Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-09-2024 17:02
Static task
static1
Behavioral task
behavioral1
Sample
f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
f6760b30fc256e6e923b646c9ddd5909
-
SHA1
8e1f8f9346dd26911584f78ad6ccf361c24289f9
-
SHA256
64695ef72a53eee76b6055e025af7fbed11cf9c38a765503d7b8637e416229a2
-
SHA512
2fedebe7946de24b0b2c6ea24a08e5cec84d9d1758205b5c9b4bb75081b8e5aa3af9d025fb31a7455918214891e3b533c40485944cdd3a997daaa91b1ad88435
-
SSDEEP
24576:RaIMsNScd/taTkBc2quTRMxtBVrYa4P3g0tY6Sa2jCed51z5m/lru15w17+zh4T8:l3IcDa4c2bTRGBVrv4tM19m9ruIJ+7
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 3 IoCs
resource | yara_rule
behavioral1/memory/1604-2-0x0000000000401000-0x0000000000403000-memory.dmp | modiloader_stage2
behavioral1/memory/2884-34-0x00000000025D0000-0x000000000269A000-memory.dmp | modiloader_stage2
behavioral1/memory/1604-26-0x0000000000400000-0x00000000005CE110-memory.dmp | modiloader_stage2
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 25 IoCs
pid | Process
2884 | 1.exe
1756 | winrar-32Bit-400.exe
1808 | 1.exe
2908 | 1.exe
2308 | uninstall.exe
1300 | WinRAR.exe
1680 | WinRAR.exe
948 | WinRAR.exe
860 | WinRAR.exe
2072 | WinRAR.exe
2176 | WinRAR.exe
2144 | WinRAR.exe
2256 | WinRAR.exe
1572 | WinRAR.exe
2084 | WinRAR.exe
2056 | WinRAR.exe
2644 | WinRAR.exe
1972 | WinRAR.exe
2972 | WinRAR.exe
2504 | WinRAR.exe
2068 | WinRAR.exe
660 | WinRAR.exe
2136 | WinRAR.exe
1784 | WinRAR.exe
2244 | WinRAR.exe
-
Loads dropped DLL 60 IoCs
pid | Process
1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
2884 | 1.exe
1808 | 1.exe
1756 | winrar-32Bit-400.exe
2308 | uninstall.exe
2308 | uninstall.exe
2308 | uninstall.exe
2308 | uninstall.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
1300 | WinRAR.exe
2308 | uninstall.exe
1680 | WinRAR.exe
2308 | uninstall.exe
948 | WinRAR.exe
2308 | uninstall.exe
860 | WinRAR.exe
2308 | uninstall.exe
2072 | WinRAR.exe
2308 | uninstall.exe
2176 | WinRAR.exe
2308 | uninstall.exe
2144 | WinRAR.exe
2308 | uninstall.exe
2256 | WinRAR.exe
2308 | uninstall.exe
1572 | WinRAR.exe
2308 | uninstall.exe
2084 | WinRAR.exe
2308 | uninstall.exe
2056 | WinRAR.exe
2308 | uninstall.exe
2644 | WinRAR.exe
2308 | uninstall.exe
1972 | WinRAR.exe
2308 | uninstall.exe
2972 | WinRAR.exe
2308 | uninstall.exe
2504 | WinRAR.exe
2308 | uninstall.exe
2068 | WinRAR.exe
2308 | uninstall.exe
660 | WinRAR.exe
2308 | uninstall.exe
2136 | WinRAR.exe
2308 | uninstall.exe
1784 | WinRAR.exe
2308 | uninstall.exe
2244 | WinRAR.exe
-
Modifies system executable filetype association 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2884 set thread context of 1808 | 2884 | 1.exe | 30
PID 1808 set thread context of 2908 | 1808 | 1.exe | 31
-
resource | yara_rule
behavioral1/memory/1808-45-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1808-35-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1808-32-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1808-29-0x0000000000400000-0x0000000000427000-memory.dmp | upx
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\arj.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\bz2.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\gz.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\UnrarSrc.txt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\7z.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\RarExt64.dll | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\ace.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\lzh.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Descript.ion | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\RarExt64.dll | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\7z.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Zip.SFX | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\License.txt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Rar.exe | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\tar.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\cab.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\tar.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\iso.