Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 18:34
Behavioral task
behavioral1
Sample
08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
-
Size
807KB
-
MD5
08b0a0606c5218531babab185a80e2d5
-
SHA1
083ebd56e8e093f8dc9e38579fa94a6518c98e59
-
SHA256
cd7aadb8f27d40522b004279eeb351ffe94ef864a0cc8cb8072ba44c5c3578f0
-
SHA512
ddc0d827a572a0cba460bdc5dcbc51b2cb361dfdfcefc182ef7aeb944a575eaca70a7c6e71c4651b8f6dbe57dd8382f6ba5ed9d40c9dfd822b712d70305c175f
-
SSDEEP
24576:FYkjlzgR+tmbs1t9qgYohxfloUZhjaoJKwbgy:FYszhtmMKcoUvPJKwbgy
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
eQDewf74.exemerop.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" eQDewf74.exe Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" merop.exe -
ModiLoader Second Stage 9 IoCs
Processes:
resource yara_rule behavioral1/memory/1440-10-0x0000000000400000-0x0000000000417000-memory.dmp modiloader_stage2 behavioral1/memory/1688-15-0x0000000000400000-0x0000000000515000-memory.dmp modiloader_stage2 behavioral1/memory/1688-14-0x0000000000400000-0x0000000000515000-memory.dmp modiloader_stage2 \Users\Admin\aihost.exe modiloader_stage2 behavioral1/memory/2548-68-0x0000000000400000-0x0000000000416000-memory.dmp modiloader_stage2 \Users\Admin\bihost.exe modiloader_stage2 behavioral1/memory/2996-89-0x0000000000400000-0x0000000000416000-memory.dmp modiloader_stage2 behavioral1/memory/1688-111-0x0000000000400000-0x0000000000515000-memory.dmp modiloader_stage2 behavioral1/memory/1688-407-0x0000000000400000-0x0000000000515000-memory.dmp modiloader_stage2 -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2844 cmd.exe -
Executes dropped EXE 13 IoCs
Processes:
eQDewf74.exemerop.exeaihost.exeaihost.exebihost.exebihost.execihost.exedihost.execihost.execihost.execsrss.exeeihost.exeB50D.tmppid process 2680 eQDewf74.exe 1104 merop.exe 2548 aihost.exe 3004 aihost.exe 2996 bihost.exe 2240 bihost.exe 2480 cihost.exe 2964 dihost.exe 1824 cihost.exe 2652 cihost.exe 336 csrss.exe 2984 eihost.exe 1988 B50D.tmp -
Loads dropped DLL 17 IoCs
Processes:
08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exeeQDewf74.execihost.exeB50D.tmppid process 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 2680 eQDewf74.exe 2680 eQDewf74.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 2480 cihost.exe 2480 cihost.exe 1988 B50D.tmp -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/1688-6-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/1688-15-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/1688-14-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/1688-13-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/1688-12-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/1688-4-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/1688-2-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/2240-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2240-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2240-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2240-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2240-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2240-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1688-111-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/2480-153-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1824-155-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1688-407-0x0000000000400000-0x0000000000515000-memory.dmp upx -
Adds Run key to start application 2 TTPs 53 IoCs
Processes:
merop.execihost.exeeQDewf74.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /X" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /z" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /H" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /d" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /f" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /O" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /n" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /M" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Y" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Q" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /h" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /m" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /u" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /a" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /D" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /e" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /q" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /x" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /V" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /r" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /s" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Z" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /U" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /L" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /l" merop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9F2.exe = "C:\\Program Files (x86)\\LP\\836C\\9F2.exe" cihost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /E" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /o" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /F" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /B" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /P" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /C" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /S" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /w" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /A" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /j" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /R" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /g" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /y" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /k" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /o" eQDewf74.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /N" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /K" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /i" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /I" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /v" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /t" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /p" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /J" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /T" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /b" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /c" merop.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /G" merop.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
csrss.exedescription ioc process File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
bihost.exeaihost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum bihost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 bihost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum aihost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 aihost.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exeaihost.exebihost.exedihost.exedescription pid process target process PID 1440 set thread context of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 2548 set thread context of 3004 2548 aihost.exe aihost.exe PID 2996 set thread context of 2240 2996 bihost.exe bihost.exe PID 2964 set thread context of 3036 2964 dihost.exe cmd.exe -
Drops file in Program Files directory 3 IoCs
Processes:
cihost.exedescription ioc process File created C:\Program Files (x86)\LP\836C\9F2.exe cihost.exe File opened for modification C:\Program Files (x86)\LP\836C\9F2.exe cihost.exe File opened for modification C:\Program Files (x86)\LP\836C\B50D.tmp cihost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid process 2820 tasklist.exe 2876 tasklist.exe -
Modifies registry class 5 IoCs
Processes:
explorer.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
eQDewf74.exeaihost.exebihost.exemerop.execihost.exedihost.exepid process 2680 eQDewf74.exe 2680 eQDewf74.exe 3004 aihost.exe 3004 aihost.exe 3004 aihost.exe 2240 bihost.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 2480 cihost.exe 2480 cihost.exe 2480 cihost.exe 2480 cihost.exe 2480 cihost.exe 2480 cihost.exe 3004 aihost.exe 3004 aihost.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 3004 aihost.exe 3004 aihost.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 3004 aihost.exe 3004 aihost.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 3004 aihost.exe 3004 aihost.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 1104 merop.exe 2964 dihost.exe 2964 dihost.exe 2964 dihost.exe 2964 dihost.exe 1104 merop.exe 2480 cihost.exe 2480 cihost.exe 2480 cihost.exe 2480 cihost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 2268 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
tasklist.exemsiexec.exedihost.exeexplorer.exetasklist.exedescription pid process Token: SeDebugPrivilege 2820 tasklist.exe Token: SeRestorePrivilege 2420 msiexec.exe Token: SeTakeOwnershipPrivilege 2420 msiexec.exe Token: SeSecurityPrivilege 2420 msiexec.exe Token: SeDebugPrivilege 2964 dihost.exe Token: SeDebugPrivilege 2964 dihost.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeShutdownPrivilege 2268 explorer.exe Token: SeDebugPrivilege 2876 tasklist.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
Processes:
explorer.exepid process 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
Processes:
explorer.exepid process 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe 2268 explorer.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exeeQDewf74.exemerop.exeeihost.exepid process 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 2680 eQDewf74.exe 1104 merop.exe 2984 eihost.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
