Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
14/06/2024, 06:13
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Resource
win7-20231129-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
-
Size
512KB
-
MD5
a8477d3ca529aea43cd06a3e9e70360f
-
SHA1
1785efcb6447185043b5c0501b232f2229df9d4a
-
SHA256
88c224d410f03525341083253ab2a38f460f613cbeff633aee88c7af00e7e7ee
-
SHA512
2b630a32f5c1a972dc356f6b7b249c131fd240d8ba416cf6b1e2264548de897482b4dcc4f36021b668d0d3443ef4d6d6815c43d95fcac13ad72ac276a2f18e78
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yaowoaqfmq.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yaowoaqfmq.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" yaowoaqfmq.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yaowoaqfmq.exe -
Executes dropped EXE 5 IoCs
pid Process 3016 yaowoaqfmq.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2024 xhyhlrca.exe 2100 xhyhlrca.exe -
Loads dropped DLL 5 IoCs
pid Process 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 3016 yaowoaqfmq.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yaowoaqfmq.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zdsavfkz = "yaowoaqfmq.exe" vghaxuikkeyfxks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hydeaptb = "vghaxuikkeyfxks.exe" vghaxuikkeyfxks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hanwnyolssjld.exe" vghaxuikkeyfxks.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\a: xhyhlrca.exe File opened (read-only) \??\k: xhyhlrca.exe File opened (read-only) \??\t: yaowoaqfmq.exe File opened (read-only) \??\i: xhyhlrca.exe File opened (read-only) \??\i: xhyhlrca.exe File opened (read-only) \??\r: xhyhlrca.exe File opened (read-only) \??\v: yaowoaqfmq.exe File opened (read-only) \??\x: xhyhlrca.exe File opened (read-only) \??\m: xhyhlrca.exe File opened (read-only) \??\t: xhyhlrca.exe File opened (read-only) \??\l: xhyhlrca.exe File opened (read-only) \??\q: xhyhlrca.exe File opened (read-only) \??\z: yaowoaqfmq.exe File opened (read-only) \??\h: xhyhlrca.exe File opened (read-only) \??\g: yaowoaqfmq.exe File opened (read-only) \??\g: xhyhlrca.exe File opened (read-only) \??\h: xhyhlrca.exe File opened (read-only) \??\n: xhyhlrca.exe File opened (read-only) \??\t: xhyhlrca.exe File opened (read-only) \??\b: xhyhlrca.exe File opened (read-only) \??\i: yaowoaqfmq.exe File opened (read-only) \??\j: xhyhlrca.exe File opened (read-only) \??\k: yaowoaqfmq.exe File opened (read-only) \??\l: yaowoaqfmq.exe File opened (read-only) \??\s: yaowoaqfmq.exe File opened (read-only) \??\u: xhyhlrca.exe File opened (read-only) \??\v: xhyhlrca.exe File opened (read-only) \??\e: yaowoaqfmq.exe File opened (read-only) \??\z: xhyhlrca.exe File opened (read-only) \??\h: yaowoaqfmq.exe File opened (read-only) \??\x: yaowoaqfmq.exe File opened (read-only) \??\q: xhyhlrca.exe File opened (read-only) \??\m: yaowoaqfmq.exe File opened (read-only) \??\o: yaowoaqfmq.exe File opened (read-only) \??\a: xhyhlrca.exe File opened (read-only) \??\o: xhyhlrca.exe File opened (read-only) \??\s: xhyhlrca.exe File opened (read-only) \??\j: yaowoaqfmq.exe File opened (read-only) \??\n: yaowoaqfmq.exe File opened (read-only) \??\b: yaowoaqfmq.exe File opened (read-only) \??\l: xhyhlrca.exe File opened (read-only) \??\o: xhyhlrca.exe File opened (read-only) \??\v: xhyhlrca.exe File opened (read-only) \??\b: xhyhlrca.exe File opened (read-only) \??\k: xhyhlrca.exe File opened (read-only) \??\y: xhyhlrca.exe File opened (read-only) \??\w: xhyhlrca.exe File opened (read-only) \??\m: xhyhlrca.exe File opened (read-only) \??\z: xhyhlrca.exe File opened (read-only) \??\q: yaowoaqfmq.exe File opened (read-only) \??\u: yaowoaqfmq.exe File opened (read-only) \??\w: yaowoaqfmq.exe File opened (read-only) \??\y: yaowoaqfmq.exe File opened (read-only) \??\j: xhyhlrca.exe File opened (read-only) \??\u: xhyhlrca.exe File opened (read-only) \??\a: yaowoaqfmq.exe File opened (read-only) \??\p: yaowoaqfmq.exe File opened (read-only) \??\e: xhyhlrca.exe File opened (read-only) \??\r: yaowoaqfmq.exe File opened (read-only) \??\g: xhyhlrca.exe File opened (read-only) \??\n: xhyhlrca.exe File opened (read-only) \??\p: xhyhlrca.exe File opened (read-only) \??\e: xhyhlrca.exe File opened (read-only) \??\p: xhyhlrca.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" yaowoaqfmq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" yaowoaqfmq.exe -
