Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
12/12/2024, 16:46
Static task
static1
Behavioral task
behavioral1
Sample
e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
-
Size
142KB
-
MD5
e7549ec8fa1ba0ba769e8cfe14d34790
-
SHA1
8e1130a36a9f26256fd2e0e6be67d5bc980aee66
-
SHA256
d0215d9f04581b0d6329d70ee1d501d2fa2360a9f274da0a22eca611fb882ad1
-
SHA512
31021a284312716323579b4de6dc27c76c9c55bdb620b490c1a1defe5360684b864ee5a65f1d299df6af2ba45005072e695b745a7896625738743a92caa7cd28
-
SSDEEP
3072:NT0/l0C5cSH6fMUAxeIE3EyMd8Z6OpA/RCpMxil+xI:NBCuRfMQFMd7gAgp0iMxI
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
pid Process 1612 wmpdtn32.exe -
Executes dropped EXE 32 IoCs
-
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 48 IoCs
-
Suspicious use of SetThreadContext 17 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 16 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Users\Admin\AppData\Local\Temp\E7549E~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Users\Admin\AppData\Local\Temp\E7549E~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4692 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5116 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4888 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4936 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4384 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:988 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4088 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2800 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4532 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:452 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:228 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4744 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:464 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2736 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\wmpdtn32.exe"C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe34⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:2796
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
142KB
MD5 e7549ec8fa1ba0ba769e8cfe14d34790
SHA1 8e1130a36a9f26256fd2e0e6be67d5bc980aee66
SHA256 d0215d9f04581b0d6329d70ee1d501d2fa2360a9f274da0a22eca611fb882ad1
SHA512 31021a284312716323579b4de6dc27c76c9c55bdb620b490c1a1defe5360684b864ee5a65f1d299df6af2ba45005072e695b745a7896625738743a92caa7cd28