Analysis
-
max time kernel
4294231s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
25-03-2022 00:30
Static task
static1
Behavioral task
behavioral1
Sample
559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
Resource
win10v2004-20220310-en
General
-
Target
559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
-
Size
10.0MB
-
MD5
c8f1a1134ac0ccacb849b819e0435e11
-
SHA1
ca4941cba333018c484418a42d7e2e3a6d2a380e
-
SHA256
559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd
-
SHA512
db570e14148c36db6eb8de41c48f65472ef83e18fa0804e39fd1e9b484f3d55240a447451c6d9b7149e58c4d714d91ddb4696c196e8008d8e3d4e31375a4504f
Malware Config
Extracted
C:\Users\Admin\Desktop\README.txt
336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K
Signatures
-
DemonWare
Ransomware first seen in mid-2020.
-
Drops file in Drivers directory 1 IoCs
Processes:
CyberPunk2077.exedescription ioc Process File created C:\Windows\SysWOW64\drivers\gmreadme.txt CyberPunk2077.exe -
Executes dropped EXE 3 IoCs
Processes:
CyberPunk2077.sfx.exeCyberPunk2077.exeCyberPunk2077.exepid Process 512 CyberPunk2077.sfx.exe 1468 CyberPunk2077.exe 1208 CyberPunk2077.exe -
Loads dropped DLL 37 IoCs
Processes:
cmd.exeCyberPunk2077.sfx.exeCyberPunk2077.exeCyberPunk2077.exepid Process 564 cmd.exe 512 CyberPunk2077.sfx.exe 512 CyberPunk2077.sfx.exe 512 CyberPunk2077.sfx.exe 1468 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe 1208 CyberPunk2077.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 64 IoCs
Processes:
CyberPunk2077.exedescription ioc Process File created C:\Windows\SysWOW64\fsutil.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\OptionalFeatures.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\RpcPing.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_locations.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_types.ps1xml.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\cmdkey.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\SystemPropertiesRemote.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_History.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_job_details.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_prompts.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_transactions.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_preference_variables.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\sxstrace.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Ref.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\AdapterTroubleshooter.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\DpiScaling.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\gpupdate.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\icardagt.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\shrpubw.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scripts.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\autochk.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scopes.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_methods.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Arithmetic_Operators.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\ntoskrnl.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ClickDownExpanded.gif CyberPunk2077.exe File created C:\Windows\SysWOW64\cscript.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\SystemPropertiesProtection.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_jobs.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_internationalization.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\mcbuilder.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Line_Editing.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comparison_Operators.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Quoting_Rules.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_CommonParameters.