Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27-09-2024 14:14
General
-
Target
fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
-
Size
253KB
-
MD5
fa8dff8ebe3d919ebc72ed83c58a2351
-
SHA1
f98a4f7bd317a4a90790bdff2d13fdb8291c6357
-
SHA256
33b8c7c3d12e03465f4438e5431b0801dff1cfc8b16534619c009ac4387fc7e6
-
SHA512
8f5ecc6863b845cfc6ba86026b8771a3a43a923a92f054661e6d10013961d92d833c49626de02a9aa9a6592374c5f8987eba1d9fe747dc9b83d7b4a1419f5cda
-
SSDEEP
6144:UEcNCL4CqbmP+xNaYlQdmipcCYG2R7MmZFUDz7GJM:jL4CamP8FlQFC+m0v6JM
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
Family
cerber
Ransom Note
C E R B E R R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files
have been encrypted.
Great!
You have turned to be a part of a big community "#Cerber Ransomware".
#########################################################################
!!! If you are reading this message it means the software "Cerber" has
!!! been removed from your computer.
!!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a
!!! working domain of your personal page!
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security
reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely
reversible (in other words to have a possibility to decrypt your files)
you should have an individual private key.
But not only it.
It is required also to have the special decryption software
(in your case "Cerber Decryptor" software) for safe and complete
decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the
instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
in the folders with your encrypted files are not viruses, they will
help you.
After reading this text the most part of people start searching in the
Internet the words the "Cerber Ransomware" where they find a lot of
ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on
your files and we are the only ones who have this secret key to
open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the
encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle, but some items are lost, broken or not put in its
place - the puzzle items will never match, the same way the third-party
software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to
restore files encrypted with the "Cerber Ransomware" software may be
fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the
private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you
to go directly to your personal page where you will receive the complete
instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|
| 1. http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A
|
| 2. http://pmenboeqhyrpvomq.0vgu64.top/3F32-353C-C8F5-006D-FB0A
|
| 3. http://pmenboeqhyrpvomq.y5j7e6.top/3F32-353C-C8F5-006D-FB0A
|
| 4. http://pmenboeqhyrpvomq.daigy0.top/3F32-353C-C8F5-006D-FB0A
|
| 5. http://pmenboeqhyrpvomq.onion.to/3F32-353C-C8F5-006D-FB0A
|_______________________________________________________________________
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in
HTML (the file with an icon of your Internet browser) then the easiest
way is to run it):
1. take a look at the first address (in this case it is
http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A);
2. select it with the mouse cursor holding the left mouse button and
moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the
Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the
place where the site address is written);
7. click the right mouse button in the field where the site address
is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address
http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A
appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same
instructions with the second address and continue until the last
address if falling.
If for some reason the site cannot be opened check the connection to the
Internet; if the site still cannot be opened take a look at the
instructions on omitting the point about working with the addresses in
the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is
http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A);
2. in a new tab or window of your web browser the site should be loaded;
if it is not loaded repeat the same instructions with the second
address and continue until the last address.
If for some reason the site cannot be opened check the connection to
the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies
are interested in you do not have a chance to restore your files but
continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the
Internet Explorer);
2. enter or copy the address
https://www.torproject.org/download/download-easy.html.en into the
address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and
run it, follow the installation instructions, wait until the
installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after
the initialization;
8. type or copy the address
________________________________________________________
| |
| http://pmenboeqhyrpvomq.onion/3F32-353C-C8F5-006D-FB0A |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading
wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser,
please, visit https://www.youtube.com/ and type request in the search bar
"install tor browser windows" and you will find a lot of training videos
about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you
are late; usually you have about 2-3 weeks after reading the instructions
to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders
where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for
your convenience.
Unfortunately antivirus companies cannot protect or restore your files
but they can make the situation worse removing the instructions how to
restore your encrypted files.
The instructions are not viruses; they have informative nature only, so
any claims on the absence of any instruction files you can send to your
antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a
person and his/her information data.
The project is created for the sole purpose of instruction regarding
information security, as well as certification of antivirus software for
their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something
is wrong with your files but you do not have any instructions to restore
your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on
your determination and speed of your actions the further life of
your files.
