Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-05-2024 19:26

General

  • Target

    1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe

  • Size

    186KB

  • MD5

    1e039f9770017f09225e58d7759b700a

  • SHA1

    fc1e83365f05fb98b4dc94833e430a7adc055bf5

  • SHA256

    f9ab2087217beb38c3ec3dc043aad739dac202dc422f44e49c0fb5ca6db26502

  • SHA512

    ebeb10678547b0eca642645a673e9e6309c3ba961e62d83aca95aff8a351a56c07544c92688681e58dbe66cc8e0812ab01c388d0b5e463d5c97d4ea038bf26e2

  • SSDEEP

    3072:oM1BjoYNXoKDIJBXJPG45d48j8uZmXJtP4NMtGvNOilk+qNKNtmlohi8tUUB5+Qy:oMMYNXqBBG6Zj8ikJtP4SGVdHqEUGQUw

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530 | | 2. http://cerberhhyed5frqa.onion.cab/F1CB-43B1-ACAA-006D-F530 | | 3. http://cerberhhyed5frqa.onion.nu/F1CB-43B1-ACAA-006D-F530 | | 4. 
http://cerberhhyed5frqa.onion.link/F1CB-43B1-ACAA-006D-F530 | | 5. http://cerberhhyed5frqa.tor2web.org/F1CB-43B1-ACAA-006D-F530 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/F1CB-43B1-ACAA-006D-F530 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530

http://cerberhhyed5frqa.onion.cab/F1CB-43B1-ACAA-006D-F530

http://cerberhhyed5frqa.onion.nu/F1CB-43B1-ACAA-006D-F530

http://cerberhhyed5frqa.onion.link/F1CB-43B1-ACAA-006D-F530

http://cerberhhyed5frqa.tor2web.org/F1CB-43B1-ACAA-006D-F530

http://cerberhhyed5frqa.onion/F1CB-43B1-ACAA-006D-F530

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530" target="_blank">http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530</a></li> <li><a href="http://cerberhhyed5frqa.onion.cab/F1CB-43B1-ACAA-006D-F530" target="_blank">http://cerberhhyed5frqa.onion.cab/F1CB-43B1-ACAA-006D-F530</a></li> <li><a href="http://cerberhhyed5frqa.onion.nu/F1CB-43B1-ACAA-006D-F530" target="_blank">http://cerberhhyed5frqa.onion.nu/F1CB-43B1-ACAA-006D-F530</a></li> <li><a href="http://cerberhhyed5frqa.onion.link/F1CB-43B1-ACAA-006D-F530" target="_blank">http://cerberhhyed5frqa.onion.link/F1CB-43B1-ACAA-006D-F530</a></li> <li><a href="http://cerberhhyed5frqa.tor2web.org/F1CB-43B1-ACAA-006D-F530" target="_blank">http://cerberhhyed5frqa.tor2web.org/F1CB-43B1-ACAA-006D-F530</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530" target="_blank">http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet 
browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530" target="_blank">http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530" target="_blank">http://cerberhhyed5frqa.onion.to/F1CB-43B1-ACAA-006D-F530</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/F1CB-43B1-ACAA-006D-F530</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16390) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\PkgMgr.exe
        "C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\PkgMgr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\PkgMgr.exe
          "C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\PkgMgr.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1064
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1576
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:920
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1824
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:544
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1656
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:406530 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1348
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:1700
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:232
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "PkgMgr.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\PkgMgr.exe" > NUL
            5⤵
            PID:2676
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "PkgMgr.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2720
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2700
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe" > NUL
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2692
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1968
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1896
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2024
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1664
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    T1047 Windows Management Instrumentation (1)
  • Persistence
    T1547 Boot or Logon Autostart Execution (2)
    T1547.001 Registry Run Keys / Startup Folder (2)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (2)
    T1547.001 Registry Run Keys / Startup Folder (2)
  • Defense Evasion
    T1070 Indicator Removal (2)
    T1070.004 File Deletion (2)
    T1112 Modify Registry (4)
  • Credential Access
    T1552 Unsecured Credentials (1)
    T1552.001 Credentials In Files (1)
  • Discovery
    T1046 Network Service Discovery (2)
    T1082 System Information Discovery (2)
    T1018 Remote System Discovery (1)
  • Collection
    T1005 Data from Local System (1)
  • Impact
    T1490 Inhibit System Recovery (3)
    T1491 Defacement (1)

