Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2024, 18:28
Behavioral task: behavioral1
Sample: 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Size: 255KB
MD5: 0bfa9cf3d04c2e33af496dac3aedac0d
SHA1: 6c32e2e0df76ef05869da736a73dda519d12f0e0
SHA256: cb59cf15b8adbf8cbed38f9c97c7e5b8cf31e4445ad28cac7c79836f86b0a07c
SHA512: 97f1970b33545f74e188fc3fe50ccc43789fb20b358ded3b6021a1e58eafea4bc981fab34dae50db6ae884c74694326c16d200626effc68f3166daf5c9b6ee82
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJh:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIK
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cnzbeanvjc.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cnzbeanvjc.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | cnzbeanvjc.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cnzbeanvjc.exe
Executes dropped EXE (5 IoCs)
pid | Process
2336 | cnzbeanvjc.exe
1576 | jfantlfrtzubiwj.exe
924 | kcuwipat.exe
828 | zheuudcbrmicj.exe
2372 | kcuwipat.exe
Loads dropped DLL (5 IoCs)
pid | Process
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
2336 | cnzbeanvjc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | cnzbeanvjc.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vsudcget = "cnzbeanvjc.exe" | jfantlfrtzubiwj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\egwyhzfm = "jfantlfrtzubiwj.exe" | jfantlfrtzubiwj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zheuudcbrmicj.exe" | jfantlfrtzubiwj.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\v: | cnzbeanvjc.exe
File opened (read-only) | \??\b: | kcuwipat.exe
File opened (read-only) | \??\j: | cnzbeanvjc.exe
File opened (read-only) | \??\n: | cnzbeanvjc.exe
File opened (read-only) | \??\r: | kcuwipat.exe
File opened (read-only) | \??\z: | kcuwipat.exe
File opened (read-only) | \??\i: | kcuwipat.exe
File opened (read-only) | \??\r: | kcuwipat.exe
File opened (read-only) | \??\x: | kcuwipat.exe
File opened (read-only) | \??\h: | kcuwipat.exe
File opened (read-only) | \??\u: | kcuwipat.exe
File opened (read-only) | \??\b: | kcuwipat.exe
File opened (read-only) | \??\m: | kcuwipat.exe
File opened (read-only) | \??\s: | kcuwipat.exe
File opened (read-only) | \??\z: | kcuwipat.exe
File opened (read-only) | \??\k: | kcuwipat.exe
File opened (read-only) | \??\p: | cnzbeanvjc.exe
File opened (read-only) | \??\l: | kcuwipat.exe
File opened (read-only) | \??\o: | kcuwipat.exe
File opened (read-only) | \??\t: | kcuwipat.exe
File opened (read-only) | \??\g: | kcuwipat.exe
File opened (read-only) | \??\m: | cnzbeanvjc.exe
File opened (read-only) | \??\o: | cnzbeanvjc.exe
File opened (read-only) | \??\q: | cnzbeanvjc.exe
File opened (read-only) | \??\y: | cnzbeanvjc.exe
File opened (read-only) | \??\y: | kcuwipat.exe
File opened (read-only) | \??\q: | kcuwipat.exe
File opened (read-only) | \??\t: | kcuwipat.exe
File opened (read-only) | \??\n: | kcuwipat.exe
File opened (read-only) | \??\w: | kcuwipat.exe
File opened (read-only) | \??\l: | cnzbeanvjc.exe
File opened (read-only) | \??\h: | kcuwipat.exe
File opened (read-only) | \??\j: | kcuwipat.exe
File opened (read-only) | \??\v: | kcuwipat.exe
File opened (read-only) | \??\x: | cnzbeanvjc.exe
File opened (read-only) | \??\m: | kcuwipat.exe
File opened (read-only) | \??\e: | kcuwipat.exe
File opened (read-only) | \??\s: | kcuwipat.exe
File opened (read-only) | \??\k: | cnzbeanvjc.exe
File opened (read-only) | \??\t: | cnzbeanvjc.exe
File opened (read-only) | \??\a: | kcuwipat.exe
File opened (read-only) | \??\w: | kcuwipat.exe
File opened (read-only) | \??\y: | kcuwipat.exe
File opened (read-only) | \??\h: | cnzbeanvjc.exe
File opened (read-only) | \??\u: | cnzbeanvjc.exe
File opened (read-only) | \??\e: | kcuwipat.exe
File opened (read-only) | \??\v: | kcuwipat.exe
File opened (read-only) | \??\k: | kcuwipat.exe
File opened (read-only) | \??\i: | cnzbeanvjc.exe
File opened (read-only) | \??\g: | cnzbeanvjc.exe
File opened (read-only) | \??\w: | cnzbeanvjc.exe
File opened (read-only) | \??\j: | kcuwipat.exe
File opened (read-only) | \??\q: | kcuwipat.exe
File opened (read-only) | \??\p: | kcuwipat.exe
File opened (read-only) | \??\e: | cnzbeanvjc.exe
File opened (read-only) | \??\a: | cnzbeanvjc.exe
File opened (read-only) | \??\p: | kcuwipat.exe
File opened (read-only) | \??\g: | kcuwipat.exe
File opened (read-only) | \??\n: | kcuwipat.exe
File opened (read-only) | \??\r: | cnzbeanvjc.exe
File opened (read-only) | \??\z: | cnzbeanvjc.exe
File opened (read-only) | \??\b: | cnzbeanvjc.exe
File opened (read-only) | \??\s: | cnzbeanvjc.exe
File opened (read-only) | \??\i: | kcuwipat.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cnzbeanvjc.exe
AutoIT Executable (55 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/828-38-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1236-45-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-83-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-84-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/924-85-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-86-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-87-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-88-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/924-89-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-90-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2372-91-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2372-92-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-93-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-94-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2372-97-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-96-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/924-95-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2372-101-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/924-100-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-104-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-105-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-103-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-106-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-107-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-108-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-109-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-110-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-111-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-112-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-113-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-114-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-119-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-121-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-120-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-123-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-124-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-122-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-126-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-127-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-125-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-128-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-129-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-130-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-132-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-133-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-131-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-134-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-136-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-135-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-137-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-139-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-138-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2336-140-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/828-142-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1576-141-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\cnzbeanvjc.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jfantlfrtzubiwj.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jfantlfrtzubiwj.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kcuwipat.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | cnzbeanvjc.exe
File opened for modification | C:\Windows\SysWOW64\cnzbeanvjc.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kcuwipat.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zheuudcbrmicj.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zheuudcbrmicj.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
UPX packed file (64 IoCs)
resource | yara_rule
behavioral1/memory/1236-0-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x0009000000016df8-5.dat | upx
behavioral1/files/0x000c000000012280-17.dat | upx
behavioral1/files/0x0008000000016f02-29.dat | upx
behavioral1/memory/1236-28-0x0000000002350000-0x00000000023F0000-memory.dmp | upx
behavioral1/files/0x0008000000016edc-24.dat | upx
behavioral1/memory/1576-34-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-38-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1236-45-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x0002000000003d27-67.dat | upx
behavioral1/files/0x0009000000016de9-73.dat | upx
behavioral1/memory/2336-83-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-84-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/924-85-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-86-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-87-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-88-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/924-89-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-90-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2372-91-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2372-92-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-93-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-94-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2372-97-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-96-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/924-95-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2372-101-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/924-100-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-104-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-105-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-103-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-106-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-107-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-108-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-109-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-110-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-111-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-112-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-113-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-114-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-119-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-121-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-120-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-123-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-124-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-122-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-126-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-127-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-125-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-128-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-129-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-130-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-133-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-131-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-134-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-136-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-135-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-137-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-139-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-138-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2336-140-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/828-142-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1576-141-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | kcuwipat.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | kcuwipat.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | kcuwipat.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | kcuwipat.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | kcuwipat.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | kcuwipat.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zheuudcbrmicj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcuwipat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnzbeanvjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jfantlfrtzubiwj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcuwipat.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B1294492389E53BEB9D232EDD4BB" | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | cnzbeanvjc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | cnzbeanvjc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | cnzbeanvjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | cnzbeanvjc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | cnzbeanvjc.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C60F14E5DBB2B8CC7F97EDE334BD" | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | cnzbeanvjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | cnzbeanvjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | cnzbeanvjc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF8F485C826D903DD7587D96BDEFE630594A674E6346D79E" | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B6FF1821DCD273D0A98A7C9011" | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | cnzbeanvjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | cnzbeanvjc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | cnzbeanvjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | cnzbeanvjc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C769D2383226A4276D170512DD87D8464DA" | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFAC9F917F19784743B36869D3E93B38B03FE4214033BE1BE45E708A0" | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2764 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
924 | kcuwipat.exe
924 | kcuwipat.exe
924 | kcuwipat.exe
924 | kcuwipat.exe
2336 | cnzbeanvjc.exe
2336 | cnzbeanvjc.exe
2336 | cnzbeanvjc.exe
2336 | cnzbeanvjc.exe
2336 | cnzbeanvjc.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
2372 | kcuwipat.exe
2372 | kcuwipat.exe
2372 | kcuwipat.exe
2372 | kcuwipat.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Token: SeShutdownPrivilege | 2024 | explorer.exe
Suspicious use of FindShellTrayWindow (47 IoCs)
pid | Process
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
924 | kcuwipat.exe
924 | kcuwipat.exe
924 | kcuwipat.exe
2336 | cnzbeanvjc.exe
2336 | cnzbeanvjc.exe
2336 | cnzbeanvjc.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
2372 | kcuwipat.exe
2372 | kcuwipat.exe
2372 | kcuwipat.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
Suspicious use of SendNotifyMessage (34 IoCs)
pid | Process
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
924 | kcuwipat.exe
924 | kcuwipat.exe
924 | kcuwipat.exe
2336 | cnzbeanvjc.exe
2336 | cnzbeanvjc.exe
2336 | cnzbeanvjc.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
828 | zheuudcbrmicj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
1576 | jfantlfrtzubiwj.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
2024 | explorer.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2764 | WINWORD.EXE
2764 | WINWORD.EXE
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 1236 wrote to memory of 2336 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 31
PID 1236 wrote to memory of 2336 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 31
PID 1236 wrote to memory of 2336 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 31
PID 1236 wrote to memory of 2336 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 31
PID 1236 wrote to memory of 1576 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 32
PID 1236 wrote to memory of 1576 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 32
PID 1236 wrote to memory of 1576 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 32
PID 1236 wrote to memory of 1576 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 32
PID 1236 wrote to memory of 924 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 33
PID 1236 wrote to memory of 924 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 33
PID 1236 wrote to memory of 924 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 33
PID 1236 wrote to memory of 924 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 33
PID 1236 wrote to memory of 828 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 34
PID 1236 wrote to memory of 828 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 34
PID 1236 wrote to memory of 828 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 34
PID 1236 wrote to memory of 828 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 34
PID 1236 wrote to memory of 2764 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 35
PID 1236 wrote to memory of 2764 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 35
PID 1236 wrote to memory of 2764 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 35
PID 1236 wrote to memory of 2764 | 1236 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 35
PID 2336 wrote to memory of 2372 | 2336 | cnzbeanvjc.exe | 36
PID 2336 wrote to memory of 2372 | 2336 | cnzbeanvjc.exe | 36
PID 2336 wrote to memory of 2372 | 2336 | cnzbeanvjc.exe | 36
PID 2336 wrote to memory of 2372 | 2336 | cnzbeanvjc.exe | 36
PID 2764 wrote to memory of 1444 | 2764 | WINWORD.EXE | 39
PID 2764 wrote to memory of 1444 | 2764 | WINWORD.EXE | 39
PID 2764 wrote to memory of 1444 | 2764 | WINWORD.EXE | 39
PID 2764 wrote to memory of 1444 | 2764 | WINWORD.EXE | 39
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe"
   PID: 1236
   - Loads dropped DLL
   - Drops file in System32 directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   1.1. C:\Windows\SysWOW64\cnzbeanvjc.exe
        Command line: cnzbeanvjc.exe
        PID: 2336
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        1.1.1. C:\Windows\SysWOW64\kcuwipat.exe
               Command line: C:\Windows\system32\kcuwipat.exe
               PID: 2372
               - Executes dropped EXE
               - Enumerates connected drives
               - Drops file in Program Files directory
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of FindShellTrayWindow

   1.2. C:\Windows\SysWOW64\jfantlfrtzubiwj.exe
        Command line: jfantlfrtzubiwj.exe
        PID: 1576
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

   1.3. C:\Windows\SysWOW64\kcuwipat.exe
        Command line: kcuwipat.exe
        PID: 924
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

   1.4. C:\Windows\SysWOW64\zheuudcbrmicj.exe
        Command line: zheuudcbrmicj.exe
        PID: 828
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

   1.5. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        PID: 2764
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        1.5.1. C:\Windows\splwow64.exe
               Command line: C:\Windows\splwow64.exe 12288
               PID: 1444

2. C:\Windows\explorer.exe
   Command line: explorer.exe
   PID: 2024
   - Boot or Logon Autostart Execution: Active Setup
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
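The behaviours the tree attributes to cnzbeanvjc.exe and jfantlfrtzubiwj.exe (hiding file extensions and protected OS files in Explorer, disabling RegEdit, the Windows security modification, modifying Winlogon, adding a Run key) are all registry writes to well-known locations, which makes them easy to turn into host-side or log-side checks. The Python below is an added example, not Triage's detection code: it runs a small rule set over constructed registry events written in the same 'Set value (type) path = "value" process' shape the report uses, and labels each hit with the technique name the report's ATT&CK matrix uses. The event values, the SID, setup.exe and the hypothetical.exe path are invented; the key locations and the stock Winlogon Shell/Userinit values are the standard Windows ones.

```python
import re
from collections import Counter

# Constructed registry events (invented SID, values and paths). The Winlogon
# Shell write of the stock "explorer.exe" and the Explorer\Advanced\Hidden
# write are there to show benign events passing through untouched.
EVENTS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cnzbeanvjc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cnzbeanvjc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cnzbeanvjc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cnzbeanvjc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\hypothetical = "C:\Windows\SysWOW64\hypothetical.exe" jfantlfrtzubiwj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\Windows\SysWOW64\hypothetical.exe" cnzbeanvjc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe
"""

# Lazy path match up to ' = "', greedy value, then the writing process at the end.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')


def parse_registry_events(text):
    """One dict per well-formed 'Set value' line; anything else is ignored."""
    return [m.groupdict() for line in text.splitlines()
            if (m := EVENT_RE.match(line.strip()))]


def winlogon_modified(value_name, value):
    """True when Shell/Userinit no longer hold their stock values."""
    v = value.strip().lower().rstrip(",")
    if value_name.lower() == "shell":
        return v != "explorer.exe"
    return re.fullmatch(r"[a-z]:\\windows\\system32\\userinit\.exe", v) is None


def _is_one(_path, value):
    return value == "1"


# (rule name, technique as the report's ATT&CK matrix names it, path pattern,
#  optional value check). Any Run/RunOnce or Active Setup StubPath write is a
#  hit regardless of value; the others need the specific "disable" value.
RULES = [
    ("Hides file extensions in Explorer", "Hide Artifacts: Hidden Files and Directories",
     re.compile(r"\\Explorer\\Advanced\\HideFileExt$", re.I), _is_one),
    ("Hides protected OS files in Explorer", "Hide Artifacts: Hidden Files and Directories",
     re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I), lambda _p, v: v == "0"),
    ("Disables RegEdit", "Impair Defenses: Disable or Modify Tools",
     re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I), _is_one),
    ("Silences Security Center", "Impair Defenses: Disable or Modify Tools",
     re.compile(r"\\Security Center\\(AntiVirus|Firewall|Updates)(DisableNotify|Override)$", re.I),
     _is_one),
    ("Run key", "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I), None),
    ("Winlogon Shell/Userinit changed", "Boot or Logon Autostart Execution: Winlogon Helper DLL",
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
     lambda p, v: winlogon_modified(p.rsplit("\\", 1)[-1], v)),
    ("Active Setup StubPath", "Boot or Logon Autostart Execution: Active Setup",
     re.compile(r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I), None),
]


def detect(events):
    """Every (event, rule) match as a flat finding."""
    findings = []
    for ev in events:
        for name, technique, path_re, check in RULES:
            if path_re.search(ev["path"]) and (check is None or check(ev["path"], ev["value"])):
                findings.append({"rule": name, "technique": technique, "process": ev["proc"],
                                 "path": ev["path"], "value": ev["value"]})
    return findings


def by_process(findings):
    """Hit count per writing process: the first thing to eyeball in a report."""
    return Counter(f["process"] for f in findings)


if __name__ == "__main__":
    hits = detect(parse_registry_events(EVENTS))
    for h in hits:
        print(f'{h["process"]:<22} {h["rule"]:<38} {h["technique"]}')
    print(dict(by_process(hits)))
```

Two caveats when porting these rules to a real host or EDR feed: the sample's components run from SysWOW64, so their HKLM writes land under Wow6432Node (as the Security Center path above shows) and a rule anchored on the full key path without that node would miss them; and Winlogon\Shell and Userinit have legitimate values, so the check must compare against the stock value rather than fire on any write.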
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (7)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 255KB
MD5: 0efe99c89b8559d85e566189efa0216e
SHA1: 751cde2c46e8f6e9e29d47d81044c652fd86059b
SHA256: aa7904d8376755f9b1bf4a1fd280dea7bfa1ee155cc0f455831073fd64165129
SHA512: baa737f9d2a62d5754f1416b60717a086f229acdee88a6e6d1f0532be169abd85bd77c8f8e0150141de56d4096002206044dcc5705a7dd2b1f0cb564d43e4349

Filesize: 255KB
MD5: 21e42c446f764dfcb0ab158096f52227
SHA1: 350596e31d4524e25e1a2e68e4e01a9af58e066e
SHA256: 65f45cd4eb97985d7961ebefc95a3c8b60cd1792966865a14828e3c7413601dc
SHA512: 9df8fb2a30a03ddf983adfcba86dc9d048420e1a77bf63852086bd5ede2ab81322940f25083fc42b925a8a40ab681008d95ab978341abb77ab06599d39ebe750

Filesize: 255KB
MD5: ef57e6506882f51487a33eca58a0c44e
SHA1: 54ccabe7ec470004a48d14b1422faa77a326d693
SHA256: 6f62e43532118113f4e806b084aca4f4e74c3e5d3b9b9250c295255339275107
SHA512: 5b6f871bc02c5ba3ee86c621400066d024dcd6f551362b36c80efde0cba0062923afe846d5a1f66cb5885adc429486fc401a4e90189492c0c88ea3412dc64f59

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: 1701c912d9943971c43d914212bac46c
SHA1: 3928f7d761acb98efa7e49d7b43b6fb197f8229e
SHA256: 53998bb79381c362416a5452395d81ce746692bbeb40a47f7998443c2eda7789
SHA512: e97df745eb7cfdb2c644e83ee45f1fd8ff6bd52e793a9d664b49534627ea47d73c771b5b85236c25e6c919d82e0ebd35b9480bf17d22b58956e4b4a4d86c91d6

Filesize: 255KB
MD5: a34f83913a6e1802be6674f3c9d3e89c
SHA1: 92e3aa91ca6750bd75a9758d0d6cfc79a4f5cc8e
SHA256: ce9287947c8aef4c29b14969bd1762c1de720ac40e1c9ccfef0675ec3a309b37
SHA512: 79c983764b64928db428d0ad3c1ecf608269fb7443eab14fbcb3466f4d71fd62b843e6802b758cc98451057aa8e152d6c4c6b59da2b3240c3106ebaa19c8d1fe

Filesize: 255KB
MD5: 89db03437477c23d0fc434a383d47654
SHA1: fbddd6a387880ae9ca137f0fa313ceedd1bc0880
SHA256: 1b70622ad30f2dfa8502bc45e9e4819e4c7401d9ffcd4dfe59e621d72911d851
SHA512: 2b1a2f9bd52fd8db9f642473754885b97ca8aee1bd855d5d5d2fb801bc879123b835d26376e3f62ef288ab04bef31556017afcd70f1741747d86d7f7067162c0