URLs
http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A
http://pmenboeqhyrpvomq.0vgu64.top/3F32-353C-C8F5-006D-FB0A
http://pmenboeqhyrpvomq.y5j7e6.top/3F32-353C-C8F5-006D-FB0A
http://pmenboeqhyrpvomq.daigy0.top/3F32-353C-C8F5-006D-FB0A
http://pmenboeqhyrpvomq.onion.to/3F32-353C-C8F5-006D-FB0A
http://pmenboeqhyrpvomq.onion/3F32-353C-C8F5-006D-FB0A
Extracted
Path
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Cerber Ransomware</title>
<style>
a {
color: #47c;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #333;
font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
font-size: 16px;
line-height: 1.6;
margin: 0;
padding: 0;
}
hr {
background-color: #e7e7e7;
border: 0 none;
border-bottom: 1px solid #c7c7c7;
height: 5px;
margin: 30px 0;
}
li {
padding: 0 0 7px 7px;
}
ol {
padding-left: 3em;
}
.container {
background-color: #fff;
border: 1px solid #c7c7c7;
margin: 40px;
padding: 40px 40px 20px 40px;
}
.info, .tor {
background-color: #efe;
border: 1px solid #bda;
display: block;
padding: 0px 20px;
}
.logo {
font-size: 12px;
font-weight: bold;
line-height: 1;
margin: 0;
}
.upd_on {
color: red;
display: block;
}
.upd_off {
display: none;
float: left;
}
.tor {
padding: 10px 0;
text-align: center;
}
.url {
margin-right: 5px;
}
.warning {
background-color: #f5e7e7;
border: 1px solid #ebccd1;
color: #a44;
display: block;
padding: 15px 10px;
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<h3>C E R B E R R A N S O M W A R E</h3>
<hr>
<p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p>
<p>It is normal because the files' names, as well as the data in your files have been encrypted.</p>
<p>Great!<br>You have turned to be a part of a big community "#Cerber Ransomware".</p>
<hr>
<p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p>
<hr>
<h3>What is encryption?</h3>
<p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p>
<p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p>
<p>But not only it.</p>
<p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p>
<hr>
<h3>Everything is clear for me but what should I do?</h3>
<p>The first step is reading these instructions to the end.</p>
<p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p>
<p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p>
<p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p>
<p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p>
<p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p>
<p>Finally it will be impossible to decrypt your files.</p>
<p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p>
<p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p>
<hr>
<p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p>
<hr>
<p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p>
<p>After purchase of the software package you will be able to:</p>
<ol>
<li>decrypt all your files;</li>
<li>work with your documents;</li>
<li>view your photos and other media;</li>
<li>continue your usual and comfortable work at the computer.</li>
</ol>
<p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p>
<hr>
<div class="info">
<p>There is a list of temporary addresses to go on your personal page below:</p>
<ol>
<li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A" id="url_1" target="_blank">http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li>
<li><a href="http://pmenboeqhyrpvomq.0vgu64.top/3F32-353C-C8F5-006D-FB0A" target="_blank">http://pmenboeqhyrpvomq.0vgu64.top/3F32-353C-C8F5-006D-FB0A</a></li>
<li><a href="http://pmenboeqhyrpvomq.y5j7e6.top/3F32-353C-C8F5-006D-FB0A" target="_blank">http://pmenboeqhyrpvomq.y5j7e6.top/3F32-353C-C8F5-006D-FB0A</a></li>
<li><a href="http://pmenboeqhyrpvomq.daigy0.top/3F32-353C-C8F5-006D-FB0A" target="_blank">http://pmenboeqhyrpvomq.daigy0.top/3F32-353C-C8F5-006D-FB0A</a></li>
<li><a href="http://pmenboeqhyrpvomq.onion.to/3F32-353C-C8F5-006D-FB0A" target="_blank">http://pmenboeqhyrpvomq.onion.to/3F32-353C-C8F5-006D-FB0A</a></li>
</ol>
</div>
<hr>
<h3>What should you do with these addresses?</h3>
<p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p>
<ol>
