Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
14/06/2024, 20:47
Static task
static1
Behavioral task
behavioral1
Sample
ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
-
Size
512KB
-
MD5
ab62eae5f5ab1247553f9e43c703b05a
-
SHA1
bf3c54fe6ee69d0a854e27ab1a9fb195edebfdfe
-
SHA256
762ba6421a898f1929e1a2ebfdcb3bd6872e0e6ce1f2ecd698b176542e6677c9
-
SHA512
6a32b7057e2e2e82506680d249bae0a675006598671cfef8e613e18d621c24810b07d5e6bf64bc9d4d0af32f33632be9dec887d1f61effe3edbed456b4ab3664
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cpnaibpudi.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cpnaibpudi.exe
-
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | cpnaibpudi.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cpnaibpudi.exe
-
Executes dropped EXE 5 IoCs
pid | Process
3056 | cpnaibpudi.exe
2132 | rmlsqoxmjmptacf.exe
2680 | piujclyl.exe
2636 | mlzstnahcltyx.exe
2088 | piujclyl.exe
-
Loads dropped DLL 5 IoCs
pid | Process
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
3056 | cpnaibpudi.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cpnaibpudi.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vblznlcn = "cpnaibpudi.exe" | rmlsqoxmjmptacf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bwrekxmj = "rmlsqoxmjmptacf.exe" | rmlsqoxmjmptacf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mlzstnahcltyx.exe" | rmlsqoxmjmptacf.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\x: | piujclyl.exe
File opened (read-only) | \??\k: | piujclyl.exe
File opened (read-only) | \??\b: | piujclyl.exe
File opened (read-only) | \??\e: | piujclyl.exe
File opened (read-only) | \??\w: | piujclyl.exe
File opened (read-only) | \??\y: | piujclyl.exe
File opened (read-only) | \??\e: | cpnaibpudi.exe
File opened (read-only) | \??\g: | cpnaibpudi.exe
File opened (read-only) | \??\r: | piujclyl.exe
File opened (read-only) | \??\i: | piujclyl.exe
File opened (read-only) | \??\n: | piujclyl.exe
File opened (read-only) | \??\m: | cpnaibpudi.exe
File opened (read-only) | \??\y: | cpnaibpudi.exe
File opened (read-only) | \??\t: | piujclyl.exe
File opened (read-only) | \??\x: | piujclyl.exe
File opened (read-only) | \??\n: | piujclyl.exe
File opened (read-only) | \??\p: | piujclyl.exe
File opened (read-only) | \??\s: | piujclyl.exe
File opened (read-only) | \??\i: | cpnaibpudi.exe
File opened (read-only) | \??\s: | piujclyl.exe
File opened (read-only) | \??\z: | piujclyl.exe
File opened (read-only) | \??\v: | piujclyl.exe
File opened (read-only) | \??\j: | piujclyl.exe
File opened (read-only) | \??\o: | piujclyl.exe
File opened (read-only) | \??\p: | piujclyl.exe
File opened (read-only) | \??\b: | cpnaibpudi.exe
File opened (read-only) | \??\r: | cpnaibpudi.exe
File opened (read-only) | \??\x: | cpnaibpudi.exe
File opened (read-only) | \??\r: | piujclyl.exe
File opened (read-only) | \??\a: | cpnaibpudi.exe
File opened (read-only) | \??\h: | cpnaibpudi.exe
File opened (read-only) | \??\u: | cpnaibpudi.exe
File opened (read-only) | \??\i: | piujclyl.exe
File opened (read-only) | \??\h: | piujclyl.exe
File opened (read-only) | \??\j: | piujclyl.exe
File opened (read-only) | \??\k: | piujclyl.exe
File opened (read-only) | \??\o: | piujclyl.exe
File opened (read-only) | \??\m: | piujclyl.exe
File opened (read-only) | \??\u: | piujclyl.exe
File opened (read-only) | \??\w: | piujclyl.exe
File opened (read-only) | \??\z: | cpnaibpudi.exe
File opened (read-only) | \??\z: | piujclyl.exe
File opened (read-only) | \??\l: | cpnaibpudi.exe
File opened (read-only) | \??\o: | cpnaibpudi.exe
File opened (read-only) | \??\p: | cpnaibpudi.exe
File opened (read-only) | \??\b: | piujclyl.exe
File opened (read-only) | \??\e: | piujclyl.exe
File opened (read-only) | \??\g: | piujclyl.exe
File opened (read-only) | \??\m: | piujclyl.exe
File opened (read-only) | \??\y: | piujclyl.exe
File opened (read-only) | \??\k: | cpnaibpudi.exe
File opened (read-only) | \??\n: | cpnaibpudi.exe
File opened (read-only) | \??\q: | cpnaibpudi.exe
File opened (read-only) | \??\l: | piujclyl.exe
File opened (read-only) | \??\a: | piujclyl.exe
File opened (read-only) | \??\t: | cpnaibpudi.exe
File opened (read-only) | \??\v: | cpnaibpudi.exe
File opened (read-only) | \??\g: | piujclyl.exe
