B4C0000-0x000000001B4CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wwvi3wo.r43.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4412-3648-0x000001FC2B140000-0x000001FC2B162000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B995gVWHnf.bat
| MD5 | 7384b7218388d472337422dbf966c9ce |
| SHA1 | 743bdbe29c0c8d2f7a8fb914bdb9e1b172fd7918 |
| SHA256 | e9cea18398f7ae834ec2b5d6aa706f55243a1bb220150bdcb0aee836a7ef7603 |
| SHA512 | 84ab8426e44172d795e184f2233ed0420f9bb11ee51cc0fcb21b15bc2b794d36a1572f36045ab1c15968992f02910bc84ff325a64b7b2f7d9f64b61d9ff28b05 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |