Analysis
max time kernel: 4294211s
max time network: 130s
platform: windows7_x64
resource: win7-20220223-en
submitted: 06-03-2022 06:41
Static task: static1
Behavioral task: behavioral1
  Sample: 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
  Resource: win10v2004-en-20220113
General
Target: 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Size: 214KB
MD5: 42ea94ee3adca8b82fba15ecdde25f26
SHA1: ca17412cd44d186db91c4b2fa7df03363533ffd2
SHA256: 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
SHA512: cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874
Malware Config
Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Signatures

Buran
Ransomware-as-a-service first identified in 2019; a variant of the VegaLocker family.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes:
  PID 272   svchost.exe
  PID 1480  svchost.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1620  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe (2 events)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe  Key created  \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run
  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  svchost.exe  File opened (read-only) \??\<letter>: for A:, B: and every letter E: through Z: (24 entries; every drive letter except C: and D:)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 4  geoiptool.com
Drops file in Program Files directory (64 IoCs)
Processes: svchost.exe for every entry below ("modified" = File opened for modification, "created" = File created)
  modified  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198494.WMF
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG.822-7B1-847
  modified  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.822-7B1-847
  modified  C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
  modified  C:\Program Files\Java\jre7\lib\zi\Pacific\Easter
  modified  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF
  modified  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.822-7B1-847
  modified  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_K_COL.HXK.822-7B1-847
  modified  C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png
  modified  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF
  modified  C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF
  created   C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  modified  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML
  modified  C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM
  modified  C:\Program Files\7-Zip\Lang\an.txt.822-7B1-847
  created   C:\Program Files\Java\jdk1.7.0_80\db\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  modified  C:\Program Files\Java\jre7\lib\security\java.policy
  modified  C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui
  modified  C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H
  modified  C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui
  modified  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF
  modified  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai
  modified  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.822-7B1-847
  modified  C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung.822-7B1-847
  modified  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Office14\1033\ACTIP10.HLP
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico.822-7B1-847
  modified  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GreenTea.css.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML
  modified  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.DPV
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01734_.GIF
  modified  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14800_.GIF
  modified  C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.822-7B1-847
  modified  C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym
  modified  C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.822-7B1-847
  modified  C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx
  modified  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF.822-7B1-847
  modified  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228823.WMF.822-7B1-847
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg
  modified  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg.822-7B1-847
  modified  C:\Program Files\Java\jre7\lib\ext\dnsns.jar.822-7B1-847
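The list above is only useful once it is split back into records, so here is an added Python example (not part of the sandbox report) that parses entries of the form "<action> <path> <process>" as the report runs them together, extracts the suffix the ransomware appends to encrypted files, and separates ransom-note drops from encryption writes. The sample input is constructed from six entries in the list above; the three-hex-triplet suffix pattern (.822-7B1-847) is an assumption taken from this run, and other Buran builds may use a different victim-ID format.

```python
"""Triage helper for a run-together sandbox IoC list.  Added example, not part of
the report: parses '<action> <path> <process>' records, pulls out the suffix appended
to encrypted files and separates ransom-note drops from encryption writes."""
import re
from collections import Counter

ACTIONS = ("File opened for modification", "File created")
# Assumption: the suffix is three hex triplets, as observed in this report (.822-7B1-847).
SUFFIX_RE = re.compile(r"\.([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")
RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"

# Constructed sample: six records copied from the report and run together the
# same way the extraction did (one long line, records separated only by spaces).
SAMPLE = (
    "File opened for modification C:\\Program Files\\Java\\jdk1.7.0_80\\bin\\rmid.exe.822-7B1-847 svchost.exe "
    "File opened for modification C:\\Program Files\\Java\\jdk1.7.0_80\\jre\\bin\\servertool.exe svchost.exe "
    "File opened for modification C:\\Program Files (x86)\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.822-7B1-847 svchost.exe "
    "File created C:\\Program Files (x86)\\Microsoft Office\\Office14\\CONVERT\\1033\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT svchost.exe "
    "File opened for modification C:\\Program Files\\7-Zip\\Lang\\an.txt.822-7B1-847 svchost.exe "
    "File created C:\\Program Files\\Java\\jdk1.7.0_80\\db\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT svchost.exe"
)


def parse_file_iocs(text):
    """Split a run-together IoC blob into (action, path, process) tuples."""
    parts = re.split("(" + "|".join(map(re.escape, ACTIONS)) + ")", text)
    records = []
    # re.split with a capturing group yields [prefix, action, body, action, body, ...]
    for action, body in zip(parts[1::2], parts[2::2]):
        body = body.strip()
        if not body:
            continue
        # The process is the last whitespace-delimited token; the path itself may
        # contain spaces ("Program Files (x86)", the ransom-note file name).
        path, process = body.rsplit(None, 1)
        records.append((action, path, process))
    return records


def summarize(records):
    """Group records into ransom notes, renamed (encrypted) files and in-place
    writes, and count the suffixes and top-level directories involved."""
    suffixes = Counter()
    roots = Counter()
    ransom_notes, renamed, in_place = [], [], []
    for action, path, _process in records:
        roots["\\".join(path.split("\\")[:3])] += 1
        if action == "File created" and path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            ransom_notes.append(path)
            continue
        match = SUFFIX_RE.search(path)
        if match:
            suffixes[match.group(1)] += 1
            renamed.append(path)
        else:
            # Logged under its original name; whether it was renamed later is
            # not visible in this record.
            in_place.append(path)
    return {
        "suffixes": dict(suffixes),
        "ransom_notes": ransom_notes,
        "renamed": renamed,
        "in_place": in_place,
        "roots": dict(roots),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_file_iocs(SAMPLE)).items():
        print(f"{key}: {value}")
```

Splitting on the action keywords rather than on whitespace is what makes this robust: both the ransom-note name and "Program Files (x86)" contain spaces, so a naive token split would shred the paths. The suffix counter is the quickest way to confirm that one run used a single victim ID across every directory it touched.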
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
  PID 1672  WerFault.exe  target PID 1988  notepad.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 1980  vssadmin.exe
  PID 1092  vssadmin.exe
Modifies system certificate store (5 IoCs)
Processes:
  svchost.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value not included in the report)
  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value not included in the report)  (2 events)
  svchost.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Caveat: a process writing to AuthRoot\Certificates right after an HTTPS request, with CryptnetUrlCache files appearing under Downloads, is the footprint crypt32 leaves when it fetches and caches a root certificate during chain validation. On its own this signature is low confidence; the Run key and the shadow-copy deletion are the stronger indicators here.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  PID 1620  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe  Token: SeDebugPrivilege (2 events)
  PID 1596  WMIC.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the full set of 20, enabled twice: 40 events)
  PID 2004  WMIC.exe  Token: the same 20 privileges once, then SeIncreaseQuotaPrivilege and SeSecurityPrivilege again before the listing stops at 64 entries (22 events)
Caveat: wmic.exe routinely enables every privilege available in its token, so the same list appears for any WMIC invocation; these entries describe the tool, not an escalation by the malware. The sample's own adjustment is the SeDebugPrivilege enabled by PID 1620. The unnamed LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
Suspicious use of WriteProcessMemory (59 IoCs)
Processes (writer -> target, number of write events):
  PID 1620  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe  -> PID 272   svchost.exe   (4)
  PID 1620  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe  -> PID 1988  notepad.exe   (7)
  PID 1988  notepad.exe   -> PID 1672  WerFault.exe  (4)
  PID 272   svchost.exe   -> PID 1380  cmd.exe       (4)
  PID 272   svchost.exe   -> PID 916   cmd.exe       (4)
  PID 272   svchost.exe   -> PID 456   cmd.exe       (4)
  PID 272   svchost.exe   -> PID 1472  cmd.exe       (4)
  PID 272   svchost.exe   -> PID 1504  cmd.exe       (4)
  PID 272   svchost.exe   -> PID 612   cmd.exe       (4)
  PID 272   svchost.exe   -> PID 1480  svchost.exe   (4)
  PID 1380  cmd.exe       -> PID 1596  WMIC.exe      (4)
  PID 1504  cmd.exe       -> PID 1980  vssadmin.exe  (4)
  PID 612   cmd.exe       -> PID 2004  WMIC.exe      (4)
  PID 612   cmd.exe       -> PID 1092  vssadmin.exe  (4)
Caveat: four writes from a parent into a child it has just started are what ordinary process creation looks like under this monitor; every cmd.exe, WMIC.exe and vssadmin.exe child shows the same four. The seven writes into notepad.exe, which then crashed and was handed to WerFault.exe, are the only pattern that differs and the one worth examining for code injection.
Processes
Each entry gives the image path, its PID, the recorded command line and the signatures attributed to it; indentation shows the parent/child relationship. Image paths under C:\Windows\SysWOW64 paired with command lines naming C:\Windows\system32 are WOW64 file-system redirection: the sample is a 32-bit binary and every child it launches is the 32-bit copy of the tool.

C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe  (PID 1620)
  command line: "C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe  (PID 272)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1380)
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 1596)
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 916)
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe  (PID 456)
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe  (PID 1480)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
      - Executes dropped EXE
      - Drops file in Program Files directory

    C:\Windows\SysWOW64\cmd.exe  (PID 612)
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 2004)
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\vssadmin.exe  (PID 1092)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe  (PID 1504)
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\vssadmin.exe  (PID 1980)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe  (PID 1472)
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

  C:\Windows\SysWOW64\notepad.exe  (PID 1988)
    command line: notepad.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe  (PID 1672)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 196
      - Program crash

C:\Windows\system32\vssvc.exe  (PID 1448)
  command line: C:\Windows\system32\vssvc.exe
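The tree above is the shape a detection engineer wants to match: a parent named like a system binary but running from %AppData% fans out through cmd.exe /C wrappers to wmic, vssadmin, bcdedit and wbadmin. The following added Python example (not part of the sandbox report) replays constructed process-creation events modelled on that tree (same PIDs, images and command lines, plus one legitimate C:\Windows\System32\svchost.exe for contrast), matches the recovery-inhibiting command lines (MITRE ATT&CK T1490), attributes each hit to the nearest ancestor that is not a shell wrapper, and checks whether that origin is a system-binary name running outside System32/SysWOW64 (T1036.005). The rule names, the severity scheme, the wrapper list and the parent PIDs 1000 and 600 are this example's own assumptions.

```python
"""Detection over process-creation events, modelled on the tree above.
Added example, not part of the sandbox report: constructed events replay the
report's PIDs, images and command lines (plus one legitimate svchost.exe for
contrast); rule names, severities and the parent PIDs 1000/600 are assumptions."""
import re

# Constructed events: (pid, ppid, image, command line).
EVENTS = [
    (1620, 1000, r"C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe"'),
    (272, 1620, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start'),
    (1380, 272, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    (1596, 1380, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (916, 272, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    (456, 272, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (1480, 272, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0'),
    (1504, 272, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    (1980, 1504, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (1472, 272, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (3000, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),  # legitimate, for contrast
]

# Recovery-inhibiting command lines (ATT&CK T1490).  Loose on spacing and case,
# and they match inside a "cmd.exe /C ..." wrapper as well as in the final child.
RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit recoveryenabled no", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]
WRAPPERS = {"cmd.exe", "powershell.exe"}  # shells we look through when attributing
# System-process names that only belong under System32/SysWOW64 (ATT&CK T1036.005).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_masquerading(image):
    """True for a system-process name that is not running from System32/SysWOW64."""
    return basename(image) in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS)


def recovery_tamper_matches(cmdline):
    """Names of the T1490 rules a command line triggers."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def origin_of(by_pid, pid):
    """Walk up from pid's parent to the first ancestor that is not a shell wrapper.
    Returns None when the chain leaves the recorded events."""
    ppid = by_pid[pid][1]
    while ppid in by_pid:
        if basename(by_pid[ppid][2]) not in WRAPPERS:
            return ppid
        ppid = by_pid[ppid][1]
    return None


def _new_finding(image):
    return {"image": image, "techniques": set(), "evidence_pids": set(), "masquerading": False}


def detect(events):
    """Return {origin_pid: finding} for processes that inhibit recovery and/or masquerade."""
    by_pid = {e[0]: e for e in events}
    findings = {}
    for pid, _ppid, image, _cmd in events:
        if is_masquerading(image):
            findings.setdefault(pid, _new_finding(image))["masquerading"] = True
    for pid, _ppid, _image, cmdline in events:
        hits = recovery_tamper_matches(cmdline)
        if not hits:
            continue
        origin = origin_of(by_pid, pid) or pid  # fall back to the process itself
        finding = findings.setdefault(origin, _new_finding(by_pid[origin][2]))
        # The cmd.exe wrapper and its child both match; a set keeps one entry per technique.
        finding["techniques"].update(hits)
        finding["evidence_pids"].add(pid)
    for finding in findings.values():
        finding["techniques"] = sorted(finding["techniques"])
        finding["evidence_pids"] = sorted(finding["evidence_pids"])
        n = len(finding["techniques"])
        finding["severity"] = "high" if n >= 2 or (n and finding["masquerading"]) else "medium"
    return findings


if __name__ == "__main__":
    for pid, finding in sorted(detect(EVENTS).items()):
        print(pid, finding["severity"], finding["image"], finding["techniques"])
```

Deduplicating per origin matters: the cmd.exe wrapper and the child it spawns carry the same command line, so counting raw matches would double every technique. Counting distinct techniques per non-wrapper ancestor yields five for PID 272, flags the second AppData svchost.exe (PID 1480) on location alone, and leaves the legitimate System32 svchost.exe untouched.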
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5     1c7207d15a7f303c73d5d89d6aae43be
  SHA1    19fe550a31cf89ab706e3ebcd6fcc78ca57bdeac
  SHA256  52a8f1b16a9d4bcec89850a5f6d30488cd8390d0e6bc19eaea5a138d5dc64dc9
  SHA512  d6216aa45ffcd9345139792c94a55d53fe40f775d42a6d6127fc2cb066c653bdc005d133ed85d73aa34f1bcf634c221c7624a7e840c2424cf1f29a2bcd088342
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5     5bfa51f3a417b98e7443eca90fc94703
  SHA1    8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256  bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512  4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
- (path not recorded)
  MD5     637481df32351129e60560d5a5c100b5
  SHA1    a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae
  SHA256  1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052
  SHA512  604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3
- (path not recorded)
  MD5     0f96cf32580efc867ff48db74bc92e4b
  SHA1    2d16ce1151807b1cc5445db9bd511d0a2c90cf01
  SHA256  7176b87dd59195a7e0fb8624010b143d1ca991161748e2cd38a88a4eec91a8da
  SHA512  9d9e74180ef53053ebcfe25dd50659b002a4422c9253b82c78804b97329b57ea1ee19edf9eadec09d45f1b034270a15a7da5e5943406415dc259ca58fa459dbe
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5     c167da7b8b4c7fcda6675c7e0088f400
  SHA1    994596505635ae1ea5d515c3812bde4da71453da
  SHA256  393c90d40294d1f9e4875acc639b3c1b0207a68c7ca49aaf715f97746c128062
  SHA512  8fbb72b5d58e34709eb545ab324112d4392f3af389b68b1e184d885ea210f529dede92167578687f47c1b40e49341cbbd62eaf8d71dc09397b5d44a4c9b767f0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5     df11f60c99660e0f3c18219ac6895d4d
  SHA1    48557bccad64d790260c9a54b7da53cedca59264
  SHA256  d564d9c1619d57a750ff9b1abb77243762a241be2b7e522e76d5ec9b5f0aef9f
  SHA512  2a8e92ab42bc66dba988f4d0c22660a586bebe4f432c6bfbd39888e0a6d8daf084c19facb832c1edefcc515d1fe6db15eb0a8aed3ed27c16f78e04666f120beb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5     4d5e6b72ea8cbcfecc5ed2b559b7592a
  SHA1    78fe98d962ea819f10f0587159be39d1e165e836
  SHA256  ee5bfb791cb2c81ae849e4d5c04d32a2f146538cda065343f660c5abb5a1dc58
  SHA512  27fc2c3563d8a00f35e3ec34eecc8f32d8148b582fdcc19b877bfb6e9acf9ab3c52ee3445d939c54d27537ed5c7f62a914f319e52550658f560b3d4488d64686
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5     0e590cdf32cf927048e86f07e3355f1e
  SHA1    9179cdf36b337082cd753109f194115c6ee7ae65
  SHA256  083bdf51ae117948b80ccdedf1f6764431df465de903fe4dab1fb2240c698d07
  SHA512  90adbe65c26c1c33757bc9778f8cc2ae5a0cee60e399b8d49bdcb3673a272c66b16355f678efaa36eee57aff5c8bfcf42e64944777e85e94d253ac86cf3fed2f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4
  MD5     bf51e4ccb5c6ef38fc1f2fb1bfdc4a4b
  SHA1    b6fcb32b035a0b033dd2a923a5cbba35c54a9c31
  SHA256  af6a047e8ae74bb157a5c6d9263b700848e80996065255089735da5c1822f09c
  SHA512  f16cbb9adfdd728b569a2580193e742f30b895075629121e81756d11e67e2ac04bba2dc62d803c01a5546355ab9d21f46a577590f59e4fd57cbc9cd0dffbbbe0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5     157a16117ddc2466c0eb9137e921c46d
  SHA1    a54644a23b9a80e1743bf9913156fa76792217d9
  SHA256  4897a9afbfa9ddbb017cabf6d8df16d4730e56eeb1aefcaed7c24b8bf9f93031
  SHA512  6b9b36573b7e4a69f5840cee2a533fa51972ee5c04006ddd67c78c609ec81c073d75de209b4f18abca32003352cae35bca6ec01496a6c36582f672ceadedcacf
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z12QDLN4\J6390Z7V.htm
  MD5     b1cd7c031debba3a5c77b39b6791c1a7
  SHA1    e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256  57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512  d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- (path not recorded)
  MD5     ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1    b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256  e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512  b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
- (path not recorded; this entry appears five times in the report, and its hashes are identical to the submitted sample)
  MD5     42ea94ee3adca8b82fba15ecdde25f26
  SHA1    ca17412cd44d186db91c4b2fa7df03363533ffd2
  SHA256  332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
  SHA512  cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874