Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-09-2024 04:17

General

  • Target

    fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe

  • Size

    209KB

  • MD5

    fff2b25d6363f93276cd2f20e7e27578

  • SHA1

    225fe2828be9b637da2d7621e9fae8f42f4ac4f8

  • SHA256

    6480fc69756f789c08636c4cc4a3a8456f9e037245f1001a8ce47be37b56ad03

  • SHA512

    4501f3fbdadf9cb737ed451e2f0003fbeace09b3830b2adab6a39483cdb41ae144b9ec924ded56e77ae96b1305b18cdfd262a6eb0563cfe0b8d706c651b93464

  • SSDEEP

    6144:D/uTZqR/XgxURVls4nSYA3HK9LUGkII/3EINS:zR/XgxURVlDnmq9LgtEeS

Malware Config

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#Cerber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2" id="url_1" target="_blank">http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.pap44w.top/5902-EB50-2BEE-0446-66A2" target="_blank">http://52uo5k3t73ypjije.pap44w.top/5902-EB50-2BEE-0446-66A2</a></li> <li><a href="http://52uo5k3t73ypjije.r21wmw.top/5902-EB50-2BEE-0446-66A2" target="_blank">http://52uo5k3t73ypjije.r21wmw.top/5902-EB50-2BEE-0446-66A2</a></li> <li><a href="http://52uo5k3t73ypjije.y5j7e6.top/5902-EB50-2BEE-0446-66A2" target="_blank">http://52uo5k3t73ypjije.y5j7e6.top/5902-EB50-2BEE-0446-66A2</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/5902-EB50-2BEE-0446-66A2" target="_blank">http://52uo5k3t73ypjije.onion.to/5902-EB50-2BEE-0446-66A2</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2" id="url_2" target="_blank">http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2" id="url_3" target="_blank">http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2" id="url_4" target="_blank">http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/5902-EB50-2BEE-0446-66A2</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);
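The script at the end of the HTML note is what backs the "Get a NEW address!" link. It queries two public block-explorer APIs (blockr.io first, BlockCypher as the fallback) for the most recent outgoing transaction from a Bitcoin address the note watches, and takes the first output address of that transaction; the copy of the note captured here is cut off before the code that turns that address into a fresh payment-site domain, so only the lookup half can be read from the page. The Python below is an added example written for this page, not the note's own code: it re-implements that lookup offline with the note's regular expressions copied as they appear (including the whitespace stripping the note applies to every response body) and uses a hypothetical `fetch` callable in place of the XMLHttpRequest, so the fallback path can be exercised without network access. The watched address, destination address and transaction ids in the sample responses are placeholders, not real chain data.

```python
import re
from typing import Callable, Optional

# Regexes copied from the note's server1()/server2(); the note strips all
# whitespace from each response before matching, so these assume that.
BLOCKR_OUTGOING_TX = re.compile(
    r'"tx":"(\w+)","time_utc":"[\w\-:]+","confirmations":\d+,"amount":-')
BLOCKR_FIRST_VOUT = re.compile(r'"vouts":\[\{"address":"(\w+)"')
CYPHER_OUTGOING_TX = re.compile(
    r'"tx_hash":"(\w+)","block_height":\d+,"tx_input_n":[\d-]+,"tx_output_n":-')
CYPHER_FIRST_OUTPUT = re.compile(
    r'"outputs":\[\{"value":\d+,"script":"\w+","spent_by":"\w+","addresses":\["(\w+)"')

# Stand-in for the note's XMLHttpRequest: returns the body, or None on any error.
Fetch = Callable[[str], Optional[str]]


def squash(body: str) -> str:
    r"""Mirror of the note's responseText.replace(/[\s ]+/gm, '') call."""
    return re.sub(r"\s+", "", body)


def via_blockr(fetch: Fetch, watched: str) -> Optional[str]:
    """server1(): the first tx in the listing with a negative amount is a payment
    *out of* the watched address; return that tx's first vout address."""
    listing = fetch(f"http://btc.blockr.io/api/v1/address/txs/{watched}")
    tx = BLOCKR_OUTGOING_TX.search(squash(listing)) if listing is not None else None
    if not tx:
        return None
    info = fetch(f"http://btc.blockr.io/api/v1/tx/info/{tx.group(1)}")
    vout = BLOCKR_FIRST_VOUT.search(squash(info)) if info is not None else None
    return vout.group(1) if vout else None


def via_blockcypher(fetch: Fetch, watched: str) -> Optional[str]:
    """server2(): a txref with tx_output_n == -1 is one in which the watched
    address was spent from; return the first output address of that tx."""
    listing = fetch(f"http://api.blockcypher.com/v1/btc/main/addrs/{watched}")
    tx = CYPHER_OUTGOING_TX.search(squash(listing)) if listing is not None else None
    if not tx:
        return None
    info = fetch(f"http://api.blockcypher.com/v1/btc/main/txs/{tx.group(1)}")
    out = CYPHER_FIRST_OUTPUT.search(squash(info)) if info is not None else None
    return out.group(1) if out else None


def resolve_dead_drop(fetch: Fetch, watched: str) -> Optional[str]:
    """Same fallback order as the note: blockr.io first, BlockCypher second."""
    return via_blockr(fetch, watched) or via_blockcypher(fetch, watched)


# Constructed responses (placeholder addresses and tx ids, not real chain data)
# in the shape each regex expects. The blockr listing deliberately puts an
# incoming payment first to show that only the outgoing one is picked.
WATCHED = "1WatchedAddressPLACEHOLDER"
DEST = "1DestinationPLACEHOLDER"
SAMPLE_RESPONSES = {
    f"http://btc.blockr.io/api/v1/address/txs/{WATCHED}": '''
      {"status":"success","data":{"address":"%s","txs":[
        {"tx":"aa11","time_utc":"2016-09-01T10:00:00Z","confirmations":3,"amount":0.25},
        {"tx":"bb22","time_utc":"2016-08-30T09:00:00Z","confirmations":40,"amount":-0.5}]}}
    ''' % WATCHED,
    "http://btc.blockr.io/api/v1/tx/info/bb22":
        '{"status":"success","data":{"tx":"bb22","vouts":[{"address":"%s","amount":0.5}]}}' % DEST,
    f"http://api.blockcypher.com/v1/btc/main/addrs/{WATCHED}":
        '{"address":"%s","txrefs":[{"tx_hash":"cc33","block_height":430000,'
        '"tx_input_n":0,"tx_output_n":-1,"value":50000000}]}' % WATCHED,
    "http://api.blockcypher.com/v1/btc/main/txs/cc33":
        '{"hash":"cc33","outputs":[{"value":50000000,"script":"76a914ab88ac",'
        '"spent_by":"dd44","addresses":["%s"]}]}' % DEST,
}


def offline_fetch(url: str) -> Optional[str]:
    """The note appends ?_=<epoch ms> as a cache-buster; ignore it for lookup."""
    return SAMPLE_RESPONSES.get(url.split("?", 1)[0])


def blockr_down(url: str) -> Optional[str]:
    """Simulate the primary explorer being unreachable (HTTP error -> None)."""
    return None if "blockr.io" in url else offline_fetch(url)


if __name__ == "__main__":
    print(resolve_dead_drop(offline_fetch, WATCHED))  # via blockr
    print(resolve_dead_drop(blockr_down, WATCHED))    # same answer, via BlockCypher
```

For an analyst the useful part is the shape of the lookup rather than the regexes: the note never contacts the attacker's infrastructure to learn a new domain, it reads a public blockchain, so blocking the `.top` domains does nothing to the update channel, while the block-explorer requests themselves (and the `?_=<timestamp>` cache-buster) are what appear in proxy logs when a victim clicks the link.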

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. 
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2 | | 2. 
http://52uo5k3t73ypjije.pap44w.top/5902-EB50-2BEE-0446-66A2 | | 3. http://52uo5k3t73ypjije.r21wmw.top/5902-EB50-2BEE-0446-66A2 | | 4. http://52uo5k3t73ypjije.y5j7e6.top/5902-EB50-2BEE-0446-66A2 | | 5. http://52uo5k3t73ypjije.onion.to/5902-EB50-2BEE-0446-66A2 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/5902-EB50-2BEE-0446-66A2 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2

http://52uo5k3t73ypjije.pap44w.top/5902-EB50-2BEE-0446-66A2

http://52uo5k3t73ypjije.r21wmw.top/5902-EB50-2BEE-0446-66A2

http://52uo5k3t73ypjije.y5j7e6.top/5902-EB50-2BEE-0446-66A2

http://52uo5k3t73ypjije.onion.to/5902-EB50-2BEE-0446-66A2

http://52uo5k3t73ypjije.onion/5902-EB50-2BEE-0446-66A2

Signatures

  • Cerber

    Cerber is a widely distributed ransomware-as-a-service (RaaS) family, first seen in 2016.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large number (528) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber specifically, a burst of contacts to hundreds of hosts is more consistent with the family's known UDP statistics beacon, sent to every address in a configured IP range, than with a service scan.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
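Read together with the process tree below, these signatures describe a short chain that is easy to express as detection logic: the sample relaunches its own image from %TEMP% while using SetThreadContext and WriteProcessMemory (consistent with hollowing a suspended self-copy), the second instance drops TapiUnattend.exe into a GUID-named folder under %APPDATA%\Roaming (the name of a Windows binary, in a user-writable location), that copy repeats the self-relaunch, persists through both the ordinary Run key and the less-watched Policies\Explorer\Run key, sets the wallpaper, and finally opens the ransom note in Edge. The Python below is an added example written for this page, not part of the report or of any vendor's ruleset: it encodes those observations as rules over constructed Sysmon-style process-creation and registry events whose PIDs and paths are taken from the tree in this report. The parent PID of the first process, the registry value names, the wallpaper file path and the benign "Vendor Updater" entry are placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str        # full path of the started executable
    cmdline: str = ""


@dataclass
class RegEvent:
    pid: int          # process that wrote the value
    key: str          # key path including the value name
    data: str


# Anything under a user's AppData tree (Local\Temp, Roaming, ...) is user-writable.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# The drop location seen in this run: %APPDATA%\{GUID}\<name>.exe
GUID_DROP_DIR = re.compile(r"\\appdata\\roaming\\\{[0-9a-f-]{36}\}\\[^\\]+\.exe$", re.I)
# Both persistence keys the report flags: the ordinary Run key and Policies\Explorer\Run.
RUN_KEYS = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(policies\\explorer\\)?run\\", re.I)
WALLPAPER_KEY = re.compile(r"\\control panel\\desktop\\wallpaper$", re.I)
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs, regs):
    """Return (rule, pid) pairs, one per rule hit."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # Rule 1: a process relaunching its own image from a user-writable path. With
        # SetThreadContext/WriteProcessMemory in the parent this is the hollowing
        # pattern; Edge's own children do not match because they live under Program Files.
        if parent and parent.image.lower() == p.image.lower() and USER_WRITABLE.search(p.image):
            hits.append(("self_relaunch_from_user_path", p.pid))
        # Rule 2: executable running from %APPDATA%\{GUID}\.
        if GUID_DROP_DIR.search(p.image):
            hits.append(("exe_in_appdata_guid_dir", p.pid))
        # Rule 3: a browser started by a user-path process to show an .html file.
        if (basename(p.image) in BROWSERS and parent
                and USER_WRITABLE.search(parent.image) and ".html" in p.cmdline.lower()):
            hits.append(("html_opened_by_user_path_process", p.pid))
    for r in regs:
        writer = by_pid.get(r.pid)
        # Rule 4: Run or Policies\Explorer\Run value pointing into a user-writable path.
        if RUN_KEYS.search(r.key) and USER_WRITABLE.search(r.data):
            hits.append(("run_key_to_user_path", r.pid))
        # Rule 5: wallpaper changed by a process that itself runs from a user path.
        if WALLPAPER_KEY.search(r.key) and writer and USER_WRITABLE.search(writer.image):
            hits.append(("wallpaper_set_by_user_path_process", r.pid))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events mirroring the report's tree. PID 2222 (the initial parent), the
# registry value names, the wallpaper path and the "Vendor Updater" entry are placeholders.
SAMPLE_PROCS = [
    ProcEvent(3644, 2222, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1004, 3644, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3044, 1004, DROPPED, f'"{DROPPED}"'),
    ProcEvent(3596, 3044, DROPPED, f'"{DROPPED}"'),
    ProcEvent(1364, 3596, EDGE, rf'"{EDGE}" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html'),
    ProcEvent(3460, 1364, EDGE, f'"{EDGE}" --type=crashpad-handler'),
]
SAMPLE_REGS = [
    RegEvent(3596, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TapiUnattend", f'"{DROPPED}"'),
    RegEvent(3596, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TapiUnattend",
             f'"{DROPPED}"'),
    RegEvent(3596, r"HKCU\Control Panel\Desktop\Wallpaper", r"C:\Users\Admin\AppData\Roaming\wallpaper.bmp"),
    RegEvent(2222, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor Updater",
             r'"C:\Program Files\Vendor\updater.exe"'),   # benign contrast, not flagged
]

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_PROCS, SAMPLE_REGS):
        print(f"{pid:>5}  {rule}")
```

Rules 1 and 2 fire twice each on this tree (once per stage), which is itself a useful signal: the same hollowing step is performed first by the original sample and again by the dropped copy. The Edge crashpad child is included precisely so that a "same image as parent" rule does not fire on ordinary multi-process browsers.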

Processes

  • C:\Users\Admin\AppData\Local\Temp\fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Users\Admin\AppData\Local\Temp\fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe
        "C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe
          "C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe"
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3596
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fffdcac46f8,0x7fffdcac4708,0x7fffdcac4718
              6⤵
                PID:3460
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
                6⤵
                  PID:4976
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
                  6⤵
                    PID:2300
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
                    6⤵
                      PID:2404
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                      6⤵
                        PID:2720
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
                        6⤵
                          PID:164
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
                          6⤵
                            PID:396
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
                            6⤵
                              PID:5516
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                              6⤵
                                PID:4932
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
                                6⤵
                                  PID:2616
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
                                  6⤵
                                    PID:1040
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
                                    6⤵
                                      PID:2020
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
                                      6⤵
                                        PID:2056
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
                                        6⤵
                                          PID:5792
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                                          6⤵
                                            PID:5820
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16543575788095766555,3522945852425175054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
                                            6⤵
                                              PID:788
                                          • C:\Windows\system32\NOTEPAD.EXE
                                            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                            5⤵
                                              PID:1400
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.0vgu64.top/5902-EB50-2BEE-0446-66A2?auto
                                              5⤵
                                                PID:5168
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdcac46f8,0x7fffdcac4708,0x7fffdcac4718
                                                  6⤵
                                                    PID:5252
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                                  5⤵
                                                    PID:5304
                                                  • C:\Windows\system32\cmd.exe
                                                    /d /c taskkill /t /f /im "TapiUnattend.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe" > NUL
                                                    5⤵
                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                    PID:4752
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /t /f /im "TapiUnattend.exe"
                                                      6⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5400
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 1 127.0.0.1
                                                      6⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:5632
                                              • C:\Windows\SysWOW64\cmd.exe
                                                /d /c taskkill /t /f /im "fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe" > NUL
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Suspicious use of WriteProcessMemory
                                                PID:4628
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /t /f /im "fff2b25d6363f93276cd2f20e7e27578_JaffaCakes118.exe"
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3516
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping -n 1 127.0.0.1
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:4564
                                          • C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe
                                            C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of SetThreadContext
                                            • Drops file in Windows directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:3600
                                            • C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe
                                              C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe
                                              2⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3516
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:5388
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:1516
                                              • C:\Windows\system32\AUDIODG.EXE
                                                C:\Windows\system32\AUDIODG.EXE 0x51c 0x518
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:468

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                b9569e123772ae290f9bac07e0d31748

                                                SHA1

                                                5806ed9b301d4178a959b26d7b7ccf2c0abc6741

                                                SHA256

                                                20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

                                                SHA512

                                                cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                eeaa8087eba2f63f31e599f6a7b46ef4

                                                SHA1

                                                f639519deee0766a39cfe258d2ac48e3a9d5ac03

                                                SHA256

                                                50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

                                                SHA512

                                                eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                221de8fdd876c80db5e38896d4fe3c58

                                                SHA1

                                                a08fb7dfcb14d083f0e216b21a2253794ad5041f

                                                SHA256

                                                d818b9f875e6e6b11867d469c9c8891c3e1b7cd66ddb0426c0934861e4b0b043

                                                SHA512

                                                1219d8f6bc48c4be65d8faf122d7a6a6a02fe010af43b5d9d28cedb79ec4e2cdcaf004ff81b863d1fc9ce25be5cfbdfcd4c417027e28f531523e3ce5f48d635d

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                c0c6548fd6f4b0871f9ca77c5767928e

                                                SHA1

                                                c6f89f62a71d938335e6910457d0a36a8ee64335

                                                SHA256

                                                ac7742647d4ae9ad708e00f969b2a7257b3d54c986175d1873a05895413f8fed

                                                SHA512

                                                935efebf661ced3715f421a62d6b400729e54055a2b4518f23d60e803a705d3314061721ec8c73aa8a87838a845fc1803051418aca4d662e43a33e0982f19806

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                                MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                10KB

                                                MD5

                                                b4889d619e134048b2c5c71072497adc

                                                SHA1

                                                92cbf6e2d85718be06cc550da402d0863a7f21da

                                                SHA256

                                                f881d8ab91078cde6474b463eacc7adb8134885fe2dc3f3de3d8a82e7471d54d

                                                SHA512

                                                f57a29596243785cc0ac73dd0662f08a05db92355ba701e6a5187c2d4f9a5e502122580d3d9f245489ebd61f132547aa6ea7f5ff86a7ecf9c6cf6d7ceaf40e8c

                                              • C:\Users\Admin\AppData\Local\Temp\Anchorage

                                                Filesize

                                                1KB

                                                MD5

                                                68796f196b22db99a53addbea06fb015

                                                SHA1

                                                15fd11610f51aaff87fb813deb9072aef89a968f

                                                SHA256

                                                db903b41e04034de2ee5271bd31960d155fdac9dcfee289687c911da5c328557

                                                SHA512

                                                f4628f88e26cd383ddd75b32b4b505cf216d797cd24fc795ef82cde9a28126cb0433a6d9323dc11eaf8733b6760020ca68013d434b5ae0faadd922f71138f298

                                              • C:\Users\Admin\AppData\Local\Temp\CMYK wm.ADO

                                                Filesize

                                                524B

                                                MD5

                                                ca6338ce720c9dc0cbb180e881c93bb8

                                                SHA1

                                                148d708c97d0c20c2f931d64c189a15a9e1dbb4f

                                                SHA256

                                                c4a39a0e6b140f0993c931bb7da6f2d658cae5d430d04bbdcbbfee3b673e705b

                                                SHA512

                                                8c07330e187f5b5e25e452b15cf7cb2c2f3959dac2fba9d9ed335b7a22bd8cc63dad3df7b48212d0cbd567267193621112debde6f4733fee41346d037ec1772a

                                              • C:\Users\Admin\AppData\Local\Temp\C_Enabled.png

                                                Filesize

                                                2KB

                                                MD5

                                                20f118b48a744553f6a5d2075ef1f114

                                                SHA1

                                                3905c8b23e04a589b64060b1226f29955625e127

                                                SHA256

                                                af3ea190ec3ae5330f2289aea799c3f7d87ebe9d57bc96d9646b8a59f24903b0

                                                SHA512

                                                15743ff18c5b0ffadac1fe4b4662e29e2ed81c4da7c1050b81a6e65178a868d01fbfae6c66555d6fba10005010843efecc7ff7a6896077e664794cb713bc6314

                                              • C:\Users\Admin\AppData\Local\Temp\ConflictingProcesses

                                                Filesize

                                                33B

                                                MD5

                                                1f3bc75daaf847977f7cf3529e4c48df

                                                SHA1

                                                f4dc15cada37c0eb4277dfb13f054c0c4e26f381

                                                SHA256

                                                d4368f7873c76dc461ffbcea9c96ec52db4de2e97f0c02762b78b5af1d1b4678

                                                SHA512

                                                01fee9822070f4413f7125e94a82794861da82f5d77dec0e3a1b6db90f605fc25f07926ef0fb4792e8e910cc90b868a89a50b16d5119084fe7c8ad8fa89df87d

                                              • C:\Users\Admin\AppData\Local\Temp\GIF 32 No Dither.irs

                                                Filesize

                                                1KB

                                                MD5

                                                b37db354d10a73ba88288164bb13182c

                                                SHA1

                                                3649f45a56cf71a0cb551315372546700cd96a0d

                                                SHA256

                                                9840c3e72436433614eab701e18e61f0ce0ab924a9491629463c949186dace4b

                                                SHA512

                                                8afe3071ba61ed20c2034c7501d8953a5a7d313bf4acc1a69f50f369296ad4e34df895c039eadf97afd543b4c4dc27e2d0532705121158ceb2a186725ba76bca

                                              • C:\Users\Admin\AppData\Local\Temp\Irregular.B2L

                                                Filesize

                                                64KB

                                                MD5

                                                8bc69dd99430807714e08254db2b4d35

                                                SHA1

                                                7a9ecf46b2f0a2789d807c53cc422e7df33a94ed

                                                SHA256

                                                ac96254a6832b71fa87a150a8940b4afc68126ada77a6a256d7b903ef96a57c3

                                                SHA512

                                                85c58a8265606bc5421a5f7d00425557bba33ece80c094d1b9a8f94f14c0f511db20f8cb521af3a8d44b767ae458b461a5349175cb1268009b233b34a447605d

                                              • C:\Users\Admin\AppData\Local\Temp\PanadaCousinage.NqW

                                                Filesize

                                                4KB

                                                MD5

                                                af8d5781966c6e1986ae1f468200dc9c

                                                SHA1

                                                ce14ace59a7282e7ebc3b48a101712262c248dd4

                                                SHA256

                                                6054571883bf20eab6213eb0c41d7778e97dafe769e18624e995ece2e67794aa

                                                SHA512

                                                2b887d28a7bcdb4a61fc2b1bc07a195384a59a9b8cc2c4f639f2afb79b24fbacd4da61e188cd06cf6d27f3af8ff7b0119a709589bf2ea6c585316569673c0bd1

                                              • C:\Users\Admin\AppData\Local\Temp\ProxySettings.dll

                                                Filesize

                                                36KB

                                                MD5

                                                159cd36e2bd6b1f8caba5ee02df51ed7

                                                SHA1

                                                7fa99130376af9ab813e66a2abc3e949b27ac7f5

                                                SHA256

                                                66348180266a0a8aacf6a87be7797adf9932f70ce0c5e461d02f7f4477940009

                                                SHA512

                                                835f6b146edfd1b51672b3e5815cb0274a8323cf17a59236a2b838a4f3464cd774f1e57a6bb01f5e52ef75ea5fe0ccd1b41e0d351029abac7adf6ccbf8183c41

                                              • C:\Users\Admin\AppData\Local\Temp\body.font.master.xml

                                                Filesize

                                                1KB

                                                MD5

                                                dcf6e7a41169fb0fc0a668500c02a897

                                                SHA1

                                                98b869d53ecc7dd7371c31b6462afee2701703ea

                                                SHA256

                                                b9aaaf7c331d9eab50a41789a65cac92942b5452cb583a048012cbb4defa777d

                                                SHA512

                                                c46f1dc2bf869e16693815cb1bffcf1ebe4fbc9dedfc6c09549cd06f2942efbf250ed49c7603531776f12b84a1161d5a83fffd0e5982a27e0ae7feecea3e7340

                                              • C:\Users\Admin\AppData\Local\Temp\changelog.txt

                                                Filesize

                                                762B

                                                MD5

                                                d11e598eb6c13a60f7e90199e2494fbc

                                                SHA1

                                                83b217b64256c18466c65b82db94915263452bf5

                                                SHA256

                                                7e092d72dd7f39541054e6f3c8de572ea385d49b9e1269f09cb7b98a185944f2

                                                SHA512

                                                9352d14c008933ee11434129191cdaec45919fad313397b73f64b8bc5dbeaef08b10a0198829c7a47ba6c944adb6a0120100caefa5aa6c4eec30e1b7a3e328a1

                                              • C:\Users\Admin\AppData\Local\Temp\collect.xref.targets.xml

                                                Filesize

                                                1KB

                                                MD5

                                                b315d71c7feca1a5c1611675c577d2df

                                                SHA1

                                                df93907f42140b3c6f932a2b5b40deb730dd5109

                                                SHA256

                                                575d396d6995c2f4c9cfe493c76847df2d468a49d2a379139521bd00fa1c1abf

                                                SHA512

                                                0a0513f58f33a27803bfdaa3e635928317d40de7488bef0b6d040d58414e60fd252f7ca348ef9d50827192f03e9e15675c5a5e3870cc8b36252671d4bbb5e680

                                              • C:\Users\Admin\AppData\Local\Temp\env.bat

                                                Filesize

                                                69B

                                                MD5

                                                0b30fdcd40962a14e305287fd65226d2

                                                SHA1

                                                bf274efac3559e73a27eae2b321b24796c2b2b91

                                                SHA256

                                                2ba947f88ea44d148e026ff20bcb43e8adb8981bb9d94b001c4a16d0fb0b98a0

                                                SHA512

                                                67dc3efff810a26684c0579861c3091d69b92ef84b693afc30ba7625ba5932c03463822904b6c3d89d9e214e608436f0a4c3f531e449f267dd2208e2479fb454

                                              • C:\Users\Admin\AppData\Local\Temp\fan2.png

                                                Filesize

                                                1KB

                                                MD5

                                                7bfb373d67d06ffe199f0902f93d9e7d

                                                SHA1

                                                bd59ac1a74a77ff17a3ef258bf78103d4314904a

                                                SHA256

                                                ae6e8895a2a328869326312221f08a1cbc7c45efe99ce66410d65d4139892140

                                                SHA512

                                                4bb98ab5e2aa95097edddf165587778b37737bf41523fff7f82e468a1c43f8f4b6074017d107fabca5fe237fa4beeec2d40ea47516afc6d7fe7093d59fc84770

• C:\Users\Admin\AppData\Local\Temp\nsgE2D0.tmp\System.dll
  Filesize: 11KB
  MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
  SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
  SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
  SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TapiUnattend.lnk
  Filesize: 1KB
  MD5: b422f0f3b781bcd0fde04bdb0bf286a1
  SHA1: 4a73813107b27222c8429fcb133b6fec1a186d21
  SHA256: d8b6e59901699bece4b3bfdfc707e7fdead4767d7589007ea4d9e37f195c387f
  SHA512: 6b0af870d2a1804be87adfcb42c80ff2067d6cc22e3e942e708bdb8a9dd9693f43c6718444b362fb63c9f91ac50ab3087ca015cf69368b5bfa9371434059dd6e

• C:\Users\Admin\AppData\Roaming\{213785FD-B748-09EE-BD5D-A1A6131C1E0C}\TapiUnattend.exe
  Filesize: 209KB
  MD5: fff2b25d6363f93276cd2f20e7e27578
  SHA1: 225fe2828be9b637da2d7621e9fae8f42f4ac4f8
  SHA256: 6480fc69756f789c08636c4cc4a3a8456f9e037245f1001a8ce47be37b56ad03
  SHA512: 4501f3fbdadf9cb737ed451e2f0003fbeace09b3830b2adab6a39483cdb41ae144b9ec924ded56e77ae96b1305b18cdfd262a6eb0563cfe0b8d706c651b93464

• C:\Users\Admin\Music\# DECRYPT MY FILES #.html
  Filesize: 19KB
  MD5: 4a20ebafb5b02afafe783068684d7ede
  SHA1: c5cfeb099bfd826fd068496d9bec9f2fda521310
  SHA256: 1585e0ea1806704bcaf46d6e427ce6ebcb337c3292aee2405f1041d5d423b788
  SHA512: a81a749a1e0878c34a43b49cb19adb1052149e2609a80741103b122f7699ca2a015feefa890eb69a7f72f2b662fd2798e9db818756981f810a973c444ee6485d

• C:\Users\Admin\Music\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: 69fca59977182975c2681c7ffe4ab159
  SHA1: 01fb726ff2bad097dac7ce7427fc4e6746b13a24
  SHA256: 229f50e3d8f16cef5027c4de409cd2521559bba387987e67e0444bab747c23a7
  SHA512: 1ea0d5dc2b524fc109ea11a562a5761136446d9a9a19c0eeb3f5e0b3398bc1717eecb68fcc81db410e79ff45da61fa4a8d7ac58ae8e30e7a4a9756f2e90a2491

• C:\Users\Admin\Music\# DECRYPT MY FILES #.url
  Filesize: 90B
  MD5: 20590f405eb25f4992c1dce2694be1b4
  SHA1: f9edbca5fcc60ac174fa3183c7824f343df96339
  SHA256: 85cebfdb4766a6abca021c835b3f564b1cfde40250ebd9606092dc2d10e0c527
  SHA512: b13576fb2c196f16f3542fb8faea2142a8e5cc14d9b473f809c1eb7e377f6a5060d1daa2cf413dbeb7378be43f227c74ca0e53527324507e77ab9e67101a717c

• C:\Users\Admin\Music\# DECRYPT MY FILES #.vbs
  Filesize: 213B
  MD5: 1c2a24505278e661eca32666d4311ce5
  SHA1: d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee
  SHA256: 3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628
  SHA512: ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

• memory/1004-38-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/1004-30-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/1004-29-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/1004-28-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/1004-27-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/1004-25-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3516-133-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3516-132-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-988-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-87-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-978-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-129-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-975-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-88-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-963-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-982-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-985-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-1000-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-997-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-972-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-991-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-136-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-138-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-81-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-994-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-966-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-960-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-957-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-954-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-969-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-137-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-86-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-84-0x0000000003780000-0x0000000003781000-memory.dmp (Filesize: 4KB)
• memory/3596-82-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3596-1057-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
• memory/3600-126-0x00000000021C0000-0x00000000021C9000-memory.dmp (Filesize: 36KB)
• memory/3644-22-0x0000000003060000-0x0000000003069000-memory.dmp (Filesize: 36KB)