Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    31-10-2024 08:50

General

  • Target

    8283c1cc0db9501e05206c0542fe9447_JaffaCakes118.exe

  • Size

    258KB

  • MD5

    8283c1cc0db9501e05206c0542fe9447

  • SHA1

    fa800fdf2fc3bc8c015d7f20e04a54b9f95f39f5

  • SHA256

    b592240b55c4c0fcf3733ba808523025ec245302d7ebc897bbc6824596de90a7

  • SHA512

    133edc6a33503896adcc86381f1bed32646b734e246b22843a524c489bd6a63c38e696aa14b814c744d817385146ad214a78963a80c6cb3d9a7783099ae6791a

  • SSDEEP

    6144:BwHysO+NnMZ2INVorOnii05dapobD/OLJoMyk6zk:qO+NFYRYQyGNTykIk

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable???
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!
You have turned to be a part of a big community "#Cerb3r Ransomware".
#########################################################################
!!! If you are reading this message it means the software "Cerber" has
!!! been removed from your computer.
!!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a
!!! working domain of your personal page!
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to return your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
1. http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571
2. http://52uo5k3t73ypjije.y12acl.bid/332E-61FF-9E83-0046-1571
3. http://52uo5k3t73ypjije.hhc366.top/332E-61FF-9E83-0046-1571
4. http://52uo5k3t73ypjije.gg4dgp.bid/332E-61FF-9E83-0046-1571
5. http://52uo5k3t73ypjije.onion.to/332E-61FF-9E83-0046-1571
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://52uo5k3t73ypjije.onion/332E-61FF-9E83-0046-1571 in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571

http://52uo5k3t73ypjije.y12acl.bid/332E-61FF-9E83-0046-1571

http://52uo5k3t73ypjije.hhc366.top/332E-61FF-9E83-0046-1571

http://52uo5k3t73ypjije.gg4dgp.bid/332E-61FF-9E83-0046-1571

http://52uo5k3t73ypjije.onion.to/332E-61FF-9E83-0046-1571

http://52uo5k3t73ypjije.onion/332E-61FF-9E83-0046-1571

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571" id="url_1" target="_blank">http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.y12acl.bid/332E-61FF-9E83-0046-1571" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/332E-61FF-9E83-0046-1571</a></li> <li><a href="http://52uo5k3t73ypjije.hhc366.top/332E-61FF-9E83-0046-1571" target="_blank">http://52uo5k3t73ypjije.hhc366.top/332E-61FF-9E83-0046-1571</a></li> <li><a href="http://52uo5k3t73ypjije.gg4dgp.bid/332E-61FF-9E83-0046-1571" target="_blank">http://52uo5k3t73ypjije.gg4dgp.bid/332E-61FF-9E83-0046-1571</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/332E-61FF-9E83-0046-1571" target="_blank">http://52uo5k3t73ypjije.onion.to/332E-61FF-9E83-0046-1571</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571" id="url_2" target="_blank">http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571" id="url_3" target="_blank">http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571" id="url_4" target="_blank">http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/332E-61FF-9E83-0046-1571</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Signatures

  • Cerber 2 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (530) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8283c1cc0db9501e05206c0542fe9447_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8283c1cc0db9501e05206c0542fe9447_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\8283c1cc0db9501e05206c0542fe9447_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8283c1cc0db9501e05206c0542fe9447_JaffaCakes118.exe"
      2⤵
      • Cerber
      • Modifies visibility of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Users\Admin\AppData\Roaming\{221C34B6-8771-0DBF-8B49-80C3396FDD4F}\efsui.exe
        "C:\Users\Admin\AppData\Roaming\{221C34B6-8771-0DBF-8B49-80C3396FDD4F}\efsui.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Users\Admin\AppData\Roaming\{221C34B6-8771-0DBF-8B49-80C3396FDD4F}\efsui.exe
          "C:\Users\Admin\AppData\Roaming\{221C34B6-8771-0DBF-8B49-80C3396FDD4F}\efsui.exe"
          4⤵
          • Cerber
          • Modifies visibility of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:4024
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3584
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3516
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:4596
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4460
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8174146f8,0x7ff817414708,0x7ff817414718
            6⤵
            PID:2452
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
            6⤵
            PID:2640
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
            6⤵
            PID:4856
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
            6⤵
            PID:1336
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
            6⤵
            PID:4064
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
            6⤵
            PID:2352
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
            6⤵
            PID:3260
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
            6⤵
            PID:1436
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
            6⤵
            PID:4900
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
            6⤵
            PID:3464
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
            6⤵
            PID:4844
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
            6⤵
            PID:4564
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
            6⤵
            PID:3988
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
            6⤵
            PID:5160
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,458708243950291901,1651730047241756244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
            6⤵
            PID:5420
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
          5⤵
          PID:2820
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.5tb8hy.bid/332E-61FF-9E83-0046-1571?auto
          5⤵
          PID:1584
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0xdc,0x7ff8174146f8,0x7ff817414708,0x7ff817414718
            6⤵
            PID:2440
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          5⤵
          PID:3340
        • C:\Windows\system32\cmd.exe
          /d /c taskkill /f /im "efsui.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{221C34B6-8771-0DBF-8B49-80C3396FDD4F}\efsui.exe" > NUL
          5⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:4248
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "efsui.exe"
            6⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4472
          • C:\Windows\system32\PING.EXE
            ping -n 1 127.0.0.1
            6⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5028
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /f /im "8283c1cc0db9501e05206c0542fe9447_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\8283c1cc0db9501e05206c0542fe9447_JaffaCakes118.exe" > NUL
      3⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "8283c1cc0db9501e05206c0542fe9447_JaffaCakes118.exe"
        4⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4352
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        4⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1152
• C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:2596
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:632
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:1088
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x150 0x4a4
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:3624

Network

MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              ba6ef346187b40694d493da98d5da979

                                              SHA1

                                              643c15bec043f8673943885199bb06cd1652ee37

                                              SHA256

                                              d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                              SHA512

                                              2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              b8880802fc2bb880a7a869faa01315b0

                                              SHA1

                                              51d1a3fa2c272f094515675d82150bfce08ee8d3

                                              SHA256

                                              467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                              SHA512

                                              e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              5KB

                                              MD5

                                              2a425f151ca7be77a553e215b4c46600

                                              SHA1

                                              1996a1477436dc62d56bf0b5ade74b35eb7b7c34

                                              SHA256

                                              dfecc517f99c92c9efc53ab6e54f6777b5021de1a5ff1525846309684ef9cde0

                                              SHA512

                                              82265892bc4280203b3020429f680a264480678f58229d9b4ae153b91bc55e8de59353230ef1e6e423b5053bd5414b742ea77a7dfe80afdb78dd83c50c72fc97

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              82dd75e24c204b67732734acd45fc4f7

                                              SHA1

                                              7cf74e2a428bb8a6dcf52a85a8d03a3883ae7203

                                              SHA256

                                              5f30223057e4aba48440f407284b151e31b840a982853237655657536db68166

                                              SHA512

                                              8848f4c14b3c1599f94721ef5f07b6c3f3647dce556678bdeec8233a354fb54bd353dcff44e1f2b360686820e64d2e6f2dd257a33b789532ebf0377d2b3faefe

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              6752a1d65b201c13b62ea44016eb221f

                                              SHA1

                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                              SHA256

                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                              SHA512

                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              11KB

                                              MD5

                                              09f622b64c227a9e5e7215d77cd7329a

                                              SHA1

                                              a137ed5b5e054dcd109b095feaf1ecb3aa245ce4

                                              SHA256

                                              86eacf5bc921387efbd4d534a056dff467bf329ffc3ecf0a9ac67d7056ac8bee

                                              SHA512

                                              6a7d8f0cc8718b5015f1956581e70b74f9d022d6c3ad8bdb04bce895de63b8d67caefc5a9335ee32752e4afba10033870739e68fee61238307b921fbdc6651b0

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\json[1].json

                                              Filesize

                                              289B

                                              MD5

                                              59386c53f2570f0e370e2ece30ccce7a

                                              SHA1

                                              b2fe2bc41bc2c07a33ebbc2e3ec6e30229215d69

                                              SHA256

                                              3b845724fd74dd2034ec56d4a2ecacc2dd49e0b388bf68f2e9546b9f8fa8065f

                                              SHA512

                                              3dd155da349193d5b1c185c52b2bd5b66edcff318d4fb051799523c490f6a95c9da85ab8dc203334b4630c978b0cb6fa70fcc54497e33ea1b9c91f4497541569

                                            • C:\Users\Admin\AppData\Local\Temp\nsrBCF8.tmp\System.dll

                                              Filesize

                                              11KB

                                              MD5

                                              6f5257c0b8c0ef4d440f4f4fce85fb1b

                                              SHA1

                                              b6ac111dfb0d1fc75ad09c56bde7830232395785

                                              SHA256

                                              b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

                                              SHA512

                                              a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

                                            • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

                                              Filesize

                                              19KB

                                              MD5

                                              2cb787ac6ad67dc8d25c345f8cdccb31

                                              SHA1

                                              3c945db3ff0d2210ef148047033775b7e6e6f55f

                                              SHA256

                                              7085dcfb5fc016a2dfa636ab0a7853e2f8b8a1c73c0914ce9b68e5ca39568880

                                              SHA512

                                              c956e6ebfa87bbf8783de43a1c7df8db5d30579af0a9bb65727ab71fcf66543a80d61ba678271db7712c82c138a305da47dd1b70a91ceebfe835840440b06962

                                            • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

                                              Filesize

                                              10KB

                                              MD5

                                              91677d3c3a651a0c59c8fca384a21671

                                              SHA1

                                              5acca5855c42844b3e930df1393f28c24b94a2a8

                                              SHA256

                                              a43b4a86629a68ad10f08bbecd7255c1c95d5788cbd000dae359667f2fe5c49a

                                              SHA512

                                              1b746a709abcae0e6970b40869db4cfe111caddaa27071c14fbe61359e51f915ce18cfd7dd8b7915e11613c01d361ae6beadea22c7751ddb95d2ff409dcdd379

                                            • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.url

                                              Filesize

                                              90B

                                              MD5

                                              f5b008c6f7b872ff2950f1aea26d176d

                                              SHA1

                                              86d9d0c6ead0d9a55585cd431805d734e7f32e0c

                                              SHA256

                                              b01f28e202a2f1fda7bba77cd1d7677c824806194a212a536264ca35fe1e0b6b

                                              SHA512

                                              a7b3e61a18b79524f152dc5ec881e62491a5d1beec50b890efbcaeb1c76eba95ed376ec2f8e7556376f120a31993fcf6036c5b91a1ca5282dbb1c79a152566f4

                                            • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.vbs

                                              Filesize

                                              252B

                                              MD5

                                              18d46f5d8ebd3c7d6df0c7a8fd1bd64d

                                              SHA1

                                              aeb8407457434aabce2a4c2f95fe305c5303f929

                                              SHA256

                                              ceb35b75d397b07c84dfab3a28189e9431bdf80ec99ab65f9ccf01986bd4a8e9

                                              SHA512

                                              35fc759be0dee77eb9e39350873c24d9693cf6f370f171814e2ce6250ea814fea8a0887442ebae9077d6e9ff81ae7034faa0afcb080401a7d4ac384d2ba42d65

                                            • C:\Users\Admin\AppData\Roaming\Dunnakin.Xtw

                                              Filesize

                                              3KB

                                              MD5

                                              6b6888981cf28ad6060bf74a6310d40c

                                              SHA1

                                              5eab9777cfcf3be44dd621eb3a7abf482df3e7f3

                                              SHA256

                                              d429f4b6cda0bc7014c10f05cb4d9a520cbabc6b297c4e8cd792b2b5e854d987

                                              SHA512

                                              64c6d6ea608e1c5d0c3a952caf5816a16d31212e1bb9e62b76710b4e9dd751023f3d8c58333c73cf79c7aff0fafb1143290b0666a7e20b798c3e52a563a61655

                                            • C:\Users\Admin\AppData\Roaming\Errlog.txt

                                              Filesize

                                              3KB

                                              MD5

                                              bd600beb7970de7c3a30d3374159ada8

                                              SHA1

                                              a7317fd2a67fc4856d02589c001e91b42e5cdbfe

                                              SHA256

                                              326c54cac5aa893a2da05c78a7cf9daa6391c2b4ad34a14147c8c80964ebb7ea

                                              SHA512

                                              764e60c590d469d699d31bfc83ec428e6bcdbf9b79d24ae567b0439cb1f163290c07c2ff40051a11cb7020f493fa9ec90cd953a0f53752b61da86536d5642d1c

                                            • C:\Users\Admin\AppData\Roaming\Errlog.txt

                                              Filesize

                                              2KB

                                              MD5

                                              1b5c9ac81d0db16bdef65bb8ed4401a1

                                              SHA1

                                              b45a09049cdabcdaa104e284bb457aabf9e02909

                                              SHA256

                                              79f8f465d0ad808a0c2bc0bd79cad80d1f2ec0e92df2a7b9d79d764bb0308535

                                              SHA512

                                              c2d6146fad4289a9f6b502872f102dbe7678bab74f744810845ed80d137620b3ea45b8141f2600cc557df27f3e79523df6ce8bc9fc2947798f2171034149076c

                                            • C:\Users\Admin\AppData\Roaming\Fighter4 Flight Path.mesh

                                              Filesize

                                              3KB

                                              MD5

                                              c22dce2c95e3fbc8ac2f569b7fb8474a

                                              SHA1

                                              9e5b1c407424004fa5c0c1d96af96a9b0e10353e

                                              SHA256

                                              423cad4eca8206b5b3ef851278a749e5246042e32759abe6b2026d14ed2ba6d6

                                              SHA512

                                              f516531af2f75cb949ef6fbd2bd18e12aa07f94e2b7cb1398d0b13033f84c91f32ca28dc76c6e8caa8191c7b115a3cf59fddc241bfb3e244ae50247c6eee69f1

                                            • C:\Users\Admin\AppData\Roaming\Latency.aS9

                                              Filesize

                                              207KB

                                              MD5

                                              2fcb0be151595ca64a870aa356c0db8c

                                              SHA1

                                              e9ecdf81188a5fc3800fbe4b2856c04cbb838def

                                              SHA256

                                              58c63bb36f82c489fee50f4f460fb0467abf158200d512c0b007b8111a53b00d

                                              SHA512

                                              bbaa13b73a94c1c4c421e99e148aaadc2f01e2b2e5fe49f1bd8c36ddca7592b31660a3e6daac045dc6d92a93028b4b21ea87f7290ee353adb28d43188ad01690

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\efsui.lnk

                                              Filesize

                                              1KB

                                              MD5

                                              3ee1b6e8ba66b58ab042e16fae2458e6

                                              SHA1

                                              ea7dcbbcfa62164347ce20a46c1400d45f22bd48

                                              SHA256

                                              48de711d369441be4831ecca78ebd7c4f1f11e0cc3bf18700d871da8dc20a494

                                              SHA512

                                              36d592c6732d51e5add5b4a1e16a54df9e92fdaf7caece1c645c6265793babfa78c6d8137165c42a2c707b3f2b9d912e0c5b1fb0de4c24eac3e05590dae088f0

                                            • C:\Users\Admin\AppData\Roaming\Perl.dll

                                              Filesize

                                              72KB

                                              MD5

                                              9b35870798ea01e8e943091ec7a0bb80

                                              SHA1

                                              66650be447dceabd4ba938ccf1a9663f2eb99a91

                                              SHA256

                                              663aa24d2ef5cc3a0f0b8e8e575643c59a37b4c0fd7d7b2cf5217f14c9eb7309

                                              SHA512

                                              b9f297a2cc255a7aac51ff2b1e45f6985359968bfe88b8e7201f7ecb5b16bfd97323042a29ad87e149c7994d9e16b034ebe1b044bffc6e2a98ebef2997656279

• C:\Users\Admin\AppData\Roaming\{221C34B6-8771-0DBF-8B49-80C3396FDD4F}\efsui.exe
  Filesize: 258KB
  MD5: 8283c1cc0db9501e05206c0542fe9447
  SHA1: fa800fdf2fc3bc8c015d7f20e04a54b9f95f39f5
  SHA256: b592240b55c4c0fcf3733ba808523025ec245302d7ebc897bbc6824596de90a7
  SHA512: 133edc6a33503896adcc86381f1bed32646b734e246b22843a524c489bd6a63c38e696aa14b814c744d817385146ad214a78963a80c6cb3d9a7783099ae6791a

• memory/1584-13-0x0000000003020000-0x0000000003033000-memory.dmp
  Filesize: 76KB

• memory/1660-54-0x0000000002F10000-0x0000000002F23000-memory.dmp
  Filesize: 76KB

• memory/1880-18-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/1880-19-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/1880-20-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/1880-23-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/1880-25-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/1880-33-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/1880-16-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-883-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-904-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-871-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-874-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-877-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-880-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-59-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-886-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-889-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-892-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-895-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-898-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-901-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-107-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-907-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-910-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-913-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-916-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-74-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-73-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-72-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-67-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-953-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-951-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-64-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-63-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB

• memory/2720-60-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
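Two checks worth doing by hand on this artefact list, written out as an added example (this is not code from the sandbox report or from any tool it uses). First, the dropped `efsui.exe` under `%AppData%\{221C34B6-...}\` carries exactly the MD5, SHA-1, SHA-256 and SHA-512 of the submitted sample, so it is a byte-for-byte self-copy rather than a second-stage payload. Second, each memory dump name encodes `<pid>-<seq>-0x<start>-0x<end>`, so the reported `Filesize` can be re-derived from the address range, and the many `2720-*` entries covering `0x400000-0x43A000` are repeated snapshots of one region (a range starting at `0x400000` is the usual default image base of a 32-bit PE; the report itself does not say what the region holds). The digest constants and dump names below are copied from the page; the function names and the streaming `hash_file` helper are this example's own.

```python
"""Consistency checks over a sandbox report's Files and Memory entries (added example)."""
import hashlib
import re
from collections import Counter

# Digests copied from the report: the submitted target (page header) and the dropped copy (Files list).
SUBMITTED_SAMPLE = {
    "md5": "8283c1cc0db9501e05206c0542fe9447",
    "sha1": "fa800fdf2fc3bc8c015d7f20e04a54b9f95f39f5",
    "sha256": "b592240b55c4c0fcf3733ba808523025ec245302d7ebc897bbc6824596de90a7",
}
DROPPED_EFSUI = {
    "path": r"C:\Users\Admin\AppData\Roaming\{221C34B6-8771-0DBF-8B49-80C3396FDD4F}\efsui.exe",
    "md5": "8283c1cc0db9501e05206c0542fe9447",
    "sha1": "fa800fdf2fc3bc8c015d7f20e04a54b9f95f39f5",
    "sha256": "b592240b55c4c0fcf3733ba808523025ec245302d7ebc897bbc6824596de90a7",
}

# A subset of the Memory entries, (dump name, reported size) exactly as listed on the page.
MEMORY_DUMPS = [
    ("memory/1584-13-0x0000000003020000-0x0000000003033000-memory.dmp", "76KB"),
    ("memory/1660-54-0x0000000002F10000-0x0000000002F23000-memory.dmp", "76KB"),
    ("memory/1880-16-0x0000000000400000-0x000000000043A000-memory.dmp", "232KB"),
    ("memory/1880-18-0x0000000000400000-0x000000000043A000-memory.dmp", "232KB"),
    ("memory/2720-59-0x0000000000400000-0x000000000043A000-memory.dmp", "232KB"),
    ("memory/2720-953-0x0000000000400000-0x000000000043A000-memory.dmp", "232KB"),
]

# Dump names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (hypothetical parser, matches the page).
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def hash_bytes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of a buffer, keyed like the report's fields."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path) -> dict:
    """Same digests for a file on disk, streamed in 1 MiB chunks so large samples stay out of RAM."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def is_self_copy(a: dict, b: dict) -> bool:
    """True only when the two records share at least one digest field and every shared digest agrees."""
    shared = [k for k in ("md5", "sha1", "sha256", "sha512") if k in a and k in b]
    return bool(shared) and all(a[k].lower() == b[k].lower() for k in shared)


def parse_dump_name(name: str) -> dict:
    """Split a dump name into pid, sequence number and address range; size is end - start."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def size_matches(name: str, reported: str) -> bool:
    """Check the report's 'NNNKB' label against the range; the report rounds down to whole KiB."""
    kib = parse_dump_name(name)["size"] // 1024
    return reported.upper() == f"{kib}KB"


def group_regions(dumps) -> Counter:
    """Count dumps per (pid, start, end): repeats of one region are snapshots over time, not new allocations."""
    return Counter((d["pid"], d["start"], d["end"]) for d in (parse_dump_name(n) for n, _ in dumps))


if __name__ == "__main__":
    print("efsui.exe is a byte-identical copy of the sample:", is_self_copy(SUBMITTED_SAMPLE, DROPPED_EFSUI))
    for name, reported in MEMORY_DUMPS:
        print(f"{name}: {'ok' if size_matches(name, reported) else 'MISMATCH'}")
    for (pid, start, end), n in group_regions(MEMORY_DUMPS).items():
        print(f"pid {pid} region {start:#x}-{end:#x} dumped {n}x")
```

To check a file you actually have against the listed IOCs, feed it to `hash_file` and compare with `is_self_copy`; the streaming loop matters when the artefact is a multi-gigabyte memory image rather than a 258KB dropper.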