<li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" href="http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A" id="url_2" target="_blank">http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A</a>);</li>
<li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li>
<li>release the left mouse button and press the right one;</li>
<li>select "Copy" in the appeared menu;</li>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li>
<li>click the right mouse button in the field where the site address is written;</li>
<li>select the button "Insert" in the appeared menu;</li>
<li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A" id="url_3" target="_blank">http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A</a> appeared there;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p>
<p>If you browse the instructions in HTML format:</p>
<ol>
<li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A" id="url_4" target="_blank">http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A</a>);</li>
<li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet.</p>
<hr>
<p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p>
<p>Unlike them we are ready to help you always.</p>
<p>If you need our help but the temporary sites are not available:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened after the initialization;</li>
<li>type or copy the address <span class="tor">http://pmenboeqhyrpvomq.onion/3F32-353C-C8F5-006D-FB0A</span> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p>
<p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p>
<hr>
<h3>Additional information:</h3>
<p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p>
<p>The instructions are made in two file formats - HTML and TXT for your convenience.</p>
<p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p>
<p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p>
<hr>
<p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p>
<p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p>
<p>Together we make the Internet a better and safer place.</p>
<hr>
<p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p>
<hr>
<p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p>
</div>
<script>
function getXMLHttpRequest() {
if (window.XMLHttpRequest) {
return new window.XMLHttpRequest;
}
else {
try {
return new ActiveXObject("MSXML2.XMLHTTP.3.0");
}
catch(error) {
return null;
}
}
}
function getUrlContent(url, callback) {
var xhttp = getXMLHttpRequest();
if (xhttp) {
xhttp.onreadystatechange = function() {
if (xhttp.readyState == 4) {
if (xhttp.status == 200) {
return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null);
}
else {
return callback(null, true);
}
}
};
xhttp.open("GET", url + '?_=' + new Date().getTime(), true);
xhttp.send();
}
else {
return callback(null, true);
}
}
function server1(address, callback) {
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) {
if (!error) {
var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result);
if (tx) {
getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) {
if (!error) {
var address = /"vouts":\[{"address":"([\w]+)"/.exec(result);
if (address) {
return callback(address[1], null);
}
else {
return callback(null, true);
}
}
else {
return callback(null, true);
}
});
}
else {
return callback(null, true);
}
}
else {
return callback(null, true);
}
});
}
function server2(address, callback) {
getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) {
if (!error) {
var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result);
if (tx) {
getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) {
if (!error) {
var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result);
if (address) {
return callback(address[1], null);
}
else {
return callback(null, true);
}
}
else {
return callback(null, true);
}
});
}
else {
return callback(null, true);
}
}
else {
return callback(null, true);
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Contacts a large (529) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 9 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exe"C:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exe"C:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exe"4⤵
