Overview
overview
10Static
static
100f178bc093...35.exe
windows7-x64
100f178bc093...35.exe
windows10-2004-x64
101b109db549...18.exe
windows7-x64
101b109db549...18.exe
windows10-2004-x64
101dbe9f9565...92.exe
windows7-x64
101dbe9f9565...92.exe
windows10-2004-x64
101e3bf358c7...70.exe
windows7-x64
101e3bf358c7...70.exe
windows10-2004-x64
1026b6a9fecf...39.exe
windows7-x64
1026b6a9fecf...39.exe
windows10-2004-x64
10286bffaa9c...3f.exe
windows7-x64
10286bffaa9c...3f.exe
windows10-2004-x64
10410c884d88...77.exe
windows7-x64
10410c884d88...77.exe
windows10-2004-x64
105072678821...db.exe
windows7-x64
105072678821...db.exe
windows10-2004-x64
1069d9dd7fdd...97.exe
windows7-x64
1069d9dd7fdd...97.exe
windows10-2004-x64
1076a77def28...78.exe
windows7-x64
1076a77def28...78.exe
windows10-2004-x64
1091d1ab6c30...31.exe
windows7-x64
1091d1ab6c30...31.exe
windows10-2004-x64
10ca57455fd1...75.exe
windows7-x64
10ca57455fd1...75.exe
windows10-2004-x64
10e3f236e4ae...77.exe
windows7-x64
10e3f236e4ae...77.exe
windows10-2004-x64
10faa3453ceb...69.exe
windows7-x64
10faa3453ceb...69.exe
windows10-2004-x64
10ffbb6c4d8d...4d.exe
windows7-x64
10ffbb6c4d8d...4d.exe
windows10-2004-x64
10Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28-12-2024 23:40
Behavioral task
behavioral1
Sample
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral2
Sample
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral3
Sample
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Resource
win7-20241010-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral4
Sample
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral5
Sample
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe
Resource
win7-20240903-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral6
Sample
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral7
Sample
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe
Resource
win7-20240903-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral8
Sample
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
25 signatures
150 seconds
Behavioral task
behavioral9
Sample
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe
Resource
win7-20240708-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral10
Sample
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral11
Sample
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral12
Sample
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral13
Sample
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
Resource
win7-20241010-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral14
Sample
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral15
Sample
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe
Resource
win7-20240903-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral16
Sample
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral17
Sample
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Resource
win7-20241023-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral18
Sample
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral19
Sample
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe
Resource
win7-20240903-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral20
Sample
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
21 signatures
150 seconds
Behavioral task
behavioral21
Sample
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
Resource
win7-20240729-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral22
Sample
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
26 signatures
150 seconds
Behavioral task
behavioral23
Sample
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe
Resource
win7-20240903-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral24
Sample
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral25
Sample
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe
Resource
win7-20240708-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral26
Sample
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral27
Sample
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral28
Sample
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral29
Sample
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
Resource
win7-20240903-en
windows7-x64
32 signatures
150 seconds
Behavioral task
behavioral30
Sample
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
32 signatures
150 seconds
General
-
Target
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
-
Size
762KB
-
MD5
a04a99d946fb08b2f65ba664ad7faebd
-
SHA1
1fe7e2f8fbd98d6b5505fd9ee66da5b4f11720a1
-
SHA256
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869
-
SHA512
1afde06049a7132e552681a71f74fbb09ac5b26e05c0570af95de0ce4484eb647f2afb781c0683fdba6cb37daacf1c6be690b5208df477158a4d8d45e4c2e374
-
SSDEEP
12288:S1kx1gjdatSK411nhuGvv6DuQ4yPcFy62eaFsvXPAVVRSPq2hv:S1kfoatSK41dhuGvQgy6GWQxSv
Malware Config
Extracted
Path
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
Family
lockbit
Ransom Note
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?C841D0BEAB3F0D59A74326F99B316385
This link only works in Tor Browser!