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_type_operators.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_try_catch_finally.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_PSSnapins.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Command_Syntax.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_operators.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_script_internationalization.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Redirection.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Throw.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Language_Keywords.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssession_details.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\ftp.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_WMI_Cmdlets.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_CommonParameters.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\RunLegacyCPLElevated.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\wermgr.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_operators.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Windows_PowerShell_ISE.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_environment_variables.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\fixmapi.exe CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_FAQ.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_History.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_regular_expressions.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_logical_operators.help.txt CyberPunk2077.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scopes.help.txt CyberPunk2077.exe -
Drops file in Program Files directory 64 IoCs
Processes:
CyberPunk2077.exedescription ioc Process File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png CyberPunk2077.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico CyberPunk2077.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg CyberPunk2077.exe File created C:\Program Files (x86)\Windows Media Player\setup_wm.exe CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png CyberPunk2077.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png CyberPunk2077.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png CyberPunk2077.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png CyberPunk2077.exe File created C:\Program Files\Internet Explorer\ieinstal.exe CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif CyberPunk2077.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt CyberPunk2077.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt CyberPunk2077.exe File created C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DissolveAnother.png CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png CyberPunk2077.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg CyberPunk2077.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg CyberPunk2077.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png CyberPunk2077.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif CyberPunk2077.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe CyberPunk2077.exe File created C:\Program Files (x86)\Internet Explorer\iexplore.exe CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png CyberPunk2077.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png CyberPunk2077.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_GreenTea.gif CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png CyberPunk2077.exe File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png CyberPunk2077.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif CyberPunk2077.exe File created C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png CyberPunk2077.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png CyberPunk2077.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_italic.gif CyberPunk2077.exe -