Downloads

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
    Filesize

    12KB

    MD5

    65d4f7fce5345ac6bb2cc42597d54adf

    SHA1

    d8eedc0ff32f12ae15aa366eb1211612ffcf1d5a

    SHA256

    7529c5c895c67f831cb10b95a45af8bd0c9c1f92a74e97713608b8d6388e737b

    SHA512

    2ffd9ba3efb18c8a1c209087ba4a19f232227cbb354d9ab93110865d8c38e476d95926453c408618a03628820ebe8f7e9cd6bcf552a3a5a1c336213b210d7385

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
    Filesize

    10KB

    MD5

    749f3939953d3873d2b909ea82b8c29c

    SHA1

    7ea1ebf4027e837375e3f227946e7e04dbacf738

    SHA256

    8507499d81955a88b6bd4ec5b087cb718c48db49534aeeeaf2408fe70e402767

    SHA512

    70f33598e50ab4f82dbf9361f2a51b3dcb16173f80a6e7f980d1fe31015b46c246d7ef8687dd70351d6ba9c58f755f9af981fb6352ebc3e7cb58476b7cd47e67

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
    Filesize

    83B

    MD5

    d3fb9d5da0695f823092c69189100ff2

    SHA1

    09f7e9adab9495faa79c686c8cc19816d2ecd522

    SHA256

    4eadc170889683f01c3be1de96ad1b5fb090006da748c2b9dbbe57d1b069e121

    SHA512

    cfe020bbd13cc4d0f7e30861822763adf329f5c44323207118ebcee984a5b045c59bf7e5d467f80166c111a447549a86f70ea8e825363507175594124ea96c3c

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
    Filesize

    219B

    MD5

    35a3e3b45dcfc1e6c4fd4a160873a0d1

    SHA1

    a0bcc855f2b75d82cbaae3a8710f816956e94b37

    SHA256

    8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

    SHA512

    6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    e9dcfecc49a31bccbce34424f68eb600

    SHA1

            59350dc83b930500db1d29ea961993a793af90ba

            SHA256

            8a580c9711d777c86886400e6e92d80706cc67fda0c5e50f3bddf1bd47d39beb

            SHA512

            8f7a4a2a56e41a06cf3d4c7020711f9c171e75f157e15c1f1746b043332f2862ac6bbb0b22436dcf8dc5cee4ee10fc33bae2ce3584705c569a6c66f7e2a51fda

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            8f8f80385ff5d897c7cde8833154319e

            SHA1

            f796889d75a9123be40f6fe3b374d4080311dbcc

            SHA256

            04d483193cb9efe188129c858b555f52c85ca2fdbc5adaf176dfe562d635e178

            SHA512

            9074df254e2f557b24fe647d22bfd3a8cd5a12eb59179dadee38b03aa66700347d0988010351ceabebdfd6d59f4a3b126df5e4b2cdbd8d72946061ade0d9de5b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            4705859888dac60955db181616fa7463

            SHA1

            ef68081fce30a935c5f78c6f21c09ed6befa5172

            SHA256

            8365295fee1ad383e3a13b52e1dfb2587f7ecdd895905a2b8cd22b4e5faa69fd

            SHA512

            7f808cce2a41f4238b7c4bce5205cadb30875cde3679258fe5ec5e54cfaf588aa53f9771a2ffc3e38720a7b87acb4e2d58b337d0e045731cca8c629a20c177e4

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            1cd0d62e0a3b2a9df8fa4fd4c05b8b18

            SHA1

            aa315cba0dc7e0bc498e0a031c4136c5f3bee1bd

            SHA256

            78a641d10b0646cfb02d92777ca80ea75bbb00f9fc6d5611fd1af9a1ec99c7bb

            SHA512

            8df6718a6e7686c76a2eb242bb4ecd0d934eb4ee2d5b735a0e90bf1ae97e5030fe6e66cf6458c9b1f1ac752bdcb96d6fd88aeafe3c8b4d1aed6e965af2bdaa2b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            d0472dd41531602483c4a4fb326036c9

