Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 01:16
Behavioral task behavioral1
  Sample: 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task behavioral2
  Sample: 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
Size: 323KB
MD5: 10390fb17b9a12721e70919f9b15131e
SHA1: a5bea9f6ef3ce30976783ef093f024e5dbf87806
SHA256: 37654388123af77ef3b7fbd90c0ed9c18058ad69fc717362519af470ec03e0bb
SHA512: bfa62e61b34232dd9656dd576c336319f2d7da6f882a573b22529728995d4228c7ae50fd3081f3e032844d626be2b0d1bed2a135f63daef441dfa5ae309c984c
SSDEEP: 6144:1xlZaFDLrItkluXRuBvusFjJemp8dqoOiEzfZiHpXHJ9m2AXI6wue6JTtCQr4X:PlQ8fXEBvuwjInnLEzRiHXpx9Qq
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe scvshosts.exe"
UAC bypass
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Disables RegEdit via registry modification 1 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
- netsh.exe (pid 4824)
Processes:
- resource: yara_rule
  - behavioral2/memory/1412-0-0x0000000000400000-0x00000000004A9000-memory.dmp: upx
  - behavioral2/memory/1412-1-0x0000000003030000-0x0000000004063000-memory.dmp: upx
  - behavioral2/memory/1412-5-0x0000000003030000-0x0000000004063000-memory.dmp: upx
  - behavioral2/memory/1412-13-0x0000000003030000-0x0000000004063000-memory.dmp: upx
  - C:\Windows\scvshosts.exe: upx
  - behavioral2/memory/1412-22-0x0000000003030000-0x0000000004063000-memory.dmp: upx
  - behavioral2/memory/1412-29-0x0000000003030000-0x0000000004063000-memory.dmp: upx
  - behavioral2/memory/1412-74-0x0000000003030000-0x0000000004063000-memory.dmp: upx
  - behavioral2/memory/1412-77-0x0000000000400000-0x00000000004A9000-memory.dmp: upx
  - behavioral2/memory/1412-80-0x0000000003030000-0x0000000004063000-memory.dmp: upx
  - behavioral2/memory/1412-84-0x0000000003030000-0x0000000004063000-memory.dmp: upx
  - behavioral2/memory/1412-96-0x0000000000400000-0x00000000004A9000-memory.dmp: upx
  - behavioral2/memory/1412-97-0x0000000000400000-0x00000000004A9000-memory.dmp: upx
  - behavioral2/memory/1412-112-0x0000000003030000-0x0000000004063000-memory.dmp: upx
Windows security modification
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\scvshosts.exe"
Checks whether UAC is enabled
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - File opened (read-only): \??\u:, \??\a:, \??\e:, \??\g:, \??\j:, \??\p:, \??\s:, \??\t:, \??\y:, \??\k:, \??\l:, \??\n:, \??\o:, \??\r:, \??\w:, \??\m:, \??\q:, \??\x:, \??\z:, \??\b:, \??\h:, \??\i:, \??\v:
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- resource: yara_rule
  - behavioral2/memory/1412-77-0x0000000000400000-0x00000000004A9000-memory.dmp: autoit_exe
  - behavioral2/memory/1412-96-0x0000000000400000-0x00000000004A9000-memory.dmp: autoit_exe
  - behavioral2/memory/1412-97-0x0000000000400000-0x00000000004A9000-memory.dmp: autoit_exe
Drops file in System32 directory 8 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - File opened for modification: C:\Windows\SysWOW64\blastclnnn.exe
  - File opened for modification: C:\Windows\SysWOW64\autorun.ini
  - File created: C:\Windows\SysWOW64\setting.ini
  - File opened for modification: C:\Windows\SysWOW64\setting.ini
  - File opened for modification: C:\WINDOWS\SysWOW64\SCVSHOSTS.EXE
  - File created: C:\Windows\SysWOW64\scvshosts.exe
  - File opened for modification: C:\Windows\SysWOW64\scvshosts.exe
  - File created: C:\Windows\SysWOW64\blastclnnn.exe
Drops file in Program Files directory 13 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
  - File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
  - File opened for modification: C:\PROGRAM FILES\7-ZIP\Uninstall.exe
  - File opened for modification: C:\PROGRAM FILES (X86)\COMMON FILES\JAVA\JAVA UPDATE\JUSCHED.EXE
  - File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
  - File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe
  - File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
  - File opened for modification: C:\PROGRAM FILES\7-ZIP\7zG.exe
  - File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
  - File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
  - File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
  - File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe
  - File opened for modification: C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE
Drops file in Windows directory 4 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - File created: C:\Windows\hinhem.scr
  - File created: C:\Windows\scvshosts.exe
  - File opened for modification: C:\Windows\scvshosts.exe
  - File opened for modification: C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
- netsh.exe
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  - Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  - Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe (pid 1412), the same entry repeated for each of the 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe (pid 1412)
  - Token: SeDebugPrivilege, the same entry repeated for each of the 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe, cmd.exe, cmd.exe
(source pid and process -> target pid and process)
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 792 fontdrvhost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 800 fontdrvhost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 60 dwm.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2616 sihost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2648 svchost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2752 taskhostw.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3520 Explorer.EXE
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3648 svchost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3844 DllHost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3940 StartMenuExperienceHost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4000 RuntimeBroker.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 672 SearchApp.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3976 RuntimeBroker.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 388 RuntimeBroker.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3932 TextInputHost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 1572 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2200 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4584 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4256 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2628 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4824 netsh.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4824 netsh.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4824 netsh.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 184 cmd.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 184 cmd.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 184 cmd.exe
- 184 cmd.exe -> 2492 at.exe
- 184 cmd.exe -> 2492 at.exe
- 184 cmd.exe -> 2492 at.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3164 cmd.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3164 cmd.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3164 cmd.exe
- 3164 cmd.exe -> 3444 at.exe
- 3164 cmd.exe -> 3444 at.exe
- 3164 cmd.exe -> 3444 at.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 792 fontdrvhost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 800 fontdrvhost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 60 dwm.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2616 sihost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2648 svchost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2752 taskhostw.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3520 Explorer.EXE
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3648 svchost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3844 DllHost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3940 StartMenuExperienceHost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4000 RuntimeBroker.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 672 SearchApp.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3976 RuntimeBroker.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 388 RuntimeBroker.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3932 TextInputHost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 1572 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2200 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4584 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 4256 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2628 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2892 msedge.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 792 fontdrvhost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 800 fontdrvhost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 60 dwm.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2616 sihost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2648 svchost.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 2752 taskhostw.exe
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3520 Explorer.EXE
- 1412 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe -> 3648 svchost.exe
System policy modification 1 TTPs 1 IoCs
Processes:
- 10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
(format: PID, image path, command line in parentheses; indentation shows parent/child, signatures listed under the process that triggered them)
PID 792  C:\Windows\system32\fontdrvhost.exe  ("fontdrvhost.exe")
PID 800  C:\Windows\system32\fontdrvhost.exe  ("fontdrvhost.exe")
PID 60  C:\Windows\system32\dwm.exe  ("dwm.exe")
PID 2616  C:\Windows\system32\sihost.exe  (sihost.exe)
PID 2648  C:\Windows\system32\svchost.exe  (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
PID 2752  C:\Windows\system32\taskhostw.exe  (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
PID 3520  C:\Windows\Explorer.EXE  (C:\Windows\Explorer.EXE)
    PID 1412  C:\Users\Admin\AppData\Local\Temp\10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe  ("C:\Users\Admin\AppData\Local\Temp\10390fb17b9a12721e70919f9b15131e_JaffaCakes118.exe")
        - Modifies WinLogon for persistence
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID 4824  C:\Windows\SysWOW64\netsh.exe  (netsh firewall set opmode disable)
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
        PID 184  C:\Windows\SysWOW64\cmd.exe  (C:\Windows\system32\cmd.exe /C AT /delete /yes)
            - Suspicious use of WriteProcessMemory
            PID 2492  C:\Windows\SysWOW64\at.exe  (AT /delete /yes)
        PID 3164  C:\Windows\SysWOW64\cmd.exe  (C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe)
            - Suspicious use of WriteProcessMemory
            PID 3444  C:\Windows\SysWOW64\at.exe  (AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe)
        PID 2492  C:\Windows\SysWOW64\NOTEPAD.EXE  ("C:\Windows\system32\NOTEPAD.EXE")
        PID 1640  C:\Windows\SysWOW64\NOTEPAD.EXE  ("C:\Windows\system32\NOTEPAD.EXE")
PID 3648  C:\Windows\system32\svchost.exe  (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
PID 3844  C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
PID 3940  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
PID 4000  C:\Windows\System32\RuntimeBroker.exe  (C:\Windows\System32\RuntimeBroker.exe -Embedding)
PID 672  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
PID 3976  C:\Windows\System32\RuntimeBroker.exe  (C:\Windows\System32\RuntimeBroker.exe -Embedding)
PID 388  C:\Windows\System32\RuntimeBroker.exe  (C:\Windows\System32\RuntimeBroker.exe -Embedding)
PID 3932  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
PID 1572  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window)
    PID 2200  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffc9f3dceb8,0x7ffc9f3dcec4,0x7ffc9f3dced0)
    PID 4584  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2296,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:2)
    PID 4256  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:3)
    PID 2628  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2452,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=2432 /prefetch:8)
    PID 2892  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8)
Network
MITRE ATT&CK Enterprise v15
(technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize: 106B
  MD5: 461844e7b27354ffb9b1f5cafc529c64
  SHA1: f3ee2f507999a91ad23366c65f06159d79ec5478
  SHA256: e7deff408c17012d4a2ed9399301e10253dfb74db882ee557b09c319b7be86ba
  SHA512: e2e3fe4962ee8a3bbbff1df45782ac2281ccd67cb7598c2d47fcc36ae1c5a667e1465afd138c1e491014348b381f31d75e1ccee739db81892217ada0380c0c57
- Filesize: 143KB
  MD5: 3db6579bc49df91fd4776054dbb9365f
  SHA1: fdc004757e18162c83742af46cc5fd758e981579
  SHA256: 6628dfbe922a5f4b2b778ef2a9ca82f992369036992e4c0b8f074971ebd56469
  SHA512: e5b9bd3198a662e36461aced490fc59d1d03819eefef6f2954fcb2c704f23db1e8c5ebec454633bb195001836978c787da17c8d32efff28c83862cb20bd8ab12
- Filesize: 323KB
  MD5: 10390fb17b9a12721e70919f9b15131e
  SHA1: a5bea9f6ef3ce30976783ef093f024e5dbf87806
  SHA256: 37654388123af77ef3b7fbd90c0ed9c18058ad69fc717362519af470ec03e0bb
  SHA512: bfa62e61b34232dd9656dd576c336319f2d7da6f882a573b22529728995d4228c7ae50fd3081f3e032844d626be2b0d1bed2a135f63daef441dfa5ae309c984c