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9120846f8,0x7ff912084708,0x7ff9120847186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9022351910836828314,4266701505760594874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1824 /prefetch:16⤵
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt5⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pmenboeqhyrpvomq.pap44w.top/3F32-353C-C8F5-006D-FB0A?auto5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9120846f8,0x7ff912084708,0x7ff9120847186⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"5⤵
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "grpconv.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exe" > NUL5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "grpconv.exe"6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe" > NUL3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe"4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exeC:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exeC:\Users\Admin\AppData\Roaming\{19923940-1D30-C683-172B-F15FA51771E4}\grpconv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x430 0x4081⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Query Registry
2Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e765f3d75e6b0e4a7119c8b14d47d8da
SHA1cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079
-
Filesize
152B
MD553bc70ecb115bdbabe67620c416fe9b3
SHA1af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
SHA256b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
SHA512cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921
-
Filesize
6KB
MD5ce0bdb423d2c8811acbe008a5670dd7a
SHA1786c7723746b22d3b80e46da5cb07773b0dd32c0
SHA256c719a8056c3ab3c73fe48932e0d6144f16cddbf990f304bfe33c61501f0a6bdd
SHA5129da68d5b3d9e53fc4d220a0f25e2afd558b0b5bc04bbd6d7b95ae75a6997eeae3b545fc9e92a9f7e5bbe786f78ad0d3cf4e79b5ee7a420aa8ca4096a233540f2
-
Filesize
5KB
MD5ac152d3791832e86506122dfeb42021a
SHA12178663d59c93d7febbfd175183e88b8323651f6
SHA2569c4a6b92e0f3ae2b51f535d43781e587249b7caced479701a99b95968f238186
SHA51207cc5a837315ab8c76298e0ae0343ea4722f7ddb0090d6737baea220afd46becdca635b8ca9ab69cb6e04e63c1dd46b0a5e8f33311e4e9ed0f778993679e00d7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD54247bc8f69eca1f2e82fe11c8b537e5c
SHA1c2e8b0ed76e6484eed1eac21f923daa319a7b229
SHA2569d0eadf830adf47760df61bfcd63123ee1d7d9f73d697d6a67c291500748d080
SHA5126773b597a459c3a7a8acfd44178fe7a729b9a6efa6cd4798dc4e7f7874f37c354081788d5b29636ebd2a3ee629dd963cdc0e6e79c27f7cc6d5f0e96ef10bac6c
-
Filesize
1KB
MD50267ef0118f917681a00b350c9e6911f
SHA1314e8f5329983d234959a4f7e94736d99d039d12
SHA2567bad2da380f6fa6f9aebdea5a0350d377086cc68a04b92b68b32b0b272719e92
SHA5122b4eab9fef989f1d325546b1deaa9a40f1a421e619bc9cbb757abf20ba8e7b7ff236fda375b40983f3b7a6fac2a04b6b803bf8e0d0e1d5558a171eea14000a88
-
Filesize
218B
MD5f8969783e9d4873af3f58346c9bdb15b
SHA1536d3ea983a350fc2983e2a3844a87485d99d373
SHA256ecf6f7686acbf209579bf90789e2608e9f7cfe0c6a2bbb6aa45713b2b7f89d71
SHA512463b26a875e11b285286b4eded330580b868216e8bf7f9d5945371ce465c8955ef6e37b0663cb71bedc28c448ed16de71bebfa89cd99148dc6ccabce509c9773
-
Filesize
4KB
MD52c75cdd8a8d68a50bc179649b7aeefc0
SHA1d178afb5dcfedb35e70f445c15984d5203408811
SHA256908f92f69a4583e55275a9a97f71a81984b5c598deeb379a58c4ae6352b99dfd
SHA512bf316cb91a4b3bc4ec374bf8cf75efde1c6ae4dec2f1877d995844224a1744a85230f9d1661b16e4628f73875ed1c8337a73b0420200ff93a5dbd615758139a4
-
Filesize
3KB
MD5fda6512a5f61cecd95dcc31514c26fe3
SHA12b1fc8b3bb931b8ae4fc6e6750144761720fdce6
SHA2563f4a51a5a1001937ccfd4bd056c69c5d713ce4b91a109916b265e1a80dd316d2
SHA512658782117e20ab15927c813ba92835e0f518fbb5f11b18397042c01a3d917f6b2cb348256d3bf42a9ddc6a6f45a0c5550bfbc3f15663e033ecb286b9a2f84f96
-
Filesize
485B
MD5ad8baefe636e08b8d937ee4303d37231
SHA10f58d13ae045ea62f4f64dedd7de4bdfef7e985c
SHA256b510a9f128b96f387a21d7b719fdc1d7ae81480a94620d11456699fd76271442
SHA51231b60710c0c59c882d21dd9d4eb5449c62e4f1bb75366d2b006b68f28e49f7cf63058272c0e2f8621d4bc80ccde0cc1e4cfdb503f3a513f0e2123c97524cc485
-