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2044-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x000a000000016176-5.dat autoit_exe behavioral1/files/0x000b000000015d31-17.dat autoit_exe behavioral1/files/0x0009000000016287-35.dat autoit_exe behavioral1/files/0x00080000000167d5-34.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\vghaxuikkeyfxks.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\vghaxuikkeyfxks.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\xhyhlrca.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File created C:\Windows\SysWOW64\hanwnyolssjld.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File created C:\Windows\SysWOW64\yaowoaqfmq.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\yaowoaqfmq.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File created C:\Windows\SysWOW64\xhyhlrca.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\hanwnyolssjld.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll yaowoaqfmq.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xhyhlrca.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xhyhlrca.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xhyhlrca.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xhyhlrca.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal xhyhlrca.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xhyhlrca.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal xhyhlrca.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal xhyhlrca.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xhyhlrca.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal xhyhlrca.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xhyhlrca.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xhyhlrca.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xhyhlrca.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xhyhlrca.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xhyhlrca.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFACAF965F19884783A4486EB39E1B0FB02F14261033FE2BD42EB09A9" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" yaowoaqfmq.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" yaowoaqfmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BB1FF6721D9D109D0A88A0B9060" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C77815E6DABEB8BC7FE4ECE534CB" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C799C2682586A3376D177272CD87D8365D8" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" yaowoaqfmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2840 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2024 xhyhlrca.exe 2024 xhyhlrca.exe 2024 xhyhlrca.exe 2024 xhyhlrca.exe 3016 yaowoaqfmq.exe 3016 yaowoaqfmq.exe 3016 yaowoaqfmq.exe 3016 yaowoaqfmq.exe 3016 yaowoaqfmq.exe 2100 xhyhlrca.exe 2100 xhyhlrca.exe 2100 xhyhlrca.exe 2100 xhyhlrca.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2724 vghaxuikkeyfxks.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2024 xhyhlrca.exe 2024 xhyhlrca.exe 2024 xhyhlrca.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 3016 yaowoaqfmq.exe 3016 yaowoaqfmq.exe 3016 yaowoaqfmq.exe 2100 xhyhlrca.exe 2100 xhyhlrca.exe 2100 xhyhlrca.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2724 vghaxuikkeyfxks.exe 2024 xhyhlrca.exe 2024 xhyhlrca.exe 2024 xhyhlrca.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 2624 hanwnyolssjld.exe 3016 yaowoaqfmq.exe 3016 yaowoaqfmq.exe 3016 yaowoaqfmq.exe 2100 xhyhlrca.exe 2100 xhyhlrca.exe 2100 xhyhlrca.