Drops file in Windows directory 64 IoCs
Processes:
CyberPunk2077.exedescription ioc Process File created C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe CyberPunk2077.exe File created C:\Windows\Web\Wallpaper\Characters\img19.jpg CyberPunk2077.exe File created C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe CyberPunk2077.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe CyberPunk2077.exe File created C:\Windows\Web\Wallpaper\Characters\img23.jpg CyberPunk2077.exe File created C:\Windows\twunk_32.exe CyberPunk2077.exe File created C:\Windows\ehome\ehshell.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ThirdPartyNotices.txt CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallSqlState.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif CyberPunk2077.exe File created C:\Windows\Web\Wallpaper\Characters\img22.jpg CyberPunk2077.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\SqlPersistenceService_Schema.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\stop.ico CyberPunk2077.exe File created C:\Windows\ehome\it-IT\epgtos.txt CyberPunk2077.exe File created C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp3.jpg CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\Tracking_Logic.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallSqlStateTemplate.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif CyberPunk2077.exe File created C:\Windows\Web\Wallpaper\Characters\img24.jpg CyberPunk2077.exe File created C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\Tracking_Schema.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\it\SqlPersistenceProviderLogic.sql CyberPunk2077.exe File created C:\Windows\Web\Wallpaper\Landscapes\img9.jpg CyberPunk2077.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe CyberPunk2077.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\XDPFile_8.ico CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\DropSqlPersistenceProviderSchema.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif CyberPunk2077.exe File created C:\Windows\ehome\de-DE\playready_eula.txt CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallCommon.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\Tracking_Schema.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\ja\SqlPersistenceService_Schema.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg CyberPunk2077.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe CyberPunk2077.exe File created C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp3.jpg CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif CyberPunk2077.exe File created C:\Windows\splwow64.exe CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\SQL\de\DropSqlPersistenceProviderSchema.sql CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe CyberPunk2077.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.exe CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe CyberPunk2077.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif CyberPunk2077.exe -
Detects Pyinstaller 7 IoCs
Processes:
resource yara_rule behavioral1/files/0x000900000001273a-62.dat pyinstaller behavioral1/files/0x000900000001273a-63.dat pyinstaller behavioral1/files/0x000900000001273a-64.dat pyinstaller behavioral1/files/0x000900000001273a-66.dat pyinstaller behavioral1/files/0x000900000001273a-67.dat pyinstaller behavioral1/files/0x000900000001273a-68.dat pyinstaller behavioral1/files/0x000900000001273a-70.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
CyberPunk2077.exepid Process 1208 CyberPunk2077.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
