Analysis

max time kernel: 148s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 22-06-2024 22:13

Static task: static1

Behavioral task: behavioral1
Sample: 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Resource: win10v2004-20240508-en

General

Target: 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Size: 149KB
MD5: 04148cc87304ef7a3ceebbad09c09084
SHA1: d8921c3e5480704c173b061ba48be3bba73883ce
SHA256: 5f8cfcf6ac7e58a3d0ab6a6f6ad171bb210eb23ac97e5e4c872a2aad18a015e6
SHA512: 8884f7ba8e917644e4333c528d63443ceb513cb6d5939828db60d0c6bca5da263031fa0fce0e1b9e57543c50193b5277259d4302a3c2bb87dac18a047a8c419a
SSDEEP: 3072:RKsjlMON2+MEjIU/3aO/iXkwvCF4oW4YyYxXlmfRrJOwWrhUZ:fl3g+ML4Kfv4474YyYx1m5JgUZ
Malware Config

Extracted: metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings (2 TTPs, 30 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe
Deletes itself (1 IoC)
Processes:
pid | process
3488 | wmisvrdf.exe
Executes dropped EXE (60 IoCs)
Processes:
pid | process
1424 | wmisvrdf.exe
3488 | wmisvrdf.exe
4188 | wmisvrdf.exe
3244 | wmisvrdf.exe
2972 | wmisvrdf.exe
396 | wmisvrdf.exe
2292 | wmisvrdf.exe
5060 | wmisvrdf.exe
2896 | wmisvrdf.exe
2340 | wmisvrdf.exe
5052 | wmisvrdf.exe
2824 | wmisvrdf.exe
4192 | wmisvrdf.exe
4176 | wmisvrdf.exe
2912 | wmisvrdf.exe
4040 | wmisvrdf.exe
3296 | wmisvrdf.exe
5004 | wmisvrdf.exe
4984 | wmisvrdf.exe
2068 | wmisvrdf.exe
4644 | wmisvrdf.exe
4612 | wmisvrdf.exe
116 | wmisvrdf.exe
756 | wmisvrdf.exe
2584 | wmisvrdf.exe
4220 | wmisvrdf.exe
1224 | wmisvrdf.exe
1424 | wmisvrdf.exe
3832 | wmisvrdf.exe
4592 | wmisvrdf.exe
3648 | wmisvrdf.exe
1304 | wmisvrdf.exe
4312 | wmisvrdf.exe
2888 | wmisvrdf.exe
2456 | wmisvrdf.exe
1064 | wmisvrdf.exe
4868 | wmisvrdf.exe
3192 | wmisvrdf.exe
712 | wmisvrdf.exe
3360 | wmisvrdf.exe
4840 | wmisvrdf.exe
1240 | wmisvrdf.exe
464 | wmisvrdf.exe
2992 | wmisvrdf.exe
4020 | wmisvrdf.exe
3996 | wmisvrdf.exe
2560 | wmisvrdf.exe
424 | wmisvrdf.exe
836 | wmisvrdf.exe
3708 | wmisvrdf.exe
3532 | wmisvrdf.exe
4408 | wmisvrdf.exe
3096 | wmisvrdf.exe
2452 | wmisvrdf.exe
2336 | wmisvrdf.exe
4448 | wmisvrdf.exe
3136 | wmisvrdf.exe
3516 | wmisvrdf.exe
4480 | wmisvrdf.exe
1532 | wmisvrdf.exe
Processes:
resource | yara_rule
behavioral2/memory/2384-0-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2384-2-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2384-3-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2384-4-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2384-40-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3488-45-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3488-47-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3244-54-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3244-56-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/396-64-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/5060-71-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2340-78-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2824-83-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2824-86-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4176-92-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4176-94-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4040-102-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/5004-108-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/5004-109-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2068-118-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4612-124-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4612-126-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/756-131-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/756-137-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4220-145-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/1424-150-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/1424-155-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4592-163-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/1304-172-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2888-180-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/1064-188-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3192-193-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3192-197-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3360-205-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/1240-209-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/1240-214-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2992-219-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2992-223-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3996-231-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/424-234-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/424-238-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3708-244-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4408-248-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4408-251-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2452-254-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/2452-258-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/4448-264-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral2/memory/3516-270-0x0000000000400000-0x0000000000469000-memory.dmp | upx
Maps connected drives based on registry (3 TTPs, 62 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe
Drops file in System32 directory (60 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe
Suspicious use of SetThreadContext (31 IoCs)
Processes:
description | pid | process | target process
PID 792 set thread context of 2384 | 792 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 1424 set thread context of 3488 | 1424 | wmisvrdf.exe | wmisvrdf.exe
PID 4188 set thread context of 3244 | 4188 | wmisvrdf.exe | wmisvrdf.exe
PID 2972 set thread context of 396 | 2972 | wmisvrdf.exe | wmisvrdf.exe
PID 2292 set thread context of 5060 | 2292 | wmisvrdf.exe | wmisvrdf.exe
PID 2896 set thread context of 2340 | 2896 | wmisvrdf.exe | wmisvrdf.exe
PID 5052 set thread context of 2824 | 5052 | wmisvrdf.exe | wmisvrdf.exe
PID 4192 set thread context of 4176 | 4192 | wmisvrdf.exe | wmisvrdf.exe
PID 2912 set thread context of 4040 | 2912 | wmisvrdf.exe | wmisvrdf.exe
PID 3296 set thread context of 5004 | 3296 | wmisvrdf.exe | wmisvrdf.exe
PID 4984 set thread context of 2068 | 4984 | wmisvrdf.exe | wmisvrdf.exe
PID 4644 set thread context of 4612 | 4644 | wmisvrdf.exe | wmisvrdf.exe
PID 116 set thread context of 756 | 116 | wmisvrdf.exe | wmisvrdf.exe
PID 2584 set thread context of 4220 | 2584 | wmisvrdf.exe | wmisvrdf.exe
PID 1224 set thread context of 1424 | 1224 | wmisvrdf.exe | wmisvrdf.exe
PID 3832 set thread context of 4592 | 3832 | wmisvrdf.exe | wmisvrdf.exe
PID 3648 set thread context of 1304 | 3648 | wmisvrdf.exe | wmisvrdf.exe
PID 4312 set thread context of 2888 | 4312 | wmisvrdf.exe | wmisvrdf.exe
PID 2456 set thread context of 1064 | 2456 | wmisvrdf.exe | wmisvrdf.exe
PID 4868 set thread context of 3192 | 4868 | wmisvrdf.exe | wmisvrdf.exe
PID 712 set thread context of 3360 | 712 | wmisvrdf.exe | wmisvrdf.exe
PID 4840 set thread context of 1240 | 4840 | wmisvrdf.exe | wmisvrdf.exe
PID 464 set thread context of 2992 | 464 | wmisvrdf.exe | wmisvrdf.exe
PID 4020 set thread context of 3996 | 4020 | wmisvrdf.exe | wmisvrdf.exe
PID 2560 set thread context of 424 | 2560 | wmisvrdf.exe | wmisvrdf.exe
PID 836 set thread context of 3708 | 836 | wmisvrdf.exe | wmisvrdf.exe
PID 3532 set thread context of 4408 | 3532 | wmisvrdf.exe | wmisvrdf.exe
PID 3096 set thread context of 2452 | 3096 | wmisvrdf.exe | wmisvrdf.exe
PID 2336 set thread context of 4448 | 2336 | wmisvrdf.exe | wmisvrdf.exe
PID 3136 set thread context of 3516 | 3136 | wmisvrdf.exe | wmisvrdf.exe
PID 4480 set thread context of 1532 | 4480 | wmisvrdf.exe | wmisvrdf.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (30 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
pid | process
2384 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
2384 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
3488 | wmisvrdf.exe
3488 | wmisvrdf.exe
3244 | wmisvrdf.exe
3244 | wmisvrdf.exe
396 | wmisvrdf.exe
396 | wmisvrdf.exe
5060 | wmisvrdf.exe
5060 | wmisvrdf.exe
2340 | wmisvrdf.exe
2340 | wmisvrdf.exe
2824 | wmisvrdf.exe
2824 | wmisvrdf.exe
4176 | wmisvrdf.exe
4176 | wmisvrdf.exe
4040 | wmisvrdf.exe
4040 | wmisvrdf.exe
5004 | wmisvrdf.exe
5004 | wmisvrdf.exe
2068 | wmisvrdf.exe
2068 | wmisvrdf.exe
4612 | wmisvrdf.exe
4612 | wmisvrdf.exe
756 | wmisvrdf.exe
756 | wmisvrdf.exe
4220 | wmisvrdf.exe
4220 | wmisvrdf.exe
1424 | wmisvrdf.exe
1424 | wmisvrdf.exe
4592 | wmisvrdf.exe
4592 | wmisvrdf.exe
1304 | wmisvrdf.exe
1304 | wmisvrdf.exe
2888 | wmisvrdf.exe
2888 | wmisvrdf.exe
1064 | wmisvrdf.exe
1064 | wmisvrdf.exe
3192 | wmisvrdf.exe
3192 | wmisvrdf.exe
3360 | wmisvrdf.exe
3360 | wmisvrdf.exe
1240 | wmisvrdf.exe
1240 | wmisvrdf.exe
2992 | wmisvrdf.exe
2992 | wmisvrdf.exe
3996 | wmisvrdf.exe
3996 | wmisvrdf.exe
424 | wmisvrdf.exe
424 | wmisvrdf.exe
3708 | wmisvrdf.exe
3708 | wmisvrdf.exe
4408 | wmisvrdf.exe
4408 | wmisvrdf.exe
2452 | wmisvrdf.exe
2452 | wmisvrdf.exe
4448 | wmisvrdf.exe
4448 | wmisvrdf.exe
3516 | wmisvrdf.exe
3516 | wmisvrdf.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 792 wrote to memory of 2384 | 792 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 | 792 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 | 792 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 | 792 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 | 792 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 | 792 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 | 792 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 2384 wrote to memory of 1424 | 2384 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | wmisvrdf.exe
PID 2384 wrote to memory of 1424 | 2384 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | wmisvrdf.exe
PID 2384 wrote to memory of 1424 | 2384 | 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe | wmisvrdf.exe
PID 1424 wrote to memory of 3488 | 1424 | wmisvrdf.exe | wmisvrdf.exe
PID 1424 wrote to memory of 3488 | 1424 | wmisvrdf.exe | wmisvrdf.exe
PID 1424 wrote to memory of 3488 | 1424 | wmisvrdf.exe | wmisvrdf.exe
PID 1424 wrote to memory of 3488 | 1424 | wmisvrdf.exe | wmisvrdf.exe
PID 1424 wrote to memory of 3488 | 1424 | wmisvrdf.exe | wmisvrdf.exe
PID 1424 wrote to memory of 3488 | 1424 | wmisvrdf.exe | wmisvrdf.exe
PID 1424 wrote to memory of 3488 | 1424 | wmisvrdf.exe | wmisvrdf.exe
PID 3488 wrote to memory of 4188 | 3488 | wmisvrdf.exe | wmisvrdf.exe
PID 3488 wrote to memory of 4188 | 3488 | wmisvrdf.exe | wmisvrdf.exe
PID 3488 wrote to memory of 4188 | 3488 | wmisvrdf.exe | wmisvrdf.exe
PID 4188 wrote to memory of 3244 | 4188 | wmisvrdf.exe | wmisvrdf.exe
PID 4188 wrote to memory of 3244 | 4188 | wmisvrdf.exe | wmisvrdf.exe
PID 4188 wrote to memory of 3244 | 4188 | wmisvrdf.exe | wmisvrdf.exe
PID 4188 wrote to memory of 3244 | 4188 | wmisvrdf.exe | wmisvrdf.exe
PID 4188 wrote to memory of 3244 | 4188 | wmisvrdf.exe | wmisvrdf.exe
PID 4188 wrote to memory of 3244 | 4188 | wmisvrdf.exe | wmisvrdf.exe
PID 4188 wrote to memory of 3244 | 4188 | wmisvrdf.exe | wmisvrdf.exe
PID 3244 wrote to memory of 2972 | 3244 | wmisvrdf.exe | wmisvrdf.exe
PID 3244 wrote to memory of 2972 | 3244 | wmisvrdf.exe | wmisvrdf.exe
PID 3244 wrote to memory of 2972 | 3244 | wmisvrdf.exe | wmisvrdf.exe
PID 2972 wrote to memory of 396 | 2972 | wmisvrdf.exe | wmisvrdf.exe
PID 2972 wrote to memory of 396 | 2972 | wmisvrdf.exe | wmisvrdf.exe
PID 2972 wrote to memory of 396 | 2972 | wmisvrdf.exe | wmisvrdf.exe
PID 2972 wrote to memory of 396 | 2972 | wmisvrdf.exe | wmisvrdf.exe
PID 2972 wrote to memory of 396 | 2972 | wmisvrdf.exe | wmisvrdf.exe
PID 2972 wrote to memory of 396 | 2972 | wmisvrdf.exe | wmisvrdf.exe
PID 2972 wrote to memory of 396 | 2972 | wmisvrdf.exe | wmisvrdf.exe
PID 396 wrote to memory of 2292 | 396 | wmisvrdf.exe | wmisvrdf.exe
PID 396 wrote to memory of 2292 | 396 | wmisvrdf.exe | wmisvrdf.exe
PID 396 wrote to memory of 2292 | 396 | wmisvrdf.exe | wmisvrdf.exe
PID 2292 wrote to memory of 5060 | 2292 | wmisvrdf.exe | wmisvrdf.exe
PID 2292 wrote to memory of 5060 | 2292 | wmisvrdf.exe | wmisvrdf.exe
PID 2292 wrote to memory of 5060 | 2292 | wmisvrdf.exe | wmisvrdf.exe
PID 2292 wrote to memory of 5060 | 2292 | wmisvrdf.exe | wmisvrdf.exe
PID 2292 wrote to memory of 5060 | 2292 | wmisvrdf.exe | wmisvrdf.exe
PID 2292 wrote to memory of 5060 | 2292 | wmisvrdf.exe | wmisvrdf.exe
PID 2292 wrote to memory of 5060 | 2292 | wmisvrdf.exe | wmisvrdf.exe
PID 5060 wrote to memory of 2896 | 5060 | wmisvrdf.exe | wmisvrdf.exe
PID 5060 wrote to memory of 2896 | 5060
wmisvrdf.exe wmisvrdf.exe PID 5060 wrote to memory of 2896 5060 wmisvrdf.exe wmisvrdf.exe PID 2896 wrote to memory of 2340 2896 wmisvrdf.exe wmisvrdf.exe PID 2896 wrote to memory of 2340 2896 wmisvrdf.exe wmisvrdf.exe PID 2896 wrote to memory of 2340 2896 wmisvrdf.exe wmisvrdf.exe PID 2896 wrote to memory of 2340 2896 wmisvrdf.exe wmisvrdf.exe PID 2896 wrote to memory of 2340 2896 wmisvrdf.exe wmisvrdf.exe PID 2896 wrote to memory of 2340 2896 wmisvrdf.exe wmisvrdf.exe PID 2896 wrote to memory of 2340 2896 wmisvrdf.exe wmisvrdf.exe PID 2340 wrote to memory of 5052 2340 wmisvrdf.exe wmisvrdf.exe PID 2340 wrote to memory of 5052 2340 wmisvrdf.exe wmisvrdf.exe PID 2340 wrote to memory of 5052 2340 wmisvrdf.exe wmisvrdf.exe PID 5052 wrote to memory of 2824 5052 wmisvrdf.exe wmisvrdf.exe PID 5052 wrote to memory of 2824 5052 wmisvrdf.exe wmisvrdf.exe PID 5052 wrote to memory of 2824 5052 wmisvrdf.exe wmisvrdf.exe PID 5052 wrote to memory of 2824 5052 wmisvrdf.exe wmisvrdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2824 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4192 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4176 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2912 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4040 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3296 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5004 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4984 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2068 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4644 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4612 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:116 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:756 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2584 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4220 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1224 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1424 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3832 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4592 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3648 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1304 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4312 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2888 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2456 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1064 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4868 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe40⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3192 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:712 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe42⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3360 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4840 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe44⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1240 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:464 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe46⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2992 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4020 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe48⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3996 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2560 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:424 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:836 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe52⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3708 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3532 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe54⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4408 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3096 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2452 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2336 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe58⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4448 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3136 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe60⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3516 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4480 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe62⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:1532
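The WriteProcessMemory table and the process tree above describe one repeating pattern: at every odd level a process spawns a copy of its own image, writes into it and carries "Suspicious use of SetThreadContext" (the process-hollowing sequence), while the even level drops wmisvrdf.exe into SysWOW64, queries the Geo\Nation key and launches the next copy. The following Python is an added example for reading such reports; it is not sandbox code and not part of the sample. It parses rows in the report's "PID X wrote to memory of Y" shape, counts write events per parent/child pair, follows the chain from the root PID and labels each hop. The five rows and the per-PID signature sets are a constructed subset of the report's data, and the label names are this example's own. One caveat when matching on paths: the command lines read C:\Windows\system32\wmisvrdf.exe while the image path is C:\Windows\SysWOW64\wmisvrdf.exe; that is WOW64 file-system redirection for a 32-bit process, not two different binaries, so compare on the image name rather than the directory.

```python
"""Reconstruct an injection chain from sandbox 'wrote to memory of' rows.

Added example; not sandbox or sample code. The rows and signature sets
below are a constructed subset of the report's WriteProcessMemory table
and process tree.
"""
import re
from collections import Counter
from dataclasses import dataclass

SET_THREAD_CONTEXT = "Suspicious use of SetThreadContext"
WRITE_PROCESS_MEMORY = "Suspicious use of WriteProcessMemory"
EXECUTES_DROPPED = "Executes dropped EXE"
DROPS_SYSTEM32 = "Drops file in System32 directory"

SAMPLE = "04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"

# Constructed subset of the report's rows: "description pid process target process"
WPM_ROWS = f"""
PID 792 wrote to memory of 2384 792 {SAMPLE} {SAMPLE}
PID 792 wrote to memory of 2384 792 {SAMPLE} {SAMPLE}
PID 2384 wrote to memory of 1424 2384 {SAMPLE} wmisvrdf.exe
PID 1424 wrote to memory of 3488 1424 wmisvrdf.exe wmisvrdf.exe
PID 3488 wrote to memory of 4188 3488 wmisvrdf.exe wmisvrdf.exe
"""

# Constructed from the process tree: which signatures each PID carries.
SIGNATURES = {
    792: {SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY},
    2384: {DROPS_SYSTEM32, WRITE_PROCESS_MEMORY},
    1424: {EXECUTES_DROPPED, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY},
    3488: {EXECUTES_DROPPED, DROPS_SYSTEM32, WRITE_PROCESS_MEMORY},
    4188: {EXECUTES_DROPPED, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY},
}

ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<proc>\S+) (?P<target>\S+)"
)


@dataclass(frozen=True)
class Write:
    parent_pid: int
    child_pid: int
    parent_image: str
    child_image: str


def parse_rows(text):
    """Parse table rows; skip rows whose description pid and pid column disagree."""
    writes = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m and m["src"] == m["pid"]:
            writes.append(Write(int(m["src"]), int(m["dst"]), m["proc"], m["target"]))
    return writes


def edge_counts(writes):
    """Number of write events recorded per parent->child pair."""
    return Counter((w.parent_pid, w.child_pid) for w in writes)


def classify(writes, signatures):
    """Label each distinct parent->child edge by the pattern it matches."""
    labels = {}
    for w in writes:
        key = (w.parent_pid, w.child_pid)
        if key in labels:
            continue
        parent_sigs = signatures.get(w.parent_pid, set())
        child_sigs = signatures.get(w.child_pid, set())
        # compare image names only: system32 vs SysWOW64 is WOW64 redirection
        same_image = w.parent_image.lower() == w.child_image.lower()
        if same_image and SET_THREAD_CONTEXT in parent_sigs:
            # spawn a copy of yourself, overwrite its memory, redirect its thread
            labels[key] = "process hollowing"
        elif same_image:
            labels[key] = "self-relaunch with memory write"
        elif EXECUTES_DROPPED in child_sigs or DROPS_SYSTEM32 in parent_sigs:
            labels[key] = "write into dropped payload"
        else:
            labels[key] = "cross-image write"
    return labels


def chain(writes, root):
    """Follow first-seen child links from root; stops if a PID repeats."""
    children = {}
    for w in writes:
        children.setdefault(w.parent_pid, w.child_pid)
    seq = [root]
    while seq[-1] in children and children[seq[-1]] not in seq:
        seq.append(children[seq[-1]])
    return seq


if __name__ == "__main__":
    rows = parse_rows(WPM_ROWS)
    counts = edge_counts(rows)
    for (p, c), label in classify(rows, SIGNATURES).items():
        print(f"{p} -> {c}: {label} ({counts[(p, c)]} writes)")
    print("chain:", " -> ".join(map(str, chain(rows, 792))))
```

On the report's full data the chain runs from PID 792 to 1532 across 62 levels; pairing each "process hollowing" edge with the parent's SetThreadContext flag is what separates this pattern from an ordinary installer that merely relaunches itself.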
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
149KB
MD5 04148cc87304ef7a3ceebbad09c09084
SHA1 d8921c3e5480704c173b061ba48be3bba73883ce
SHA256 5f8cfcf6ac7e58a3d0ab6a6f6ad171bb210eb23ac97e5e4c872a2aad18a015e6
SHA512 8884f7ba8e917644e4333c528d63443ceb513cb6d5939828db60d0c6bca5da263031fa0fce0e1b9e57543c50193b5277259d4302a3c2bb87dac18a047a8c419a
(the submitted sample itself; the MD5 matches the sample name)
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(no size is listed; these four digests are those of a zero-length file, so the captured artefact was empty)