Analysis Overview
SHA256: a9c2ceb933f283ace77d83eb3d8cfd497675dea59e11069ebe89c3f9035c878b
Threat Level: Known bad
The file da0a59474c6e5ea11965c20a57651037_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Loads dropped DLL
UPX packed file
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-09-11 09:19
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-11 09:19
Reported: 2024-09-11 09:21
Platform: win7-20240903-en
Max time kernel: 148s
Max time network: 148s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I}\StubPath = "C:\\Windows\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I} | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I} | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe" |
| C:\Windows\install\server.exe | "C:\Windows\install\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-09-11 09:19
Reported: 2024-09-11 09:21
Platform: win10v2004-20240802-en
Max time kernel: 147s
Max time network: 149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I}\StubPath = "C:\\Windows\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I} | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FQ1GNFW-PH15-HF18-1B32-E0F63TX8326I} | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\install\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\install\server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\da0a59474c6e5ea11965c20a57651037_JaffaCakes118.exe" |
| C:\Windows\install\server.exe | "C:\Windows\install\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3080 -ip 3080 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 576 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |