Analysis
max time kernel: 140s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2024 01:53
Static task: static1
Behavioral task: behavioral1
  Sample: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
  Resource: win10v2004-20240419-en
General
Target: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
Size: 2.4MB
MD5: 2a613d677cc3e2991dcd954e9413c40c
SHA1: 26f49090585d31dca8dde83106c0a851f00f2f18
SHA256: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b
SHA512: b3edc9f56aa9c1f3685bb7e14d7dad27f23346bb1f21618acb3091c2031c1c5f48f77f375d97763b2da1b4658efd12a1147114bd65190b9f8c772d302d0f7a44
SSDEEP: 49152:I/oSNzCxuPz3v/EekOEQ5ZlC2WQcyDJFD6BaKAjB8eJMv+8KwXkZx+jau:I/oCCQv/EeJESlC2WbyDukrBDJMGXjG
Malware Config
Signatures
Detects Mimic ransomware 1 IoCs
resource                                    yara_rule
behavioral2/files/0x000a000000023b82-6.dat  family_mimic
Mimic
Ransomware family first observed in the wild in 2022.
Modifies security service 2 TTPs 1 IoCs
description      ioc                                                                Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"  encrypt.exe
Clears Windows event logs 1 TTPs 3 IoCs
pid   Process
3044  wevtutil.exe
3980  wevtutil.exe
1328  wevtutil.exe
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs
resource                                    yara_rule
behavioral2/files/0x000a000000023b82-6.dat  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Detects command variations typically used by ransomware 1 IoCs
resource                                    yara_rule
behavioral2/files/0x000a000000023b82-6.dat  INDICATOR_SUSPICIOUS_GENRansomware
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs
resource                                    yara_rule
behavioral2/files/0x000a000000023b82-6.dat  INDICATOR_SUSPICIOUS_USNDeleteJournal
Detects executables containing commands for clearing Windows Event Logs 1 IoCs
resource                                    yara_rule
behavioral2/files/0x000a000000023b82-6.dat  INDICATOR_SUSPICIOUS_ClearWinLogs
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid   Process
1392  bcdedit.exe
2284  bcdedit.exe
Deletes System State backups
pid   Process
4012  wbadmin.exe
Deletes backup catalog
pid   Process
4460  wbadmin.exe
Sets file execution options in registry 2 TTPs 64 IoCs
description  ioc  Process
All 64 entries below are keys under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and were written by encrypt.exe; every "Set value (str)" entry sets <image>\Debugger = "C:\\Windows\\System32\\Systray.exe".
Set value (str)  mydesktopservice.exe\Debugger
Key created      ocssd.exe
Key created      tv_x64.exe
Key created      httpd.exe
Key created      MsDtSrvr.exe
Set value (str)  RaccineElevatedCfg.exe\Debugger
Key created      Sysmon.exe
Set value (str)  TeamViewer_Service.exe\Debugger
Key created      shutdown.exe
Set value (str)  ocssd.exe\Debugger
Set value (str)  pvlsvr.exe\Debugger
Key created      QBW64.exe
Key created      xfssvccon.exe
Key created      r.exe
Set value (str)  SearchIndexer.exe\Debugger
Key created      ocautoupds.exe
Key created      RaccineElevatedCfg.exe
Set value (str)  mysqld-opt.exe\Debugger
Set value (str)  QBIDPService.exe\Debugger
Set value (str)  SearchProtocolHost.exe\Debugger
Set value (str)  perfmon.exe\Debugger
Key created      msaccess.exe
Set value (str)  mydesktopqos.exe\Debugger
Key created      java.exe
Key created      Sysmon64.exe
Key created      tomcat6.exe
Set value (str)  xfssvccon.exe\Debugger
Set value (str)  vsnapvss.exe\Debugger
Key created      SystemExplorer.exe
Set value (str)  tasklist.exe\Debugger
Key created      logoff.exe
Key created      dbeng50.exe
Set value (str)  mysqld-nt.exe\Debugger
Set value (str)  Raccine.exe\Debugger
Key created      RAgui.exe
Set value (str)  sqlservr.exe\Debugger
Key created      SearchApp.exe
Set value (str)  python.exe\Debugger
Set value (str)  CompatTelRunner.exe\Debugger
Key created      tasklist.exe
Key created      taskkill.exe
Key created      node.exe
Key created      python.exe
Key created      VeeamDeploymentSvc.exe
Set value (str)  Sysmon64.exe\Debugger
Set value (str)  EnterpriseClient.exe\Debugger
Set value (str)  fdhost.exe\Debugger
Key created      Ssms.exe
Set value (str)  logoff.exe\Debugger
Key created      vxmon.exe
Key created      wxServerView.exe
Set value (str)  dbeng50.exe\Debugger
Set value (str)  QBW64.exe\Debugger
Set value (str)  Raccine_x86.exe\Debugger
Key created      sqlwriter.exe
Set value (str)  Sysmon.exe\Debugger
Set value (str)  TeamViewer.exe\Debugger
Set value (str)  isqlplussvc.exe\Debugger
Key created      mspub.exe
Key created      mydesktopqos.exe
Set value (str)  qbupdate.exe\Debugger
Key created      raw_agent_svc.exe
Set value (str)  sqlservrs.exe\Debugger
Set value (str)  Creative Cloud.exe\Debugger
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation  c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
Executes dropped EXE 5 IoCs
pid   Process
4192  encrypt.exe
4144  encrypt.exe
4552  encrypt.exe
5116  encrypt.exe
4696  encrypt.exe
Loads dropped DLL 5 IoCs
pid   Process
4192  encrypt.exe
4144  encrypt.exe
4552  encrypt.exe
4696  encrypt.exe
5116  encrypt.exe
Modifies system executable filetype association 2 TTPs 10 IoCs
description  ioc  Process
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command  encrypt.exe
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open  encrypt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"  encrypt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  encrypt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"  encrypt.exe
Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  encrypt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  encrypt.exe
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell  encrypt.exe
Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  encrypt.exe
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command  encrypt.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt = "\"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe\" "  encrypt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\""  encrypt.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only) by encrypt.exe, in this order: \??\R: \??\V: \??\G: \??\N: \??\P: \??\K: \??\L: \??\Q: \??\S: \??\W: \??\A: \??\E: \??\J: \??\X: \??\T: \??\U: \??\Y: \??\B: \??\H: \??\M: \??\I: \??\O: \??\Z:
Drops file in Windows directory 3 IoCs
description  ioc  Process
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.2.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.1.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.3.etl  wbadmin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  vds.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000  vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  vds.exe
Modifies registry class 11 IoCs
description  ioc  Process
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile  encrypt.exe
Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  encrypt.exe
Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  encrypt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  encrypt.exe
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open  encrypt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"  encrypt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  encrypt.exe
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command  encrypt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"  encrypt.exe
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command  encrypt.exe
Key created      \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell  encrypt.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid  Process
740  notepad.exe
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid   Process
4696  encrypt.exe (2 entries)
5116  encrypt.exe (2 entries)
4144  encrypt.exe (all remaining entries; 38 IoCs in total)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Grouped by pid; each listed token is one "Token: <privilege>" entry.
PID 4192 encrypt.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 4144 encrypt.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 4552 encrypt.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege
PID 4696 encrypt.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
Identical rows are collapsed with their count in parentheses.
PID 3280 wrote to memory of 4192  3280  c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe  85  (3 entries)
PID 4192 wrote to memory of 4144  4192  encrypt.exe  89  (3 entries)
PID 4144 wrote to memory of 4552  4144  encrypt.exe  92  (3 entries)
PID 4144 wrote to memory of 5116  4144  encrypt.exe  93  (3 entries)
PID 4144 wrote to memory of 4696  4144  encrypt.exe  94  (3 entries)
PID 4144 wrote to memory of 444   4144  encrypt.exe  115  (2 entries)
PID 4144 wrote to memory of 4880  4144  encrypt.exe  116  (2 entries)
PID 4144 wrote to memory of 3688  4144  encrypt.exe  117  (2 entries)
PID 4144 wrote to memory of 4968  4144  encrypt.exe  118  (2 entries)
PID 4144 wrote to memory of 4276  4144  encrypt.exe  119  (2 entries)
PID 4144 wrote to memory of 3720  4144  encrypt.exe  120  (2 entries)
PID 4144 wrote to memory of 4484  4144  encrypt.exe  121  (2 entries)
PID 4144 wrote to memory of 1248  4144  encrypt.exe  122  (2 entries)
PID 4144 wrote to memory of 1144  4144  encrypt.exe  123  (2 entries)
PID 4144 wrote to memory of 5004  4144  encrypt.exe  124  (2 entries)
PID 4144 wrote to memory of 4644  4144  encrypt.exe  125  (2 entries)
PID 4144 wrote to memory of 2592  4144  encrypt.exe  126  (2 entries)
PID 4144 wrote to memory of 5084  4144  encrypt.exe  127  (2 entries)
PID 4144 wrote to memory of 3892  4144  encrypt.exe  128  (2 entries)
PID 4144 wrote to memory of 1968  4144  encrypt.exe  129  (2 entries)
PID 4144 wrote to memory of 1392  4144  encrypt.exe  142  (2 entries)
PID 4144 wrote to memory of 2284  4144  encrypt.exe  143  (2 entries)
PID 4144 wrote to memory of 4012  4144  encrypt.exe  145  (2 entries)
PID 4144 wrote to memory of 4460  4144  encrypt.exe  147  (2 entries)
PID 4144 wrote to memory of 740   4144  encrypt.exe  153  (3 entries)
PID 4144 wrote to memory of 1328  4144  encrypt.exe  154  (3 entries)
PID 4144 wrote to memory of 3980  4144  encrypt.exe  155  (3 entries)
PID 4144 wrote to memory of 3044  4144  encrypt.exe  156  (2 entries)
System policy modification 1 TTPs 6 IoCs
description  ioc  Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  encrypt.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"  encrypt.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection  encrypt.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"  encrypt.exe
Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  encrypt.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1"  encrypt.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe"C:\Users\Admin\AppData\Local\Temp\c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\tempcrc\encrypt.exe"C:\tempcrc\encrypt.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"3⤵
- Modifies security service
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4144 -
C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e watch -pid 4144 -!4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
-
C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5116
-
-
C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -H off4⤵PID:444
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵PID:4880
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵PID:3688
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵PID:4968
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵PID:4276
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵PID:3720
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵PID:4484
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵PID:1248
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵PID:1144
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵PID:5004
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵PID:4644
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵PID:2592
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵PID:5084
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c4⤵PID:3892
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb614⤵PID:1968
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1392
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:2284
-
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin.exe DELETE SYSTEMSTATEBACKUP4⤵
- Deletes System State backups
- Drops file in Windows directory
PID:4012
-
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin.exe delete catalog -quiet4⤵
- Deletes backup catalog
PID:4460
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"4⤵
- Opens file in notepad (likely ransom note)
PID:740
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security4⤵
- Clears Windows event logs
PID:1328
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system4⤵
- Clears Windows event logs
PID:3980
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application4⤵
- Clears Windows event logs
PID:3044
-
-
-
-
C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:2932

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:5060

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4444

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4548

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:2680

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:2548

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:660

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:1916

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4852

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4504

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
PID:3628

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
PID:832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
PID:4184

C:\Windows\System32\Systray.exe
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:2468
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads