Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 04:08
Behavioral task: behavioral1
Sample: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Resource: win10v2004-20240226-en
General
Target: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Size: 200KB
MD5: da44b75688848eaad3b888d4ffa3eb8a
SHA1: 1e18f8d613b31426bf7c3cad82ecee94e94f4fdb
SHA256: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f
SHA512: ee19553d7816dc82dac7dd7bc7e9f05e9360074e7870e032da02f12bc29f2487085bc89aadb8712c687f1f844361eab18c09a92b965eb96c0c14491e630411f2
SSDEEP: 3072:sr85Cua1U197bzhVsmftsZzSY2h1OSzlezR9P32euJ9OlKolb:k9Ri1dNVsmfte2Y2hvMX32eufj0b
Malware Config
Extracted
C:\Users\sdBuuG2px.README.txt
lockbit
Signatures
-
Detect Neshta payload 9 IoCs
Processes:
resource | yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | family_neshta
behavioral2/memory/3104-398-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3104-399-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3104-468-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3104-487-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3104-491-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3104-496-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
C:\Windows\svchost.com | family_neshta
behavioral2/memory/4748-507-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | family_lockbit
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, 92DB.tmp
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | 92DB.tmp
-
Executes dropped EXE 3 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, 92DB.tmp, svchost.com
pid | process
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4360 | 92DB.tmp
4748 | svchost.com
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
-
Drops file in System32 directory 4 IoCs
Processes: printfilterpipelinesvc.exe, splwow64.exe
description | ioc | process
File created | C:\Windows\system32\spool\PRINTERS\PPv3hd27bpzks8xux6ipqo6oaec.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP30ugzr3m2kp01639l6rgxh0u.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPt899z3v1cp0b6ucwhv3vi8t7.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\sdBuuG2px.bmp" | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\sdBuuG2px.bmp" | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, 92DB.tmp
pid | process
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4360 | 92DB.tmp
4360 | 92DB.tmp
4360 | 92DB.tmp
4360 | 92DB.tmp
4360 | 92DB.tmp
4360 | 92DB.tmp
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, svchost.com
description | ioc | process
File opened for modification | C:\Windows\svchost.com | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: ONENOTE.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: ONENOTE.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
-
Modifies Control Panel 2 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "10" | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
-
Modifies registry class 7 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, 92DB.tmp
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px\ = "sdBuuG2px" | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon\ = "C:\\ProgramData\\sdBuuG2px.ico" | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | 92DB.tmp
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, ONENOTE.EXE
pid | process
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes: ONENOTE.EXE
pid | process
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
2608 | ONENOTE.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe, printfilterpipelinesvc.exe, 92DB.tmp, svchost.com
description | pid | process | target process
PID 3104 wrote to memory of 4652 | 3104 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
PID 3104 wrote to memory of 4652 | 3104 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
PID 3104 wrote to memory of 4652 | 3104 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
PID 4652 wrote to memory of 4204 | 4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | splwow64.exe
PID 4652 wrote to memory of 4204 | 4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | splwow64.exe
