Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 13:11
Static task
static1
Behavioral task
behavioral1
Sample
8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe
-
Size
512KB
-
MD5
8441f9b5930b9ac744a512ef31fa8362
-
SHA1
17e1c9b51b782e6013a213d1eaed9606601492a3
-
SHA256
61344f96b80699a7fe8c95840205245c3c0acde18d860e015496e9da190ba9b9
-
SHA512
a003c494c5b22606255b55d00b994be22dd14fd6cd97424fe3269d52fd804f166e91974743f496c83c9db3935ffeb64ca7656c47db3e44388925532e1b7d33a3
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" kosuamcfpi.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" kosuamcfpi.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" kosuamcfpi.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" kosuamcfpi.exe -
Executes dropped EXE 5 IoCs
pid Process 2628 kosuamcfpi.exe 2680 ivpytuxdedtlali.exe 2728 ogcxpecg.exe 2692 plwldzpeinxtc.exe 2560 ogcxpecg.exe -
Loads dropped DLL 5 IoCs
pid Process 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2628 kosuamcfpi.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" kosuamcfpi.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ytoqvitg = "ivpytuxdedtlali.exe" ivpytuxdedtlali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "plwldzpeinxtc.exe" ivpytuxdedtlali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scoskqci = "kosuamcfpi.exe" ivpytuxdedtlali.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\x: ogcxpecg.exe File opened (read-only) \??\r: kosuamcfpi.exe File opened (read-only) \??\x: kosuamcfpi.exe File opened (read-only) \??\i: ogcxpecg.exe File opened (read-only) \??\x: ogcxpecg.exe File opened (read-only) \??\g: ogcxpecg.exe File opened (read-only) \??\n: ogcxpecg.exe File opened (read-only) \??\t: kosuamcfpi.exe File opened (read-only) \??\o: ogcxpecg.exe File opened (read-only) \??\t: ogcxpecg.exe File opened (read-only) \??\b: ogcxpecg.exe File opened (read-only) \??\k: ogcxpecg.exe File opened (read-only) \??\p: ogcxpecg.exe File opened (read-only) \??\w: ogcxpecg.exe File opened (read-only) \??\e: kosuamcfpi.exe File opened (read-only) \??\h: kosuamcfpi.exe File opened (read-only) \??\s: kosuamcfpi.exe File opened (read-only) \??\z: kosuamcfpi.exe File opened (read-only) \??\q: ogcxpecg.exe File opened (read-only) \??\b: kosuamcfpi.exe File opened (read-only) \??\k: kosuamcfpi.exe File opened (read-only) \??\q: kosuamcfpi.exe File opened (read-only) \??\a: ogcxpecg.exe File opened (read-only) \??\b: ogcxpecg.exe File opened (read-only) \??\e: ogcxpecg.exe File opened (read-only) \??\m: ogcxpecg.exe File opened (read-only) \??\a: kosuamcfpi.exe File opened (read-only) \??\n: ogcxpecg.exe File opened (read-only) \??\y: ogcxpecg.exe File opened (read-only) \??\o: ogcxpecg.exe File opened (read-only) \??\j: ogcxpecg.exe File opened (read-only) \??\h: ogcxpecg.exe File opened (read-only) \??\k: ogcxpecg.exe File opened (read-only) \??\y: ogcxpecg.exe File opened (read-only) \??\v: ogcxpecg.exe File opened (read-only) \??\m: kosuamcfpi.exe File opened (read-only) \??\u: kosuamcfpi.exe File opened (read-only) \??\h: ogcxpecg.exe File opened (read-only) \??\j: ogcxpecg.exe File opened (read-only) \??\t: ogcxpecg.exe File opened (read-only) \??\v: ogcxpecg.exe File opened (read-only) \??\g: kosuamcfpi.exe File opened (read-only) \??\m: ogcxpecg.exe File opened (read-only) \??\i: ogcxpecg.exe File opened (read-only) \??\r: ogcxpecg.exe File opened (read-only) \??\s: ogcxpecg.exe File opened (read-only) \??\y: kosuamcfpi.exe File opened (read-only) \??\l: ogcxpecg.exe File opened (read-only) \??\p: ogcxpecg.exe File opened (read-only) \??\v: kosuamcfpi.exe File opened (read-only) \??\e: ogcxpecg.exe File opened (read-only) \??\u: ogcxpecg.exe File opened (read-only) \??\i: kosuamcfpi.exe File opened (read-only) \??\l: kosuamcfpi.exe File opened (read-only) \??\p: kosuamcfpi.exe File opened (read-only) \??\s: ogcxpecg.exe File opened (read-only) \??\a: ogcxpecg.exe File opened (read-only) \??\r: ogcxpecg.exe File opened (read-only) \??\o: kosuamcfpi.exe File opened (read-only) \??\w: ogcxpecg.exe File opened (read-only) \??\z: ogcxpecg.exe File opened (read-only) \??\j: kosuamcfpi.exe File opened (read-only) \??\u: ogcxpecg.exe File opened (read-only) \??\g: ogcxpecg.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" kosuamcfpi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" kosuamcfpi.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2288-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x003700000001451d-5.dat autoit_exe behavioral1/files/0x000b0000000122ee-17.dat autoit_exe behavioral1/files/0x00080000000146a7-26.dat autoit_exe behavioral1/files/0x000700000001474b-33.dat autoit_exe behavioral1/files/0x0006000000016020-72.dat autoit_exe behavioral1/files/0x0006000000016126-78.