CyberPunk2077.exedescription pid Process Token: 35 1208 CyberPunk2077.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.execmd.exeCyberPunk2077.sfx.exeCyberPunk2077.exedescription pid Process procid_target PID 756 wrote to memory of 564 756 559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe 27 PID 756 wrote to memory of 564 756 559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe 27 PID 756 wrote to memory of 564 756 559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe 27 PID 756 wrote to memory of 564 756 559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe 27 PID 564 wrote to memory of 512 564 cmd.exe 29 PID 564 wrote to memory of 512 564 cmd.exe 29 PID 564 wrote to memory of 512 564 cmd.exe 29 PID 564 wrote to memory of 512 564 cmd.exe 29 PID 512 wrote to memory of 1468 512 CyberPunk2077.sfx.exe 30 PID 512 wrote to memory of 1468 512 CyberPunk2077.sfx.exe 30 PID 512 wrote to memory of 1468 512 CyberPunk2077.sfx.exe 30 PID 512 wrote to memory of 1468 512 CyberPunk2077.sfx.exe 30 PID 1468 wrote to memory of 1208 1468 CyberPunk2077.exe 33 PID 1468 wrote to memory of 1208 1468 CyberPunk2077.exe 33 PID 1468 wrote to memory of 1208 1468 CyberPunk2077.exe 33 PID 1468 wrote to memory of 1208 1468 CyberPunk2077.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe"C:\Users\Admin\AppData\Local\Temp\559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\server.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Users\Admin\AppData\Local\Temp\CyberPunk2077.sfx.exeCyberPunk2077.sfx.exe -p1234 -dC:\Users\Admin\AppData\Local\Temp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f65b6e5c80643e85771e1b050cce51f3
SHA1e9d6ec45859868fda152fd19a0c977a439be40fa
SHA2567e946b53dd48fc7d42a8812ab0450e1193ae21ee9990d812811224c3429ecfc5
SHA51263d3fb8b157c30fc155feedf01ba7f141e7251d9a424e056b8f6798ee1238dc6c5834938940c3fd445ed9c22a53841f389f3d553c6b53e52285030751e120c53
-
MD5
f65b6e5c80643e85771e1b050cce51f3
SHA1e9d6ec45859868fda152fd19a0c977a439be40fa
SHA2567e946b53dd48fc7d42a8812ab0450e1193ae21ee9990d812811224c3429ecfc5
SHA51263d3fb8b157c30fc155feedf01ba7f141e7251d9a424e056b8f6798ee1238dc6c5834938940c3fd445ed9c22a53841f389f3d553c6b53e52285030751e120c53
-
MD5
9bb3e77f3a2b7329ca41979a783996ae
SHA1fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
SHA25608124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA512d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
-
MD5
9bb3e77f3a2b7329ca41979a783996ae
SHA1fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
SHA25608124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA512d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
-
MD5
9bb3e77f3a2b7329ca41979a783996ae
SHA1fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
SHA25608124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA512d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
-
MD5
b30ec504a0d48b37c9dd7c5610832f44
SHA1efc46c98dee5d49892bbb6fd848a3dbe2dcc23a8
SHA25691268a56cdc767d5c1412887d56435595c58fdaef4a26bcfeac8f380d0ca5ff9
SHA5127bc50faa48895ea30a2d39e85ef0b76e64eea318c74e9b89280af60b802760732e44af8168fc7fdd6ff3c644c07e7ad53b74c55d40596716aff58118f070c321
-
MD5
6d387595f24aa01d830943edabe7f574
SHA13c613bed7f60d9d9d7d63afd1ada86427925e7ae
SHA256ea8d904ca11a89a5783770aa988da11859e63ea0d05f13d56b72d91b18eee121
SHA5124968382886269d8ef3b9c927ba0b09257816e27adda69e39f6815495e69fd4cdd23b5ab57acfa76af82116fcdbec88d734360f2d3b6a6ee8ffcc93bcaefbc4b3
-
MD5
59e1e5386d888953cf3db6ba5786b1fa
SHA12f0256eae40bee5270f2d661a323d0161697c5c6
SHA256e5ac021609a27b0296acb67a464e4270aa133d5740b4df555b4585d358ba1f6c
SHA512814124782ce39f6166827557a4ffb66c78843ae1cc4350fc62f239e6cabcc50973b6c9ce42abaa521d09fb11fb881746ebcfc10f443c563e9a443c7b043c3db1
-
MD5
9f949bbe2dd4f7524e147c32c9f009cc
SHA1a3bcb4754c725f080b8012b7f93946d719a9e19c
SHA256569e2828ed873580aad1142a4a8f197b48c51bbf082ca45d6659d40276910452
SHA5128b00ae064e3e9275c9ae06a0044a5952fe5bc5696a62cc6886230609b95781e0c0ef09756c15e8b233d0557f0bf2b21affc072e2117684495183fcc344c92b98
-
MD5