            SHA1

            9ae750f6369af73fb9d416cb5d06ab6eb7d1ba98

            SHA256

            433e1a350579f9b09e904bd514ca143b222430c0f7e286c96c42a49f726d1ea5

            SHA512

            cb878a2b799e390227edf4374af8273aa9e97343cd5a2aa67bef791057428dd83b26dbfb580005a8cd2f7ca371c6df43a3e087fc88212084e97cd039a7485cc9

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            d282161c40db9e0d0ed621b4eed63c20

            SHA1

            b3a31beceb1250506d2530845a96a00ad4935e6f

            SHA256

            24536552b88d9af490d2c516c08d2066f1eb403bc14dfea70fb7067a590e8bcb

            SHA512

            aa19bcf0aa8283b6f4393a85363c470c1983bf2c7bde6acfa3638c740aa7394317f7b90084868292df67bcdd2fc092da6fd320fc514a0c1c6605aa5befb2e9be

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            9eaa49349c85e422853f2e63147fa88e

            SHA1

            0b7c50dd602b955444f29d0d9ff894adc10befc1

            SHA256

            eb012945340af44c832c571c96c59edef0e2a4a5c7e7f9104aa9cad93f641ed8

            SHA512

            b934db4981c7f984deb011275ad811866d4add424a30f10066c89cb8cec87d2fb27591fabf4c3871d4798b2433440bc7064a3c203e90899605d3a223542b261a

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            c57a69efaf88e573be5b8df20063d20d

            SHA1

            6f184786242297b3a82cc0281453a1a51cc568b3

            SHA256

            3eb0b73a92d74f583506b5f66d51e327418706cfd3d9bacfa5e38d6f7ceb33b7

            SHA512

            9390747a00a2fee6796b4528dc63620648930a9f8c1280a999ac78697f14b0f2a5db4de39c04efd677f9c4ae30fff68ab2ad32dfd27043164a0cef351939f4b0

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            699c23e254a9d1b37565fadb124e7f43

            SHA1

            31c08f88b3f1988fc077c4793fe92703766f96cb

            SHA256

            354612143fc83e6cd616602be95d238c66042856c81088351e58348a1c7ae950

            SHA512

            16d27655001c985ee3de81b5901b511454baa3cf6ed58ae580d59d6ff45018b437452bd71296627c6722883c0d82d048903e8c9287418983d4a13066295ffe68

          • C:\Users\Admin\AppData\Local\Temp\Cab802B.tmp
            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\Cab8117.tmp
            Filesize

            68KB

            MD5

            29f65ba8e88c063813cc50a4ea544e93

            SHA1

            05a7040d5c127e68c25d81cc51271ffb8bef3568

            SHA256

            1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

            SHA512

            e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          • C:\Users\Admin\AppData\Local\Temp\Tar812B.tmp
            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          • C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05172015040008.xml
            Filesize

            1KB

            MD5

            02d85a522d05abc48ea60808a117a3b6

            SHA1

            4b838a6a61a35432632a17a3bba3b08d92c16400

            SHA256

            6cf17674e8026ad42fe74bfda3132f985bc9fdf7fb4bc0b3cb1624af49a3ee73

            SHA512

            864eac0c48ae9d1c5791b4294b42df953b3bddea08de4b6c9451369317c1d47f84728d5da2765f7c929549eb8ce7387528151f84dc41c8ad6309701c7ab4fe99

          • C:\Users\Admin\AppData\Roaming\424 bl 4.ADO
            Filesize

            524B

            MD5

            f180e85af9eea2a1d42807a6ebcb7a36

            SHA1

            5d49cde993f16d8259b10c5401280aa067c1b423

            SHA256

            4e748cbdf4437760c6f7e32b770814bba131d1d9a1e9fa887ae62114a1be22f1

            SHA512

            22ff1448e9197f5ad37b288bcad397fed8de00c2cd97178aa7b3ae766a7eef60d153db0e59293281829ea65d3c3e66ff6b7d6eb7e52a5d5c3c3f108b46d416eb

          • C:\Users\Admin\AppData\Roaming\Bahrain
            Filesize

            77B

            MD5

            d7a8d88e7d5b134d92542787e019e123

            SHA1

            ad633d30aa9f0bf314bba5f004060fc90a14a16d

            SHA256

            859d70658cc7502f214d9abd669c4e730e798210c372fd7020ceae470ac7756c

            SHA512

            194e553ecc8ffd376c029670ced1f2480509b072d2adebd6af22fa69945f3fafb58a3385d5a09451c85f03d891049b8123c0cd3907bce944cb4784606679ffa2