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2840 WINWORD.EXE 2840 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2044 wrote to memory of 3016 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 28 PID 2044 wrote to memory of 3016 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 28 PID 2044 wrote to memory of 3016 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 28 PID 2044 wrote to memory of 3016 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 28 PID 2044 wrote to memory of 2724 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 29 PID 2044 wrote to memory of 2724 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 29 PID 2044 wrote to memory of 2724 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 29 PID 2044 wrote to memory of 2724 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 29 PID 2044 wrote to memory of 2024 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 30 PID 2044 wrote to memory of 2024 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 30 PID 2044 wrote to memory of 2024 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 30 PID 2044 wrote to memory of 2024 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 30 PID 2044 wrote to memory of 2624 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 31 PID 2044 wrote to memory of 2624 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 31 PID 2044 wrote to memory of 2624 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 31 PID 2044 wrote to memory of 2624 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 31 PID 3016 wrote to memory of 2100 3016 yaowoaqfmq.exe 32 PID 3016 wrote to memory of 2100 3016 yaowoaqfmq.exe 32 PID 3016 wrote to memory of 2100 3016 yaowoaqfmq.exe 32 PID 3016 wrote to memory of 2100 3016 yaowoaqfmq.exe 32 PID 2044 wrote to memory of 2840 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 33 PID 2044 wrote to memory of 2840 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 33 PID 2044 wrote to memory of 2840 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 33 PID 2044 wrote to memory of 2840 2044 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 33 PID 2840 wrote to memory of 1884 2840 WINWORD.EXE 36 PID 2840 wrote to memory of 1884 2840 WINWORD.EXE 36 PID 2840 wrote to memory of 1884 2840 WINWORD.EXE 36 PID 2840 wrote to memory of 1884 2840 WINWORD.EXE 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\yaowoaqfmq.exeyaowoaqfmq.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\xhyhlrca.exeC:\Windows\system32\xhyhlrca.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2100
-
-
-
C:\Windows\SysWOW64\vghaxuikkeyfxks.exevghaxuikkeyfxks.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2724
-
-
C:\Windows\SysWOW64\xhyhlrca.exexhyhlrca.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2024
-
-
C:\Windows\SysWOW64\hanwnyolssjld.exehanwnyolssjld.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2624
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1884
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5d94ff870d277cc7357770d3be6993da1
SHA12c3a981c44e3627b9ea8b567c261576dcb9e979d
SHA256099e012f5935fb3ae733aacd566f17f8ebf6ccec27b57f3f2d737dc0f9950872
SHA512e83ab92f8e7c5d288fd7c1c9c6004218bd560e84c9bd14844b17cc322f631d2e6fc8d6656a058118bff956edec9e5eff875f1dea2ae773907fbd6d66891ff86b
-
Filesize
512KB
MD58826daab2da4e65e7946d5601ed13371
SHA1e9add863ced2bc6297bc2fc6ede4e74bd4c1e169
SHA25688126403fc2974faef40b037591649d584aefe49accaf4ec61af74045021280f
SHA512f96ee1d64b10e51809bdb8ec642668e23a55b0cd5d30d54e0d108c9806a378fb5f7fbcf07bea31e89c98f2342879a58f52bc39051c8264e94f26cc381770b6a7
-
Filesize
512KB
MD5b17e0f25e7d0a0d69ced960f244d1dc5
SHA1cfd93b630a22b6d3771b6a0652c0c634d19bd9f8
SHA256198be3f9604aa41bf78d80e3e944dece134f8e0327b5e1539dc9090ee3b9efbf
SHA512605e39144523172ccd9eed944d41a3f7201e3ae0f147628f034a397bd9e775fef42d3101096a9f7c06e0fc5bbdf51400baa15a4efe89b2167024e71d01036f75
-
Filesize
512KB
MD5c0278c728b36adee9b28d423060d367d
SHA13de4f12752f141e53c7cdb49ac435856a9957645
SHA2562a3fb73c8f60f7b2844ec409eac567c8dde37aca484142b0837b91c1edf5ec81
SHA51249c419b1b9540ce937b70ecdca486e07ab963210fabdd92f8a1799ba57015d8985883265f9b7da848b5410848994d8c1c4b68e78dd6789338ae807a6af1a6f56
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD59fb362b423e65683480fb651ccb462b2
SHA156a2df75b321aef30df9ef13401ea6e2d460327c
SHA2568afd38a54cf23a82cb0cdfb7b5de51ea969283a4ae4d8d98dce04437818b4c7c
SHA512dd210b53a532a57589fd7ff8250ba99e9c65331836dd5467f36c4335a777d54b05cf3c979599b88430fc910ae2116cec69faab3e0f0b49b22cdc483c60845a1e