Analysis
max time kernel: 151s
max time network: 123s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 15:00
Static task: static1
Behavioral task: behavioral1
  Sample: e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Size: 512KB
MD5: e2cc01f9e278119400e4894f1c7262fa
SHA1: 829942f7749fe8058d082ad3fc711182ca0cefca
SHA256: c3adf3a04f27b2dab14b14b4849ff6f6562af277b2f2592770717489ab7e806a
SHA512: 164b351c73a58dfa99586663966023602e4e6d641a998839e9cc5e4552c139b0aa122d1e64f071598c51f82e24882447dbb160cf002da236cc23ce88a655945b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ldpfbqzbmr.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ldpfbqzbmr.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ldpfbqzbmr.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ldpfbqzbmr.exe

Executes dropped EXE 5 IoCs
pid | Process
1940 | ldpfbqzbmr.exe
2696 | gpqjcxzqgyxvyzz.exe
2736 | ssnhmibd.exe
2568 | kyihcaptjsodn.exe
2572 | ssnhmibd.exe

Loads dropped DLL 5 IoCs
pid | Process
3048 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe (×4)
1940 | ldpfbqzbmr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ldpfbqzbmr.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ialycbwk = "ldpfbqzbmr.exe" | gpqjcxzqgyxvyzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ojaqouou = "gpqjcxzqgyxvyzz.exe" | gpqjcxzqgyxvyzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kyihcaptjsodn.exe" | gpqjcxzqgyxvyzz.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ldpfbqzbmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ldpfbqzbmr.exe

AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0020000000015594-9.dat | autoit_exe
behavioral1/files/0x000b0000000121c5-17.dat | autoit_exe
behavioral1/files/0x000d00000001226f-23.dat | autoit_exe
behavioral1/files/0x0007000000015bd4-34.dat | autoit_exe
behavioral1/files/0x00020000000001bf-49.dat | autoit_exe

Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ssnhmibd.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ssnhmibd.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kyihcaptjsodn.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ldpfbqzbmr.exe
File created | C:\Windows\SysWOW64\ldpfbqzbmr.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ldpfbqzbmr.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kyihcaptjsodn.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe

Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ssnhmibd.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ssnhmibd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ssnhmibd.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ssnhmibd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ssnhmibd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ssnhmibd.exe
File created | \??\c:\Program Files\DisableStop.doc.exe | ssnhmibd.exe
File opened for modification | C:\Program Files\DisableStop.nal | ssnhmibd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ssnhmibd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ssnhmibd.exe
File opened for modification | \??\c:\Program Files\DisableStop.doc.exe | ssnhmibd.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ssnhmibd.exe
File opened for modification | C:\Program Files\DisableStop.doc.exe | ssnhmibd.exe
File opened for modification | \??\c:\Program Files\DisableStop.doc.exe | ssnhmibd.exe
File opened for modification | C:\Program Files\DisableStop.nal | ssnhmibd.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ssnhmibd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ssnhmibd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ssnhmibd.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ssnhmibd.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ssnhmibd.exe
File opened for modification | C:\Program Files\DisableStop.doc.exe | ssnhmibd.exe

Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2448 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3048 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe (×3)
1940 | ldpfbqzbmr.exe (×3)
2696 | gpqjcxzqgyxvyzz.exe (×3)
2736 | ssnhmibd.exe (×3)
2568 | kyihcaptjsodn.exe (×3)
2572 | ssnhmibd.exe (×3)

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3048 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe (×3)
1940 | ldpfbqzbmr.exe (×3)
2696 | gpqjcxzqgyxvyzz.exe (×3)
2736 | ssnhmibd.exe (×3)
2568 | kyihcaptjsodn.exe (×3)
2572 | ssnhmibd.exe (×3)

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2448 | WINWORD.EXE (×2)

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 3048 wrote to memory of 1940 | 3048 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 28 (×4)
PID 3048 wrote to memory of 2696 | 3048 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 29 (×4)
PID 3048 wrote to memory of 2736 | 3048 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 30 (×4)
PID 3048 wrote to memory of 2568 | 3048 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 31 (×4)
PID 1940 wrote to memory of 2572 | 1940 | ldpfbqzbmr.exe | 32 (×4)
PID 3048 wrote to memory of 2448 | 3048 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 33 (×4)
PID 2448 wrote to memory of 2660 | 2448 | WINWORD.EXE | 36 (×4)

Processes
- C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe"
  PID: 3048
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\ldpfbqzbmr.exe
      Command line: ldpfbqzbmr.exe
      PID: 1940
      Signatures:
      - Modifies visibility of file extensions in Explorer
      - Modifies visiblity of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\ssnhmibd.exe
          Command line: C:\Windows\system32\ssnhmibd.exe
          PID: 2572
          Signatures:
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

    - C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe
      Command line: gpqjcxzqgyxvyzz.exe
      PID: 2696
      Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    - C:\Windows\SysWOW64\ssnhmibd.exe
      Command line: ssnhmibd.exe
      PID: 2736
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    - C:\Windows\SysWOW64\kyihcaptjsodn.exe
      Command line: kyihcaptjsodn.exe
      PID: 2568
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      PID: 2448
      Signatures:
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        - C:\Windows\splwow64.exe
          Command line: C:\Windows\splwow64.exe 12288
          PID: 2660

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 7
Downloads