csrss.exepid process 336 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exeeQDewf74.execmd.exeaihost.exebihost.execihost.exedescription pid process target process PID 1440 wrote to memory of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 1440 wrote to memory of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 1440 wrote to memory of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 1440 wrote to memory of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 1440 wrote to memory of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 1440 wrote to memory of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 1440 wrote to memory of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 1440 wrote to memory of 1688 1440 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe PID 1688 wrote to memory of 2680 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe eQDewf74.exe PID 1688 wrote to memory of 2680 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe eQDewf74.exe PID 1688 wrote to memory of 2680 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe eQDewf74.exe PID 1688 wrote to memory of 2680 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe eQDewf74.exe PID 2680 wrote to memory of 1104 2680 eQDewf74.exe merop.exe PID 2680 wrote to memory of 1104 2680 eQDewf74.exe merop.exe PID 2680 wrote to memory of 1104 2680 eQDewf74.exe merop.exe PID 2680 wrote to memory of 1104 2680 eQDewf74.exe merop.exe PID 2680 wrote to memory of 2776 2680 eQDewf74.exe cmd.exe PID 2680 wrote to memory of 2776 2680 eQDewf74.exe cmd.exe PID 2680 wrote to memory of 2776 2680 eQDewf74.exe cmd.exe PID 2680 wrote to memory of 2776 2680 eQDewf74.exe cmd.exe PID 2776 wrote to memory of 2820 2776 cmd.exe tasklist.exe PID 2776 wrote to memory of 2820 2776 cmd.exe tasklist.exe PID 2776 wrote to memory of 2820 2776 cmd.exe tasklist.exe PID 2776 wrote to memory of 2820 2776 cmd.exe tasklist.exe PID 1688 wrote to memory of 2548 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe aihost.exe PID 1688 wrote to memory of 2548 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe aihost.exe PID 1688 wrote to memory of 2548 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe aihost.exe PID 1688 wrote to memory of 2548 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 2548 wrote to memory of 3004 2548 aihost.exe aihost.exe PID 1688 wrote to memory of 2996 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe bihost.exe PID 1688 wrote to memory of 2996 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe bihost.exe PID 1688 wrote to memory of 2996 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe bihost.exe PID 1688 wrote to memory of 2996 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe bihost.exe PID 2996 wrote to memory of 2240 2996 bihost.exe bihost.exe PID 2996 wrote to memory of 2240 2996 bihost.exe bihost.exe PID 2996 wrote to memory of 2240 2996 bihost.exe bihost.exe PID 2996 wrote to memory of 2240 2996 bihost.exe bihost.exe PID 2996 wrote to memory of 2240 2996 bihost.exe bihost.exe PID 2996 wrote to memory of 2240 2996 bihost.exe bihost.exe PID 2996 wrote to memory of 2240 2996 bihost.exe bihost.exe PID 2996 wrote to memory of 2240 2996 bihost.exe bihost.exe PID 1688 wrote to memory of 2480 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe cihost.exe PID 1688 wrote to memory of 2480 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe cihost.exe PID 1688 wrote to memory of 2480 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe cihost.exe PID 1688 wrote to memory of 2480 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe cihost.exe PID 1688 wrote to memory of 2964 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe dihost.exe PID 1688 wrote to memory of 2964 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe dihost.exe PID 1688 wrote to memory of 2964 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe dihost.exe PID 1688 wrote to memory of 2964 1688 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe dihost.exe PID 2480 wrote to memory of 1824 2480 cihost.exe cihost.exe PID 2480 wrote to memory of 1824 2480 cihost.exe cihost.exe PID 2480 wrote to memory of 1824 2480 cihost.exe cihost.exe PID 2480 wrote to memory of 1824 2480 cihost.exe cihost.exe PID 2480 wrote to memory of 2652 2480 cihost.exe cihost.exe PID 2480 wrote to memory of 2652 2480 cihost.exe cihost.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
cihost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" cihost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:336
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:864
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵PID:1376
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\eQDewf74.exeC:\Users\Admin\eQDewf74.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\merop.exe"C:\Users\Admin\merop.exe"5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1104 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe5⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2820 -
C:\Users\Admin\aihost.exeC:\Users\Admin\aihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\aihost.exeaihost.exe5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3004 -
C:\Users\Admin\bihost.exeC:\Users\Admin\bihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Users\Admin\bihost.exebihost.exe5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2240 -
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2480 -
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\C0C4A\D4D83.exe%C:\Users\Admin\AppData\Roaming\C0C4A5⤵