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\kosuamcfpi.exe 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File created C:\Windows\SysWOW64\ivpytuxdedtlali.exe 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ogcxpecg.exe 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\plwldzpeinxtc.exe 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\kosuamcfpi.exe 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ivpytuxdedtlali.exe 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File created C:\Windows\SysWOW64\ogcxpecg.exe 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File created C:\Windows\SysWOW64\plwldzpeinxtc.exe 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll kosuamcfpi.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ogcxpecg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ogcxpecg.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ogcxpecg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ogcxpecg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ogcxpecg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ogcxpecg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ogcxpecg.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ogcxpecg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ogcxpecg.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ogcxpecg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ogcxpecg.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ogcxpecg.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ogcxpecg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ogcxpecg.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8B4F27851D913CD62D7E95BD93E1405932664F6243D7EE" 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12D479438EA52CEBAD732EFD7BE" 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc kosuamcfpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg kosuamcfpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" kosuamcfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C77515EDDBC5B9B97C92ECE534CE" 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9C9FE14F29084743A4481EC3995B08A02F04213034CE1CF42EC08A3" 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat kosuamcfpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh kosuamcfpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C779D5182236A4676DD70252CD87C8E64AB" 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 768 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2628 kosuamcfpi.exe 2628 kosuamcfpi.exe 2628 kosuamcfpi.exe 2628 kosuamcfpi.exe 2628 kosuamcfpi.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2728 ogcxpecg.exe 2728 ogcxpecg.exe 2728 ogcxpecg.exe 2728 ogcxpecg.exe 2680 ivpytuxdedtlali.exe 2680 ivpytuxdedtlali.exe 2680 ivpytuxdedtlali.exe 2680 ivpytuxdedtlali.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2560 ogcxpecg.exe 2560 ogcxpecg.exe 2560 ogcxpecg.exe 2560 ogcxpecg.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2680 ivpytuxdedtlali.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2628 kosuamcfpi.exe 2628 kosuamcfpi.exe 2628 kosuamcfpi.exe 2728 ogcxpecg.exe 2680 ivpytuxdedtlali.exe 2728 ogcxpecg.exe 2680 ivpytuxdedtlali.exe 2728 ogcxpecg.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2560 ogcxpecg.exe 2560 ogcxpecg.exe 2560 ogcxpecg.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 2628 kosuamcfpi.exe 2628 kosuamcfpi.exe 2628 kosuamcfpi.exe 2728 ogcxpecg.exe 2680 ivpytuxdedtlali.exe 2728 ogcxpecg.exe 2680 ivpytuxdedtlali.exe 2728 ogcxpecg.exe 2680 ivpytuxdedtlali.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2692 plwldzpeinxtc.exe 2560 ogcxpecg.exe 2560 ogcxpecg.exe 2560 ogcxpecg.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 768 WINWORD.EXE 768 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2628 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 28 PID 2288 wrote to memory of 2628 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 28 PID 2288 wrote to memory of 2628 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 28 PID 2288 wrote to memory of 2628 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 28 PID 2288 wrote to memory of 2680 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 29 PID 2288 wrote to memory of 2680 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 29 PID 2288 wrote to memory of 2680 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 29 PID 2288 wrote to memory