Analysis Overview
SHA256
b217b5ea2241fd7e935b1338c125dbb065d3aa4fcc8dbea51caf8d21f03ffe9a
Threat Level: Known bad
The file 9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Boot or Logon Autostart Execution: Active Setup (T1547.014)
Adds policy Run key to start application (Policies\Explorer\Run, T1547.001)
Checks computer location settings (T1614; behavioral2 run only)
Executes dropped EXE
Loads dropped DLL
UPX packed file (T1027.002)
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery (T1614.001)
Program crash (behavioral2 run only; the installed C:\directory\CyberGate\install\server.exe copy, see the WerFault entries)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 16:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 16:05
Reported
2024-11-25 16:08
Platform
win7-20240903-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N} | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
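The two value writes above are the sample's persistence, and the behavioral2 run repeats them unchanged: a value named "Policies" under Policies\Explorer\Run in both HKLM and the user's HKU hive, plus an Active Setup component whose StubPath relaunches the installed copy with a "Restart" argument. The Active Setup component id {O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N} contains letters that cannot occur in a GUID, which is a hunting indicator in its own right. The following is an added example, not part of the sandbox report or of CyberGate: a Python check that takes registry-event rows in the format of these tables, extracts the command each autostart entry will launch, and reports the hive and the GUID check. The event rows are copied from the behavioral1 tables; the final "Key opened" row is a constructed negative control.

```python
"""Added example, not part of the sandbox report or of CyberGate itself:
flag the autostart entries this report records for server.exe from rows in
the format of its registry tables. The event rows are copied from the
behavioral1 tables; the last 'Key opened' row is a constructed negative control."""
import re
from dataclasses import dataclass

# (description, indicator, process), as the report prints them. The report
# doubles backslashes inside quoted value data.
SAMPLE_EVENTS = [
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     r"C:\Users\Admin\AppData\Local\Temp\server.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\server.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\server.exe"),
    ("Key created",
     r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N}",
     r"C:\Users\Admin\AppData\Local\Temp\server.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"',
     r"C:\Users\Admin\AppData\Local\Temp\server.exe"),
    ("Key opened",  # constructed control: discovery, not persistence
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     r"C:\Users\Admin\AppData\Local\Temp\server.exe"),
]

VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# Command line in a Run/StubPath value: quoted path, or bare path up to the first ".exe".
CMD_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.exe))\s*(?P<args>.*)$', re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    hive: str
    key: str
    exe: str
    args: str
    writer: str
    note: str


def parse_value_event(indicator):
    """Split 'key\\name = "data"' into (key, name, data), un-doubling the
    backslashes the report escapes inside the quoted data."""
    m = VALUE_RE.match(indicator)
    if m is None:
        return None
    return m.group("key"), m.group("name"), m.group("data").replace("\\\\", "\\")


def split_command(data):
    """Return (exe, args) for a Run/StubPath command line."""
    m = CMD_RE.match(data)
    if m is None:
        return data, ""
    return (m.group("quoted") or m.group("bare")), m.group("args")


def hive_of(key):
    """HKLM entries fire for every user, HKU\\<SID> entries for that user only."""
    k = key.upper()
    if k.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    if k.startswith("\\REGISTRY\\USER\\"):
        return "HKU"
    return "?"


def detect_autostart(events):
    """Return one Finding per value write that installs an autostart entry."""
    findings = []
    for desc, indicator, proc in events:
        if not desc.startswith("Set value"):
            continue  # key creates/opens carry no command line; only value writes do
        parsed = parse_value_event(indicator)
        if parsed is None:
            continue
        key, name, data = parsed
        k = key.upper()
        exe, args = split_command(data)
        if k.endswith("\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN"):
            findings.append(Finding(
                "T1547.001 Policies\\Explorer\\Run", hive_of(key), key, exe, args, proc,
                f"value {name!r}; this is a separate location from CurrentVersion\\Run, "
                "so a hunt that reads only the usual Run keys misses it"))
        elif "\\ACTIVE SETUP\\INSTALLED COMPONENTS\\" in k and name.upper() == "STUBPATH":
            component = key.rsplit("\\", 1)[1]
            if GUID_RE.match(component):
                shape = "component id is a well-formed GUID"
            else:
                shape = f"component id {component} is not a valid GUID (non-hex characters)"
            findings.append(Finding(
                "T1547.014 Active Setup StubPath", hive_of(key), key, exe, args, proc,
                shape + "; StubPath runs at the next logon of each user who has no "
                "matching entry under HKCU"))
    return findings


if __name__ == "__main__":
    for f in detect_autostart(SAMPLE_EVENTS):
        print(f"{f.technique} [{f.hive}] -> {f.exe} {f.args}".rstrip())
        print(f"    written by {f.writer}: {f.note}")
```

Run against the rows above it yields three findings, all launching c:\directory\CyberGate\install\server.exe: the HKLM and HKU policy Run values (no arguments) and the HKLM Active Setup StubPath (argument "Restart", component id rejected as a GUID). On a live host the same three locations are what to pull, remembering that a 32-bit writer on 64-bit Windows lands the Active Setup key under Wow6432Node, exactly as both runs show.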
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (signature matched 15 times; no per-match detail recorded) | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | www.server.com | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 13 |
Files
memory/268-0-0x000007FEF592E000-0x000007FEF592F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b4c2453ec83037d2cb018903469ae3d2 |
| SHA1 | f7a0d3dc15fdfb932ec252ab68a86e59f32e5f01 |
| SHA256 | c65bd349584d41d031e0177a9ce6ae77457c5513dbeb281358c3ac5509202bfe |
| SHA512 | 911264c770ad94468c6e652b4dacdc2c9a040697cf1e5b7a743e6588c834365be53fbc9881cd95ceaebb3290a2527ab60e7837bcfd4a6475f5f59e0c053ac7aa |
memory/268-12-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
memory/2332-17-0x0000000000400000-0x000000000049F000-memory.dmp
memory/268-16-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe
| MD5 | 105e2de7ff993e325b0afbc8bd9085a7 |
| SHA1 | ee9eb98832870352141c680934ea3caa98dce6a3 |
| SHA256 | 8d01394f944bc4b98cab4623ed4a0beaa2d70bf781c15f1db61c89e1b12bd16c |
| SHA512 | eb4042aaa98831ca32738029ecb3885b07255a23f6738cdc32583a1770a4e375c314c133abc7b3946f9e93b4cf747b7c32bc30b962222758000ca881d78772f0 |
memory/2060-13-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2332-23-0x0000000000280000-0x000000000031F000-memory.dmp
memory/2332-22-0x0000000000280000-0x000000000031F000-memory.dmp
memory/2332-21-0x0000000000280000-0x000000000031F000-memory.dmp
memory/268-24-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
memory/2060-33-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/2060-28-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2768-40-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2768-52-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2060-50-0x0000000000220000-0x0000000000278000-memory.dmp
memory/2768-49-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2768-34-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 8036fb4553ba25098196cc66f530bda3 |
| SHA1 | aed57d29093099db4e42766b72190a5d0aca8eeb |
| SHA256 | 0069f112b5a0c7ef77275e1c965873e993359e47676ef1db053b96c5c346bbdf |
| SHA512 | 05d610ee1089c77c39d24111fb724e5de7e6733cace00d6ecc2dd6110ee4e0a12e4197179f92b423159f4415352a4855d319674be7e9e9471dede4e3ded526c6 |
memory/2888-370-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2060-369-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/2768-389-0x0000000005050000-0x00000000050A8000-memory.dmp
memory/2516-392-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2768-390-0x0000000005050000-0x00000000050A8000-memory.dmp
memory/2332-396-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2332-397-0x0000000000280000-0x000000000031F000-memory.dmp
memory/2332-398-0x0000000000280000-0x000000000031F000-memory.dmp
memory/2888-400-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2516-402-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2768-403-0x0000000005050000-0x00000000050A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1c30bb12a97ca0191cf1570ed38a6475 |
| SHA1 | edd4d1bce431d2847723eaf23c139fdca75998a4 |
| SHA256 | c4cd3d9555d27784ec3815bb47f4e84134b1ec0e064d13dbbc3e6c46e2f79105 |
| SHA512 | 4e39bb98161e7cd6fcac7404c32f07182005b5d2dce3cc8d1169210fa058b8b4667aa6e8942dd2a59581095765456a993d432e736fa24ee360c42f28d30a6985 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0d225c68cd3929211686a6b247b597bc |
| SHA1 | ad38259fded536242c118db718b4be62b312536c |
| SHA256 | 35a3be75e972ac80f5d759705843044fbe5bc257a1993339fa67ccd485079bc1 |
| SHA512 | c95708c495d49cf0c38e92715e6964fe59975f8117a784524899ab22864bc94bd0ae3910ed54a5117e2a46bf3f207e69e8710f248d2a34890ff493514de34552 |
memory/2332-500-0x0000000000400000-0x000000000049F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 67de8b393f82783ab52e2aa089b49a02 |
| SHA1 | 268e1d399a4bb97dca01d3caeaa241824a14bc59 |
| SHA256 | d8180698a61f6c255adc4e84aed9ca3376b2594c65dcd6d5a9a4a9f878d11670 |
| SHA512 | c88dc37a018ba0948c929d6fae1ee00fe37d2bf3754d993122a4cfcd0161b3b9813dd53a689290359b9115e11baf18be1f7a292d433bbaeedc5e7ac541ddda97 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 559f6b9a49b3798b723ccac46751a028 |
| SHA1 | 85f2972a30e497be55e949c74c65168616dbab7f |
| SHA256 | 3a900b817bd5b90f3d485517e938efa667ff6c61afea03e8bbface1844f4636b |
| SHA512 | 147c4da80f58d6c21add778fd10191643adf8016622215ed85c46efab4efa324b0d371478a585b68562698459d87e2fc76a66c70fce4f04b086a2d9b09088474 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4191ac91e3e58003dcdb3bf3234be668 |
| SHA1 | af99cca328704a1cc9870d3b972ff2e65885a6e3 |
| SHA256 | 950c2c1e504e3944a65baeb786172f89a725dddea1ab80ceeb5eeecdf4edb0a2 |
| SHA512 | 5ecdc3438e0a0241a86e1534c664fdf228abe489368f4764c54cdbb6e02d0f4b291f2b976d8211d30b63592df1038132c6de184fa53dede08fcad597d38b0a06 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 58680eb2aea34ab682b19d9ae420cfdb |
| SHA1 | 321fb8893600982bd28ed6d0ae3e0e1c4666c33b |
| SHA256 | 7deb7b47d76fcc7bdbd8b6c2f52d22a8469f31ab284abe59f82e511cdd28f16f |
| SHA512 | ef5f42e4bad18b134355582633f06613434f2b2b785abcd393f575c7ba5924a2478c59c8ae105ae05e2cee85a4d95fcd064cbab4a96c25ae21e8725311d60228 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c56e32a8722bec9b049d7878bf36fc0a |
| SHA1 | d10830d523c06146bf817aa0d456b19fd435e1b1 |
| SHA256 | 32f0f5f17352de603ec1db20e231311c880bfcc6eec708ac97b8c70945f5d41d |
| SHA512 | 76ff851212dbf0f1615c0e6e5d3a17b642db0cb7d368652ae9b033b77ada34c9b05a8b1609d1ccbf088fb345c720f3694613829e162723d6df716bd35d17936e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fd3345b62bd083a38a22c70960d82227 |
| SHA1 | bfee1bdcd960a4ce765595423c91dce82c0ff128 |
| SHA256 | 1b55cf216d1cb70dd5228a4d3e985480d998f5ead357879deb53115653dbd555 |
| SHA512 | ef454944a042f3ef8a82c7c05a626f6f5f1b56bb9fa9c22d42e0ea4a501c8328e737304f297d9cf15b564aa92db15a5a671e6e8285908a11b1d84c80ca7b30bd |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 057b19fbe0313974e9e9e05f989c7d5a |
| SHA1 | 493815a61fa40d01ddcdb30c22d35cd36720d6d4 |
| SHA256 | d0d247fb801979e92904003992916a67203c91b567af678c4c53f46792d275c8 |
| SHA512 | 6e511a0f4ddf16093c01db7afd93d76ddc70e88c940101666d1e1f8acfedd6b467e406fd8aca6a22994b8c4316da2042436f52bb6779e7333dfcd2d3fb72d68c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4bc397ef89114eea542b917ae4705f8e |
| SHA1 | f3d8f5e677c78956ed8634e52d315d8e653ea49d |
| SHA256 | 06c587ae46e8b63b0421bb030db721c8a93ee4b85ec3b0ad8ad72ad073eca50e |
| SHA512 | 403cdc0af5dbb902415ddc91c11d655b24e1d5d85299f9aefbeb826a7bb3c74bccfcf04c942d01cf41a25b4f0fb16cff24d1a7c53865e1beb198016473ae5744 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f394ed6152663fe6a7899eadf89231ea |
| SHA1 | af067a6f680d5accd0422def09a11595ba51d23f |
| SHA256 | 305dc23393ebeaf7195d56ff74a5684d6b48fb5dcee1d932e51be1342ecaea35 |
| SHA512 | 81bf5a2560575fd14b36f38cd242ec8a56378024781bc5d6aeaeb71c694d08dad2671a21959af58340d00b6ecde278dd08220e9c2c4f65d7142d306a292b7b63 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cbb705b5c90bf2158e00e93842ce8439 |
| SHA1 | f632b1b5b672afe4bca242dab80f4dc60ec090ac |
| SHA256 | 300b967e8f1fa5adb9301ca728aba3368cd302dfbd510ec069715f0001618b4b |
| SHA512 | b0b21db2632f9b2bc20457e73811ef540898cd35aae966d12e19834a79bf7d98559e6999be763ed7a5b7c1ddc3aa28f66ccec2d49599948fa9699d52a7606395 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 93a22fb8ba2c0c34403c0f1f82f1c96d |
| SHA1 | 5dbc4337983e72cd9413ea64d81cd65ef30f38db |
| SHA256 | dd9207bf575506ab6a2409cbf3210a24a0bb1d05c82f2d8dc948cbc42a0bd068 |
| SHA512 | 190b80f4330445336b69f4877151b053e3ab953a78edd87a9e4ff93d811cbd9359dcbd028c2dae4d8fcd45ed99de00107eb68e24f2ccd95cec83754975e2eb83 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1591eb0454e2b152fa2b1780fdce1b35 |
| SHA1 | c0ca61d18d0503a5731acd005be3fdd46c140832 |
| SHA256 | da615d4c9170a4a01c0ad7549abb42a1c0a2b87d6c1b6d605d5553215d5523cd |
| SHA512 | 6f13154fbe2db7b3eac314b6226dfb00f7bd0529066c1d79d4416dadfd6fe7a6c70af4eab034e9fdae1f0da366a64cb91588fc0239df108cc25bc755d2a0cd2e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | dcc41ede84ea2c314ef5818effadff08 |
| SHA1 | 486006c75a4804581d6490a10e0bee7b5ebd6476 |
| SHA256 | 5c3e83dd91e837b6ee926e5f83906b61f1145030754e6fe03532440b4c9babfb |
| SHA512 | 95ec1edf9c0187984b842a5882d88665d0a8a6ec263d1410553911e4eb5204eb8ced6495890016dd6f66484241ca687e5df76a23ec59727e6e482804bd81da78 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 15182f4d8bf2107639aab26d5587186f |
| SHA1 | 5297ca86d14adfb87d2464a78288583c48b766fa |
| SHA256 | 9329a371a1baa9f4e0edf51b3012c43ca886ededf4501564b40df172fcbeb548 |
| SHA512 | aae80852a308abbd8ca96038cd37e2b477a51a14f3599fb3ebf4dda9e114442ff241a1f9ea0b4971183f3a276351187c8be3f1e97cf3efbca88b9ab8059f753b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 92b586e31cd066892602e8c32c2decd9 |
| SHA1 | 1083a3adacd0319301a214d3e8ea46e32e140f7e |
| SHA256 | 59bd849c58540ae46071b9143a66f4cb6ad1acf414e27ccc90a56937be654d8d |
| SHA512 | 5b08b342743d98aade7bf7743f3a70c09b83b1597bc9a00769dbb5904bdce38b49d7a8eadcab312ac7d13fa164bdb2c9b513034809e252581e0b6113ff34fa28 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7437354ef2c5b1162a436442ddf5d481 |
| SHA1 | 140a1635f007745775f9fe140c6af491aa7abca2 |
| SHA256 | 135952843f0af0c63ee44000b87733e76ebbc323b235f0d2198e6cf0848ca1e2 |
| SHA512 | 12414f65523940226c7b410a5b437b92de8d1231e436bc38539b6d3e098d9baa1d8720c8522f69c0a8a488e412bfd4890bb16068df744c5aadf7897875a31fd5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a5b0e93c3d1159851c24fc6b2719cae3 |
| SHA1 | 784d8f4f72d439a91b2a887d429513ba080b2185 |
| SHA256 | 179e262d0ba82448bbf86813fb6e18dd5fddbd40b9a2670c328b63b9303c95bd |
| SHA512 | f3d7d6d18a7c5df95b6ef516543a5ed7a5a4dfdb7c287015babf999915f7e70e957d180b5c0820529f27592578b8d71715df0cd204f9a5b2174070daa186d0eb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9f68219f51c6322694b14769a7aa46c0 |
| SHA1 | aceb6102c868568cc15b53bb970db75fa0cebe73 |
| SHA256 | 8d737b0edba706bdda4c69f627a1b6da46d44d9cb6ad39e27e3e93b9a9d81e01 |
| SHA512 | 175be3a7531993f5bdf9f4726c4936bf2f68182201a3f9ca3d4c09aafa65711bbe4c37c081e0dfc6bd8f4bfaf132d2a463e6c5ec27451385018766190b1664dc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 16:05
Reported
2024-11-25 16:08
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N} | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O1CKK13E-7660-NSV2-Y1Y2-0357YD1AP17N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (signature matched 15 times; no per-match detail recorded) | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\directory\CyberGate\install\server.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\directory\CyberGate\install\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c8a51cb4d779dc24989313c6fe6f93f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 368 -ip 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 592
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | www.server.com | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 13 |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp | 1 |
The 11 in-addr.arpa queries are reverse (PTR) lookups of cloud and CDN addresses and are consistent with Windows 10 background traffic in the sandbox rather than anything the sample does. The only destination contacted in both runs is www.server.com (52.8.126.80) over TCP/80, 13 connections per run, a repeated-reconnect pattern; that host is the indicator to treat as the sample's configured C2.
Files
memory/452-0-0x00007FFFD72A5000-0x00007FFFD72A6000-memory.dmp
memory/452-1-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp
memory/452-2-0x000000001B730000-0x000000001B7D6000-memory.dmp
memory/452-4-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b4c2453ec83037d2cb018903469ae3d2 |
| SHA1 | f7a0d3dc15fdfb932ec252ab68a86e59f32e5f01 |
| SHA256 | c65bd349584d41d031e0177a9ce6ae77457c5513dbeb281358c3ac5509202bfe |
| SHA512 | 911264c770ad94468c6e652b4dacdc2c9a040697cf1e5b7a743e6588c834365be53fbc9881cd95ceaebb3290a2527ab60e7837bcfd4a6475f5f59e0c053ac7aa |
memory/4424-11-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WLMUninstaller.exe
| MD5 | 105e2de7ff993e325b0afbc8bd9085a7 |
| SHA1 | ee9eb98832870352141c680934ea3caa98dce6a3 |
| SHA256 | 8d01394f944bc4b98cab4623ed4a0beaa2d70bf781c15f1db61c89e1b12bd16c |
| SHA512 | eb4042aaa98831ca32738029ecb3885b07255a23f6738cdc32583a1770a4e375c314c133abc7b3946f9e93b4cf747b7c32bc30b962222758000ca881d78772f0 |
memory/1260-24-0x0000000000400000-0x000000000049F000-memory.dmp
memory/452-26-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp
memory/1260-27-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/4424-30-0x0000000010410000-0x0000000010475000-memory.dmp
memory/4872-36-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/4424-34-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4872-38-0x0000000000400000-0x0000000000458000-memory.dmp
memory/4872-35-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/4424-94-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4872-98-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 8036fb4553ba25098196cc66f530bda3 |
| SHA1 | aed57d29093099db4e42766b72190a5d0aca8eeb |
| SHA256 | 0069f112b5a0c7ef77275e1c965873e993359e47676ef1db053b96c5c346bbdf |
| SHA512 | 05d610ee1089c77c39d24111fb724e5de7e6733cace00d6ecc2dd6110ee4e0a12e4197179f92b423159f4415352a4855d319674be7e9e9471dede4e3ded526c6 |
memory/4424-122-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1260-123-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1260-124-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/368-126-0x0000000000400000-0x0000000000458000-memory.dmp
memory/4872-127-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4492-129-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 67de8b393f82783ab52e2aa089b49a02 |
| SHA1 | 268e1d399a4bb97dca01d3caeaa241824a14bc59 |
| SHA256 | d8180698a61f6c255adc4e84aed9ca3376b2594c65dcd6d5a9a4a9f878d11670 |
| SHA512 | c88dc37a018ba0948c929d6fae1ee00fe37d2bf3754d993122a4cfcd0161b3b9813dd53a689290359b9115e11baf18be1f7a292d433bbaeedc5e7ac541ddda97 |
memory/4492-190-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 559f6b9a49b3798b723ccac46751a028 |
| SHA1 | 85f2972a30e497be55e949c74c65168616dbab7f |
| SHA256 | 3a900b817bd5b90f3d485517e938efa667ff6c61afea03e8bbface1844f4636b |
| SHA512 | 147c4da80f58d6c21add778fd10191643adf8016622215ed85c46efab4efa324b0d371478a585b68562698459d87e2fc76a66c70fce4f04b086a2d9b09088474 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4191ac91e3e58003dcdb3bf3234be668 |
| SHA1 | af99cca328704a1cc9870d3b972ff2e65885a6e3 |
| SHA256 | 950c2c1e504e3944a65baeb786172f89a725dddea1ab80ceeb5eeecdf4edb0a2 |
| SHA512 | 5ecdc3438e0a0241a86e1534c664fdf228abe489368f4764c54cdbb6e02d0f4b291f2b976d8211d30b63592df1038132c6de184fa53dede08fcad597d38b0a06 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 58680eb2aea34ab682b19d9ae420cfdb |
| SHA1 | 321fb8893600982bd28ed6d0ae3e0e1c4666c33b |
| SHA256 | 7deb7b47d76fcc7bdbd8b6c2f52d22a8469f31ab284abe59f82e511cdd28f16f |
| SHA512 | ef5f42e4bad18b134355582633f06613434f2b2b785abcd393f575c7ba5924a2478c59c8ae105ae05e2cee85a4d95fcd064cbab4a96c25ae21e8725311d60228 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c56e32a8722bec9b049d7878bf36fc0a |
| SHA1 | d10830d523c06146bf817aa0d456b19fd435e1b1 |
| SHA256 | 32f0f5f17352de603ec1db20e231311c880bfcc6eec708ac97b8c70945f5d41d |
| SHA512 | 76ff851212dbf0f1615c0e6e5d3a17b642db0cb7d368652ae9b033b77ada34c9b05a8b1609d1ccbf088fb345c720f3694613829e162723d6df716bd35d17936e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fd3345b62bd083a38a22c70960d82227 |
| SHA1 | bfee1bdcd960a4ce765595423c91dce82c0ff128 |
| SHA256 | 1b55cf216d1cb70dd5228a4d3e985480d998f5ead357879deb53115653dbd555 |
| SHA512 | ef454944a042f3ef8a82c7c05a626f6f5f1b56bb9fa9c22d42e0ea4a501c8328e737304f297d9cf15b564aa92db15a5a671e6e8285908a11b1d84c80ca7b30bd |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 057b19fbe0313974e9e9e05f989c7d5a |
| SHA1 | 493815a61fa40d01ddcdb30c22d35cd36720d6d4 |
| SHA256 | d0d247fb801979e92904003992916a67203c91b567af678c4c53f46792d275c8 |
| SHA512 | 6e511a0f4ddf16093c01db7afd93d76ddc70e88c940101666d1e1f8acfedd6b467e406fd8aca6a22994b8c4316da2042436f52bb6779e7333dfcd2d3fb72d68c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4bc397ef89114eea542b917ae4705f8e |
| SHA1 | f3d8f5e677c78956ed8634e52d315d8e653ea49d |
| SHA256 | 06c587ae46e8b63b0421bb030db721c8a93ee4b85ec3b0ad8ad72ad073eca50e |
| SHA512 | 403cdc0af5dbb902415ddc91c11d655b24e1d5d85299f9aefbeb826a7bb3c74bccfcf04c942d01cf41a25b4f0fb16cff24d1a7c53865e1beb198016473ae5744 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f394ed6152663fe6a7899eadf89231ea |
| SHA1 | af067a6f680d5accd0422def09a11595ba51d23f |
| SHA256 | 305dc23393ebeaf7195d56ff74a5684d6b48fb5dcee1d932e51be1342ecaea35 |
| SHA512 | 81bf5a2560575fd14b36f38cd242ec8a56378024781bc5d6aeaeb71c694d08dad2671a21959af58340d00b6ecde278dd08220e9c2c4f65d7142d306a292b7b63 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cbb705b5c90bf2158e00e93842ce8439 |
| SHA1 | f632b1b5b672afe4bca242dab80f4dc60ec090ac |
| SHA256 | 300b967e8f1fa5adb9301ca728aba3368cd302dfbd510ec069715f0001618b4b |
| SHA512 | b0b21db2632f9b2bc20457e73811ef540898cd35aae966d12e19834a79bf7d98559e6999be763ed7a5b7c1ddc3aa28f66ccec2d49599948fa9699d52a7606395 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 93a22fb8ba2c0c34403c0f1f82f1c96d |
| SHA1 | 5dbc4337983e72cd9413ea64d81cd65ef30f38db |
| SHA256 | dd9207bf575506ab6a2409cbf3210a24a0bb1d05c82f2d8dc948cbc42a0bd068 |
| SHA512 | 190b80f4330445336b69f4877151b053e3ab953a78edd87a9e4ff93d811cbd9359dcbd028c2dae4d8fcd45ed99de00107eb68e24f2ccd95cec83754975e2eb83 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1591eb0454e2b152fa2b1780fdce1b35 |
| SHA1 | c0ca61d18d0503a5731acd005be3fdd46c140832 |
| SHA256 | da615d4c9170a4a01c0ad7549abb42a1c0a2b87d6c1b6d605d5553215d5523cd |
| SHA512 | 6f13154fbe2db7b3eac314b6226dfb00f7bd0529066c1d79d4416dadfd6fe7a6c70af4eab034e9fdae1f0da366a64cb91588fc0239df108cc25bc755d2a0cd2e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | dcc41ede84ea2c314ef5818effadff08 |
| SHA1 | 486006c75a4804581d6490a10e0bee7b5ebd6476 |
| SHA256 | 5c3e83dd91e837b6ee926e5f83906b61f1145030754e6fe03532440b4c9babfb |
| SHA512 | 95ec1edf9c0187984b842a5882d88665d0a8a6ec263d1410553911e4eb5204eb8ced6495890016dd6f66484241ca687e5df76a23ec59727e6e482804bd81da78 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 15182f4d8bf2107639aab26d5587186f |
| SHA1 | 5297ca86d14adfb87d2464a78288583c48b766fa |
| SHA256 | 9329a371a1baa9f4e0edf51b3012c43ca886ededf4501564b40df172fcbeb548 |
| SHA512 | aae80852a308abbd8ca96038cd37e2b477a51a14f3599fb3ebf4dda9e114442ff241a1f9ea0b4971183f3a276351187c8be3f1e97cf3efbca88b9ab8059f753b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 92b586e31cd066892602e8c32c2decd9 |
| SHA1 | 1083a3adacd0319301a214d3e8ea46e32e140f7e |
| SHA256 | 59bd849c58540ae46071b9143a66f4cb6ad1acf414e27ccc90a56937be654d8d |
| SHA512 | 5b08b342743d98aade7bf7743f3a70c09b83b1597bc9a00769dbb5904bdce38b49d7a8eadcab312ac7d13fa164bdb2c9b513034809e252581e0b6113ff34fa28 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7437354ef2c5b1162a436442ddf5d481 |
| SHA1 | 140a1635f007745775f9fe140c6af491aa7abca2 |
| SHA256 | 135952843f0af0c63ee44000b87733e76ebbc323b235f0d2198e6cf0848ca1e2 |
| SHA512 | 12414f65523940226c7b410a5b437b92de8d1231e436bc38539b6d3e098d9baa1d8720c8522f69c0a8a488e412bfd4890bb16068df744c5aadf7897875a31fd5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a5b0e93c3d1159851c24fc6b2719cae3 |
| SHA1 | 784d8f4f72d439a91b2a887d429513ba080b2185 |
| SHA256 | 179e262d0ba82448bbf86813fb6e18dd5fddbd40b9a2670c328b63b9303c95bd |
| SHA512 | f3d7d6d18a7c5df95b6ef516543a5ed7a5a4dfdb7c287015babf999915f7e70e957d180b5c0820529f27592578b8d71715df0cd204f9a5b2174070daa186d0eb |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9f68219f51c6322694b14769a7aa46c0 |
| SHA1 | aceb6102c868568cc15b53bb970db75fa0cebe73 |
| SHA256 | 8d737b0edba706bdda4c69f627a1b6da46d44d9cb6ad39e27e3e93b9a9d81e01 |
| SHA512 | 175be3a7531993f5bdf9f4726c4936bf2f68182201a3f9ca3d4c09aafa65711bbe4c37c081e0dfc6bd8f4bfaf132d2a463e6c5ec27451385018766190b1664dc |
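The Program crash table for this run names C:\directory\CyberGate\install\server.exe as the target of both WerFault launches, and the Files list prints one memory dump name per PID and region. Those two pieces of the report can be tied together: the four PIDs that carry a 0x400000-0x458000 region (368, 4424, 4492, 4872) match the four server.exe entries in the process list, the PID at 0x400000-0x49F000 (1260) is WLMUninstaller.exe, and PID 452 only maps above 4 GiB and so is the 64-bit original sample rather than any of the dropped 32-bit PEs. The two PIDs WerFault was started for, 368 and 4492, are therefore the installed copies, so the persistence payload crashed on Windows 10 while the Temp-stage copies (4424, 4872) ran to the end of the analysis. The following is an added example, not the sandbox's own tooling, that performs this correlation; the dump and WerFault lines are copied from this run, and the image-size table is derived from the report's own ranges, which makes it a run-local identity rather than a general fingerprint. Which crashed PID is the install copy comes from the crash table's Target column, not from the dump names by themselves.

```python
"""Added example, not the sandbox's own tooling: rebuild a PID -> image view of
the behavioral2 (Windows 10) run from the per-PID memory dump names under
Files and the WerFault command lines under Processes, so the crashed PIDs can
be tied to the server.exe image. Both line lists are copied from the report;
the image-size table is derived from its 0x400000-based dump ranges."""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# WerFault receives the crashing PID in -p; -s and -ip carry handles, not PIDs.
CRASH_RE = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)

DEFAULT_IMAGE_BASE = 0x400000  # conventional base of a 32-bit PE loaded without relocation
# Sizes observed in this report only: server.exe maps 0x400000-0x458000 in every copy,
# WLMUninstaller.exe maps 0x400000-0x49F000. Size is a run-local identity, not a fingerprint.
IMAGE_SIZES = {0x58000: "server.exe", 0x9F000: "WLMUninstaller.exe"}

DUMP_LINES = [
    "memory/452-0-0x00007FFFD72A5000-0x00007FFFD72A6000-memory.dmp",
    "memory/452-1-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp",
    "memory/452-2-0x000000001B730000-0x000000001B7D6000-memory.dmp",
    "memory/4424-11-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/1260-24-0x0000000000400000-0x000000000049F000-memory.dmp",
    "memory/1260-27-0x00000000005F0000-0x00000000005F1000-memory.dmp",
    "memory/4424-30-0x0000000010410000-0x0000000010475000-memory.dmp",
    "memory/4872-38-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/368-126-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/4492-129-0x0000000000400000-0x0000000000458000-memory.dmp",
]
PROCESS_LINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4492 -ip 4492",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 368 -ip 368",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 576",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 592",
]


def parse_dumps(lines):
    """Group dumped regions by PID as (start, end) integer pairs."""
    regions = defaultdict(list)
    for line in lines:
        m = DUMP_RE.match(line)
        if m:
            regions[int(m.group("pid"))].append(
                (int(m.group("start"), 16), int(m.group("end"), 16)))
    return dict(regions)


def identify_image(region_list):
    """Name the image from the region mapped at the default base, if any."""
    for start, end in region_list:
        if start == DEFAULT_IMAGE_BASE:
            return IMAGE_SIZES.get(end - start, f"unknown PE of size 0x{end - start:X}")
    if any(start >= 1 << 32 for start, _ in region_list):
        # A 32-bit process cannot map above 4 GiB, so this PID is a 64-bit process.
        return "64-bit process, no 0x400000 image region"
    return "no 0x400000 image region"


def crashed_pids(process_lines):
    """PIDs that WerFault was launched for."""
    pids = set()
    for line in process_lines:
        m = CRASH_RE.search(line)
        if m:
            pids.add(int(m.group("pid")))
    return pids


def summarize(dump_lines, process_lines):
    """Map each dumped PID to its identified image and whether it crashed."""
    crashed = crashed_pids(process_lines)
    return {pid: {"image": identify_image(regs), "crashed": pid in crashed}
            for pid, regs in parse_dumps(dump_lines).items()}


if __name__ == "__main__":
    for pid, info in sorted(summarize(DUMP_LINES, PROCESS_LINES).items()):
        print(f"{pid:>5}  {info['image']:<45} {'CRASHED' if info['crashed'] else ''}".rstrip())
```

The same parser works on the behavioral1 (Windows 7) list, where the 0x400000-0x458000 region appears in PIDs 2060, 2768, 2888 and 2516 and no WerFault lines exist, which is the concise way to state that the installed copy survived on Windows 7 and crashed on Windows 10.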