Analysis Overview
SHA256
493e8ffa6dd24941faedd2a72e119f09f85835c7743191fa036b609886071d21
Threat Level: Known bad
The file 0fd0023347fcef8ac888d4a0e3c61fe1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-25 22:48
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 22:48
Reported
2024-06-25 22:50
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\regsvr32mgr.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fd0023347fcef8ac888d4a0e3c61fe1_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0fd0023347fcef8ac888d4a0e3c61fe1_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 22:48
Reported
2024-06-25 22:50
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\regsvr32mgr.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32mgr.exe |
Modifies registry class
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5116 wrote to memory of 3192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3192 wrote to memory of 3084 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32mgr.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fd0023347fcef8ac888d4a0e3c61fe1_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0fd0023347fcef8ac888d4a0e3c61fe1_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3084 -ip 3084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 10176
Network
Files