          • C:\Users\Admin\AppData\Roaming\Brunei
            Filesize

            77B

            MD5

            e25d4339e1f45436dc0dfbfcb96ebf3d

            SHA1

            1bfac0992a3b92e9db24f51e6cd18db2686e174f

            SHA256

            5db2a1b2a800bad6a64345b5993cf04b37818fc9679203ae93f12e46ca8bc241

            SHA512

            dcfb9a4d288c732b36fb54a3cd1e78bf50b700e917cdbedd021a1164b5d2e65ddb8debc1d26357e2cb2dc1ec04e1a9e03114225b136942c396deab1fa971c5f7

          • C:\Users\Admin\AppData\Roaming\Damascus
            Filesize

            1KB

            MD5

            93657662177fdc9183a0fd632790c0ae

            SHA1

            5586f64b641545aa2610b3bcd5df7750a17955de

            SHA256

            a353644ae75ca0a454a56caa9a442e361f1097ff429d035fc7ba73e87650e21e

            SHA512

            c0a0deb8e5773c783e3656084fb751847b71b2b1e6b2bf489f31f97100e4c629c0266c10d3f1a75c6811a2a195308d564d7216be8bce01b8ec5dda3a5096eb93

          • C:\Users\Admin\AppData\Roaming\Dushanbe
            Filesize

            261B

            MD5

            70e3f2851ad0cacb4d9f850fc7d0cd60

            SHA1

            6fbdc432df31bd7af06c619f91bf7b759788be2e

            SHA256

            caeec5309a9b777812307e423efc4112cb1eb25a00704848eb954ec4c70f174d

            SHA512

            1d484b231b9180f87af6d9d926d5faeaab0547d0600a7bd77046f71b4b2eaf62785bda462726a13fec4136d0bb20e737de819577a43a8d8f60660519b6263a74

          • C:\Users\Admin\AppData\Roaming\Helsinki
            Filesize

            1KB

            MD5

            f3b05d9cac6285e7ab08950275b0284a

            SHA1

            0a5d25e02a1784ff15c20c13840dbd48118360b6

            SHA256

            e87cc9499cf2ada66c2b53ff2ef96ccb2726c08b4881608ceb23790bb60b3522

            SHA512

            59d5c8ab5f09d0ccfd395510d24df8a9e4a935a6f9cc835142ac62b96416a395f8d6aa02e55a6d246f1879eb8e009e14b1ab5bad7b102ff53dfe0c3914a5b0c5

          • C:\Users\Admin\AppData\Roaming\KSCpc-EUC-V
            Filesize

            3KB

            MD5

            c8e708d1288dff4aba0cc066d873f187

            SHA1

            c2078d884d95b0c3bf10dd0af5faafb0d504537b

            SHA256

            d9f3be39a1777d1e3996b385b0ac90935e8fe6ab1b7a83cd9bfeca41fe7bd4ec

            SHA512

            e60af3a3ccdb60273645a86a527a8152b9a80fae286948d546c53835b016cc31c686c2d3b22414e0b058fe3c56aba7761ceea817e9f73537f4ac4ccdb8a970e1

          • C:\Users\Admin\AppData\Roaming\LF_Disabled.png
            Filesize

            4KB

            MD5

            885b8f6f03afc2875d358f189389a78a

            SHA1

            c4f99bf71f30be63467897ca8a40067a132b98c4

            SHA256

            796025f41c142dc5878c63ab5bdda17bd9516a333fce26bad36c22cca6a7c1da

            SHA512

            2a305ecfc3a529ac4e40e9b26db83b6216fa21348c61555c0d38476e3f136d8b4c77afd619c23bb9181fa249d4da9c173e086037f3e1834af31d2805c1070f7a

          • C:\Users\Admin\AppData\Roaming\Makefile.docParam
            Filesize

            1KB

            MD5

            4fa5ebe8c3bebd54be9eded49c1c8c27

            SHA1

            b320a0a0add161ee971a26aa54ed2db48c6020e9

            SHA256

            a24237defa96897c3b553f4f81d6609f9bddb1c191e6eed69b35abecf56be9d6

            SHA512

            1b7cbfa09367b8c12ab54b3766bd9f450736efe1dacc91c6c6acdd68ca53d434699074b386f57f5e64a0c5ef71429065556782f6d9e87cda55550e1d89a32024

