Analysis
- max time kernel: 66s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/10/2022, 13:52
Static task: static1
Behavioral task: behavioral1
- Sample: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
- Resource: win10v2004-20220812-en
General
- Target: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
- Size: 225KB
- MD5: eae3f9f84a8b6756db599963aa4f49d1
- SHA1: c40909226c102ceb3cf97e9037c590f1623af013
- SHA256: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028
- SHA512: dddcee2f12c1a0d8f0dd9a95e4b8f0841519361880d280beab3befd4afcebdecc9b8a32b1aedb9b9f542a22f6dc7c00af3afff93a0dc588f80d6a292a5a96602
- SSDEEP: 6144:pROGJmXiQwAP5GXJHcTV50DErd5xgTw7ozFz254W:pROYeiQwAIHLD6GcoxfW
Malware Config
- Extracted: C:\README.html
  us:
  email: [email protected]
  tox: 9DA3D60F51FB83B539BA0CC79B6D4BE83003F8E7A294B531B6EA05102486855ADEEFFF5A90C8
  jabber: [email protected]
  VuXokCcRnGJ2yw1dZ6DSt2jUohdnWW8KeowQwBbwdk7wARjPe+d30uevttyHMflR
- Extracted: C:\Users\Admin\AppData\Local\Temp\5415296051972527219.hta
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 1 IoC)
  pid 6384: bcdedit.exe
- Deletes backup catalog
  pid 5964: wbadmin.exe
- Executes dropped EXE (1 IoC)
  pid 3404: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process (all entries): 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  File opened for modification: C:\Users\Admin\Pictures\ResumeWait.tiff.venus
  File renamed: C:\Users\Admin\Pictures\SaveDismount.tif => C:\Users\Admin\Pictures\SaveDismount.tif.venus
  File opened for modification: C:\Users\Admin\Pictures\SaveDismount.tif.venus
  File opened for modification: C:\Users\Admin\Pictures\ResumeWait.tiff
  File renamed: C:\Users\Admin\Pictures\ResumeWait.tiff => C:\Users\Admin\Pictures\ResumeWait.tiff.venus
  File opened for modification: C:\Users\Admin\Pictures\FindEnable.tif.venus
  File renamed: C:\Users\Admin\Pictures\LockGroup.crw => C:\Users\Admin\Pictures\LockGroup.crw.venus
  File renamed: C:\Users\Admin\Pictures\DebugApprove.tiff => C:\Users\Admin\Pictures\DebugApprove.tiff.venus
  File renamed: C:\Users\Admin\Pictures\FindEnable.tif => C:\Users\Admin\Pictures\FindEnable.tif.venus
  File opened for modification: C:\Users\Admin\Pictures\LockGroup.crw.venus
  File renamed: C:\Users\Admin\Pictures\PingDebug.crw => C:\Users\Admin\Pictures\PingDebug.crw.venus
  File opened for modification: C:\Users\Admin\Pictures\PingDebug.crw.venus
  File opened for modification: C:\Users\Admin\Pictures\DebugApprove.tiff
  File opened for modification: C:\Users\Admin\Pictures\DebugApprove.tiff.venus
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Process (both entries): 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe = "C:\\Windows\\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe"
- Drops desktop.ini file(s) (34 IoCs)
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process (both entries): 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  File opened (read-only): \??\E:
  File opened (read-only): \??\F:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\5415296051972527219.jpg"
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs)
  Process (both entries): 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  File created: C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  File created: C:\Windows\5415296051972527219.png
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process (all entries): vds.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 5836: vssadmin.exe
- Kills process with taskkill (1 IoC)
  pid 1688: taskkill.exe
- Modifies registry class (5 IoCs)
  Process (all entries): 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.venus
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\5415296051972527219.png"
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
- Runs ping.exe (1 TTP, 1 IoC)
  pid 5068: PING.EXE
- Suspicious use of AdjustPrivilegeToken (53 IoCs)
- Suspicious use of WriteProcessMemory (24 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe [PID 4704]
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe [PID 3404]
    Command line: "C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe" g g g o n e123
    Signatures: Executes dropped EXE; Modifies extensions of user files; Checks computer location settings; Drops desktop.ini file(s); Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe [PID 5060]
      Command line: /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\taskkill.exe [PID 1688]
        Command line: taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe [PID 5912]
      Command line: /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbadmin.exe [PID 5964]
        Command line: wbadmin delete catalog -quiet
        Signatures: Deletes backup catalog
      - C:\Windows\system32\vssadmin.exe [PID 5836]
        Command line: vssadmin.exe delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\bcdedit.exe [PID 6384]
        Command line: bcdedit.exe /set {current} nx AlwaysOff
        Signatures: Modifies boot configuration data using bcdedit
      - C:\Windows\System32\Wbem\WMIC.exe [PID 6408]
        Command line: wmic SHADOWCOPY DELETE
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\mshta.exe [PID 6136]
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\5415296051972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - C:\Windows\System32\cmd.exe [PID 2616]
    Command line: /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE [PID 5068]
      Command line: ping localhost -n 3
      Signatures: Runs ping.exe
- C:\Windows\system32\wbengine.exe [PID 6000]
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe [PID 6108]
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe [PID 1140]
  Command line: C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s)
- C:\Windows\system32\vssvc.exe [PID 4060]
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
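The process tree above carries the four behaviours a responder would key on: the recovery-inhibition chain run through one cmd.exe (wbadmin delete catalog, vssadmin delete shadows, bcdedit /set {current} nx AlwaysOff, which turns DEP off system-wide, and wmic SHADOWCOPY DELETE), the mass taskkill of database and Office processes so their files can be encrypted, the ransom note launched through mshta.exe from %TEMP%, and the ping-delayed self-deletion of the original dropper. Each of those commands also occurs in routine administration, so a detection has to tie the hit back to the parent chain. The Python below is an added example, not code from this report or from the sample: it runs command-line rules over process-creation records constructed to mirror the PIDs, images and command lines shown here, then walks each hit up to its root process. The record layout, the rule names and the abridged taskkill list are assumptions.

```python
"""Command-line detection rules over process-creation records (added example).

The records below are constructed from the process tree in this report; the
ProcEvent layout, the rule names and the thresholds are assumptions of this
example, not anything the sandbox or the sample defines.
"""
import re
from dataclasses import dataclass

SAMPLE = "0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe"
TEMP_EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
WIN_EXE = "C:\\Windows\\" + SAMPLE
HTA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5415296051972527219.hta"

# Abridged from the report's taskkill line: 13 of its roughly 40 /IM targets.
TASKKILL = "taskkill /F " + " ".join("/IM " + p for p in [
    "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe", "sqlwriter.exe",
    "oracle.exe", "ocssd.exe", "dbsnmp.exe", "mysqld.exe", "excel.exe", "outlook.exe",
    "winword.exe", "thunderbird.exe",
])
RECOVERY = ("wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet "
            "&& bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records mirroring the tree above; ppid 0 stands in for the
# unknown launcher of the first process.
EVENTS = [
    ProcEvent(4704, 0, TEMP_EXE, f'"{TEMP_EXE}"'),
    ProcEvent(3404, 4704, WIN_EXE, f'"{WIN_EXE}" g g g o n e123'),
    ProcEvent(5060, 3404, r"C:\Windows\System32\cmd.exe", "/C " + TASKKILL),
    ProcEvent(1688, 5060, r"C:\Windows\system32\taskkill.exe", TASKKILL),
    ProcEvent(5912, 3404, r"C:\Windows\System32\cmd.exe", "/C " + RECOVERY),
    ProcEvent(5964, 5912, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(5836, 5912, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(6384, 5912, r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {current} nx AlwaysOff"),
    ProcEvent(6408, 5912, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic SHADOWCOPY DELETE"),
    ProcEvent(6136, 3404, r"C:\Windows\SysWOW64\mshta.exe",
              f'"C:\\Windows\\SysWOW64\\mshta.exe" "{HTA}"'),
    ProcEvent(2616, 4704, r"C:\Windows\System32\cmd.exe",
              f"/c ping localhost -n 3 > nul & del {TEMP_EXE}"),
    ProcEvent(5068, 2616, r"C:\Windows\system32\PING.EXE", "ping localhost -n 3"),
]

# Rule names are assumptions of this example. Each regex is matched against the
# full command line, so a cmd.exe that chains several tools hits several rules.
RULES = {
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_tampering": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*\b(nx|recoveryenabled|bootstatuspolicy)\b", re.I),
    "mshta_temp_hta": re.compile(r'\bmshta(\.exe)?\b.*\\temp\\[^\s"]*\.hta\b', re.I),
    "self_delete_via_ping": re.compile(r"\bping\b.*&\s*del\b", re.I),
}


def mass_taskkill(cmdline: str, threshold: int = 10) -> bool:
    """True when one taskkill invocation names at least `threshold` images."""
    return "taskkill" in cmdline.lower() and len(re.findall(r"/IM\s+\S+", cmdline, re.I)) >= threshold


def scan(events, threshold: int = 10) -> dict:
    """Map pid -> sorted rule names that fired on that process's command line."""
    findings = {}
    for ev in events:
        hits = sorted(name for name, rx in RULES.items() if rx.search(ev.cmdline))
        if mass_taskkill(ev.cmdline, threshold):
            hits.append("mass_taskkill")
        if hits:
            findings[ev.pid] = hits
    return findings


def ancestry(events, pid: int) -> list:
    """Walk ppid links from `pid` to the topmost known process; cycle-safe."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def root_process(events, pid: int) -> ProcEvent:
    """The highest known ancestor of `pid`: the process to contain first."""
    by_pid = {ev.pid: ev for ev in events}
    return by_pid[ancestry(events, pid)[-1]]


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules, "<-", " <- ".join(str(p) for p in ancestry(EVENTS, pid)[1:]))
```

Every hit in the constructed data resolves to PID 4704 through 3404, the dropped copy in C:\Windows; on a live host that root, not the individual vssadmin.exe, is what to isolate. The threshold on mass_taskkill exists because a single /IM is common in scripts, while dozens of database and mail-client images in one call is the pre-encryption pattern.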
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 5615aecd8f5c11fecc543deb66384921
  SHA1: f4811e649046ad83a01ea3ba6552364cc2f8d72d
  SHA256: 77bd29533dca8a9406dae258a34f8ab934578757ba6f06e13b49c71396a6291b
  SHA512: 7ea9902fae33c73e5bc720d9fc8b58202283d2a17349b0a434cd3fb9da703a0e31fcdb023775d41505465c712a173e06068a7666f2d3777e2cd83f630da8d941
- Filesize: 225KB
  MD5: eae3f9f84a8b6756db599963aa4f49d1
  SHA1: c40909226c102ceb3cf97e9037c590f1623af013
  SHA256: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028
  SHA512: dddcee2f12c1a0d8f0dd9a95e4b8f0841519361880d280beab3befd4afcebdecc9b8a32b1aedb9b9f542a22f6dc7c00af3afff93a0dc588f80d6a292a5a96602
- Filesize: 225KB
  MD5: eae3f9f84a8b6756db599963aa4f49d1
  SHA1: c40909226c102ceb3cf97e9037c590f1623af013
  SHA256: 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028
  SHA512: dddcee2f12c1a0d8f0dd9a95e4b8f0841519361880d280beab3befd4afcebdecc9b8a32b1aedb9b9f542a22f6dc7c00af3afff93a0dc588f80d6a292a5a96602