- Executes dropped EXE
PID:1824 -
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe startC:\Program Files (x86)\4A449\lvvm.exe%C:\Program Files (x86)\4A4495⤵
- Executes dropped EXE
PID:2652 -
C:\Program Files (x86)\LP\836C\B50D.tmp"C:\Program Files (x86)\LP\836C\B50D.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Users\Admin\dihost.exeC:\Users\Admin\dihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵PID:3036
-
C:\Users\Admin\eihost.exeC:\Users\Admin\eihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2984 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe4⤵
- Deletes itself
PID:2844 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:1956
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1808
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
300B
MD5da828cc072fc77f50ff90fb5db92bced
SHA1222e40ec652991b2d3cb80967950d213176ccd98
SHA25680373662d97a94e5c35e971ee0d114dcf579267ac9821eb7386788c612dec1d5
SHA512fd509f98636750d94e2061194da1a2cbf061b966a748373c86a1da71de0cb6ba34149f7164d2b7f1bcf316472bd2cba5a03eaf7630a1453274fc0abf142a8805
-
Filesize
600B
MD54720ad52b10ded6396df3b7d28329c5b
SHA1ee639bd4da482e66f5f913edf1b37eaed70b591a
SHA256a08c71133ac10e332df87303481eb6bcdf8ceac57df9bf6ad1c16f97d58103c9
SHA5122731bd21e95768fa84209300079b57ca159542489b9edca23e0a8565ce346c9f7d192b874736cb12f1eba3bf8fb64c2e760fcbd35699278656bef4f686974d32
-
Filesize
996B
MD5e23eea83ff603ff3a0f596f808828356
SHA1820f6e3eff93bc4b6ffb9e8a0634e0a3abf167f8
SHA256a3580f504f3d2ea770f4b113ac987e18c5a4787dc36eb81c005d9cfc6c14d2db
SHA512754146ede76aa1eddc8210a0d2d56f90008c856b5c045a55c586bdf86e97a0acdc51976dffc79ec3e196a8fb0dc4a128252126c8383440ed1f8bbce5f64f8510
-
Filesize
1KB
MD5c1caaf6e8b87e9818e9c305218db827e
SHA1da8466c1901ca767a94b39fb0eb2f2344c8c3c8f
SHA256f5e4ed2c5b4b7dd76c456cdfa7d0ee62dfa1e605d56ca146754ce3b0715ffe60
SHA512c9e47ac9035d069185cb07252499745607718b641e0bdcd13d0c0840538737e3680977e5e53b1d3348f4a8472494de6865fadce4063d69a931010f2a1cf5131a
-
Filesize
279KB
MD54df3241b8f53ad2d1c0bba6dc1b97e02
SHA1f0c43893143a3442a453f56c9c4f740941b1d097
SHA256407e0425757e28262c3054c1dc981a9f41cf83cd67ecfbf37d3b8fe74db54199
SHA512e90e4a8b708fb9d3213f73e641fa39625a38fa969270ef1123206fb30d04837f018b9838aa02a234265c0b9ba765f567b748a7b73c437b96daba7a15e5e38663
-
Filesize
28KB
MD5f06f7a3945f4f78ee2c6d1ed35cbb5be
SHA1ac1ab0f60a94286b6f01b40431e6f87f6e9899bf
SHA256a2c720d07e18b73143b040ab817bad7da98ed2a262d55e6119b9cbd8b93dbbe3
SHA51223f1fc1f15aab030c3d19a1c166479a52659b91dac00fff1301ddfd6e5e62279d45ec176f2e891098eb0d613d1f148952bf71341227b35f52c3bc2bf5fcdad14
-
Filesize
2KB
MD56500e5fd603660eb2b6729779c9a428c
SHA1557043e6aa1685fe8a34fad7fbcc6dbec057b2f0
SHA256ab51a0675834728b0a444f1859ad4b560bf3fb5f8e420f61894bea168785dfb2
SHA512b4ccd0b3efdf082f9a03f3c04fa2a61bf5d5bb0cc54fe76df155977a2958e857785c047d055196bc9035cb413cac622115e0fd7c4dd96fa9404e31269c7e1fe9
-
Filesize
100KB
MD54c04ec47c44bc997519e18ce5f20e9d6
SHA1680968fe85eaa19ac68b8dabf3371dd81684ed83
SHA256446ddf0822deef56cedbfa0910143c744835ed765d128408d9ea994a569581a2
SHA512e33e959e25d09152c1f64d60a7733f7c7a1dfd9f0bee6ed1f8aa18cf5e5248442e365d211c4555e0723b4e23e97c0a99d43b8fe6538cc9c77f0d39fd73616279
-
Filesize
229KB
MD5c7b9733430c4bf7f56a0c89d7f2dd9cf
SHA10a894c98e17a8c81a378a37c2230cf188932d21e
SHA2568047916855a52a9b5e97c010e8fc2dc01a9ed91d2798a6869f8669ea4a92940d
SHA5124aefe0746e896c00bc908128ba63e13d2abed9e839d13da14042365afb81d85bf75537292f7323a56694258ddec7a88b57202721b62651cfcbef2932c0cb2464
-
Filesize
119KB
MD5386fef8fdb975e7c102921910db7f9fb
SHA1cdf3f86411189db08c8c0f887f26c2572ecc0889
SHA256ae06d784c51702aff587d235d48de3b1162872069fac4602d921d023527efae0
SHA5126ab8c2721c81bdff414e8cdbd7ca006abf3ed8c0155510d6c92555885038f33c1cf08372302b6465196f69aa15a7305fb05eb2e12026f1fc96a797646b8d2352
-
Filesize
244KB
MD588537f3fd69e60683c4467e89b7651af
SHA12c14a9010bed93b0622efe283a34de343ca33244
SHA2564a7897e22ad30c516920e6441dc360a98114f15d9652b89909758f4966029692
SHA512b3d070628092558770e08386eeabf69efc613ce163ce1f50cc00a81a78cbec6b667a84a4f09144b7f0c145ec28929b78deee4f7cab10ce7ac9a2f9c536ce8084
-
Filesize
180KB
MD542836a2ee8ce9deef8d846272ef3949f
SHA179f698c53e56c96c859a0155e02a24c93e120145
SHA2565569f623253918233149531fbd49bd624af013695bf0f7d8b53ef58b062e6a37
SHA512786802f71512228215ddac4d23a7eec6e8cfb8ab4c02ba0a03b06241431e70c202e845ce08222945f668218d91dd6630e9e5499be0b44fda7b3dc29e98231d85
-
Filesize
180KB
MD510ee467c5a813c878106b2cd53ad843e
SHA1c7677950669e79418430936f2e8a66707e5536bf
SHA256cd6746d196735ede609a5a8cecadd1619d8dfcb1fa8e1dce8c6f9d6611b25cec
SHA5126331fa32fd1b8dacca8cf65c0db4cee6a65b81cb3da6f2b0c81534f9694421777e86c79330fde0b7f5fc5209c2dd0c6248d852a556229fa24b330d89cacae37f
-
Filesize
53KB
MD563e99b675a1337db6d8430195ea3efd2
SHA11baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA2566616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
-
Filesize
4KB
MD5758f90d425814ea5a1d2694e44e7e295
SHA164d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA51211858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9