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\PkgMgr.lnk
            Filesize

            1KB

            MD5

            e7617ce35a1add0ed0db8e0ea1d59b0d

            SHA1

            a3c28a1316ba6b1936281981d506d495f5db9a21

            SHA256

            468b123a19e3177c1bfeba8ce0a451eba3da820655abe4a79fb8c7fb49d69b7f

            SHA512

            7daa81174a0bf438aefa24ac96aa95f6554df9192fc5036abb9c655e3a7f8f9cd09f8dc7a7dea85a506d90812c436eda6f96cb54ad9e68abb2879176aaacfe41

          • C:\Users\Admin\AppData\Roaming\Monochromatic Low Contrast.hdt
            Filesize

            112B

            MD5

            53ca81c9d2f8bde4285415e29568f19b

            SHA1

            759eeba53e63000efb6b39ce5d61ed71ba5cfb7a

            SHA256

            303b07b6f9d35762ebca5b5496f7910b42f54ed0eab5000e2324f08aab28e57e

            SHA512

            80f197fc63b9d441b6387f193efb8f273e04e72121f2580f4709941cba4b7a513acbb8453e04db8e7575bd16f8eb4ac22e3556cee18c173c928c7f18c1589614

          • C:\Users\Admin\AppData\Roaming\VSFlat.hlsl
            Filesize

            148B

            MD5

            387995a1ad77f6a492c6f16ce887b7f1

            SHA1

            e2f22e55d1b10d877514d9adee20d0c244d7bc62

            SHA256

            c5381ca7bbd13cb11c2d2e543ee12e9c4d080e77a765743574eaef6fff96c6e6

            SHA512

            8010388b6444f09d2ace5a31a3910746c42dcade8cda487c9d9f6f90397803ec05c79efbd3ac6e227478d2a1e82bf3d862cb53a719ec10581a9c0de44bc327eb

          • C:\Users\Admin\AppData\Roaming\Vestibule.X
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          • C:\Users\Admin\AppData\Roaming\body.bg.color.xml
            Filesize

            891B

            MD5

            c8f0d3c03c5696181ae7aafd8789bce8

            SHA1

            5ec888513c60fefb2a42027333cd1cffbff0b44a

            SHA256

            5e78efc7d4505f63d57951859a336551904a546f55a1f7564e12494012fdef83

            SHA512

            3a31d227a986aeca2863f8732e382a9ee3405869ff86c43bec6d3ff3bcacdaa72b9edaa5ae683c8084cd71a4eac7318f80bfc3a2e129fc66f920baed9b4eaa4c

          • C:\Users\Admin\AppData\Roaming\data.png
            Filesize

            1KB

            MD5

            bd9ddfb41b3e25fd012e1f92dc942ea4

            SHA1

            aef939292591094e6363d80e9d029f920bbed314

            SHA256

            083d293c2882bb146cefbce31e9096d7bd340cc691e94e46a7be297a2ac9bb5e

            SHA512

            933c93dfc0e4709368440973297c279f4e504dd7cf6dafa12d92e42831440de2d4ffac3c92a4b1fc8903ce04527abc7090a6ef5c2d74959c1db4e9f529ddf66a

          • C:\Users\Admin\AppData\Roaming\default_hash.js
            Filesize

            528B

            MD5

            3693c0548c4d9e4e57849a52a4523606

            SHA1

            1dc700379cd42b6f045bcc0048b4c844528c5a21

            SHA256

            d197a4d9b206072739b60046fe03d60e10bccb70a7aec457e5b271f0ef038a7e

            SHA512

            66183be23520f39e15a11b59e236fd757b778cc635ee2d1c4bfef9a80ca203c071de6891d7a050e1a97c37aa30c6c82e7050e5f5b6648b33014af8d12b652e12