File opened (read-only) | \??\l: | piujclyl.exe
File opened (read-only) | \??\q: | piujclyl.exe
File opened (read-only) | \??\s: | cpnaibpudi.exe
File opened (read-only) | \??\u: | piujclyl.exe
File opened (read-only) | \??\a: | piujclyl.exe
File opened (read-only) | \??\h: | piujclyl.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cpnaibpudi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cpnaibpudi.exe
-
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0036000000015f05-5.dat | autoit_exe
behavioral1/files/0x000a0000000122ec-17.dat | autoit_exe
behavioral1/files/0x000c000000016103-32.dat | autoit_exe
behavioral1/files/0x0008000000016255-34.dat | autoit_exe
behavioral1/files/0x00050000000186f1-75.dat | autoit_exe
-
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\cpnaibpudi.exe | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\piujclyl.exe | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mlzstnahcltyx.exe | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | cpnaibpudi.exe
File opened for modification | C:\Windows\SysWOW64\cpnaibpudi.exe | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\piujclyl.exe | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mlzstnahcltyx.exe | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
-
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\PushMount.nal | piujclyl.exe
File created | \??\c:\Program Files\PushMount.doc.exe | piujclyl.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | piujclyl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | piujclyl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | piujclyl.exe
File opened for modification | \??\c:\Program Files\PushMount.doc.exe | piujclyl.exe
File opened for modification | C:\Program Files\PushMount.nal | piujclyl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | piujclyl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | piujclyl.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | piujclyl.exe
File opened for modification | C:\Program Files\PushMount.doc.exe | piujclyl.exe
File opened for modification | \??\c:\Program Files\PushMount.doc.exe | piujclyl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | piujclyl.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | piujclyl.exe
File opened for modification | C:\Program Files\PushMount.doc.exe | piujclyl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | piujclyl.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | piujclyl.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | piujclyl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | piujclyl.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | piujclyl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | piujclyl.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
-
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D789C2783276A3576D277262DDB7DF364AB" | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFAB9F961F2E3840E3B3781EC39E3B0FC02F94268023DE1CF429C08D3" | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | cpnaibpudi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | cpnaibpudi.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB158449239E853CDBAA5339CD7CA" | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BB7FE6822A9D27ED0A28A7A9164" | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | cpnaibpudi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | cpnaibpudi.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF8B4F2A8212903CD7297D94BDE5E131594B66436237D69C" | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2628 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2132 | rmlsqoxmjmptacf.exe
2132 | rmlsqoxmjmptacf.exe
2132 | rmlsqoxmjmptacf.exe
2132 | rmlsqoxmjmptacf.exe
3056 | cpnaibpudi.exe
3056 | cpnaibpudi.exe
3056 | cpnaibpudi.exe
3056 | cpnaibpudi.exe
3056 | cpnaibpudi.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2680 | piujclyl.exe
2680 | piujclyl.exe
2680 | piujclyl.exe
2680 | piujclyl.exe
2088 | piujclyl.exe
2088 | piujclyl.exe
2088 | piujclyl.exe
2088 | piujclyl.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2132 | rmlsqoxmjmptacf.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2132 | rmlsqoxmjmptacf.exe