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\WinCon.SFX | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\__tmp_rar_sfx_access_check_259434997 | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\ReadMe.txt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\WinCon.SFX | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Rar.txt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\RarExt.dll | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\UnRAR.exe | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\WinRAR.chm | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\File_Id.diz | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\RarFiles.lst | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\WinRAR.exe | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\7zxa.dll | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\cab.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\lzh.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\uue.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\WhatsNew.txt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Uninstall.lst | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\uue.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\z.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\zipnew.dat | uninstall.exe
File created | C:\Program Files (x86)\WinRAR\File_Id.diz | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\bz2.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\TechNote.txt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\RarFiles.lst | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Default.SFX | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\License.txt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\ReadMe.txt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\UnrarSrc.txt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Uninstall.exe | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\arj.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\gz.fmt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Rar.txt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\TechNote.txt | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\iso.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Default.SFX | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Uninstall.lst | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\Formats\ace.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\Formats\z.fmt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\WhatsNew.txt | winrar-32Bit-400.exe
File opened for modification | C:\Program Files (x86)\WinRAR\WinRAR.chm | winrar-32Bit-400.exe
File created | C:\Program Files (x86)\WinRAR\rarnew.dat | uninstall.exe
File created | C:\Program Files (x86)\WinRAR\RarExt.dll | winrar-32Bit-400.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winrar-32Bit-400.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uninstall.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinRAR.exe
-
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main | winrar-32Bit-400.exe
-
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r02 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r04 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files (x86)\\WinRAR\\zipnew.dat" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r08 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files (x86)\\WinRAR\\rarnew.dat" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r17 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r05 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r10 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r13 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r21 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r12 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r14 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r15\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r29 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r01 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files (x86)\\WinRAR\\WinRAR.exe\" \"%1\"" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files (x86)\\WinRAR\\rarext64.dll" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files (x86)\\WinRAR\\WinRAR.exe,1" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r06 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r27\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ace | uninstall.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2908 | 1.exe
