Analysis
max time kernel: 20s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 20:59
Static task: static1
Behavioral task: behavioral1
Sample: 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Resource: win7-20240903-en
General
Target: 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Size: 292KB
MD5: eab583259bde4b70b251e103bd7ac490
SHA1: 15d86e4289881fbcc6cebaba6bb88f80867d1870
SHA256: 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92
SHA512: 7cde0823ae4697c95b611c6ed21ff8a7ed0d70bf9ed46878f2487c3c78b47eb3f42a1c01055ebb31f9d631c5211a12ba5c39f093e8ce1fc5164a4ee6b161841d
SSDEEP: 6144:/vEF2U+T6i5LirrllHy4HUcMQY68AzQR5PSV1:nEFN+T5xYrllrU7QY68ZSH
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Sality family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Deletes itself 1 IoCs
pid | Process
4720 | explorer.exe
Executes dropped EXE 4 IoCs
pid | Process
4720 | explorer.exe
1124 | spoolsv.exe
4168 | svchost.exe
4880 | spoolsv.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
File opened (read-only) | \??\H: | explorer.exe
File opened (read-only) | \??\I: | explorer.exe
File opened (read-only) | \??\J: | explorer.exe
resource | yara_rule
behavioral2/memory/436-3-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-8-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-4-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-5-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-11-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-12-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-18-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-9-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-14-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-27-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-25-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-43-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/436-59-0x0000000002BF0000-0x0000000003C7E000-memory.dmp | upx
behavioral2/memory/4720-76-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-79-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-75-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-80-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-78-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-77-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-74-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-81-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-72-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-88-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-89-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-90-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-91-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-92-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-94-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-95-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-96-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-98-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-99-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-101-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-102-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-105-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
behavioral2/memory/4720-107-0x0000000003570000-0x00000000045FE000-memory.dmp | upx
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SYSTEM.INI | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits (64 IoCs total, identical rows collapsed)
436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 4
4720 | explorer.exe | 37
4168 | svchost.exe | 23
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4720 | explorer.exe
4168 | svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process | hits (64 IoCs total, identical rows collapsed)
Token: SeDebugPrivilege | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 64
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
4720 | explorer.exe
4720 | explorer.exe
1124 | spoolsv.exe
1124 | spoolsv.exe
4168 | svchost.exe
4168 | svchost.exe
4880 | spoolsv.exe
4880 | spoolsv.exe
4720 | explorer.exe
4720 | explorer.exe
Suspicious use of WriteProcessMemory 47 IoCs
description | pid | Process | procid_target
PID 436 wrote to memory of 776 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 8
PID 436 wrote to memory of 780 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 9
PID 436 wrote to memory of 64 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 13
PID 436 wrote to memory of 3016 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 50
PID 436 wrote to memory of 3036 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 51
PID 436 wrote to memory of 2700 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 52
PID 436 wrote to memory of 3436 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 56
PID 436 wrote to memory of 3540 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 57
PID 436 wrote to memory of 3740 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 58
PID 436 wrote to memory of 3888 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 59
PID 436 wrote to memory of 3952 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 60
PID 436 wrote to memory of 4044 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 61
PID 436 wrote to memory of 4128 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 62
PID 436 wrote to memory of 2012 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 64
PID 436 wrote to memory of 1564 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 75
PID 436 wrote to memory of 4720 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 82
PID 436 wrote to memory of 4720 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 82
PID 436 wrote to memory of 4720 | 436 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 82
PID 4720 wrote to memory of 1124 | 4720 | explorer.exe | 83
PID 4720 wrote to memory of 1124 | 4720 | explorer.exe | 83
PID 4720 wrote to memory of 1124 | 4720 | explorer.exe | 83
PID 1124 wrote to memory of 4168 | 1124 | spoolsv.exe | 84
PID 1124 wrote to memory of 4168 | 1124 | spoolsv.exe | 84
PID 1124 wrote to memory of 4168 | 1124 | spoolsv.exe | 84
PID 4168 wrote to memory of 4880 | 4168 | svchost.exe | 85
PID 4168 wrote to memory of 4880 | 4168 | svchost.exe | 85
PID 4168 wrote to memory of 4880 | 4168 | svchost.exe | 85
PID 4168 wrote to memory of 1088 | 4168 | svchost.exe | 86
PID 4168 wrote to memory of 1088 | 4168 | svchost.exe | 86
PID 4168 wrote to memory of 1088 | 4168 | svchost.exe | 86
PID 4720 wrote to memory of 776 | 4720 | explorer.exe | 8
PID 4720 wrote to memory of 780 | 4720 | explorer.exe | 9
PID 4720 wrote to memory of 64 | 4720 | explorer.exe | 13
PID 4720 wrote to memory of 3016 | 4720 | explorer.exe | 50
PID 4720 wrote to memory of 3036 | 4720 | explorer.exe | 51
PID 4720 wrote to memory of 2700 | 4720 | explorer.exe | 52
PID 4720 wrote to memory of 3436 | 4720 | explorer.exe | 56
PID 4720 wrote to memory of 3540 | 4720 | explorer.exe | 57
PID 4720 wrote to memory of 3740 | 4720 | explorer.exe | 58
PID 4720 wrote to memory of 3888 | 4720 | explorer.exe | 59
PID 4720 wrote to memory of 3952 | 4720 | explorer.exe | 60
PID 4720 wrote to memory of 4044 | 4720 | explorer.exe | 61
PID 4720 wrote to memory of 4128 | 4720 | explorer.exe | 62
PID 4720 wrote to memory of 2012 | 4720 | explorer.exe | 64
PID 4720 wrote to memory of 1564 | 4720 | explorer.exe | 75
PID 4720 wrote to memory of 4168 | 4720 | explorer.exe | 84
PID 4720 wrote to memory of 4168 | 4720 | explorer.exe | 84
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Processes
Process tree; depth in the tree is shown in brackets, columns are image path | command line | PID. Signatures triggered by a process are listed beneath it.
[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
[1] C:\Windows\system32\dwm.exe | "dwm.exe" | PID:64
[1] C:\Windows\system32\sihost.exe | sihost.exe | PID:3016
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3036
[1] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2700
[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
  [2] C:\Users\Admin\AppData\Local\Temp\40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | "C:\Users\Admin\AppData\Local\Temp\40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe" | PID:436
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:4720
        - Modifies WinLogon for persistence
        - Modifies firewall policy service
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Windows security bypass
        - Boot or Logon Autostart Execution: Active Setup
        - Deletes itself
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [4] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1124
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe | PID:4168
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR | PID:4880
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SysWOW64\at.exe | at 21:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID:1088
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\at.exe | at 21:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID:4684
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3540
[1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3740
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3888
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3952
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4044
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4128
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2012
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1564
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Downloads