          • C:\Users\Admin\AppData\Roaming\diagnostics_na.png
            Filesize

            410B

            MD5

            1b509acbb124eda9d7a1f722941096cc

            SHA1

            9ed8ce338f74a57365546c4e112cc25564b7c971

            SHA256

            b6eaa77c7f3cc6efa96fc6f7f555477d7ba9226206cc954212d52d2e2dd90ebc

            SHA512

            61ec6ef8e4697456261b9d49b883f40a75f50f5c4c6bcdd4a88809724608fa6645803ec30b687b7d8a07eb6ff088e3eeb5bd46b55e0d916ad4a2fcaeec173d2f

          • C:\Users\Admin\AppData\Roaming\diagnostics_na.png
            Filesize

            808B

            MD5

            bc028a0820c2525818dafcbb36cdebe1

            SHA1

            f6734d8c8ffccc8e9d7985e1a7f2e3e68c548fbd

            SHA256

            0e7b6fa7cfd039417d89ee332d9f4ff9fb7489ca90dd9b01240a35c135668f03

            SHA512

            8b315273202fe06774a85c6526cc478922b95a36353ea82c6699063ad946890ec2b5c5d2457f2fc3ff42a5f34b95023e22238059e0eb6f0824f956b31b6d54d8

          • C:\Users\Admin\AppData\Roaming\externalhelp.xsd
            Filesize

            805B

            MD5

            4e78ba21399fe6c949c163ebc779bf60

            SHA1

            d20b6e7d854a53394eb68d653b2eea32963fc96c

            SHA256

            984afa83853bb983601491fc923fb957e523084c670745ee1d0ea6f6edfc5f6c

            SHA512

            97f4440beabce2d6bb8783cd157ba3cab159dc6f0659a4315a65c4e1716350d2a03641465c1297ecd14332724d8ad2801f815667331dbd449cfa9765c2674b32

          • C:\Users\Admin\AppData\Roaming\f2.png
            Filesize

            1KB

            MD5

            d327242e49b038fa123a598102e5d0cd

            SHA1

            f5bbf38f4300883b83d4d9c41e70eebefaf8018a

            SHA256

            8cbef400adddb7c310eb7fdd19ccffd80521064b435d9b391188023be7f3591b

            SHA512

            89447e41596266fd297cb4f40a670ecf3be7cbc74af2cb4130416f6409c054d8e8b276cba3c522731e28e2a63879374738293af91322a2409100c045967517d4

          • C:\Users\Admin\AppData\Roaming\f6.png
            Filesize

            1KB

            MD5

            e1cc4228bf8efcffeab59fb645c9832c

            SHA1

            a4994becf0cd8c5f2924e4365e064f1a34fbdfec

            SHA256

            5ece16429710ff94c832ebac8eb48614e547fdd7d94067bc5ddd64367776b961

            SHA512

            4ea6bf172a002bf51408bdb0d4e6ea096209512465d3772e022b4db911be8c699a024c0d9f7d6f1af9f9d25a401a8cbc34b45a9526c0390dc0ab990ff4f75e00

          • C:\Users\Admin\AppData\Roaming\f6.png
            Filesize

            1KB

            MD5

            8abe12bf32d65c2f8c0af9c8bfd77c62

            SHA1

            b63290e99b00a03cb08c6853b9b71ad1037e6031

            SHA256

            c2dbce16e3def25797c4620928e614848c5e53deed6fdcb4a775758b38fa77a5

            SHA512

            1024689524ed700d77bba93d834cbd5fceda521a6e328b02810ffc26421e95db0772c2546f87d3d1913b5710c169ac306fe86b939e091afe0c117ba9942adb62

          • C:\Users\Admin\AppData\Roaming\file_sig_verification.png
            Filesize

            543B

            MD5

            1315745b828d02838c8f3a8954bfe1c7

            SHA1

            57fb2c41320bdee698d75b59fd7ce5b337deba93

            SHA256

            738bb684c612de4553ea636325846acc0b8661659ad5495ae79d08a31997d184

            SHA512

            6e30b24b345c2b4a70d6444799fc5e87fc489bbcf9038a551a7406e7f4ec5dce9c51a5a6b77241f5bf2a60af346b4ac36fa099306cc0050380a9adf4e094ec3c

          • C:\Users\Admin\AppData\Roaming\file_sig_verification.png
            Filesize

            955B

            MD5

            71ff8835e27d495e764d33a08cd5dd31

            SHA1

            98920b18b7c98c3934c34ca95ee31fa60f3f04b5

            SHA256

            5c347889ae446dc288c8d6d84552419cb012354548a905f9dcec40b674d64adc

            SHA512

            bf35a3f661f15738689570c619edb78634412c6ce779f56ebfefbca0f993b3fa157a453eaad2658e1f86e1f3956835a29308f6bc70d0e857ef8810d28abd4c5e