2908 | 1.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1300 | WinRAR.exe
2308 | uninstall.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2884 | 1.exe
1808 | 1.exe
1756 | winrar-32Bit-400.exe
1756 | winrar-32Bit-400.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1604 wrote to memory of 2884 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 28
PID 1604 wrote to memory of 2884 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 28
PID 1604 wrote to memory of 2884 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 28
PID 1604 wrote to memory of 2884 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 28
PID 1604 wrote to memory of 1756 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 29
PID 1604 wrote to memory of 1756 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 29
PID 1604 wrote to memory of 1756 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 29
PID 1604 wrote to memory of 1756 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 29
PID 1604 wrote to memory of 1756 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 29
PID 1604 wrote to memory of 1756 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 29
PID 1604 wrote to memory of 1756 | 1604 | f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe | 29
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 2884 wrote to memory of 1808 | 2884 | 1.exe | 30
PID 1808 wrote to memory of 2908 | 1808 | 1.exe | 31
PID 1808 wrote to memory of 2908 | 1808 | 1.exe | 31
PID 1808 wrote to memory of 2908 | 1808 | 1.exe | 31
PID 1808 wrote to memory of 2908 | 1808 | 1.exe | 31
PID 1808 wrote to memory of 2908 | 1808 | 1.exe | 31
PID 1808 wrote to memory of 2908 | 1808 | 1.exe | 31
PID 1808 wrote to memory of 2908 | 1808 | 1.exe | 31
PID 1808 wrote to memory of 2908 | 1808 | 1.exe | 31
PID 2908 wrote to memory of 1244 | 2908 | 1.exe | 21
PID 2908 wrote to memory of 1244 | 2908 | 1.exe | 21
PID 2908 wrote to memory of 1244 | 2908 | 1.exe | 21
PID 2908 wrote to memory of 1244 | 2908 | 1.exe | 21
PID 1756 wrote to memory of 2308 | 1756 | winrar-32Bit-400.exe | 32
PID 1756 wrote to memory of 2308 | 1756 | winrar-32Bit-400.exe | 32
PID 1756 wrote to memory of 2308 | 1756 | winrar-32Bit-400.exe | 32
PID 1756 wrote to memory of 2308 | 1756 | winrar-32Bit-400.exe | 32
PID 1756 wrote to memory of 2308 | 1756 | winrar-32Bit-400.exe | 32
PID 1756 wrote to memory of 2308 | 1756 | winrar-32Bit-400.exe | 32
PID 1756 wrote to memory of 2308 | 1756 | winrar-32Bit-400.exe | 32
PID 2308 wrote to memory of 1300 | 2308 | uninstall.exe | 36
PID 2308 wrote to memory of 1300 | 2308 | uninstall.exe | 36
PID 2308 wrote to memory of 1300 | 2308 | uninstall.exe | 36
PID 2308 wrote to memory of 1300 | 2308 | uninstall.exe | 36
PID 2308 wrote to memory of 1300 | 2308 | uninstall.exe | 36
PID 2308 wrote to memory of 1300 | 2308 | uninstall.exe | 36
PID 2308 wrote to memory of 1300 | 2308 | uninstall.exe | 36
PID 2308 wrote to memory of 1680 | 2308 | uninstall.exe | 37
PID 2308 wrote to memory of 1680 | 2308 | uninstall.exe | 37
PID 2308 wrote to memory of 1680 | 2308 | uninstall.exe | 37
PID 2308 wrote to memory of 1680 | 2308 | uninstall.exe | 37
PID 2308 wrote to memory of 1680 | 2308 | uninstall.exe | 37
PID 2308 wrote to memory of 1680 | 2308 | uninstall.exe | 37
PID 2308 wrote to memory of 1680 | 2308 | uninstall.exe | 37
PID 2308 wrote to memory of 948 | 2308 | uninstall.exe | 38
PID 2308 wrote to memory of 948 | 2308 | uninstall.exe | 38
PID 2308 wrote to memory of 948 | 2308 | uninstall.exe | 38
PID 2308 wrote to memory of 948 | 2308 | uninstall.exe | 38
PID 2308 wrote to memory of 948 | 2308 | uninstall.exe | 38
PID 2308 wrote to memory of 948 | 2308 | uninstall.exe | 38
PID 2308 wrote to memory of 948 | 2308 | uninstall.exe | 38
PID 2308 wrote to memory of 860 | 2308 | uninstall.exe | 39
PID 2308 wrote to memory of 860 | 2308 | uninstall.exe | 39
PID 2308 wrote to memory of 860 | 2308 | uninstall.exe | 39
PID 2308 wrote to memory of 860 | 2308 | uninstall.exe | 39
Processes
-
Depth 1: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:1244
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe")