f47dcb5b325e17d116d0cd0c58618924
SHA16670afe930ee717f1217982148c508cebf0977de
SHA2562ecc748d30dc2302ef75c85f47247492acf888ae150499bab2154d91cdb2c6c6
SHA5123faeb66dfbf600673e6df99584b9708a3362fd82e4b599ee251f05dd409cbef0b91ca2b7260435abc8900057311cfabce347686e930a674312ed6d538fdbb11e
-
MD5
4dc9322f08bf2bdefc7d839ab12af6a1
SHA17e8cea0a18b986c64854a3bbf229f3d4775410a0
SHA256b743d19773f0ffd604039f832e77eda00bbae78899f949b6a7f2d13709d84a8d
SHA512a6079a3b35b62476c54a3cec6807a6b517eb9b6725e8218caaaf07953eaa3369adb33569b016163ee5221627ea07f7102961e76709ebedfc5c1a6821d2ab0259
-
MD5
f7b5a6f061886695b223f4b8d39d4902
SHA1418d9c54e12c3b9d9b488b70d47a0ee8b24b6d14
SHA256c7797e2cff42f002b1325f2a86bc882d5e0c23208d6165c2b961c819b67ef121
SHA512d41a4a963ad3bb473ba79a89ef7861ad48831b39581c6480667c381224c6742f21d6abbc40de586648dc859ddf2670a3d6a12c6f24c2ce74bcad0ff1068b15bd
-
MD5
864f5836335cef221215e26cf6d41603
SHA18ee27e68866c4b40d94bb9fb507b69410df7ab7f
SHA256291fe6fe0a55ffa808d616a32faf02735661da18e289c2f0ef528d8216054382
SHA5127c3daa6d0439c9b892caee8a8498d26ffc97ac8266fc7a066fc38f408ba045f7bece28893292a048ea5f50371878573f03edd430182957a2dc214f5698d0a04d
-
MD5
d8607a8a58b1cf026baca1b9dd82cd2d
SHA14008f66453a7a1ca800d085bce60ca51db94f3f8
SHA2565906d630c826491ed7f20a741f8d0116c8b54b020a5af3f8d4020fa3684cb33a
SHA512c703e00ca600aab0359722f28fe1d88911b38d7e9e535a0169cd1758484af8da815e9bbe79d64d8af502461d03c6bba17cd6427f6594eeecf2f62ea7aa33c5c3
-
MD5
e30362540228296980f7bc42f4a4c483
SHA1e69ee6a9a239b5d23e201d3dd47bfcbc15fb78b1
SHA25629ae2a46eee26cb64dd3aab346ba3f101607839e4a23be9ff679505c08358528
SHA512c8d26b0f1196c19b5c314b2354508742bd3e4c76e7d1042e01d016d27749fd5b284bac18b19ff7dd178f1b37b72778a45509258e5d3eaa6f7ccd4ed6465437f8
-
MD5
5c2e66df5cc26af3dcd5e1dc61fed7bc
SHA19708321fc655050e9272bc55e178ae5dc0d74bdc
SHA256a34b7eb861c3e2305cc0f7b481f3750172427a278659299ffac72b9f3069f0ab
SHA512d89011c5b8d1fcb47b190f3de57247d8e9647d4e32ae5918a954bc733cdb3cffa565bd917a52939f850b37d6383524e267dd67f6b086bb0496ad3db7b8b3933c
-
MD5
db31e8cc0699b54ccf8f7290a7971491
SHA1aabcf59d19bb7deb17aff2de96d72cc93988bff6
SHA2566b9201a3d1a2646b298c778de6e8c8ff93ec989051d589f3b78e1b96e212abdc
SHA512c0b35c1cfed1e5ed1a8c5db946e95766e302f550facaf03267013d670c1a3a737fd93af7b24e1bd33e37d3b9994da78a9410f0a83a3acab3b52e4bdb0c1e1bb6
-
MD5
f78718f60dc88148cd3a4178ec2260b0
SHA1cefffe857931756f76728ceddb0db0f73259165d
SHA256cdf8ac13f296fb16fa99196f39b8651ec2b4c08f222fe459fb7d2bbdadd4ebb8
SHA5129aef3f2415cfa5c69f727b30568339153e0adffed43e0ee38f2e402f5a6e40cc530c887812aabe722daae8fa65b9724cb1045a70eda02765ba1be3a118f22445
-
MD5
a2523ea6950e248cbdf18c9ea1a844f6
SHA1549c8c2a96605f90d79a872be73efb5d40965444
SHA2566823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
SHA5122141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a
-
MD5
f97c69209c208c1dd472c5e0ed760456
SHA1df60690e333433ddb39cbe19384ff10856b9b75d
SHA2569a0b806e6a764d6109da7762f57a92381db329d1b3ec5adbfbd3cf61ef81e3c0
SHA512cf03214687de08cb6dd12f9dbe500d036124ab76b3781148e5c7cda8ff9833b7bd1c12c368f4116edcbc6b8862af419250fa444e1d7b9dedc1162b9d0540b521
-
MD5
d0b0aacac633ee2eda0075eb85d43c06
SHA116f85e31472c783dddf3a00a8034f1fd8f571f62
SHA256a9c70c16cbd27d15b4d76f68f8d7663c27f7b4d89ab1641abe6c4a2ed2227032
SHA5124a8e19367f5fb335afe2ab7fd884d644d4ff9c2d2515da74e2c3d193e289a73f49ed4d9de08ca43ddd0b811b952dce3cbb49c4cdc323c48008eab7814ca423f2
-
MD5
f2d229ea5c830066b4642b947b27fe61
SHA1eac1e0a86af1cb7fa3a382821f9375db2d8fe30a
SHA256c5cefc7702556ee5542d2116774275c61f20ee2a173b851ee1c7319b4b8d2357
SHA512f161b377d46e1494621410231ef74f97047e58455cb63a8ca6d33f4d7208cc91869e82a4f92e33acbe66b7c77b81f98a89d5ce003c344292edbd4883b8261939
-
MD5
ea2d8f0c9320c1363640bf3a7a9ea21f
SHA19af865a4e4355dff9ab48af7acfd42ecdbec93c8
SHA256161f6ec2a08e4955e2c2850539bd61cd18f96a93b2f340ea7b244121fbed9cf6
