Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 02:49
Static task
static1
Behavioral task
behavioral1
Sample
2345pic_x64.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2345pic_x64.msi
Resource
win10v2004-20241007-en
General
-
Target
2345pic_x64.msi
-
Size
79.4MB
-
MD5
fe984489b63aa7cd7aee6c48fe69e08d
-
SHA1
b5cac8c66311b7601e0ef2a1d134bf06a8079497
-
SHA256
092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060
-
SHA512
806872b46c843727d4a980e46fef0a662115a6429868e74c8889d9363323008797c5b11ad54bb524709cb26087a8bec42b0051f701af4766ee7227068a7a0e92
-
SSDEEP
1572864:NmsJ8LVVmCjLbWQVZq/5u3dOdYMBWkAhIo/qQXAbJqWOm9uUQerttNG2MZ7dE:ojyCjLLZq/5ukpBVMWchl5erttNXMZ7S
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3504-111-0x000000002B8E0000-0x000000002BA9D000-memory.dmp purplefox_rootkit behavioral2/memory/3504-113-0x000000002B8E0000-0x000000002BA9D000-memory.dmp purplefox_rootkit behavioral2/memory/3504-114-0x000000002B8E0000-0x000000002BA9D000-memory.dmp purplefox_rootkit behavioral2/memory/3504-115-0x000000002B8E0000-0x000000002BA9D000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 4 IoCs
resource yara_rule behavioral2/memory/3504-111-0x000000002B8E0000-0x000000002BA9D000-memory.dmp family_gh0strat behavioral2/memory/3504-113-0x000000002B8E0000-0x000000002BA9D000-memory.dmp family_gh0strat behavioral2/memory/3504-114-0x000000002B8E0000-0x000000002BA9D000-memory.dmp family_gh0strat behavioral2/memory/3504-115-0x000000002B8E0000-0x000000002BA9D000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4332 powershell.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: aAvapbvtIRjv.exe File opened (read-only) \??\O: aAvapbvtIRjv.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: aAvapbvtIRjv.exe File opened (read-only) \??\R: aAvapbvtIRjv.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: aAvapbvtIRjv.exe File opened (read-only) \??\T: aAvapbvtIRjv.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: aAvapbvtIRjv.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: aAvapbvtIRjv.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Q: aAvapbvtIRjv.exe File opened (read-only) \??\Y: aAvapbvtIRjv.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: aAvapbvtIRjv.exe File opened (read-only) \??\G: aAvapbvtIRjv.exe File opened (read-only) \??\U: aAvapbvtIRjv.exe File opened (read-only) \??\Z: aAvapbvtIRjv.exe File opened (read-only) \??\S: aAvapbvtIRjv.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: aAvapbvtIRjv.exe File opened (read-only) \??\V: aAvapbvtIRjv.exe File opened (read-only) \??\W: aAvapbvtIRjv.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\J: aAvapbvtIRjv.exe File opened (read-only) \??\P: aAvapbvtIRjv.exe File opened (read-only) \??\B: msiexec.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jnSNQNClfnFm.exe.log jnSNQNClfnFm.exe -
Drops file in Program Files directory 17 IoCs
description ioc Process File created C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe wBtkOfXYmrXB.exe File created C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe msiexec.exe File opened for modification C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log jnSNQNClfnFm.exe File opened for modification C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log jnSNQNClfnFm.exe File created C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe wBtkOfXYmrXB.exe File created C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs aAvapbvtIRjv.exe File opened for modification C:\Program Files\EnableMagneticOverseer aAvapbvtIRjv.exe File opened for modification C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log jnSNQNClfnFm.exe File created C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv wBtkOfXYmrXB.exe File created C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml wBtkOfXYmrXB.exe File opened for modification C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml wBtkOfXYmrXB.exe File opened for modification C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe wBtkOfXYmrXB.exe File opened for modification C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe wBtkOfXYmrXB.exe File created C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe msiexec.exe File created C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg msiexec.exe File created C:\Program Files\EnableMagneticOverseer\valibclang2d.dll msiexec.exe File opened for modification C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv wBtkOfXYmrXB.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{944047DE-2AC8-485B-B376-DA72238E3394} msiexec.exe File opened for modification C:\Windows\Installer\MSID467.tmp msiexec.exe File created C:\Windows\Installer\e57d275.msi msiexec.exe File created C:\Windows\Installer\e57d273.msi msiexec.exe File opened for modification C:\Windows\Installer\e57d273.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe -
Executes dropped EXE 8 IoCs
pid Process 1020 wBtkOfXYmrXB.exe 2860 aAvapbvtIRjv.exe 1860 2345pic_x64.exe 2424 jnSNQNClfnFm.exe 2760 jnSNQNClfnFm.exe 3448 jnSNQNClfnFm.exe 2436 aAvapbvtIRjv.exe 3504 aAvapbvtIRjv.exe -
Loads dropped DLL 5 IoCs
pid Process 1860 2345pic_x64.exe 1860 2345pic_x64.exe 1860 2345pic_x64.exe 1860 2345pic_x64.exe 1860 2345pic_x64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2220 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wBtkOfXYmrXB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aAvapbvtIRjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2345pic_x64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aAvapbvtIRjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aAvapbvtIRjv.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 aAvapbvtIRjv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz aAvapbvtIRjv.exe -
Modifies data under HKEY_USERS 56 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WScript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host WScript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1EC50D645954B34429904554B396BE7B msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\PackageName = "2345pic_x64.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ED7404498CA2B5843B67AD2732E83349 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1EC50D645954B34429904554B396BE7B\ED7404498CA2B5843B67AD2732E83349 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\ProductName = "EnableMagneticOverseer" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\PackageCode = "4FD2201DFC0C4BE40B0948F4609DD271" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ED7404498CA2B5843B67AD2732E83349\ProductFeature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Version = "16973827" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\DeploymentFlags = "3" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4476 msiexec.exe 4476 msiexec.exe 4332 powershell.exe 4332 powershell.exe 4332 powershell.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe 2860 aAvapbvtIRjv.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2220 msiexec.exe Token: SeIncreaseQuotaPrivilege 2220 msiexec.exe Token: SeSecurityPrivilege 4476 msiexec.exe Token: SeCreateTokenPrivilege 2220 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2220 msiexec.exe Token: SeLockMemoryPrivilege 2220 msiexec.exe Token: SeIncreaseQuotaPrivilege 2220 msiexec.exe Token: SeMachineAccountPrivilege 2220 msiexec.exe Token: SeTcbPrivilege 2220 msiexec.exe Token: SeSecurityPrivilege 2220 msiexec.exe Token: SeTakeOwnershipPrivilege 2220 msiexec.exe Token: SeLoadDriverPrivilege 2220 msiexec.exe Token: SeSystemProfilePrivilege 2220 msiexec.exe Token: SeSystemtimePrivilege 2220 msiexec.exe Token: SeProfSingleProcessPrivilege 2220 msiexec.exe Token: SeIncBasePriorityPrivilege 2220 msiexec.exe Token: SeCreatePagefilePrivilege 2220 msiexec.exe Token: SeCreatePermanentPrivilege 2220 msiexec.exe Token: SeBackupPrivilege 2220 msiexec.exe Token: SeRestorePrivilege 2220 msiexec.exe Token: SeShutdownPrivilege 2220 msiexec.exe Token: SeDebugPrivilege 2220 msiexec.exe Token: SeAuditPrivilege 2220 msiexec.exe Token: SeSystemEnvironmentPrivilege 2220 msiexec.exe Token: SeChangeNotifyPrivilege 2220 msiexec.exe Token: SeRemoteShutdownPrivilege 2220 msiexec.exe Token: SeUndockPrivilege 2220 msiexec.exe Token: SeSyncAgentPrivilege 2220 msiexec.exe Token: SeEnableDelegationPrivilege 2220 msiexec.exe Token: SeManageVolumePrivilege 2220 msiexec.exe Token: SeImpersonatePrivilege 2220 msiexec.exe Token: SeCreateGlobalPrivilege 2220 msiexec.exe Token: SeBackupPrivilege 3496 vssvc.exe Token: SeRestorePrivilege 3496 vssvc.exe Token: SeAuditPrivilege 3496 vssvc.exe Token: SeBackupPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeDebugPrivilege 4332 powershell.exe Token: SeRestorePrivilege 1020 wBtkOfXYmrXB.exe Token: 35 1020 wBtkOfXYmrXB.exe Token: SeSecurityPrivilege 1020 wBtkOfXYmrXB.exe Token: SeSecurityPrivilege 1020 wBtkOfXYmrXB.