Analysis

max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/10/2024, 18:08

Behavioral task: behavioral1
Sample: 52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Resource: win7-20240903-en

General

Target: 52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Size: 255KB
MD5: 52ff20b246f428e8935923a12a5adc16
SHA1: c137c9d7ca7368426b2601dddda8157abc498c90
SHA256: be34be7265a5559936de261023105b65ba2f1f7529117c7a60f7442ca3904bce
SHA512: 9dd0b1ef97e663d524f8e7d9829f28341b4dba769d302c0ba0684c943cffe79017a59d067bd117fc5408c3ef43ac80d1b4cddadaebcbe5aacc72daf90975ff89
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJn:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI+
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  fzadmbadgh.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  fzadmbadgh.exe
Taken together, these two per-user writes make Explorer hide known file extensions and protected operating-system files. That is what lets an executable dropped as PROTTPLV.DOC.exe (see "Drops file in Program Files directory" below) display to the user as PROTTPLV.DOC.

Windows security bypass 5 IoCs
(The signature heading is missing from the extracted page; the name is taken from the process-tree entry for fzadmbadgh.exe below.)
description ioc Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  fzadmbadgh.exe
These are the Windows XP SP2-era Security Center notification and override values. Because the writer is a 32-bit process, on this x64 image the values land in the Wow6432Node view of HKLM\SOFTWARE; whether Windows 7's Action Center reads them at all is doubtful, but a single process setting all five is a high-confidence indicator regardless of effect.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process
Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Caveat: the only recorded actor is explorer.exe (the desktop shell, PID 1256), which creates the per-user Installed Components key as part of ordinary logon processing, and no StubPath value written by a sample process appears anywhere in this report. Treat this hit as shell noise unless a later artifact ties it to the sample.
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  fzadmbadgh.exe
This is the per-user policy behind "Prevent access to registry editing tools"; regedit.exe refuses to start for the affected account while it is set.

Executes dropped EXE 5 IoCs
pid Process
2676  fzadmbadgh.exe
2668  wqtrqsaukpbhvmg.exe
2688  bzofeyltwtrye.exe
2780  aulmbrlt.exe
3008  aulmbrlt.exe

Loads dropped DLL 5 IoCs
pid Process
2268  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe (4 entries)
2676  fzadmbadgh.exe (1 entry)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets. (No IoC rows are recorded for this signature.)

Windows security modification 6 IoCs
(The signature heading is missing from the extracted page; the name is taken from the process-tree entry for fzadmbadgh.exe below. Five of the six rows repeat Security Center values already listed above; FirstRunDisabled is the addition.)
description ioc Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  fzadmbadgh.exe

Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pqgzxvui = "fzadmbadgh.exe"  wqtrqsaukpbhvmg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\froyujnh = "wqtrqsaukpbhvmg.exe"  wqtrqsaukpbhvmg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bzofeyltwtrye.exe"  wqtrqsaukpbhvmg.exe
Notes: the third row writes the Run key's default (unnamed) value. All three entries hold a bare file name with no path, so the autostart depends on the loader locating the executables that were dropped in C:\Windows\SysWOW64; on an x64 host, confirm that the 64-bit shell actually resolves these names before assuming the persistence is effective.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
(The page shows exactly 64 rows here and for several other signatures, which suggests a display cap; treat the list as possibly truncated.)
description ioc Process
File opened (read-only)  \??\a: \??\e: \??\g: \??\h: \??\i: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:  fzadmbadgh.exe (21 rows)
File opened (read-only)  \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:  aulmbrlt.exe (43 rows; every letter except j:, n: and u: appears twice, consistent with the two aulmbrlt.exe instances, PIDs 2780 and 3008)
This is a blind sweep of nearly every drive letter rather than a query of the drives that actually exist, the usual shape of a routine looking for additional volumes to act on.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  fzadmbadgh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  fzadmbadgh.exe
4294967197 is 0xFFFFFF9D, the value used on Windows 2000/XP to switch off Windows File Protection, with SFCScan = 0 suppressing the boot-time scan. Windows 7 uses Windows Resource Protection and does not honour SFCDisable, so the write is legacy behaviour carried in the code, but it remains a distinctive artifact to hunt for.
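The registry writes listed above (Explorer visibility, Security Center, the regedit policy, Winlogon SFC values and the bare-name Run entries) are what a responder would want to hunt for across a fleet. The Python below is an added example and is not part of the sandbox report: it turns those value paths into rules and runs them over a few constructed Sysmon-style "registry value set" records (process, full value path, data). The paths are copied from this report; the explorer.exe control record, the rule labels and the function names are the example's own.

```python
import re

# Rules derived from the value paths in this report: (label, regex on the full
# value path, data that makes the write a hit; None means any data).  Labels are
# "<family>.<setting>" so hits can be counted per family.
REGISTRY_RULES = [
    ("explorer.hide_file_ext",
     r"\\Explorer\\Advanced\\HideFileExt$", "1"),
    ("explorer.hide_superhidden",
     r"\\Explorer\\Advanced\\ShowSuperHidden$", "0"),
    ("seccenter.disable_notify",
     r"\\Microsoft\\Security Center\\(AntiVirus|Firewall|Updates)DisableNotify$", "1"),
    ("seccenter.override",
     r"\\Microsoft\\Security Center\\(AntiVirus|Firewall)Override$", "1"),
    ("seccenter.firstrun_disabled",
     r"\\Microsoft\\Security Center\\FirstRunDisabled$", "1"),
    ("policy.disable_regedit",
     r"\\Policies\\System\\DisableRegistryTools$", "1"),
    ("winlogon.sfc_disable",
     r"\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable$", None),
    ("winlogon.sfc_scan_off",
     r"\\Windows NT\\CurrentVersion\\Winlogon\\SFCScan$", "0"),
]
_COMPILED = [(label, re.compile(rx, re.IGNORECASE), want)
             for label, rx, want in REGISTRY_RULES]
_RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]*$",
                        re.IGNORECASE)


def classify_write(path: str, data: str) -> list[str]:
    """Return the rule labels one registry write matches (empty list if none)."""
    hits = [label for label, rx, want in _COMPILED
            if rx.search(path) and (want is None or data == want)]
    # A Run value whose data is a bare file name, as in this report
    # (pqgzxvui = "fzadmbadgh.exe"): the autostart relies on the loader's
    # search path instead of naming where the binary was dropped.
    if _RUN_VALUE.search(path) and data and "\\" not in data and "/" not in data:
        hits.append("run.bare_filename")
    return hits


def triage(events: list[dict]) -> dict[str, set[str]]:
    """Group rule hits by the writing process.  Each event is
    {"proc": image name, "path": full value path, "data": data as a string}."""
    by_proc: dict[str, set[str]] = {}
    for ev in events:
        labels = classify_write(ev["path"], ev["data"])
        if labels:
            by_proc.setdefault(ev["proc"], set()).update(labels)
    return by_proc


def suspicious_processes(events: list[dict], min_families: int = 2) -> list[str]:
    """Processes whose hits span at least `min_families` rule families.
    One HideFileExt write can be a user preference; Explorer, Security Center,
    policy and Winlogon tampering from the same image is not."""
    return sorted(proc for proc, labels in triage(events).items()
                  if len({l.split(".", 1)[0] for l in labels}) >= min_families)


# Constructed sample events: paths copied from the report, plus an invented
# benign explorer.exe write (a user turning extensions back on) as a control.
SID = "S-1-5-21-1846800975-3917212583-2893086201-1000"
HKCU = "\\REGISTRY\\USER\\" + SID
HKLM32 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft"
SAMPLE_EVENTS = [
    {"proc": "fzadmbadgh.exe", "data": "1",
     "path": HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"},
    {"proc": "fzadmbadgh.exe", "data": "0",
     "path": HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"},
    {"proc": "fzadmbadgh.exe", "data": "1",
     "path": HKLM32 + "\\Security Center\\AntiVirusDisableNotify"},
    {"proc": "fzadmbadgh.exe", "data": "1",
     "path": HKLM32 + "\\Security Center\\FirewallOverride"},
    {"proc": "fzadmbadgh.exe", "data": "1",
     "path": HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools"},
    {"proc": "fzadmbadgh.exe", "data": "4294967197",
     "path": HKLM32 + "\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable"},
    {"proc": "wqtrqsaukpbhvmg.exe", "data": "fzadmbadgh.exe",
     "path": HKLM32 + "\\Windows\\CurrentVersion\\Run\\pqgzxvui"},
    {"proc": "wqtrqsaukpbhvmg.exe", "data": "bzofeyltwtrye.exe",
     "path": HKLM32 + "\\Windows\\CurrentVersion\\Run\\"},
    {"proc": "explorer.exe", "data": "0",
     "path": HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"},
]

if __name__ == "__main__":
    for proc, labels in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{proc}: {', '.join(sorted(labels))}")
    print("suspicious:", suspicious_processes(SAMPLE_EVENTS))
```

Run against the constructed records, fzadmbadgh.exe is the only process crossing the two-family threshold; wqtrqsaukpbhvmg.exe only trips the bare-name Run rule, and the explorer.exe write matches nothing because the data is not the value the rule looks for. Feeding real Sysmon Event ID 13 records in requires only mapping Image, TargetObject and Details onto the proc/path/data keys.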
AutoIT Executable 54 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
All 54 rows are autoit_exe matches on memory dumps of the image range 0x0000000000400000-0x00000000004A0000 (resource name behavioral1/memory/<pid>-<dump>-0x0000000000400000-0x00000000004A0000-memory.dmp):
PID 2268 (52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe): dump 46
PID 2676 (fzadmbadgh.exe): dumps 76, 80, 86, 95, 98, 101, 105, 112, 115, 118, 121, 124, 127, 130, 134
PID 2668 (wqtrqsaukpbhvmg.exe): dumps 77, 81, 87, 96, 99, 102, 106, 113, 116, 119, 122, 125, 128, 131, 135
PID 2688 (bzofeyltwtrye.exe): dumps 78, 83, 89, 97, 100, 103, 107, 114, 117, 120, 123, 126, 129, 132, 136
PID 2780 (aulmbrlt.exe): dumps 79, 82, 88, 94
PID 3008 (aulmbrlt.exe): dumps 84, 85, 90, 93
No on-disk file matches autoit_exe: the AutoIt marker only becomes visible once the packed image has been unpacked in memory, and every process in the tree unpacks the same 0x400000-0x4A0000 layout.
Drops file in System32 directory 9 IoCs
description ioc Process
File created  C:\Windows\SysWOW64\fzadmbadgh.exe  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\fzadmbadgh.exe  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\wqtrqsaukpbhvmg.exe  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\wqtrqsaukpbhvmg.exe  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\aulmbrlt.exe  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\aulmbrlt.exe  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\bzofeyltwtrye.exe  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\bzofeyltwtrye.exe  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  fzadmbadgh.exe
The four executables are written by the 32-bit sample to what it sees as System32, which WOW64 redirects to C:\Windows\SysWOW64; writing there at all requires the process to be running elevated. msvbvm60.dll (the Visual Basic 6 runtime) is opened for write by fzadmbadgh.exe but no File created row is recorded for it.

UPX packed file 64 IoCs
(The signature heading is missing from the extracted page; it is reconstructed from the yara rule name upx. The page shows exactly 64 rows, so the list may be capped.)
resource yara_rule
files: behavioral1/files/0x0007000000019438-9.dat, behavioral1/files/0x000e00000001228d-17.dat, behavioral1/files/0x000600000001944d-38.dat, behavioral1/files/0x0007000000019423-35.dat, behavioral1/files/0x0002000000003d26-68.dat, behavioral1/files/0x0002000000003d27-70.dat
memory dumps (all of the range 0x0000000000400000-0x00000000004A0000, resource name behavioral1/memory/<pid>-<dump>-0x0000000000400000-0x00000000004A0000-memory.dmp):
PID 2268: dumps 0, 46
PID 2676: dumps 26, 76, 80, 86, 95, 98, 101, 105, 112, 115, 118, 121, 124, 127, 130, 134
PID 2668: dumps 29, 77, 81, 87, 96, 99, 102, 106, 113, 116, 119, 122, 125, 128, 131, 135
PID 2688: dumps 39, 78, 83, 89, 97, 100, 103, 107, 114, 117, 120, 123, 126, 129, 132
PID 3008: dumps 45, 84, 85, 90, 93
PID 2780: dumps 79, 82, 88, 94
Unlike autoit_exe, the upx rule also fires on the six dropped files, so the on-disk artifacts are UPX-packed and the memory dumps still carry the UPX stub.
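The two yara results above say complementary things about packaging: upx fires on the dropped files and on memory, while autoit_exe fires only on memory dumps of the unpacked image. A first static check for the same two properties is to read the PE section table (UPX leaves UPX0/UPX1 sections unless they were renamed) and search for the AutoIt compiled-script tag. The Python below is an added example, not code from the report or from the sandbox. It builds a throwaway minimal PE prefix in memory so that it runs offline; the AU3!EA06 marker it searches for is this example's assumption about how AutoIt3 tags compiled scripts, not something this report establishes, and the function names are the example's own.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
AUTOIT_MARKER = b"AU3!EA06"             # assumed AutoIt3 compiled-script tag


def pe_section_names(data: bytes) -> list[str]:
    """Walk the DOS and COFF headers and return the section names in order.
    Raises ValueError on anything that is not a well-formed PE prefix."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size     # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = struct.unpack_from(SECTION_HEADER, data, off)[0]
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """UPX names its sections UPX0/UPX1 (and UPX2) by default.  A packer that
    renames them defeats this check, which is why the sandbox also scans memory."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def has_autoit_marker(data: bytes) -> bool:
    """Look for the compiled-script tag anywhere in the image.  In a packed file
    the tag is compressed away; it reappears only in the unpacked memory image."""
    return AUTOIT_MARKER in data


def classify(data: bytes) -> dict:
    return {"sections": pe_section_names(data),
            "upx": is_upx_packed(data),
            "autoit": has_autoit_marker(data)}


def build_pe(section_names: list[bytes], payload: bytes = b"") -> bytes:
    """Constructed, non-runnable PE prefix used only to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                       # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = b"\x0B\x01" + b"\x00" * (opt_size - 2)   # Magic 0x10B = PE32
    table = b"".join(struct.pack(SECTION_HEADER, name.ljust(8, b"\x00"),
                                 0, 0, 0, 0, 0, 0, 0, 0, 0)
                     for name in section_names)
    return dos + b"PE\x00\x00" + coff + optional + table + payload


# Two constructed images mirroring the report: "on disk" (UPX sections, marker
# compressed away) and "in memory" (ordinary sections, marker visible).
ON_DISK = build_pe([b"UPX0", b"UPX1", b".rsrc"], payload=b"\x1f\x8b" + bytes(64))
IN_MEMORY = build_pe([b".text", b".rdata", b".data"],
                     payload=b"\x00" * 16 + AUTOIT_MARKER + b"\x00" * 16)

if __name__ == "__main__":
    print("on disk  :", classify(ON_DISK))
    print("in memory:", classify(IN_MEMORY))
```

Applied to a real dropped file and to the corresponding 0x400000-0x4A0000 memory dump, the expected split is the same as in the report: UPX sections but no marker on disk, marker but ordinary sections in memory. Section-name checks are a triage aid only; a renamed UPX build passes them, so the memory-side check is the one to rely on.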
Drops file in Program Files directory 14 IoCs
description ioc Process
File created  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe  aulmbrlt.exe
File created  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe  aulmbrlt.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe  aulmbrlt.exe (2 rows)
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe  aulmbrlt.exe (2 rows)
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe  aulmbrlt.exe (2 rows)
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe  aulmbrlt.exe (2 rows)
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal  aulmbrlt.exe (2 rows)
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal  aulmbrlt.exe (2 rows)
Two executables are written under document-looking names (.DOC.exe) inside an Office resource folder; with HideFileExt set by fzadmbadgh.exe they display as PROTTPLN.DOC and PROTTPLV.DOC. The .nal files opened alongside them are of a purpose this report does not reveal. Writing into Program Files (x86) again implies the process is running elevated.

Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification  C:\Windows\mydoc.rtf  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
File opened for modification  C:\Windows\mydoc.rtf  WINWORD.EXE
File created  C:\Windows\~$mydoc.rtf  WINWORD.EXE
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
The sample writes mydoc.rtf and then launches Word on it (see the process tree); the ~$mydoc.rtf owner file and the wiatrace.log write are Word's own side effects, not sample activity.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). (No IoC rows are recorded for this signature.)

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fzadmbadgh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bzofeyltwtrye.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aulmbrlt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aulmbrlt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wqtrqsaukpbhvmg.exe
Every process in the tree opens this key, WINWORD.EXE included, so on its own it is a weak signal; it only becomes interesting if the sample's behaviour changes with the locale, which this run cannot show.

Office loads VBA resources, possible macro or embedded object present
(No IoC rows are recorded. The only Office process in this run is WINWORD.EXE opening C:\Windows\mydoc.rtf; see the process tree.)
Modifies registry class 24 IoCs
description ioc Process
Script and registry-file classes redirected to the plain-text handler (double-clicking such a file opens it in Notepad instead of running or importing it):
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat  fzadmbadgh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  fzadmbadgh.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg  fzadmbadgh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  fzadmbadgh.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs  fzadmbadgh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  fzadmbadgh.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc  fzadmbadgh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  fzadmbadgh.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf  fzadmbadgh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  fzadmbadgh.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh  fzadmbadgh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  fzadmbadgh.exe
Together with DisableRegistryTools this blocks the obvious manual clean-up routes (a .reg fix-up file, a batch or script file).

Opaque hex strings stored by the sample under a custom class key (their purpose is not determinable from this report):
Key created  \REGISTRY\MACHINE\Software\Classes\CLV.Classes  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F168B4FE1A22A9D178D1A88B7C9163"  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC70815EDDBB2B9C17C97ED9034BA"  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D0D9C5783206A3176D270272CDA7DF264A8"  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9CCFE10F2E0840E3A42869A3E94B0FB038D43110348E2C842ED08D4"  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB02F47E239EF53CCB9D03299D4BB"  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC8D482F8568913DD62E7DE0BC90E635584366456237D791"  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe

Shell folder-view housekeeping by explorer.exe (ordinary shell activity, not sample behaviour):
Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
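Two of the victim-side tricks recorded above, executables dropped under document names such as PROTTPLV.DOC.exe while Explorer hides extensions, and script/.reg file classes pointed at txtfile, can be checked mechanically in file and registry telemetry. The Python below is an added example, not part of the report: the file and registry records it scans are constructed from the paths shown on this page plus a few invented benign controls, and the function names and extension sets are the example's own (the class set is deliberately wider than the six extensions this sample touches).

```python
import ntpath
import re
from typing import Optional

# Extensions a user reads as "a document", and the executable types that can
# hide behind them once Explorer's HideFileExt is set.
DOCUMENT_EXTS = {"doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf",
                 "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}

# File classes that stop executing (and open in Notepad) once their (Default)
# handler is "txtfile".  This report hits .reg, .bat, .vbs, .wsh, .wsc, .wsf.
SCRIPT_CLASSES = {".reg", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
                  ".wsf", ".wsh", ".wsc", ".ps1", ".inf"}
_CLASS_DEFAULT = re.compile(r"\\SOFTWARE\\Classes\\(\.[A-Za-z0-9]+)\\$", re.IGNORECASE)


def disguised_executable(path: str) -> bool:
    """True for names such as PROTTPLV.DOC.exe: an executable extension directly
    after a document-looking one.  With HideFileExt=1 Explorer shows 'PROTTPLV.DOC'."""
    parts = ntpath.basename(path).lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def hijacked_class(value_path: str, data: str) -> Optional[str]:
    """Return the extension if a write to SOFTWARE\\Classes\\<ext>\\(Default) points
    a script or registry-file class at the plain-text handler, else None."""
    match = _CLASS_DEFAULT.search(value_path)
    if not match:
        return None
    ext = match.group(1).lower()
    return ext if ext in SCRIPT_CLASSES and data.lower() == "txtfile" else None


def scan(file_events: list[dict], reg_events: list[dict]) -> dict:
    """Summarise both tricks per process.  file_events: {"proc", "path"};
    reg_events: {"proc", "path", "data"} with the full registry value path."""
    out: dict[str, dict[str, set[str]]] = {}
    for ev in file_events:
        if disguised_executable(ev["path"]):
            out.setdefault(ev["proc"], {}).setdefault("disguised_files", set()).add(ev["path"])
    for ev in reg_events:
        ext = hijacked_class(ev["path"], ev["data"])
        if ext:
            out.setdefault(ev["proc"], {}).setdefault("hijacked_classes", set()).add(ext)
    return out


# Constructed records: paths from the report plus benign controls.
OFFICE = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\"
FILE_EVENTS = [
    {"proc": "aulmbrlt.exe", "path": OFFICE + "PROTTPLV.DOC.exe"},
    {"proc": "aulmbrlt.exe", "path": "\\??\\c:" + OFFICE[2:] + "PROTTPLN.DOC.exe"},
    {"proc": "aulmbrlt.exe", "path": OFFICE + "PROTTPLV.nal"},      # unknown type, not flagged
    {"proc": "WINWORD.EXE", "path": "C:\\Windows\\~$mydoc.rtf"},     # ordinary owner file
    {"proc": "setup.exe", "path": "C:\\Temp\\installer.v2.exe"},     # invented: version tag, not a doc ext
]
HKLM_CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
REG_EVENTS = [
    {"proc": "fzadmbadgh.exe", "path": HKLM_CLASSES + ".reg\\", "data": "txtfile"},
    {"proc": "fzadmbadgh.exe", "path": HKLM_CLASSES + ".WSH\\", "data": "txtfile"},
    {"proc": "fzadmbadgh.exe", "path": HKLM_CLASSES + ".bat\\", "data": "txtfile"},
    {"proc": "msiexec.exe", "path": HKLM_CLASSES + ".txt\\", "data": "txtfile"},   # invented, legitimate
    {"proc": "msiexec.exe", "path": HKLM_CLASSES + ".vbs\\", "data": "VBSFile"},   # invented, legitimate
]

if __name__ == "__main__":
    for proc, findings in scan(FILE_EVENTS, REG_EVENTS).items():
        print(proc, {k: sorted(v) for k, v in findings.items()})
```

Both checks are cheap enough to run over a full day of Sysmon file-create (Event ID 11) and registry-set (Event ID 13) records. The double-extension check deliberately requires a document-looking middle extension, so versioned installer names like installer.v2.exe do not trip it; the class check fires only on the (Default) value, since a write to a subkey such as shell\open\command is a different hijack that needs its own rule.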
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
3004  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (rows)
2268  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe (8)
2668  wqtrqsaukpbhvmg.exe (17)
2676  fzadmbadgh.exe (5)
2688  bzofeyltwtrye.exe (26)
2780  aulmbrlt.exe (4)
3008  aulmbrlt.exe (4)
(The page shows exactly 64 rows, so the list may be capped. Its tail alternates between 2668 and 2688, i.e. the two long-lived drops keep polling the process list for the rest of the run.)

Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process
Token: SeShutdownPrivilege  1256  explorer.exe (12 rows)
All twelve rows are explorer.exe, the desktop shell, enabling SeShutdownPrivilege; no sample process adjusts a token in this run.

Suspicious use of FindShellTrayWindow 47 IoCs
pid Process (rows)
2268  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe (3)
2676  fzadmbadgh.exe (3)
2668  wqtrqsaukpbhvmg.exe (3)
2688  bzofeyltwtrye.exe (3)
2780  aulmbrlt.exe (3)
3008  aulmbrlt.exe (3)
1256  explorer.exe (29)

Suspicious use of SendNotifyMessage 30 IoCs
pid Process (rows)
2268  52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe (3)
2676  fzadmbadgh.exe (3)
2668  wqtrqsaukpbhvmg.exe (3)
2688  bzofeyltwtrye.exe (3)
1256  explorer.exe (18)
FindShellTrayWindow and SendNotifyMessage are tray and GUI calls; from an AutoIt-compiled binary they are runtime behaviour and are weak signals on their own.

Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
3004  WINWORD.EXE (2 rows)

Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target
PID 2268 (52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe) wrote to memory of 2676 (fzadmbadgh.exe), procid_target 31, 4 rows
PID 2268 (52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe) wrote to memory of 2668 (wqtrqsaukpbhvmg.exe), procid_target 32, 4 rows
PID 2268 (52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe) wrote to memory of 2780 (aulmbrlt.exe), procid_target 33, 4 rows
PID 2268 (52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe) wrote to memory of 2688 (bzofeyltwtrye.exe), procid_target 34, 4 rows
PID 2268 (52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe) wrote to memory of 3004 (WINWORD.EXE), procid_target 36, 4 rows
PID 2676 (fzadmbadgh.exe) wrote to memory of 3008 (aulmbrlt.exe), procid_target 35, 4 rows
PID 3004 (WINWORD.EXE) wrote to memory of 2304 (splwow64.exe), procid_target 39, 4 rows
Every pair shows exactly four writes, and every pair is also a parent/child edge in the process tree below. That is the pattern process creation itself produces for a WOW64 child on this platform; it is not evidence of injection into an unrelated process.

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. (No IoC rows are recorded, so neither the calling process nor a task name is known from this report.)
Processes
-
C:\Users\Admin\AppData\Local\Temp\52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\52ff20b246f428e8935923a12a5adc16_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\fzadmbadgh.exefzadmbadgh.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
C:\Windows\SysWOW64\aulmbrlt.exe (level 3, child of PID 2676)
Command line: C:\Windows\system32\aulmbrlt.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3008
C:\Windows\SysWOW64\wqtrqsaukpbhvmg.exe (level 2, child of PID 2268)
Command line: wqtrqsaukpbhvmg.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2668
C:\Windows\SysWOW64\aulmbrlt.exe (level 2, child of PID 2268)
Command line: aulmbrlt.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2780
C:\Windows\SysWOW64\bzofeyltwtrye.exe (level 2, child of PID 2268)
Command line: bzofeyltwtrye.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2688
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2, child of PID 2268)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
C:\Windows\splwow64.exe (level 3, child of PID 3004)
Command line: C:\Windows\splwow64.exe 12288
PID:2304
C:\Windows\explorer.exe (level 1)
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution   3
    Active Setup                      1
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL               1
Privilege Escalation
  Boot or Logon Autostart Execution   3
    Active Setup                      1
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL               1
Defense Evasion
  Hide Artifacts                      2
    Hidden Files and Directories      2
  Impair Defenses                     2
    Disable or Modify Tools           2
  Modify Registry                     7
Credential Access
  Credentials from Password Stores    1
    Credentials from Web Browsers     1
  Unsecured Credentials               1
    Credentials In Files              1
Downloads