| 3. Follow the instructions on this page
### Attention! ###
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
URLs
http://lockbitks2tvnmwk.onion/?C841D0BEAB3F0D59A74326F99B316385
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 872 bcdedit.exe 3212 bcdedit.exe -
Renames multiple (6440) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 4340 wbadmin.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe\"" faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-200.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-100.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-white.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_24x20.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-100_contrast-black.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\10px.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_contrast-high.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-200.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\share.svg faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\ui-strings.js faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-125.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\bookmark_empty_state.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\Restore-My-Files.txt faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-200.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_altform-unplated_contrast-black.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-100.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\Restore-My-Files.txt faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\Restore-My-Files.txt faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-100_contrast-black.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48_altform-unplated.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-150.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\Restore-My-Files.txt faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxManifest.xml faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-125.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\162.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\webviewCore.min.js faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\VideoLAN\VLC\skins\default.vlt faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-100.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\Restore-My-Files.txt faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\resources.pri faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_SplashScreen.scale-100.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\View3DConfig.json faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.winmd faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-100.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\Restore-My-Files.txt faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderBlack.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-125.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\Restore-My-Files.txt faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-200.png faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3120 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe Token: SeDebugPrivilege 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe Token: SeBackupPrivilege 4220 vssvc.exe Token: SeRestorePrivilege 4220 vssvc.exe Token: SeAuditPrivilege 4220 vssvc.exe Token: SeIncreaseQuotaPrivilege 5016 WMIC.exe Token: SeSecurityPrivilege 5016 WMIC.exe Token: SeTakeOwnershipPrivilege 5016 WMIC.exe Token: SeLoadDriverPrivilege 5016 WMIC.exe Token: SeSystemProfilePrivilege 5016 WMIC.exe Token: SeSystemtimePrivilege 5016 WMIC.exe Token: SeProfSingleProcessPrivilege 5016 WMIC.exe Token: SeIncBasePriorityPrivilege 5016 WMIC.exe Token: SeCreatePagefilePrivilege 5016 WMIC.exe Token: SeBackupPrivilege 5016 WMIC.exe Token: SeRestorePrivilege 5016 WMIC.exe Token: SeShutdownPrivilege 5016 WMIC.exe Token: SeDebugPrivilege 5016 WMIC.exe Token: SeSystemEnvironmentPrivilege 5016 WMIC.exe Token: SeRemoteShutdownPrivilege 5016 WMIC.exe Token: SeUndockPrivilege 5016 WMIC.exe Token: SeManageVolumePrivilege 5016 WMIC.exe Token: 33 5016 WMIC.exe Token: 34 5016 WMIC.exe Token: 35 5016 WMIC.exe Token: 36 5016 WMIC.exe Token: SeIncreaseQuotaPrivilege 5016 WMIC.exe Token: SeSecurityPrivilege 5016 WMIC.exe Token: SeTakeOwnershipPrivilege 5016 WMIC.exe Token: SeLoadDriverPrivilege 5016 WMIC.exe Token: SeSystemProfilePrivilege 5016 WMIC.exe Token: SeSystemtimePrivilege 5016 WMIC.exe Token: SeProfSingleProcessPrivilege 5016 WMIC.exe Token: SeIncBasePriorityPrivilege 5016 WMIC.exe Token: SeCreatePagefilePrivilege 5016 WMIC.exe Token: SeBackupPrivilege 5016 WMIC.exe Token: SeRestorePrivilege 5016 WMIC.exe Token: SeShutdownPrivilege 5016 WMIC.exe Token: SeDebugPrivilege 5016 WMIC.exe Token: SeSystemEnvironmentPrivilege 5016 WMIC.exe Token: SeRemoteShutdownPrivilege 5016 WMIC.exe Token: SeUndockPrivilege 5016 WMIC.exe Token: SeManageVolumePrivilege 5016 WMIC.exe Token: 33 5016 WMIC.exe Token: 34 5016 WMIC.exe Token: 35 5016 WMIC.exe Token: 36 5016 WMIC.exe Token: SeBackupPrivilege 1936 wbengine.exe Token: SeRestorePrivilege 1936 wbengine.exe Token: SeSecurityPrivilege 1936 wbengine.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3532 wrote to memory of 4148 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 91 PID 3532 wrote to memory of 4148 3532 faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe 91 PID 4148 wrote to memory of 3120 4148 cmd.exe 93 PID 4148 wrote to memory of 3120 4148 cmd.exe 93 PID 4148 wrote to memory of 5016 4148 cmd.exe 96 PID 4148 wrote to memory of 5016 4148 cmd.exe 96 PID 4148 wrote to memory of 872 4148 cmd.exe 97 PID 4148 wrote to memory of 872 4148 cmd.exe 97 PID 4148 wrote to memory of 3212 4148 cmd.exe 99 PID 4148 wrote to memory of 3212 4148 cmd.exe 99 PID 4148 wrote to memory of 4340 4148 cmd.exe 100 PID 4148 wrote to memory of 4340 4148 cmd.exe 100 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe"C:\Users\Admin\AppData\Local\Temp\faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3120
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:872
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:3212
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:4340
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4640
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2896
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
960B
MD56271d1fa72e550c242029aa9cfb2d40c
SHA131ff24e34b3075f4b699c1188f43fdfa63190eb8
SHA25649d947f611c7781fcb4135527dc62e1795636e5a8e3745b199304bf567f5acd0
SHA5121facada6701a9baf88664df2a30a54683499f2531bf4299473cd646ef2f48b5bd32c9d7d56fdbfb190ee2d876f7b4115769d51ec42756e6323acb0b48338d0f6