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe Token: SeRestorePrivilege 4476 msiexec.exe Token: SeTakeOwnershipPrivilege 4476 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2220 msiexec.exe 2220 msiexec.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 4476 wrote to memory of 1380 4476 msiexec.exe 104 PID 4476 wrote to memory of 1380 4476 msiexec.exe 104 PID 4476 wrote to memory of 1160 4476 msiexec.exe 106 PID 4476 wrote to memory of 1160 4476 msiexec.exe 106 PID 1160 wrote to memory of 4332 1160 MsiExec.exe 107 PID 1160 wrote to memory of 4332 1160 MsiExec.exe 107 PID 1160 wrote to memory of 2540 1160 MsiExec.exe 109 PID 1160 wrote to memory of 2540 1160 MsiExec.exe 109 PID 2540 wrote to memory of 1020 2540 cmd.exe 111 PID 2540 wrote to memory of 1020 2540 cmd.exe 111 PID 2540 wrote to memory of 1020 2540 cmd.exe 111 PID 1160 wrote to memory of 2860 1160 MsiExec.exe 113 PID 1160 wrote to memory of 2860 1160 MsiExec.exe 113 PID 1160 wrote to memory of 2860 1160 MsiExec.exe 113 PID 1160 wrote to memory of 1860 1160 MsiExec.exe 114 PID 1160 wrote to memory of 1860 1160 MsiExec.exe 114 PID 1160 wrote to memory of 1860 1160 MsiExec.exe 114 PID 3448 wrote to memory of 2436 3448 jnSNQNClfnFm.exe 125 PID 3448 wrote to memory of 2436 3448 jnSNQNClfnFm.exe 125 PID 3448 wrote to memory of 2436 3448 jnSNQNClfnFm.exe 125 PID 2436 wrote to memory of 3504 2436 aAvapbvtIRjv.exe 127 PID 2436 wrote to memory of 3504 2436 aAvapbvtIRjv.exe 127 PID 2436 wrote to memory of 3504 2436 aAvapbvtIRjv.exe 127 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2345pic_x64.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2220
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1380
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 0E311BA5C80FBF9496B5BE399D19FB9C E Global\MSI00002⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnableMagneticOverseer'3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y3⤵
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe"C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y4⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
-
C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe"C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 182 -file file3 -mode mode3 -flag flag33⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2860
-
-
C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe"C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1860
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs"1⤵
- Modifies data under HKEY_USERS
PID:4392
-
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe"C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe" install1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:2424
-
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe"C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe" start1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:2760
-
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe"C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe"C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 250 -file file3 -mode mode3 -flag flag32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe"C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 132 -file file3 -mode mode3 -flag flag33⤵
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3504
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5c8dc4ab472defe7fc733961fb6f2cd02
SHA1e0f6c22a6b68feb723561c3440a0d93a805dcf0e
SHA2561fbcc1926a95f7fea21d7c344298da37c82d350c3e1bbe49da756b4fd6bca0bb
SHA512ac4a99f2f05a24193b72bc01cac8006d630ca0eee7ab7935228fed907714bfefa14b682e3a6ff3b8fdf0a2994cc9cc8f0eae1d6eedabc058c1714e5256805b58
-
Filesize
3.2MB
MD590a521d21169049fdf1a244fc2989377
SHA1e9b0db47e89683444ba886fa8091167e160f6b30
SHA2567dd65fb863051edda07d0f84c65c36cd7388aa28464eb3f6c541f73c9f195f41
SHA512e20e25cf49489861dcb00cb4b38f9c96b26b016b55a9b92ab082ef422db98dad3936b6918b65f1874ba4fe1a0208e8bae701aaf3d7e3bdcca3f046eb0826f8dc
-
Filesize
2KB
