Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/01/2025, 19:19
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
- Size: 1.9MB
- MD5: d0ad32489cb94443b7c441d455a267d3
- SHA1: 7d8dc87deb71736947d765dbd5f00058f026cb46
- SHA256: 4b8e02e55cbd79b06a6e34dac839cc7f60cec7f5199ad65f1478d9594a164f22
- SHA512: 57e3c8548d3f1865224e170a8b91065229ea7486806005c5ef979372d31b02947b6e9693120df49eb6add641d656b825bad7a620e76fd9c3ec2f02d074fac060
- SSDEEP: 49152:sD8QbBnW5oGvmx4UJASuA4wDinashps9AzV1pCh9mLsvW:LSBnW5d+lub3asPs9S7pcre
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- pid 1844: gamevance32.exe
Loads dropped DLL (5 IoCs)
- pid 2096: JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
- pid 2504: cmd.exe
- pid 1844: gamevance32.exe
- pid 2776: regsvr32.exe
- pid 1640: IEXPLORE.EXE
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" (regsvr32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" (regsvr32.exe)
Drops file in Program Files directory (9 IoCs)
- File opened for modification: C:\Program Files (x86)\Gamevance\ars.cfg (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- File opened for modification: C:\Program Files (x86)\Gamevance\ars.cfg (gamevance32.exe)
- File created: C:\Program Files (x86)\Gamevance\icon.ico (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- File created: C:\Program Files (x86)\Gamevance\gvtl.dll (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- File created: C:\Program Files (x86)\Gamevance\ars.cfg (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- File created: C:\Program Files (x86)\Gamevance\gamevance32.exe (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- File created: C:\Program Files (x86)\Gamevance\gvun.exe (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- File created: C:\Program Files (x86)\Gamevance\gamevancelib32.dll (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- File created: C:\Program Files (x86)\Gamevance\gvff.tmp (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (gamevance32.exe)
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (gamevance32.exe)
- Key created: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- Key created: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (gamevance32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (gamevance32.exe)
Enumerates system info in registry (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (gamevance32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (gamevance32.exe)
- Key created: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe)
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer; the acting process is iexplore.exe unless noted.
- Key created: IETld\LowMic
- Key created: LowRegistry
- Key created: Zoom
- Key created: Recovery\AdminActive
- Key created: IntelliForms
- Key created: PageSetup
- Set value (str): Main\FullScreen = "no"
- Set value (int): TabbedBrowsing\NTPFirstRun = "1"
- Key created: BrowserEmulation\LowMic
- Key created: LowRegistry\DOMStorage
- Set value (int): Recovery\AdminActive\{596D9C31-D69A-11EF-B9BB-7694D31B45CA} = "0"
- Key created: Main (IEXPLORE.EXE)
- Set value (int): DomainSuggestion\NextUpdateDate = "443476256"
- Key created: Toolbar\WebBrowser
- Set value (int): Main\CompatibilityFlags = "0"
- Key created: Main\WindowsSearch
- Set value (data): Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
- Key created: DomainSuggestion
- Key created: LowRegistry\DontShowMeThisDialogAgain
- Key created: Toolbar
- Set value (int): SearchScopes\DownloadRetries = "2"
- Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008f948ff715aa4442862a061e494bdf400000000002000000000010660000000100002000000052220052ac946975d1eccdbe5fcd1319b1154721c7d1e39a6ef3dc99eb7eb366000000000e8000000002000020000000a06a1ccea282557b0526b4dd2b27b5c08b7e838499a4b9ea97b867f20ff50d9120000000e2b9a0246518dd42208c5c19185c04ee253dfc52120d98ca253ca7617c6c142240000000b69f4a38be4759de2bbdbd58f376ba33ce5fbc753321ff7d3d9bffb70f338efb250068096773a6fd3c2c4fcdf1e5d6ad19f5ee8d21f41a97d50c090d71693d75
- Set value (int): Recovery\PendingRecovery\AdminActive = "1"
- Set value (int): Recovery\PendingRecovery\AdminActive = "0"
- Key created: SearchScopes
- Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = 902a502ea76adb01
- Key created: Main
- Key created: InternetRegistry
- Set value (str): Main\WindowsSearch\Version = "WS not running"
- Key created: Recovery\PendingRecovery
- Key created: TabbedBrowsing
- Key created: GPU
- Key created: TabbedBrowsing\NewTabPage
- Set value (data): TabbedBrowsing\NewTabPage\MFV
Modifies registry class (26 IoCs)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes; the acting process is regsvr32.exe in every case.
- Key created: GamevanceText.Linker\CurVer
- Set value (str): Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker"
- Set value (str): Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1"
- Key created: Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable
- Key created: Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32
- Set value (str): Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll"
- Set value (str): Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str): GamevanceText.Linker.1\ = "Gamevance Text"
- Set value (str): GamevanceText.Linker\ = "Gamevance Text"
- Key created: GamevanceText.Linker\CLSID
- Key created: Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib
- Key created: GamevanceText.Linker.1\CLSID
- Set value (str): GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
- Key created: GamevanceText.Linker
- Set value (str): GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1"
- Key created: Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID
- Set value (str): AppID\GamevanceText.DLL\ = "GamevanceText"
- Set value (str): AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
- Key created: GamevanceText.Linker.1
- Key created: Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID
- Key created: Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}
- Set value (str): Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"
- Set value (str): Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}"
- Key created: AppID\GamevanceText.DLL
- Set value (str): GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
- Key created: Wow6432Node\CLSID
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2096: JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe (56 repeated entries)
- pid 1844: gamevance32.exe (8 repeated entries)
Suspicious use of FindShellTrayWindow (1 IoC)
- pid 2912: iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
- pid 2912: iexplore.exe (2 repeated entries)
- pid 1640: IEXPLORE.EXE (4 repeated entries)
Suspicious use of WriteProcessMemory (29 IoCs)
- PID 2096 (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe) wrote to memory of 2504, target procid 30 (4 repeated entries)
- PID 2504 (cmd.exe) wrote to memory of 1844, target procid 32 (4 repeated entries)
- PID 2096 (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe) wrote to memory of 2836, target procid 33 (4 repeated entries)
- PID 2836 (cmd.exe) wrote to memory of 2776, target procid 35 (7 repeated entries)
- PID 2096 (JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe) wrote to memory of 2912, target procid 38 (4 repeated entries)
- PID 1844 (gamevance32.exe) wrote to memory of 2912, target procid 38 (1 entry)
- PID 2912 (iexplore.exe) wrote to memory of 1640, target procid 39 (4 repeated entries)
- PID 1844 (gamevance32.exe) wrote to memory of 1640, target procid 39 (1 entry)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe (PID 2096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2504)
    Command line: cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Gamevance\gamevance32.exe (PID 1844)
      Command line: "C:\Program Files (x86)\Gamevance\gamevance32.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2836)
    Command line: cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 2776)
      Command line: regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
      Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2912)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8T1wsH0srLSyejP2bvG2tKz69TV%2F7HFs7W6t8HHsbu3wcW7tML%2Fo%2F%2Bzs7Oys7Ozs%2F%2FMyA
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1640)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Browser Extensions (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads