Analysis
-
max time kernel
14s -
max time network
40s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
09-10-2024 08:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe
Resource
win7-20240729-en
windows7-x64
24 signatures
150 seconds
General
-
Target
21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe
-
Size
232KB
-
MD5
1240c2b02ccf18357e1bff94f0b4afdc
-
SHA1
62dba22a7214051e7f6d21df13dca10d551364ce
-
SHA256
21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c
-
SHA512
8c357fd51281e9954fa8a654fe2f7c150624c05646fcb29e547df84cb3b6fcd05b92e192e2dd7c1027e246dfaae671e0f67f6300d21f92cafdb239bc96c9161a
-
SSDEEP
3072:Wn+htWMtf+7GZYGVA2QJgi8xJLDoUiLGCHObD+g6jBRnRvtrmBT0FHm:oEGqZYGVd82PD2yLIRnBtaBTcG
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Detects Bdaejec Backdoor. 3 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral1/memory/2900-17-0x0000000000AF0000-0x0000000000AF9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/3064-98-0x0000000001000000-0x0000000001009000-memory.dmp family_bdaejec_backdoor behavioral1/memory/2900-97-0x0000000000AF0000-0x0000000000AF9000-memory.dmp family_bdaejec_backdoor -
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Stuvwx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Stuvwx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Stuvwx.exe -
Fatal Rat payload 5 IoCs
resource yara_rule behavioral1/memory/1656-47-0x0000000010000000-0x000000001001C000-memory.dmp fatalrat behavioral1/memory/1656-64-0x0000000000400000-0x000000000043B000-memory.dmp fatalrat behavioral1/memory/2708-255-0x0000000000400000-0x000000000043B000-memory.dmp fatalrat behavioral1/memory/1740-281-0x0000000000400000-0x000000000043B000-memory.dmp fatalrat behavioral1/memory/1740-367-0x0000000000400000-0x000000000043B000-memory.dmp fatalrat -
resource yara_rule behavioral1/files/0x00080000000120fd-9.dat aspack_v212_v242 -
Executes dropped EXE 3 IoCs
pid Process 2900 alkFi.exe 2708 Stuvwx.exe 3064 alkFi.exe -
Loads dropped DLL 4 IoCs
pid Process 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 2708 Stuvwx.exe 2708 Stuvwx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" Stuvwx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc Stuvwx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" Stuvwx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Stuvwx.exe -
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened (read-only) \??\L: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened (read-only) \??\M: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened (read-only) \??\E: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened (read-only) \??\H: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened (read-only) \??\J: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened (read-only) \??\K: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened (read-only) \??\N: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened (read-only) \??\E: Stuvwx.exe File opened (read-only) \??\G: 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat alkFi.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\k1[1].rar alkFi.exe -
resource yara_rule behavioral1/memory/1656-38-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-40-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-37-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-20-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-15-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-12-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-13-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-14-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-8-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-19-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-45-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-46-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-58-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-59-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-60-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-62-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-63-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-67-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-66-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1656-75-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/2708-91-0x0000000000540000-0x00000000015CE000-memory.dmp upx behavioral1/memory/2708-96-0x0000000000540000-0x00000000015CE000-memory.dmp upx behavioral1/memory/2708-94-0x0000000000540000-0x00000000015CE000-memory.dmp upx behavioral1/memory/2708-93-0x0000000000540000-0x00000000015CE000-memory.dmp upx behavioral1/memory/1656-200-0x00000000006A0000-0x000000000172E000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe alkFi.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe alkFi.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe alkFi.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE alkFi.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe alkFi.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe alkFi.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe alkFi.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe alkFi.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE alkFi.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe alkFi.exe File opened for modification C:\Program Files\Java\jre7\bin\java.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe alkFi.exe File opened for modification C:\Program Files\Windows Journal\Journal.exe alkFi.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe alkFi.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe alkFi.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe alkFi.exe File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe alkFi.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE alkFi.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe alkFi.exe File opened for modification C:\Program Files\Windows Mail\wabmig.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe alkFi.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe alkFi.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe alkFi.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe alkFi.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe alkFi.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe alkFi.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe alkFi.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe alkFi.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe alkFi.exe File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe alkFi.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe alkFi.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe alkFi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe alkFi.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Stuvwx.exe 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened for modification C:\Windows\Stuvwx.exe 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe File opened for modification C:\Windows\SYSTEM.INI 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Stuvwx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alkFi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alkFi.