Filesize
3KB
MD5a33b205d2c07a68475fd1ff3ba7ce6c5
SHA19ad672f39f10b822c18196bd9d06ee7afa5e0740
SHA2561454f5f35a4472c53c37efb4c965b9f0c5318bce978d7c09d4e586bc6b98b2b4
SHA5127835f185f136751174eca88837bc2431c5f6ad45a11363d6c74695b6a829d7037f1a8610c54a369e509b076bf22d854ce79eaeb95218e25869b45d8f26d247e5
-
Filesize
148KB
MD580fed5c28b0bbf5e6f2f29755a984a1d
SHA14a0edf53ff1851e7a91f0f635b04aeccc6646970
SHA256a1c040049534c2c6cbde308ea120cf35f6805863d6ab3ef4eb9985ee04985d7d
SHA512d63c59f487991d0fc2d9aa1cb47d23707d45ef2ae82e801355de1171a5db7c04a2977e3f5c5229fcd3ffa5c4f8a150bc9e11aee9ba2b19ced7ab96bfdf4a7a85
-
Filesize
79KB
MD50e8e72d3531cecec1518d1c3929671d6
SHA15e7153adfea4cffa64dbbd8caf78f0e50f6733a0
SHA2568bf396d466b453d594cc7816884351261b5eb5602324a855953b45678bcc7254
SHA512b4002806ef09c61bc50167e45407660e0564b54732ef70c88b1b8e4f43081ccd3468fa2fb07c7c8c2197bac66fd5ce3e7b42b0aa068f95385c7371b09cd98214
-
Filesize
3KB
MD5c6010e77916c990c8e5e7e7b2546af36
SHA1fd7a8c5b49c66ac4b1b05622032908e8101aafdd
SHA256fe33a076cf6ae33766d202707e04ea439896850950419a68e2569c4d9a48d205
SHA512090395590f02b438017bd1433f7fc66a5d135c59b10a66f562d81b1b328af68b5bf90d84fa6d3d16747edfef86efb42e95a4cd505a6e1c3fab2be91fc3954f1a
-
Filesize
873B
MD5c97ff523785684bfafb523e994710d63
SHA1dd1d166ee22825a7b1a659e69cce500c8726823c
SHA2561d7295b88c7d37f8c59c7002281f8f3a5060852b2fadacb826b7066bbefe2284
SHA5124e51fcc9d64efc8cad482cd293fd440436222886267eb586a9ab70023e5f12b6b6115f7955d65419f431a9af492e1056dd8193a03983baf60c678bd9a6305aa5
-
Filesize
750B
MD5533b30fdbd4ab5d87fb8e2081f93b797
SHA17262676dd0af789afb53085f1b352455ace74552
SHA2568ef1f3da84d39926c50645696bae8175d8465a64f2e51ffc35e9c50854d915b6
SHA51293e97129fc6687be7eea739774f3524d3a5fb2e552aa8069b37d51524dfbff8928155b088ec019b85fc4b26597fceb1755b7cdc5c9d86ad7c401cdef91e2fdfa
-
Filesize
46B
MD5e67bb39e43493d3882b7673ef76d4a3c
SHA1e5273781bcef374a1586c448e1f08b46d2532211
SHA25697807b9b758a5a8a70fe85a5a4a70b7b931ab76b1e530e226c97415766d1b8be
SHA512768ad4a01a0f32fb9851919b8e10f46b637f1dd31308942eb21c66db4ff1941f3e8289c5b5632754ff2bd82344fa5ec029d0bc751463cdef5f5ada335f348883
-
Filesize
11KB
MD56f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1b6ac111dfb0d1fc75ad09c56bde7830232395785
SHA256b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
SHA512a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8
-
Filesize
1KB
MD55a76603ab4f236fa2c15de6511871226
SHA16038cc1a9833e097b1b986ef7b75437bed974bbf
SHA256b77bdcf28009e85439cf3fc3ea37c73df8bd772059f8a270942a95860ec17005
SHA512d9b19f018ccdc75c05eba6b9f0dd50b524f120f5618c79d1e9d71d2a694176f66e5a3acf817f07b5aa5ef62fccf7213b78392b863e8f21a774128f523a4496db
-
Filesize
253KB
MD5fa8dff8ebe3d919ebc72ed83c58a2351
SHA1f98a4f7bd317a4a90790bdff2d13fdb8291c6357
SHA25633b8c7c3d12e03465f4438e5431b0801dff1cfc8b16534619c009ac4387fc7e6
SHA5128f5ecc6863b845cfc6ba86026b8771a3a43a923a92f054661e6d10013961d92d833c49626de02a9aa9a6592374c5f8987eba1d9fe747dc9b83d7b4a1419f5cda
-
Filesize
19KB
MD515b878e77ad7b4bd6f0d5bf2a192bf21
SHA1832450ccbf48ca655c2305c6365a52738ec84665
SHA256805df05b3909d34bc3ed8a917fbb8ca82e4d231af5a96f7a0a5847f83deaa737
SHA5121c7c7e23a077e25331e1974f77a11d2d62c941756017eaf2c13b562aa2ebd7ca7740475db9d0ab5e7792fd8438cc70321b5c25b62503dbae3e996b61181cdfc8
-
Filesize
10KB
MD579395dbe046b787faa7cfa69a6d46116
SHA1e9a249ef3e79d5f56ae3adafd8554ae3f9e95731
SHA2561571560d9387e3d9da72792dd1c8af714e3053ddf6d3b33e94ff49e6b550c7ba
SHA5127cd9aef93731932d9d65c830364ed379595a479dea701ef7b54268e7989ff1873f3bcbf516e2aa322e86ba1fe6963e5acde10180b2d03f7793fc5349c8c7bcd2
-
Filesize
90B
MD59f6a53e76374fbaa3a90cfe5831a7c2d
SHA1afd93aa7e7f70faeb509a4ec9f36cfa1be4c0a33
SHA25624eef36bdcc30683a56552e4dd8cd5f374b2f8fc18203bec257a72694eed0ab9
SHA512906f1509e30e76d77a264ac14445569d970d29b6aa2cc189a0cfa6768e7b0217ee8a6d804b72ed82456cab7e0ccd57755cdfc21a2ab250a031767cd1ff48ba06
-
Filesize
213B
MD51c2a24505278e661eca32666d4311ce5
SHA1d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee
SHA2563f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628
SHA512ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