SHA51215f8e062dd864a1f4cd8003ff7bc14fa3be1896112aaf696847eb15bce72b1db3f0fb81280fd20d64672888b5a916767fc049a9b8f4f3c03f52e50dfd610f83c
-
MD5
2b6cf186eba511e0903c9314b865d3b9
SHA119dd12a7d4cdb41e8efb46b235591d22ce35eab1
SHA256b1a6d7cb4f88a5eb2c30908836f7eed1f1c8294baaee94e9ab4b8bb47fe0f6dc
SHA512f4f7ac4edca5c49357fa174219d93d3206ce2f3d7a89418ba52ae815278feb72b9448a8f553b7d308d04774c52d2f95ae1656475caf160e0d59ad735a003080e
-
MD5
fb4db1e9eb7c4e3d7f74f1e31d7f2f02
SHA163c855aa583d2e484b42cfbfe78f6202601b782b
SHA25662ea60c77915fb24bdde4afa3b4639ccf4898929a79bec2d1d1b3f7f42e8e095
SHA512801c9a3d1858738f736759b37c14dbbf22672a2cd652f14afa1399f209d70a416935460319c0f08a1d9ebb0fd0d5236c377298cc0d0a2c3de0c40fe0503bd0b4
-
MD5
ff1800992e20ce2772f95e08ff55702b
SHA1d27dd9e0f45e9f449ec50af0fc406b4ca582ff8e
SHA256f189f532876626008bcd2d5a95aa8be548fa7e78b1b421589c0c5ba11c5e6c8d
SHA51213fe75226453017b6bcdb317a35e4815673e1f12b24329dc4035af6066ce9926e8e8743c7ec2d36ee78061f411bc3fac2877ad055aecac0a1d211bdfd8cabb6e
-
MD5
c543bb6076375933044987cdc2b696dc
SHA19366c0eacd6e8f9c72fabde15ea0b4b42d6015d2
SHA256b714d345fa1746f607b142c7bc90d7df950b41bb10a9724a7814a63fb68f550c
SHA512bcf444f09fc57ee31c3eafc2ed202c52cf507c2160b51373ac2431a90e02d6d5a6981e4325063f44f4327308b3247d02bebc12adea906f5ea7b46eacfebae4de
-
MD5
23ed0a03a2b8ae756c459caae2859d02
SHA1939ad94c06644758c1e532a6d6aa1c263e55e2ed
SHA2565e94b9c35c4ef0188bdd57fc08afd0f982849f8e100ae8ff9b90844e6f9f0edc
SHA512c0c6fe22bf57ed4af2a6a7b234000be766dc1e72daeb0996668ef9383f456046e51bbb13a206bc837c41eac76eacf56cbd9173077094f2bfe16a0e5764555679
-
MD5
1ac97dbe4a81fc2beb509f8da5a3e8b6
SHA1b9e7d3857a10072c8569b2d07e0208059cf9495c
SHA256258dd151e3ec9632d0b49488cc689bcbab172648854e121dc6b5f2e43e58cb62
SHA512c69a7619d3b75d7170e087be9f02afc6d6bd1706aefcb60e84507f33d393f7323b168436f77c540c9439e2045b7577a2fb77ad287e02ff1afac747017478fad1
-
MD5
02aaefa1473499a116ed8ce166881637
SHA1a373f1cb2655778e1f908541cc29d9ec46f308f3
SHA256733808629fa4903b844ef854cbab30323442cc62d015858f72a2d28253d5a8ab
SHA51248b211d0134eb4bd8cc236cb563a7bb5f7c0daa0d9aa2c79004c751856925c21e0297f380c7d14d568ce3d8663e2221f7d6a1d96607ec3b64f031bb53e2eace8
-
MD5
9606acb077b6ba32a5869fbf25373134
SHA1c4dd60b9d92c894042a9f34500492a088cd642fa
SHA2566aa99d4ff2c73722f67c9ef42c27e3a2c660edf1495d538dad9793a15e7b0b7c
SHA512a40fc446db5fcdb2367fa688fd7cc1f8beee70d41e9fc673bb1735c0002c1cb5d8e31db0ce32bb533289792f273919eb212d863bcb2660c402c4f13c20b64166
-
MD5
5900f51fd8b5ff75e65594eb7dd50533
SHA12e21300e0bc8a847d0423671b08d3c65761ee172
SHA25614df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc
-
MD5
0e7466542d8f0c527e77c297b85b17e8
SHA12ce37d74fb26e88054f6ef7d02a24a3a435c4f0d
SHA256b5063b511e98931da51ea471634f98a1c9de2fef149ea2e3c779b2adff002246
SHA512d0de3b5f92be8300784c1c5eea65f93e56568f72dd28958592c51ad72f97770efe158f0a8a4e092a996401d59bd49dc7eeb5c9ce91117717ae2c01640df30d22
-
MD5
82b73f08ee8c8d1eebd3f9dfc6495d8a
SHA1420ac44ac8447d97bb66029808215f3f59535ed4
SHA25627ae018d877d981cc5de00ce7ed6ee4873e1c6be8793596503127160ac31e88d
SHA51244821f8620d3b27134e14bc34d9d31ad9edcc0215ba0bef574b99636488fec1fe300e58003278fb4d0b13e861a2777f0fd3e7b492ac1ab75a922db94543a4823
-
MD5
f65b6e5c80643e85771e1b050cce51f3
SHA1e9d6ec45859868fda152fd19a0c977a439be40fa
SHA2567e946b53dd48fc7d42a8812ab0450e1193ae21ee9990d812811224c3429ecfc5
SHA51263d3fb8b157c30fc155feedf01ba7f141e7251d9a424e056b8f6798ee1238dc6c5834938940c3fd445ed9c22a53841f389f3d553c6b53e52285030751e120c53
-
MD5
9bb3e77f3a2b7329ca41979a783996ae
SHA1fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
SHA25608124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA512d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
-
MD5
9bb3e77f3a2b7329ca41979a783996ae
SHA1fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