MD51e0499cb02d625084bc87bdc378c766f
SHA14a28d0d6b3f69ab3254a08be8a102bf5690d661f
SHA2560a3a48ab6d2e8cb621cef3949557ee289d566f788e99d1091fb1a4fa838273b7
SHA51237b147378920a187bb9d18ef930d9e86d12b238657e794398f32065b77211c165a6c680421d44742508d3bdbd0143431b0c37cc05056e9ce5ad1fc54727ff370
-
Filesize
832KB
MD5d305d506c0095df8af223ac7d91ca327
SHA1679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA51294d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
-
Filesize
266B
MD5d18f87f7004e3ac55561aa704e26282c
SHA17fde867b93d5df3d213299288dbfb7b286afbec1
SHA256b9d847d037dbedb3bbcacbc26eb9f74cc88bac0dd3b90dbb56d7a609113e65e9
SHA512911373d38898f2e743bfc4ccb5e518e7dc5ef14d28fc537603efd1114103369a2978a2b000e8712e9c3b7908f0030f1f2172fd6da451fc00e89153d28eb43d05
-
Filesize
422B
MD587b2d528ed00646fd75b4817f725032a
SHA1e648eed484a5b1f25538144cda80d28fb6e3dea4
SHA2568609d5b44d1cab003e0fc814b5cca783909f7121e2aa88ff873465ea68a52503
SHA512a4fe9bfc4d4c1f093186df5bcaae6b369ebd8aefbc57518059f7a4bf9d2c06be72e9cd8883971a8be296b8b7b8d0bc804ec4967824054792dd157c42e30f402e
-
Filesize
588B
MD5757c15a14e12c68efbd01019dff55da0
SHA18e69abb44a442891fa6331643f180c5a95936c62
SHA2561fc34ab60fe69645e7fba20ae74ef73c25de06df3cb766c491cd145f7f5c1310
SHA512f39268a01c693c6bb5b348b69ed5c4c008877f7c0f0f6c9a9420aedf58c1577374bc69996d2fb2d0ee392587239e35aba66ace4067690bb81855d3875651eae2
-
Filesize
437B
MD55bb0d373e349c5b338e75bb61087c8a7
SHA17f1ef7fdfd8be7d238dbda9a8742abd0e584e788
SHA25682c7224a57ffe8384766daf2c00acb148d9ca79db5cb2bc222ec9f385bcd966c
SHA512f887e41966eda84cafb7e003f946116be2d9dcc8fe1578050f296771ff8735fee06730de5cd1c7408148d91b61f5c87515c1b53440191e5a31f08317c6758a49
-
Filesize
2.4MB
MD55ac34b87f21ae7fedf4dc629181decf0
SHA13890201e28d44a46b6e810b5bc5eddfec78d92b9
SHA256ffc5b747ee4183aa7b298e7e296981d19321c208ae40b0052f1965033da5ebb4
SHA512fbfee20bf2795f2e67ef24a1add342d61c131226ab74638447c5be70f4acd0ad9e51db1f58e69e4785446e2af71208a729636c0a79db1415712e67ebad8c2eda
-
Filesize
577KB
MD5c31c4b04558396c6fabab64dcf366534
SHA1fa836d92edc577d6a17ded47641ba1938589b09a
SHA2569d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
624KB
MD5cc7eab4f83339cca63f763114ca04c6c
SHA14da526e8b270dc16865813801dc5bcda8162c09d
SHA256a1c9c3b3bc8e75aa91f639da10835210e81aeb7fb5db79ac0703e1594e516b5b
SHA512d1df9bdb61dcc95e579adf4891c000feee83f9f4a3f82debca617fb62afff16707707681c2f2655aa02756873d5251db74d5b843ec56c3e12ab1120355360ef0
-
Filesize
2.4MB
MD52f2ae26fd88c512ac0feb39fa42ee894
SHA1ac50a5fd61933bdd2a54e6503e39438f05af3304
SHA2569117cafe403e445a291141ee898845799a165c383d3dfcf76c1870f66782e6b1
SHA512b919244cd08118a2258cb062e5ce3a4626d82ed0ca3600a018bdb97962b9f96d57d1a08d338fd41fbae4af72debf7840707f67d442e53ec8a15cb8002ee725e6
-
Filesize
27KB
MD5a568feaa357f44dd50c5e447fa8ee1b2
SHA15c765fad342b756d5ea522087c6f7567b5f3ed57
SHA25657947a15ad3215185c7e15a5f0da393570845a13ab7b184a07fcefbf97537e48
SHA5127c8c36c0123de839e677beeba65c1af56c5e85d8f1ff2c94950aed33e026dff3fbda8c49859012862110117977c928b814c0d91c477583a2b8f83d73f3cdf174
-
Filesize
2.1MB
MD5a26e75c0407c87786eea42febdb32532
SHA127e52fdca023cb8f031cd55ac37965d93f7f7da7
SHA256635f988beb849c6510f54f681387bf810c2266bd27834c5a9c160cbfe6df44d4
SHA512fdd9760442579ad2a3df4f31464f9e66bc19a4390fa1c81afb516cce817097b5324024f712d9c1bf1a11ad30324f5a8aa83c72a732e1197e8804ab806d3859e6
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jnSNQNClfnFm.exe.log
Filesize1KB
MD5122cf3c4f3452a55a92edee78316e071
SHA1f2caa36d483076c92d17224cf92e260516b3cbbf
SHA25642f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c
-
Filesize
24.1MB
MD5df26b32c0d5372231cab50e082ea36d1
SHA15549f80198d7bcfa70e2dcc29b7c2ca74674b702
SHA256372d3aebdbe30737198d4af177b4d30b3bb361717404c169135caf7ccfa1ccf8
SHA5126a916066a5aa7aeac81cd221917005104303c0f8a62631b566c18e9b28145635551eae4b40e9b4ac19bba1a6b5c370dfdf61e7fa078a5d94e395a0f09ffdf4d6
-
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{362a17aa-4295-4ed9-ab1b-84bf7668cf61}_OnDiskSnapshotProp
Filesize6KB
MD5cecbe3a64cdd057f48d8cc93c89df349
SHA1922538d893d4f608443b37badaab9883827d0772
SHA256d7268ae513381e4fb0a20bf404683973d8db3319578cd5277a5677f80815d48f
SHA512052912baec91f573a95814b5d49c82d7fb6e43947ec49253fccf1063e57966056550df283c50709c8fe8816be0fcfa731f33812e7dba13465d06c9d43cdc2b74