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_258 = "4227859878" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_27 = "3838471105" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_47 = "2051935252" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_96 = "2671869728" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_139 = "3359828536" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_170 = "4284042253" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_61 = "400318423" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_101 = "1155672804" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_154 = "3122904046" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_223 = "1956304758" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_33 = "3737027507" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_132 = "2582794401" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_270 = "4008402851" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_280 = "992588488" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_239 = "1878749510" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_100 = "4052586053" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_115 = "3765586528" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_125 = "749911987" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_215 = "3540217500" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_222 = "541548861" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_98 = "1206397553" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_98 = "1189829615" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_169 = "2869295051" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-50721799 = "0" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_3 = "4244254259" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_85 = "855206619" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_199 = "2362077061" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_253 = "1465658670" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_15 = "4164244369" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_64 = "349590720" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_138 = "1978485911" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_165 = "2508256049" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_234 = "338671829" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_20 = "2694291522" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_175 = "2767853024" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_4 = "1410191389" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_27 = "3662222949" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_100 = "4035896428" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_104 = "1104955832" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_145 = "3275069443" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_281 = "2407339267" Stuvwx.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings alkFi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_47 = "2068670013" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_139 = "1330098767" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_186 = "3743896081" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_282 = "3822085486" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_11 = "2677328230" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_97 = "4086618227" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_153 = "67628518" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_293 = "2187743702" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_28 = "4070238801" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_49 = "1473328314" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_114 = "818110612" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_229 = "1854859071" Stuvwx.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix alkFi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_87 = "2840604956" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_121 = "3680841442" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_126 = "2164649761" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_168 = "1471280209" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_287 = "2254754009" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_103 = "3985173458" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_111 = "4269568141" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_193 = "3547428810" Stuvwx.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_45 = "1598608590" Stuvwx.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 2708 Stuvwx.exe 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 2708 Stuvwx.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 2708 Stuvwx.exe Token: SeDebugPrivilege 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Token: SeDebugPrivilege 2708 Stuvwx.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2900 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 30 PID 1656 wrote to memory of 2900 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 30 PID 1656 wrote to memory of 2900 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 30 PID 1656 wrote to memory of 2900 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 30 PID 1656 wrote to memory of 1292 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 19 PID 1656 wrote to memory of 1360 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 20 PID 1656 wrote to memory of 1388 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 21 PID 1656 wrote to memory of 1028 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 25 PID 1656 wrote to memory of 2900 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 30 PID 1656 wrote to memory of 2900 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 30 PID 2708 wrote to memory of 3064 2708 Stuvwx.exe 33 PID 2708 wrote to memory of 3064 2708 Stuvwx.exe 33 PID 2708 wrote to memory of 3064 2708 Stuvwx.exe 33 PID 2708 wrote to memory of 3064 2708 Stuvwx.exe 33 PID 2708 wrote to memory of 1292 2708 Stuvwx.exe 19 PID 2708 wrote to memory of 1360 2708 Stuvwx.exe 20 PID 2708 wrote to memory of 1388 2708 Stuvwx.exe 21 PID 2708 wrote to memory of 1028 2708 Stuvwx.exe 25 PID 2708 wrote to memory of 1656 2708 Stuvwx.exe 29 PID 2708 wrote to memory of 2900 2708 Stuvwx.exe 30 PID 1656 wrote to memory of 1292 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 19 PID 1656 wrote to memory of 1360 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 20 PID 1656 wrote to memory of 1388 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 21 PID 1656 wrote to memory of 1028 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 25 PID 1656 wrote to memory of 2900 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 30 PID 1656 wrote to memory of 2900 1656 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe 30 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Stuvwx.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1292
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1360
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe"C:\Users\Admin\AppData\Local\Temp\21774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\alkFi.exeC:\Users\Admin\AppData\Local\Temp\alkFi.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\131a76ff.bat" "4⤵PID:2932
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1028
-
C:\Windows\Stuvwx.exeC:\Windows\Stuvwx.exe1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2708 -
C:\Windows\TEMP\alkFi.exeC:\Windows\TEMP\alkFi.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3064
-
-
C:\Windows\Stuvwx.exeC:\Windows\Stuvwx.exe Win72⤵PID:1740
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
272KB
MD5f0a669d49b8f0fc4c309c195295cbfda
SHA1ed36767cae9665ce44e3506a918f423196203995
SHA256d3240db00595da121683548f0839d0306532a7d6258845063d3169f91edb8416
SHA51247178199d633976b933807e3aa1aa1d6eaaab875b1bd0c0143a79d67fe8526a42e652e271f5f71953498bedff4a1a72b872873b092bf98c4cee5540936bff5fc
-
Filesize
31KB
MD592a5aee49da3baf414468c79182df6b4
SHA1c1623fff4c6575a67185ab76284786d3a1eac663
SHA256fb08ed133c9ea109c6e9ade968844e50e127c26f3caf89c1d9626af881311060
SHA512d9c40153e0fc431127a25395f099e789ceaa6262e7a57e07524a1f97158f1f53d1461062c574b45a86c4b1848dd101bcb939b95d347324c2322e135870ebd1f2
-
Filesize
185B
MD58b4c797d6339ddfe288e2eba2cc894b4
SHA1e47469a1d3fe4aa19fc6e82e54c86ecaab9262bc
SHA256ba0a0cff5b6340ed637834f4335dfec15c4428c28b5fcf0e068a589ce69d8164
SHA5123b7f8214fbccc468e427538c16805101f8f2fd4904b0814d779c5059d818ea29bfbd3694022e86edd4772a30fc31472eff94d10ece4d463d7e25394bc7e0f5b9
-
Filesize
4B
MD520879c987e2f9a916e578386d499f629
SHA1c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA2569f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
Filesize
257B
MD5609fc84c38f1a89502daff75030cae33
SHA11a0413325f97267a4b1b000daa7ae3c74fa449b2
SHA256a49364db50d78b935fe266f3128a1d2a853e868ae6077b1af7a69edd2bd23833
SHA512d315add977a7b6a8a8504692028f631cfa4cfa26993361ca09e57f8f954a79a199ba0642ec8d368e21dc8953dab154320bd7a6315b415209ffbc387ac34e9189
-
Filesize
232KB
MD51240c2b02ccf18357e1bff94f0b4afdc
SHA162dba22a7214051e7f6d21df13dca10d551364ce
SHA25621774c4738539daf6f2e348afe5159d9a5e8e85b034acb239176ce27bebffb9c
SHA5128c357fd51281e9954fa8a654fe2f7c150624c05646fcb29e547df84cb3b6fcd05b92e192e2dd7c1027e246dfaae671e0f67f6300d21f92cafdb239bc96c9161a