PID 3940 wrote to memory of 2608 | 3940 | printfilterpipelinesvc.exe | ONENOTE.EXE
PID 3940 wrote to memory of 2608 | 3940 | printfilterpipelinesvc.exe | ONENOTE.EXE
PID 4652 wrote to memory of 4360 | 4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | 92DB.tmp
PID 4652 wrote to memory of 4360 | 4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | 92DB.tmp
PID 4652 wrote to memory of 4360 | 4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | 92DB.tmp
PID 4652 wrote to memory of 4360 | 4652 | 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe | 92DB.tmp
PID 4360 wrote to memory of 4748 | 4360 | 92DB.tmp | svchost.com
PID 4360 wrote to memory of 4748 | 4360 | 92DB.tmp | svchost.com
PID 4360 wrote to memory of 4748 | 4360 | 92DB.tmp | svchost.com
PID 4748 wrote to memory of 3876 | 4748 | svchost.com | cmd.exe
PID 4748 wrote to memory of 3876 | 4748 | svchost.com | cmd.exe
PID 4748 wrote to memory of 3876 | 4748 | svchost.com | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
- Drops file in System32 directory
PID:4204 -
C:\ProgramData\92DB.tmp"C:\ProgramData\92DB.tmp"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\92DB.tmp >> NUL4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\92DB.tmp >> NUL5⤵PID:3876
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
PID:2564
-
C:\Windows\system32\printfilterpipelinesvc.exe (level 1)
Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (level 2)
Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{16169DD0-6581-4DDF-8D09-77A5B97C122C}.xps" 133548629023020000
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2608
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 129B
MD5 3707665e2e19b050dcc8b824b48db163
SHA1 a9025e94f3001b4ad52d62dbc5459928e797671b
SHA256 b952de0ba8d532c651947a1bde26b26367050f38260dd00eb1c142926e907f41
SHA512 c723223ed3325610d94f78dd351c99a890534ea295aef9bc32ff805605382f3f7aec8701a3c8ee5ead3e1418e94d57fa722487ee1b67dfc3903ac8aea61eb1cd
-
Filesize 2.4MB
MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427
-
Filesize 14KB
MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
Filesize 159KB
MD5 99bcce4f1d96c6ef25c157c9762d7fba
SHA1 85125f8f6ddc5dddca55c3c162eadffc7c10c231
SHA256 2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9
SHA512 aa31d760be90faf8c2cad5901cdd7ca609f97d327f1c3660af661a43f77e865f5380fa1743969a10642ac4ba4219244d6890a70b4594ff260b34fb71a3518e47
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize 159KB
MD5 83fc9b3159da9da4a8712bbb16680321
SHA1 371f3b1da816a0ca34a4b621efcaf869bd582ef3
SHA256 a46d29b169abbd56c363ffab67eb9147eae02af082924dafa8695b5ff3063554
SHA512 a542d9b8d5668fbead1cf73f62ca332f01589d1d60f7190ea4b74d8980ee2efd78d853bcd05a2e04c55a25bad0bebad53632b097399b00ae0ba1c20456b5c7ac
-
Filesize 8B
MD5 16ebc67874bd1b1d0ee50cd8524f2bba
SHA1 7d4846a4038ebb1c678bffb83588cb5642a4d8b5
SHA256 a58352f4d5e39518b537caf7dac7a26ef83742b0cd0b8181a7b6e5013b928c6e
SHA512 cf507b0f60b0e285f326a191884ea144058ce38de4870d5ab0e6315e1babbc95cb776525412275d09cf18341413985d5106bd57b54a74d08125dec2514265757
-
Filesize 4KB
MD5 931b4ed0a95fd45f8eb63c89bbf5fad0
SHA1 124d4b2469cff6322f4573c65d89d796b9348ed4
SHA256 274db83e9afc6bacf68f95bef55db4ff861c18989c3dab7cb9b1e43e3519c44f
SHA512 9edc6dde3bb7a3caf21da2aa0c65a20bc57f3e45a75c51118e8e98eec83d33d3a228fe781a3d1c1b5aeafa1923048832b458cb7a996e35930c4e039d1ab05952
-
Filesize 10KB
MD5 492fa217c781e01582e5edb7a180b343
SHA1 40027558c381ce6798a5b58a4d760be07616b5af
SHA256 65962c9200871eba3b2cdad318c7a0e7b8197a515cd6eee8b5345cfbae4f352c
SHA512 0436369dc0727a810eed168bedce59d3b12ef73b925edaf86c51081fbe2252ebc7ce08d4592ac0de4e96315f4cedd9f068a9a8095b1d64a9e1fa235fbe981ee0
-
Filesize 40KB
MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
Filesize 129B
MD5 6aa0144b2e042f1e9a9574f9a2d0df2f
SHA1 4d245ba5c69c486fc9cdc74e014c75705c75ff87
SHA256 8b5a7e6d4bcaab3f658c328ea9b8d354287ca5b4ad241261a17f4de32166be90
SHA512 e64a9ba808a0e9d22a154b610170ed2b1924e9c3f9b34f92f117c667dc2f6578eb4792b25ecc28be3aa01b59394d5a4cca46b896ac46483e9ffa079c5a306aa5