2132 | rmlsqoxmjmptacf.exe
2132 | rmlsqoxmjmptacf.exe
3056 | cpnaibpudi.exe
3056 | cpnaibpudi.exe
3056 | cpnaibpudi.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2680 | piujclyl.exe
2680 | piujclyl.exe
2680 | piujclyl.exe
2088 | piujclyl.exe
2088 | piujclyl.exe
2088 | piujclyl.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2132 | rmlsqoxmjmptacf.exe
2132 | rmlsqoxmjmptacf.exe
2132 | rmlsqoxmjmptacf.exe
3056 | cpnaibpudi.exe
3056 | cpnaibpudi.exe
3056 | cpnaibpudi.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2636 | mlzstnahcltyx.exe
2680 | piujclyl.exe
2680 | piujclyl.exe
2680 | piujclyl.exe
2088 | piujclyl.exe
2088 | piujclyl.exe
2088 | piujclyl.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2628 | WINWORD.EXE
2628 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2188 wrote to memory of 3056 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 28
PID 2188 wrote to memory of 3056 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 28
PID 2188 wrote to memory of 3056 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 28
PID 2188 wrote to memory of 3056 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 28
PID 2188 wrote to memory of 2132 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 29
PID 2188 wrote to memory of 2132 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 29
PID 2188 wrote to memory of 2132 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 29
PID 2188 wrote to memory of 2132 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 29
PID 2188 wrote to memory of 2680 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 30
PID 2188 wrote to memory of 2680 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 30
PID 2188 wrote to memory of 2680 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 30
PID 2188 wrote to memory of 2680 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 30
PID 2188 wrote to memory of 2636 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 31
PID 2188 wrote to memory of 2636 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 31
PID 2188 wrote to memory of 2636 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 31
PID 2188 wrote to memory of 2636 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 31
PID 3056 wrote to memory of 2088 | 3056 | cpnaibpudi.exe | 32
PID 3056 wrote to memory of 2088 | 3056 | cpnaibpudi.exe | 32
PID 3056 wrote to memory of 2088 | 3056 | cpnaibpudi.exe | 32
PID 3056 wrote to memory of 2088 | 3056 | cpnaibpudi.exe | 32
PID 2188 wrote to memory of 2628 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 33
PID 2188 wrote to memory of 2628 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 33
PID 2188 wrote to memory of 2628 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 33
PID 2188 wrote to memory of 2628 | 2188 | ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe | 33
PID 2628 wrote to memory of 2812 | 2628 | WINWORD.EXE | 37
PID 2628 wrote to memory of 2812 | 2628 | WINWORD.EXE | 37
PID 2628 wrote to memory of 2812 | 2628 | WINWORD.EXE | 37
PID 2628 wrote to memory of 2812 | 2628 | WINWORD.EXE | 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2188
  C:\Windows\SysWOW64\cpnaibpudi.exe
  cpnaibpudi.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3056
    C:\Windows\SysWOW64\piujclyl.exe
    C:\Windows\system32\piujclyl.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2088
  C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe
  rmlsqoxmjmptacf.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2132
  C:\Windows\SysWOW64\piujclyl.exe
  piujclyl.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2680
  C:\Windows\SysWOW64\mlzstnahcltyx.exe
  mlzstnahcltyx.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2636
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
    C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    PID:2812
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
  Registry Run Keys / Startup Folder 1
  Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
  Registry Run Keys / Startup Folder 1
  Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
  Hidden Files and Directories 2
Impair Defenses 2
  Disable or Modify Tools 2
Modify Registry 7
Downloads