          • C:\Users\Admin\AppData\Roaming\hammer.png
            Filesize

            3KB

            MD5

            10566dd922ce3766715d5950adef767c

            SHA1

            81afeabcb35828f71bff053ab342983e5cbec847

            SHA256

            d1cdcf57ae3fc07e2d51c74be1be3df32557b11eafdf5c78a2fdd77426ec46b1

            SHA512

            dcd842aba0bd34a7cd44353e4a0c2ae04e3e382a24de43ba36b0f146ef10abd887d88141e8a7432080e1324578c1ede199201ecd09521a7615cf45d7c8d08a23

          • C:\Users\Admin\AppData\Roaming\hammer.png
            Filesize

            3KB

            MD5

            a4083c0b4c784f8bd8d25a2e11c94c00

            SHA1

            5055292a8aca3eb52c0b78107e394e81f1b640f4

            SHA256

            42bc8a6bec014b8f0ded37fe4a84bda406166fa3ab74048146157bbef6b074ad

            SHA512

            f381a7bd823d07e2e761ff7e7aa1e69a950bd91cbfe2812a8a6322400793f80f1f31f45ea8d993dcd454ed6deae227367813518e5798ca4841624cc278df9039

          • C:\Users\Admin\AppData\Roaming\html.cellpadding.xml
            Filesize

            983B

            MD5

            5b626b6f01e073a639410a00ba394414

            SHA1

            c500c25c5976cc9b20c0bbb65a2869651dff50fd

            SHA256

            4156be6502ba6daa517e5cff65e2792dd12e98f9ddcb439eda287080c461892c

            SHA512

            a79ddfe1ec9085d42b0a1b6561a7a85b6d44880c893e0004060ed45e2bd1a16627c8cf1311e56ef81d4b61466015cda316cab7fadbab70075d7fa9a3e02f8849

          • C:\Users\Admin\AppData\Roaming\html.cellpadding.xml
            Filesize

            1KB

            MD5

            a04752cb181220c0f648f7db3a8f5a61

            SHA1

            7f50ff711fce7d970b3ad9e63a87568f32017024

            SHA256

            d011155b31698893194feb7c9bc1c1cad230430e1f151f51db054e1785de179d

            SHA512

            cbab207cc5a75833fd8bf15af12c1e83071f70934f21ddb1f2ae95141115d65fe1a9fe6af905b6fe822ceecf40e3426f190d1113aab28c097ddd423a86e4c3a6

          • C:\Users\Admin\AppData\Roaming\itemizedlist.properties.xml
            Filesize

            1KB

            MD5

            41e5c9ebfc019a38e094c4868c9a1b10

            SHA1

            88d34e80beab2e1b4e9ff8baa963e47ea35e53db

            SHA256

            b515a1b4f21354daa641ca0794cffa1007731ac8a08df5ff39171d180373d000

            SHA512

            bb2538e88341d456f9d66c8ca6f756139d23bfa0c0aa03a9b30612863124ee04839572dfeab99f142849525f95f83b2d6a22a7a1b619c252a781a43c8422a291

          • C:\Users\Admin\AppData\Roaming\man.output.base.dir.xml
            Filesize

            1KB

            MD5

            601499ed95bf6c937209ebbdae1b33ab

            SHA1

            3d0d6d945668498cce4f8d09d08920647fa08684

            SHA256

            f808da08ad1b8e5ab75bcc7d8d2dcaf2fa51cdf47e693b212d2a893fe301d31c

            SHA512

            eb3e95902d91c015f803270eed9046524a3943cff49845071ab90d99bb92b5f98a630153f1448da8466eabde7dc1693129a5f77ed15029a7c4f7ef68744743d7

          • C:\Users\Admin\AppData\Roaming\msconfig.png
            Filesize

            2KB

            MD5

            ecbc5e3d8c0314a1671441ad66422581

            SHA1

            356b6245df4dae2ec2d5312031438834171c94fb

            SHA256

            4a9a8b1aa036980f933053221d996f69070c32410cd7467b7a8653c523ac7a43

            SHA512

            c0b131bfbdcf6ece718e2b3b345327a2e9492e6bc3c3e8f63ee0d67c8ec32945971232df8e90bc617e32181e51899a1c67c74349aa44dd908a4a265523194964