of 2680 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 29 PID 2288 wrote to memory of 2728 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 30 PID 2288 wrote to memory of 2728 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 30 PID 2288 wrote to memory of 2728 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 30 PID 2288 wrote to memory of 2728 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 30 PID 2288 wrote to memory of 2692 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2692 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2692 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2692 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 31 PID 2628 wrote to memory of 2560 2628 kosuamcfpi.exe 32 PID 2628 wrote to memory of 2560 2628 kosuamcfpi.exe 32 PID 2628 wrote to memory of 2560 2628 kosuamcfpi.exe 32 PID 2628 wrote to memory of 2560 2628 kosuamcfpi.exe 32 PID 2288 wrote to memory of 768 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 33 PID 2288 wrote to memory of 768 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 33 PID 2288 wrote to memory of 768 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 33 PID 2288 wrote to memory of 768 2288 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe 33 PID 768 wrote to memory of 2596 768 WINWORD.EXE 37 PID 768 wrote to memory of 2596 768 WINWORD.EXE 37 PID 768 wrote to memory of 2596 768 WINWORD.EXE 37 PID 768 wrote to memory of 2596 768 WINWORD.EXE 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\kosuamcfpi.exekosuamcfpi.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\ogcxpecg.exeC:\Windows\system32\ogcxpecg.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2560
-
-
-
C:\Windows\SysWOW64\ivpytuxdedtlali.exeivpytuxdedtlali.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680
-
-
C:\Windows\SysWOW64\ogcxpecg.exeogcxpecg.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2728
-
-
C:\Windows\SysWOW64\plwldzpeinxtc.exeplwldzpeinxtc.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2692
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2596
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD52a49ae7afc52d19a61f4bc23ae1b6757
SHA174d9d7bbe4ec477033eff7c64af930fbedaefc83
SHA25651c2ac8ced20195e7c1e8ff5da5975bf90cd6efb2ee55ddc913cf5dafb6bcc94
SHA512394a942c48ded76a7e5c78370284ff48414aaa7ba22ad7b1b1df7d417ed121fb5ef4a7aa44359cde0372727baaf3fc7d31f09478a420da74c101d99688764d38
-
Filesize
68B
MD575c4180f0045f72b322a9b6509118eb0
SHA1687b3566ad728813edef80568be23c4c911146b2
SHA2567e8cbcf762b16922cc84d4fbef0dca4a0d6182794e2e0370ce99f98b3e2a4e0f
SHA512e78ed9857532a06472247b1200890758ab3aa7326549601531b40de9b2069fdbcb84e8b9f2da8951f7955382e2b7a04ff2ad8deb1c5dfa3516fe05ebb834de4d
-
Filesize
20KB
MD55cfeef74d511d97667beccd3286303b2
SHA1d0b44507bf2de410d25a92ef0a1d5c7317b84862
SHA256ff2d15de67f6479b8837531028e104008f10871084bb1c832f0ddd91878ecd9f
SHA512ab377e3b6ad10ba8adae048d438c6364dd635880d26905f6c87bd11582b541acd9b5ff7ed13af71234c509a538d01d51b16cadb920432c8ae1fbc2e2a9f22053
-
Filesize
512KB
MD5c07f939bb4bb03f3089555c1e4fb4548
SHA1236935339182f3822bfa8b9420c8b8c8e3df099f
SHA25695cdce6fb39a00cd9c34294225e0d5a1ae8f7263ade3ab983be609d519dce537
SHA512ee0792a1dce4381a0c665a62c58d2fac1c0dbe68450138e0ff4835a4fecae6bd032816207d0e088b38bddcba582053d7612f0d9bc563def5ad3b7feeafd24531
-
Filesize
512KB
MD56b7a1bd01f20e882bc2b9dcd4a433bf6
SHA12ef85bb4ff4d7114938f081e1cbb1d7aa0c2f32f
SHA25648520f96bac462fa848a67dbf864d28879d02e68f1b8445b69490bcc092dc813
SHA5126b8a2a9e7b2e93811f87152b8ac932562ccfcc510f62b11637de94154faaf41420c16b27c55788737ad01018aaa7fab404f2f1c48c1d9335f316f5926c9ccd3a
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD53cf973830c2648a112f4b1def74330c1
SHA1fd2e8c076625ff3e61aa371e6abf334c35d02c6d
SHA256daced9c5f6f9313b4a70da05da0fdd350a1690b8d570956ce282bc07728f2b83
SHA512d4dffe922084a46423cd090b060de0259afcdcbbfd74dca6dbc985794a9ae95b4858a4d2509cd207ceebbc942b6f0cdd465d7020d25c8a5014f9d690023db565
-
Filesize
512KB
MD584ff5c2a0c507cc565af66fc1ceea748
SHA1ce48887399ece50251b16bafd2e649317b4c9805
SHA2562157714bbce486b777fa2215e280b4847989a3cfb7026429f90d9cb671348f4c
SHA51253e4b78e627e2169034c47ddedb5a15b364e809b33d30e04e8638fbd36464e74f63d741a7deb9f7ecbb522f57b5922eee5cfcd6a230faf68e74002afd9d8b926
-
Filesize
512KB
MD50c686706ac65fe68449447b49bc4508d
SHA175a6600f5c9bb956640f8cdf7fe8f9419f8d3f79
SHA256bb49bced59a3c36d9f07f64392aa541f7b625e7f2edf185b57b6373552da1bc4
SHA5129df29d0ce812a5c38ffbf83583dd9e35b78d03d667526e4127a77c18001d4c907d433dae2e274c8aeee28bc857bb5d5c256d68f04f6d0d026564a5fa4334a1d7