Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10/11/2024, 16:05
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/Cerber5.exe
Resource
win10v2004-20241007-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/Cerber5.exe
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___6Z01E_.txt
cerber
http://xpcx6erilkjced3j.onion/03FD-2E19-6080-0098-B54D
http://xpcx6erilkjced3j.1n5mod.top/03FD-2E19-6080-0098-B54D
http://xpcx6erilkjced3j.19kdeh.top/03FD-2E19-6080-0098-B54D
http://xpcx6erilkjced3j.1mpsnr.top/03FD-2E19-6080-0098-B54D
http://xpcx6erilkjced3j.18ey8e.top/03FD-2E19-6080-0098-B54D
http://xpcx6erilkjced3j.17gcun.top/03FD-2E19-6080-0098-B54D
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Contacts a large number (1105) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 4972 netsh.exe 3892 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Cerber5.exe -
Drops startup file 1 IoCs
description ioc Process File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ Cerber5.exe -
Executes dropped EXE 6 IoCs
pid Process 4960 Cerber5.exe 3608 Cerber5.exe 3524 Cerber5.exe 2544 Cerber5.exe 4368 Cerber5.exe 5724 Cerber5.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 20 raw.githubusercontent.com 21 raw.githubusercontent.com -
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp14DB.bmp" Cerber5.exe -
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cerber5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cerber5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cerber5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cerber5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cerber5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cerber5.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5996 cmd.exe 5136 PING.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 1 IoCs
pid Process 6100 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings Cerber5.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 315615.crdownload:SmartScreen msedge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 5636 NOTEPAD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5136 PING.EXE -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2772 msedge.exe 2772 msedge.exe 2388 msedge.exe 2388 msedge.exe 3428 identity_helper.exe 3428 identity_helper.exe 4104 msedge.exe 4104 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 2388 msedge.exe 2388 msedge.exe 2388 msedge.exe 2388 msedge.exe 2388 msedge.exe 2388 msedge.exe 2388 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeShutdownPrivilege 4960 Cerber5.exe Token: SeCreatePagefilePrivilege 4960 Cerber5.exe Token: SeDebugPrivilege 6100 taskkill.exe -
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/Cerber5.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa048146f8,0x7ffa04814708,0x7ffa048147182⤵PID:1940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:22⤵PID:2796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:82⤵PID:1904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
Depth: 2
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
Depth: 2
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
Depth: 2
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4748 /prefetch:8
Depth: 2
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
Depth: 2
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5752 /prefetch:8
Depth: 2
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
Depth: 2
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
Depth: 2
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
Depth: 3
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4972

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
Depth: 3
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3892

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___QFSQH_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Depth: 3
- System Location Discovery: System Language Discovery
PID:5668

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WWFH8IAX_.txt
Depth: 3
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:5636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
Depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "C"
Depth: 4
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
Depth: 4
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5136

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
Depth: 2
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:3608

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
Depth: 2
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:3524

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
Depth: 2
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
Depth: 2
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
Depth: 2
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
Depth: 2
PID:5976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
Depth: 2
PID:5896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID:2564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID:1504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Depth: 1
PID:1176

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
Depth: 1
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:4368

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
Depth: 1
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:5724
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process: 1
- Windows Service: 1
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
Privilege Escalation
- Create or Modify System Process: 1
- Windows Service: 1
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
Defense Evasion
- Impair Defenses: 1
- Disable or Modify System Firewall: 1
- Modify Registry: 1
Discovery
- Browser Information Discovery: 1
- Network Service Discovery: 1
- Peripheral Device Discovery: 1
- Query Registry: 3
- Remote System Discovery: 1
- System Information Discovery: 4
- System Location Discovery: 1
- System Language Discovery: 1
- System Network Configuration Discovery: 1
- Internet Connection Discovery: 1
Downloads