Filesize: 292KB
MD5: f5d32c368dcf0b20cf6f183d563d23d8
SHA1: 5214d0e5f90449e867919a8ea70e82b93657f825
SHA256: 21765a61a8c4331ed5d884269e218695be8353224813dcbef53ea8a6f71b48e3
SHA512: 51a109e508a634bb4a2f28fb32eca30482901ed24a57553a0a7bb2f7031e7a94be04f534459cc991bf71183d4c90f300f963654cc56d47acdf74756828e7ff9d

Filesize: 257B
MD5: 49dff535ad9e4034d036bd7d5eea4537
SHA1: a1cd206e43069e06653fcba6fc63f233b707685b
SHA256: fa5cda5285ef2eee734cfe41369664abac9066bbe2f92edebcf19abbf39aa159
SHA512: b4e51302ebc5b9cd3516ffe095e69fddec837a5f9e150e70fef202ec41f0ff0a5bbc2e0ea5cc308e93d98fc0da93513984ab8c39c3f5ee9fd8daae336344429c

Filesize: 292KB
MD5: 0a85795e46ecd424a4d0a256aba52f6c
SHA1: 169ca650f633209cd8ca4e203b06a803c91b068a
SHA256: 2ee03d8db296b5dc421c07d5a285a7ef6726ff937e7a09e65a478071522d8114
SHA512: 82b5d95c13c4edacb079a08b61f75918d12a7786929a6011bd047f65add594b3c53617c6321b322aa65b9336928c6891898848a807135c006bc7ece6431a664c

Filesize: 292KB
MD5: 4ca8a1fe43d4c40bcdeb42f1a781c60c
SHA1: e39a2c3d0f7d31b806e0dcb9ecf21b6f4ce57743
SHA256: a8da53dcfe2b21fd77a52051e3c95eed55a60a0c9348d88e9c6483e487adb15b
SHA512: b6ada87fd135f6b34fe861e4dd8f050039836208f9f6adad9cf26f24eba7f9828f0f5c77bb99f4148ef408a098e910b6ec5d37b382be0798f69b58ff83aadf1c

Filesize: 100KB
MD5: b00efcee5f250b4963bb6af227186132
SHA1: 2204d14e4f9e16c83aa86c58251ff30804e8b837
SHA256: 4e4e2975dae5b39824d95fc571f1654e47ef6f1e85ef227e5b228a22fd1819b9
SHA512: 3545e0503404148d59ba0f8a268105fb2023440d931a4e6bb7b09a426ee91f50c4b9a3d2222b724cd7da208785798abc789e3b14bccbeeda8e9c0e9efde35043

Filesize: 292KB
MD5: 642bcf7a5e50c763ebbae5b5e8672b5b
SHA1: e1a7391cdb850e29021c2be4ef669f1f1365579c
SHA256: a16213c9b4b0632736c2d9f4ee6fad20e0b28a10878b54850a71cb02d246a46e
SHA512: 9275ae92f5c317ddd5a8632b10ab786fa6a03b509ad7c9a580b175180d16bf2a009ae7dc7ff65cecf00df5c50a95e2806b73c187c8f124467ee61a0cc103301f