SHA25608124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA512d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
-
MD5
9bb3e77f3a2b7329ca41979a783996ae
SHA1fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
SHA25608124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA512d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
-
MD5
9bb3e77f3a2b7329ca41979a783996ae
SHA1fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
SHA25608124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA512d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
-
MD5
b30ec504a0d48b37c9dd7c5610832f44
SHA1efc46c98dee5d49892bbb6fd848a3dbe2dcc23a8
SHA25691268a56cdc767d5c1412887d56435595c58fdaef4a26bcfeac8f380d0ca5ff9
SHA5127bc50faa48895ea30a2d39e85ef0b76e64eea318c74e9b89280af60b802760732e44af8168fc7fdd6ff3c644c07e7ad53b74c55d40596716aff58118f070c321
-
MD5
6d387595f24aa01d830943edabe7f574
SHA13c613bed7f60d9d9d7d63afd1ada86427925e7ae
SHA256ea8d904ca11a89a5783770aa988da11859e63ea0d05f13d56b72d91b18eee121
SHA5124968382886269d8ef3b9c927ba0b09257816e27adda69e39f6815495e69fd4cdd23b5ab57acfa76af82116fcdbec88d734360f2d3b6a6ee8ffcc93bcaefbc4b3
-
MD5
59e1e5386d888953cf3db6ba5786b1fa
SHA12f0256eae40bee5270f2d661a323d0161697c5c6
SHA256e5ac021609a27b0296acb67a464e4270aa133d5740b4df555b4585d358ba1f6c
SHA512814124782ce39f6166827557a4ffb66c78843ae1cc4350fc62f239e6cabcc50973b6c9ce42abaa521d09fb11fb881746ebcfc10f443c563e9a443c7b043c3db1
-
MD5
9f949bbe2dd4f7524e147c32c9f009cc
SHA1a3bcb4754c725f080b8012b7f93946d719a9e19c
SHA256569e2828ed873580aad1142a4a8f197b48c51bbf082ca45d6659d40276910452
SHA5128b00ae064e3e9275c9ae06a0044a5952fe5bc5696a62cc6886230609b95781e0c0ef09756c15e8b233d0557f0bf2b21affc072e2117684495183fcc344c92b98
-
MD5
f47dcb5b325e17d116d0cd0c58618924
SHA16670afe930ee717f1217982148c508cebf0977de
SHA2562ecc748d30dc2302ef75c85f47247492acf888ae150499bab2154d91cdb2c6c6
SHA5123faeb66dfbf600673e6df99584b9708a3362fd82e4b599ee251f05dd409cbef0b91ca2b7260435abc8900057311cfabce347686e930a674312ed6d538fdbb11e
-
MD5
4dc9322f08bf2bdefc7d839ab12af6a1
SHA17e8cea0a18b986c64854a3bbf229f3d4775410a0
SHA256b743d19773f0ffd604039f832e77eda00bbae78899f949b6a7f2d13709d84a8d
SHA512a6079a3b35b62476c54a3cec6807a6b517eb9b6725e8218caaaf07953eaa3369adb33569b016163ee5221627ea07f7102961e76709ebedfc5c1a6821d2ab0259
-
MD5
f7b5a6f061886695b223f4b8d39d4902
SHA1418d9c54e12c3b9d9b488b70d47a0ee8b24b6d14
SHA256c7797e2cff42f002b1325f2a86bc882d5e0c23208d6165c2b961c819b67ef121
SHA512d41a4a963ad3bb473ba79a89ef7861ad48831b39581c6480667c381224c6742f21d6abbc40de586648dc859ddf2670a3d6a12c6f24c2ce74bcad0ff1068b15bd
-
MD5
864f5836335cef221215e26cf6d41603
SHA18ee27e68866c4b40d94bb9fb507b69410df7ab7f
SHA256291fe6fe0a55ffa808d616a32faf02735661da18e289c2f0ef528d8216054382
SHA5127c3daa6d0439c9b892caee8a8498d26ffc97ac8266fc7a066fc38f408ba045f7bece28893292a048ea5f50371878573f03edd430182957a2dc214f5698d0a04d
-
MD5
d8607a8a58b1cf026baca1b9dd82cd2d
SHA14008f66453a7a1ca800d085bce60ca51db94f3f8
SHA2565906d630c826491ed7f20a741f8d0116c8b54b020a5af3f8d4020fa3684cb33a
SHA512c703e00ca600aab0359722f28fe1d88911b38d7e9e535a0169cd1758484af8da815e9bbe79d64d8af502461d03c6bba17cd6427f6594eeecf2f62ea7aa33c5c3
-
MD5
e30362540228296980f7bc42f4a4c483
SHA1e69ee6a9a239b5d23e201d3dd47bfcbc15fb78b1
SHA25629ae2a46eee26cb64dd3aab346ba3f101607839e4a23be9ff679505c08358528
SHA512c8d26b0f1196c19b5c314b2354508742bd3e4c76e7d1042e01d016d27749fd5b284bac18b19ff7dd178f1b37b72778a45509258e5d3eaa6f7ccd4ed6465437f8
-
MD5
db31e8cc0699b54ccf8f7290a7971491
SHA1aabcf59d19bb7deb17aff2de96d72cc93988bff6
SHA2566b9201a3d1a2646b298c778de6e8c8ff93ec989051d589f3b78e1b96e212abdc
SHA512c0b35c1cfed1e5ed1a8c5db946e95766e302f550facaf03267013d670c1a3a737fd93af7b24e1bd33e37d3b9994da78a9410f0a83a3acab3b52e4bdb0c1e1bb6
-
MD5
f78718f60dc88148cd3a4178ec2260b0
SHA1cefffe857931756f76728ceddb0db0f73259165d
SHA256cdf8ac13f296fb16fa99196f39b8651ec2b4c08f222fe459fb7d2bbdadd4ebb8