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604 -
Depth 3: C:\Users\Admin\AppData\Local\Temp\1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884 -
Depth 4: C:\Users\Admin\AppData\Local\Temp\1.exe (command line: C:\Users\Admin\AppData\Local\Temp\1.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808 -
Depth 5: C:\Users\Admin\AppData\Local\Temp\1.exe (command line: C:\Users\Admin\AppData\Local\Temp\1.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908
-
-
-
-
Depth 3: C:\Users\Admin\AppData\Local\Temp\winrar-32Bit-400.exe (command line: "C:\Users\Admin\AppData\Local\Temp\winrar-32Bit-400.exe")
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756 -
Depth 4: C:\Program Files (x86)\WinRAR\uninstall.exe (command line: "C:\Program Files (x86)\WinRAR\uninstall.exe" /setup)
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2308 -
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1300
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1680
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:948
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:860
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2176
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2144
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2256
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1572
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2084
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2056
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2644
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1972
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2972
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2504
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2068
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:660
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2136
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1784
-
-
Depth 5: C:\Program Files (x86)\WinRAR\WinRAR.exe (command line: "C:\Program Files (x86)\WinRAR\WinRAR.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2244
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution (2)
Change Default File Association (1)
Component Object Model Hijacking (1)
Privilege Escalation
Event Triggered Execution (2)
Change Default File Association (1)
Component Object Model Hijacking (1)
Downloads
-
Filesize
63KB
MD5 f6c820af62928b959ed8fde39cce325f
SHA1 6d297ad5f2768b80e420ca6adafd197c04732432
SHA256 0f95203830d6fd7765d07754c4bbf5acc15c7c30a5ace395dd0c33f2ddc9690d
SHA512 2d68425f7fa1e037b8f215ec4db3ad7c865e9ad1482df846be02c430dca6b392b465d08e630e367a28c57661581a5c1ef115cd3614c92a7e5c2476678402dfc2
-
Filesize
65KB
MD5 17472ff497ef1abcbdb10ed57f9d4ae7
SHA1 8500b8aee45a7de607eeb679663a3a14c95533bb
SHA256 7d9bb6839532a8942834f6974c905f19596b17e6d7b9256afa4ae2a709adb837
SHA512 c8f4eba82b48ccc6a8e0ab4995ee12db8bfeb9c4154d6c9b06cf1472a3eca6f722450498a49ed8223322e6d913dfeb2c1d0619af2547c25e3eb93062d250368f
-
Filesize
67KB
MD5 62a7e932bcfae32d6058b5adcaeb3c1b
SHA1 d65d8ed3b89c3bf5ef5f7a8320bdacfdb165fbc5
SHA256 2f3c744e4a121ea4fae3d67b849c91adc99677801aa64e0f97bbd6ffb90142a3
SHA512 36e9d30ec8176b4440265fd9ab5fbcc812b57b69c1935ee1d3de0c3b52ec772dd7fef906559bd2cbd5aa739da7e1e929bab4beb62a910a64c29b37deca1dbef7
-
Filesize
3KB
MD5 61e5a38df9c011a6b2ff6a1c8128e250
SHA1 8b107abce8f96ee4684c81687a87241e489de6b0
SHA256 f87e3bb7115718592a56e5699bb5f51bf21db332d3588b7d9f59e8092c2c3556
SHA512 3d580f9efe1534d36ceb9ce833ff65b9a1ddb52cfd0b8474e72bd71e7c6605444c3ea5d517c91f940043bcbfc9538e70efa35c28ab1c45f8f66ec55b0f59beba
-
Filesize
76KB
MD5 224586396df8a52aaeabb1f653c50ae7
SHA1 d81615ad110ed68389e60b10d14e8d3cf07271e2
SHA256 3da007605d5098328c23da5bcc50135645ba6a7c90a8565c5497f8a59e8257b8
SHA512 c40728bbf4ab3a2badfbc09c7c2d5da88a78250b9e364d3b00c35aef4bc9d6c52b42493d34ef95b8ef419d828b0efe6cc97b87d955073ff5888bdcd9b80570e1
-
Filesize
259KB
MD5 e10f2ddc395fa3ba7166c28af16db0a2
SHA1 6ce8d95b24a1bba51fcdcd5ab25ea7a4ca74243d
SHA256 553336429f414066ccd0ece397ecf286f6efe218c1de2e72c71a335a2cb79bd9
SHA512 5341ee8b4823b15b1cc0e01ea04e526e5d4d18471d590e71d81512e9e0855659aa493a4cec4af6a375c78b91381694ae84f1c37f017deca136d8356fb79fb3ef
-
Filesize
1.4MB
MD5 bff4de14e81eacd66167c017fe1872b1
SHA1 e5084a96cfb7c385f0f5a20beb198619cc7f2894
SHA256 bf433776706a19de55651786d1b76869f95d109bf020981c5c34bf4cb20e4a15
SHA512 7658b64cc7ce337cc11f4f9791f1a2dce33f2c82816f3fb008a3e2eae5f5f359de1650232d114dd9da5717a0fdfde49010f3b9baa94297e45afe75a16f0a2eb7
-
Filesize
12B
MD5 055ed100f3374f65a3c8aff71c2efe49
SHA1 68376ade277713f7f5e81deeca25c68a9add37a8
SHA256 9657ce895b3cf6576c6e2eb00ca18da7914adfb3ed7648dad06ca13813928030
SHA512 b55a8d8af8e227ec9925c1bf049fd44de0a6a1c4dd2102eb151df512b9d21c9f8ed72058d261e3713b61a6a007786bc1c4a52a09b3c5bbdd770f00d730caf57c
-
Filesize
79KB
MD5 d5915f37a3633635ab184185bd31c7c3
SHA1 5c0fdcc30d3c5e6564c470dbe1103a130fb07e89
SHA256 32a306f55e71cb965b65ae365a4a1b3952721dd7636863a59ba0e8ea1d6830e1
SHA512 dbc889af6c911ae2fd0c44997cbd553f2e0644d0017cb3137003384ad83fda683413bec670ce89ffdee92f9b934c75b0bbd991e7a7e21bb51fc271ff572e6460
-
Filesize
81KB
MD5 fc885f43fe6ffc765ede29260227bd6c
SHA1 e827046f109a49a23b9eb32d5dd8b874c60e5a80
SHA256 a6d41807c7f57d219d57c7065aaa92ec01aac5e26ec4011beec347593b1e2d05
SHA512 0ca57096c47cd7963a8bf3c421d855b0e9a7629df238969ef8a5eec7a39a5e7196ad5483bd009545e35e92a1489e993d6428f100312a3301647bb45fd80dae4d
-
Filesize
73KB
MD5 550da61de6b674960f2eca14085fc85f
SHA1 9dcbc54ee6b6411acaebd61664fe811ff04ce68b
SHA256 649513b61cebd8b97fd8873cc9f553e02703e184e7a81b655502d71c53055b92
SHA512 2d554eba4bd8f7975ad36205f333d676e711c7404f6f983a1247485073ab25f41ceba317d07f3058946beba02f261cb92a194920c2aa808a74e7ea2839048121
-
Filesize
82KB
MD5 27e54fa62745dfee82d2ae99876aa78b
SHA1 138d3f42017fa6c9d3105be328ff2e8de2a9ef4f
SHA256 87c0e8e9f48a81d01e1334475dfc62698e40a842c3cb5cef4c9a53e83c0e511b
SHA512 c629af257602cae99d30500d10063b94bf1333cc1498473e5c2a4f85790a16670a3518005c87119a86637aea40a05faf89ff53c2a720b281dcdb192602ebabe1
-
Filesize
63KB
MD5 27069b3a97dfbfde75f1bbbe231b17aa
SHA1 601d83ce7b895109edf8be38c2fc42ecf838e35f
SHA256 bc370858c08a51c055a81752892eed1deff1ff8b7bd854ce4994d0b5169e24fb
SHA512 b3e73798e893a1afa538dc75a6c49f0120874e61cdceb2e09b5f1fae4725a2e3192caccc034bc8dbb078484b28290a61c8e952eacc18de7d581fc91ea8c70943
-
Filesize
73KB
MD5 5fee8033854a5aa284a168f27a59525e
SHA1 4240958be9db280bcf99b14b512e050a626c5841
SHA256 52f44c4d41ff8eb2f722d9111590966826aeda14311b3d01f1bd0c3a850487cd
SHA512 31e543f70b3b034d3d6d2284b20f65011a966d919671936722ffb4eb212905819034d5906e77753896ea872631986a52cf42fab1915bd136677a886543dc6d08
-
Filesize
86KB
MD5 e6c137502190151323e9cff8e7bd1681
SHA1 7f6d796e304513e23df94d5230137ec4eda38d08
SHA256 3e234ce90de6aad226d5c057f64106ae984c932e65ae6e8a69279a20e70f0997
SHA512 8cc11be61f782158f0df56a38247af39cdba72a3a809c450831d910cdb5b8096550c45c66767c60fe8e1ba4f55926a5532932a950aa413e1470ac2effbdb53cd
-
Filesize
85KB
MD5 fd512afc6a7dda9e8a098c54d7a38e36
SHA1 301be5f4872c46d941030963aa6444909f90d7a5
SHA256 d4461470bd76a0dad0ddcbb1a512b4f1513425dcd0f1f8790471a45cb7978ef5
SHA512 694d31e2734161e4b847fecdcc3142e32013f657bc1589c71dd266b636d225a169a8b77454dbb4a1d4a74ea0b021f888b2746fa35548e36cb566f17201f2fbcb
-
Filesize
387KB
MD5 fd1effd45bd615a741227f84fd1ae915
SHA1 1e254610fd5d60b4ab377cd1796a2781f60b134e
SHA256 52ae84051c5038d19d2d72dfd10739b50f4b78e0936d1cb45d7dabb2eff19810
SHA512 2917b1b0dc738a7406620b3af465c4f57c8bd7d9834c76f7b277c634fa0672dba5407a2298a4cdd4729f80c502df4887d7eea23b568b6d49ab26cc5602365cc0
-
Filesize
119KB
MD5 07fb6fbaa38521c859c6e2c9d3508560
SHA1 bdbbac36111f7526a386a3b2440ad6c88af275b7
SHA256 a24e71f60a22b99cabfc2bd9c04f5477e23a33e880442d60ff84191cc55055e6
SHA512 33feee5c6b35bfc389fe3f536512c17cd8a5f2f151e4aee951b521620e0c543506d5130bfdb39006b5640c6f8c79cf429d8c5a92d0f932b10ca9b06b05539eb9
-
Filesize
1.0MB
MD5 c464ce70a57da04861a29015814e0dd1
SHA1 7cb84bc701d14ae10d415da168c7c64ce62a44ab
SHA256 9529a0892a46b0653e8214b9b6d717bbed1bf02c1d02f5d7253ee940aaf6c6f4
SHA512 ea31ff0fc8e5505b4b6ef10ed509893835b329ecce429a0d3b88b8c40683ac6a51fedeae33f695915decab03d019ac866371895599106762f8397026579803fd
-
Filesize
286KB
MD5 f2c7bcc4b9096a5eb57ed5d1aad3e85d
SHA1 bf047b8d9df03689eaa83015bb343e379583b8ba
SHA256 d91ecfecbfde91c6646e4bc7783a2df0e77794d36622923973a9f679a77d9e7e
SHA512 c5a547d89b23f9b269fbf82548676024c0a24cc9b82669788c8ac1a94d12cda17fdc62e0bba813a9ce631247331f02f64ef17ded7b532c16d8333f925350f8d7