Analysis
max time kernel: 142s
max time network: 145s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 15/08/2024, 10:51
Behavioral task: behavioral1
Sample: e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe
Resource: win7-20240705-en
General
Target: e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe
Size: 5.2MB
MD5: 6c5862dd6742b207080c3bf04987ed32
SHA1: 28cefb613aac4959f44677a2348391cae9e89e6b
SHA256: e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1
SHA512: 9582818d8a419bb34e979980b259fdbbd9c92c1c42f695fc3e490080d14fbe7822304d7a0c196a4fedd03541ee874bfe5d3dd0dafdb39d50410da17cf7e901e0
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUt
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
unknown1: 4096
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 42 IoCs
Executes dropped EXE 21 IoCs
Loads dropped DLL 21 IoCs
The upx yara_rule matched files and process memory dumps from behavioral1.
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeLockMemoryPrivilege (pid 2680, process e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe)
Token: SeLockMemoryPrivilege (pid 2680, process e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe)
Suspicious use of WriteProcessMemory 63 IoCs
Processes
PID 2680: "C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Child processes of PID 2680 (each: Executes dropped EXE):
  PID 2520: C:\Windows\System\pNeUTif.exe
  PID 2036: C:\Windows\System\QPXJSxo.exe
  PID 1272: C:\Windows\System\obsqxNl.exe
  PID 2384: C:\Windows\System\hcKEmuA.exe
  PID 2468: C:\Windows\System\fFUTFtA.exe
  PID 2752: C:\Windows\System\TKWVWjn.exe
  PID 2820: C:\Windows\System\ZGaSjhh.exe
  PID 2804: C:\Windows\System\oXtzcXT.exe
  PID 2728: C:\Windows\System\ZxCNvtS.exe
  PID 2900: C:\Windows\System\bbdvqTT.exe
  PID 2904: C:\Windows\System\YkkUYjw.exe
  PID 2636: C:\Windows\System\mXHhqKr.exe
  PID 2616: C:\Windows\System\GMdwZHW.exe
  PID 2644: C:\Windows\System\YHnqPjN.exe
  PID 2504: C:\Windows\System\sACSDfI.exe
  PID 1520: C:\Windows\System\bTXGbch.exe
  PID 2920: C:\Windows\System\unZvjEf.exe
  PID 2128: C:\Windows\System\HJeYymq.exe
  PID 2668: C:\Windows\System\DFWgMil.exe
  PID 2944: C:\Windows\System\QiAhZMx.exe
  PID 2936: C:\Windows\System\wdiLCzd.exe
Downloads