Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2024, 08:06
Static task
static1
Behavioral task
behavioral1
Sample
ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8N.exe
Resource
win10v2004-20241007-en
General
- Target: ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8N.exe
- Size: 347KB
- MD5: b6cb419d72a573297ec3810c011bc1a0
- SHA1: 51fa6be53a9bd15652423f6e764aa9fb0c735891
- SHA256: ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8
- SHA512: 0c88b77194bd2477f4254466066ffc2a5743a42f8ea4c65c16a31d1f9c84d4d3c655680ee90dd8ac7bf35d0fe7ca1813251091a090ed146378070e4ebbf4e65b
- SSDEEP: 6144:Dp87yuVz45Rx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:DuXex4brRGFB24lwR45FB24lEk
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs
Berbew family
Executes dropped EXE 15 IoCs
pid Process
624 Aqbdkk32.exe
1028 Bkhhhd32.exe
2504 Bbbpenco.exe
3056 Bmnnkl32.exe
2220 Ccmpce32.exe
2924 Cbblda32.exe
2664 Cebeem32.exe
536 Cjonncab.exe
1340 Ceebklai.exe
236 Cgcnghpl.exe
1048 Cjakccop.exe
1516 Cegoqlof.exe
2952 Cgfkmgnj.exe
2188 Dnpciaef.exe
3024 Dpapaj32.exe
Loads dropped DLL 30 IoCs
Drops file in System32 directory 45 IoCs
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Edggmg32.¾ll Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 53 IoCs
Suspicious use of WriteProcessMemory 60 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8N.exe" (depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 956

C:\Windows\SysWOW64\Aqbdkk32.exe
Command line: C:\Windows\system32\Aqbdkk32.exe (depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 624

C:\Windows\SysWOW64\Bkhhhd32.exe
Command line: C:\Windows\system32\Bkhhhd32.exe (depth 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1028

C:\Windows\SysWOW64\Bbbpenco.exe
Command line: C:\Windows\system32\Bbbpenco.exe (depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2504

C:\Windows\SysWOW64\Bmnnkl32.exe
Command line: C:\Windows\system32\Bmnnkl32.exe (depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3056

C:\Windows\SysWOW64\Ccmpce32.exe
Command line: C:\Windows\system32\Ccmpce32.exe (depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2220

C:\Windows\SysWOW64\Cbblda32.exe
Command line: C:\Windows\system32\Cbblda32.exe (depth 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2924

C:\Windows\SysWOW64\Cebeem32.exe
Command line: C:\Windows\system32\Cebeem32.exe (depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2664

C:\Windows\SysWOW64\Cjonncab.exe
Command line: C:\Windows\system32\Cjonncab.exe (depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 536

C:\Windows\SysWOW64\Ceebklai.exe
Command line: C:\Windows\system32\Ceebklai.exe (depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1340

C:\Windows\SysWOW64\Cgcnghpl.exe
Command line: C:\Windows\system32\Cgcnghpl.exe (depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 236

C:\Windows\SysWOW64\Cjakccop.exe
Command line: C:\Windows\system32\Cjakccop.exe (depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1048

C:\Windows\SysWOW64\Cegoqlof.exe
Command line: C:\Windows\system32\Cegoqlof.exe (depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1516

C:\Windows\SysWOW64\Cgfkmgnj.exe
Command line: C:\Windows\system32\Cgfkmgnj.exe (depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2952

C:\Windows\SysWOW64\Dnpciaef.exe
Command line: C:\Windows\system32\Dnpciaef.exe (depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2188

C:\Windows\SysWOW64\Dpapaj32.exe
Command line: C:\Windows\system32\Dpapaj32.exe (depth 16)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3024
Network
MITRE ATT&CK Enterprise v15
Downloads