SHA5129aef3f2415cfa5c69f727b30568339153e0adffed43e0ee38f2e402f5a6e40cc530c887812aabe722daae8fa65b9724cb1045a70eda02765ba1be3a118f22445
-
MD5
a2523ea6950e248cbdf18c9ea1a844f6
SHA1549c8c2a96605f90d79a872be73efb5d40965444
SHA2566823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
SHA5122141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a
-
MD5
f97c69209c208c1dd472c5e0ed760456
SHA1df60690e333433ddb39cbe19384ff10856b9b75d
SHA2569a0b806e6a764d6109da7762f57a92381db329d1b3ec5adbfbd3cf61ef81e3c0
SHA512cf03214687de08cb6dd12f9dbe500d036124ab76b3781148e5c7cda8ff9833b7bd1c12c368f4116edcbc6b8862af419250fa444e1d7b9dedc1162b9d0540b521
-
MD5
d0b0aacac633ee2eda0075eb85d43c06
SHA116f85e31472c783dddf3a00a8034f1fd8f571f62
SHA256a9c70c16cbd27d15b4d76f68f8d7663c27f7b4d89ab1641abe6c4a2ed2227032
SHA5124a8e19367f5fb335afe2ab7fd884d644d4ff9c2d2515da74e2c3d193e289a73f49ed4d9de08ca43ddd0b811b952dce3cbb49c4cdc323c48008eab7814ca423f2
-
MD5
f2d229ea5c830066b4642b947b27fe61
SHA1eac1e0a86af1cb7fa3a382821f9375db2d8fe30a
SHA256c5cefc7702556ee5542d2116774275c61f20ee2a173b851ee1c7319b4b8d2357
SHA512f161b377d46e1494621410231ef74f97047e58455cb63a8ca6d33f4d7208cc91869e82a4f92e33acbe66b7c77b81f98a89d5ce003c344292edbd4883b8261939
-
MD5
ea2d8f0c9320c1363640bf3a7a9ea21f
SHA19af865a4e4355dff9ab48af7acfd42ecdbec93c8
SHA256161f6ec2a08e4955e2c2850539bd61cd18f96a93b2f340ea7b244121fbed9cf6
SHA51215f8e062dd864a1f4cd8003ff7bc14fa3be1896112aaf696847eb15bce72b1db3f0fb81280fd20d64672888b5a916767fc049a9b8f4f3c03f52e50dfd610f83c
-
MD5
2b6cf186eba511e0903c9314b865d3b9
SHA119dd12a7d4cdb41e8efb46b235591d22ce35eab1
SHA256b1a6d7cb4f88a5eb2c30908836f7eed1f1c8294baaee94e9ab4b8bb47fe0f6dc
SHA512f4f7ac4edca5c49357fa174219d93d3206ce2f3d7a89418ba52ae815278feb72b9448a8f553b7d308d04774c52d2f95ae1656475caf160e0d59ad735a003080e
-
MD5
fb4db1e9eb7c4e3d7f74f1e31d7f2f02
SHA163c855aa583d2e484b42cfbfe78f6202601b782b
SHA25662ea60c77915fb24bdde4afa3b4639ccf4898929a79bec2d1d1b3f7f42e8e095
SHA512801c9a3d1858738f736759b37c14dbbf22672a2cd652f14afa1399f209d70a416935460319c0f08a1d9ebb0fd0d5236c377298cc0d0a2c3de0c40fe0503bd0b4
-
MD5
ff1800992e20ce2772f95e08ff55702b
SHA1d27dd9e0f45e9f449ec50af0fc406b4ca582ff8e
SHA256f189f532876626008bcd2d5a95aa8be548fa7e78b1b421589c0c5ba11c5e6c8d
SHA51213fe75226453017b6bcdb317a35e4815673e1f12b24329dc4035af6066ce9926e8e8743c7ec2d36ee78061f411bc3fac2877ad055aecac0a1d211bdfd8cabb6e
-
MD5
23ed0a03a2b8ae756c459caae2859d02
SHA1939ad94c06644758c1e532a6d6aa1c263e55e2ed
SHA2565e94b9c35c4ef0188bdd57fc08afd0f982849f8e100ae8ff9b90844e6f9f0edc
SHA512c0c6fe22bf57ed4af2a6a7b234000be766dc1e72daeb0996668ef9383f456046e51bbb13a206bc837c41eac76eacf56cbd9173077094f2bfe16a0e5764555679
-
MD5
1ac97dbe4a81fc2beb509f8da5a3e8b6
SHA1b9e7d3857a10072c8569b2d07e0208059cf9495c
SHA256258dd151e3ec9632d0b49488cc689bcbab172648854e121dc6b5f2e43e58cb62
SHA512c69a7619d3b75d7170e087be9f02afc6d6bd1706aefcb60e84507f33d393f7323b168436f77c540c9439e2045b7577a2fb77ad287e02ff1afac747017478fad1
-
MD5
02aaefa1473499a116ed8ce166881637
SHA1a373f1cb2655778e1f908541cc29d9ec46f308f3
SHA256733808629fa4903b844ef854cbab30323442cc62d015858f72a2d28253d5a8ab
SHA51248b211d0134eb4bd8cc236cb563a7bb5f7c0daa0d9aa2c79004c751856925c21e0297f380c7d14d568ce3d8663e2221f7d6a1d96607ec3b64f031bb53e2eace8
-
MD5
9606acb077b6ba32a5869fbf25373134
SHA1c4dd60b9d92c894042a9f34500492a088cd642fa
SHA2566aa99d4ff2c73722f67c9ef42c27e3a2c660edf1495d538dad9793a15e7b0b7c
SHA512a40fc446db5fcdb2367fa688fd7cc1f8beee70d41e9fc673bb1735c0002c1cb5d8e31db0ce32bb533289792f273919eb212d863bcb2660c402c4f13c20b64166
-
MD5
0e7466542d8f0c527e77c297b85b17e8
SHA12ce37d74fb26e88054f6ef7d02a24a3a435c4f0d
SHA256b5063b511e98931da51ea471634f98a1c9de2fef149ea2e3c779b2adff002246
SHA512d0de3b5f92be8300784c1c5eea65f93e56568f72dd28958592c51ad72f97770efe158f0a8a4e092a996401d59bd49dc7eeb5c9ce91117717ae2c01640df30d22