          • C:\Users\Admin\AppData\Roaming\msconfig.png
            Filesize

            2KB

            MD5

            e58cabadd11838d2fb5d5cb376b20930

            SHA1

            9fd4a2d683b8036659132c9f88ac3ede769d6b0d

            SHA256

            5708872baf40ebc1fe8d2b3aedc38a7cab65e8d13b4766e194b1263612232397

            SHA512

            50befbdd82f500e127e3de5c71d256d1f2a24071515499e8ddea3ffe4abe3b148d5db158f8d14a90c0434d68a9d4962609a3595d0b044250ba6aa04a0cde42ad

          • C:\Users\Admin\AppData\Roaming\pointer.png
            Filesize

            556B

            MD5

            1fdfde82d31456ca9d1d378235ef4f1b

            SHA1

            79f736075090fe8942ae69e9e0ffc2198935059f

            SHA256

            93e4b5913a084791e282efa6c018388a31a5100df870e0aa38c6b5f73d66b1ec

            SHA512

            2044ab0584681f904778ae7cd785725cfefa259db6ed9e6181f3949b14a888c0d725ca9bdaaa2c3ca4c9e3f83e7859c4707e0298248ef1381f8c928bd045b971

          • C:\Users\Admin\AppData\Roaming\smartcard_reader.png
            Filesize

            4KB

            MD5

            8ad63bce5bbb3a69ffcc1cc5eb065cae

            SHA1

            baff947cb368dddf86df3c74d89f44fe16f46872

            SHA256

            38a51458fba9b2bbd6060d95c483959dd343453cf9e0cf970698236d4b58d23d

            SHA512

            a1e70d333a929d99ee1368bb318e7d9d32d4f82e5d7cb867dc5c75a91be2da25f4fe02e42f2e2a64d3350bd8726d7cba0a80fd41cb148719da7d345deaa07f7b

          • C:\Users\Admin\AppData\Roaming\smartcard_reader.png
            Filesize

            4KB

            MD5

            81f983bf97abfe3d28918bb2ce9e8a06

            SHA1

            0a84a215a7778f9c7fbc0f4758d45a3ce86cd10a

            SHA256

            e5f5b97d653805627d26704d64f156c07e3dea01df45e4d582ca14a131bce28f

            SHA512

            ff716bd138b468b69fad718acb2e40bb62a8980344f9ae01cfe4e91eb3a12a94c06cdb28011a03a2cd22d538a654b40909d5f0da29a95bd39d75fb4d8a107b62

          • C:\Users\Admin\AppData\Roaming\tweakNetworkingManual_es.p5p
            Filesize

            1KB

            MD5

            f815309cb6953d1a573e2bc721287053

            SHA1

            2e2284639a82b38fe6cb5d4e278ecdb4ce145370

            SHA256

            cc0fe9c375dee9d1c548c506865cc086ab8914945156cb818db5d928622943fd

            SHA512

            cc07f98f280ba81b32cc2490f3274aa60be379ba465cba3e15237396c8fc59cb41c12fad0135f8fbbacf232a5979782a8971d9008b934c936dd8f4d8f0ca98e0

          • C:\Users\Admin\AppData\Roaming\video_card.png
            Filesize

            3KB

            MD5

            8f76de212a59bcffc6613e3365cc9871

            SHA1

            5565c6f389b5c1ca190567b3d1055eba1be29ca6

            SHA256

            c9b169107fca20ca721ad2dc03b065ae546093348ec5ebf9107b2c745f47cae1

            SHA512

            571e12113723c076075cdceb1b9f6aaa9dc805b7700b1e624e0118a16d264f0c9b5c5b5414101fb2b80301112bbfddcbbbc0a4e960d7ba8107429b8666a96676

          • C:\Users\Admin\AppData\Roaming\video_card.png
            Filesize

            4KB

            MD5

            8b1a0b936059f38621043920eff3b416

            SHA1

            5d92c55ebf0533e9038bae889346554670cff7c9

            SHA256

            872f3250c8a438dfca5389b6d48a628e8ca29f9c383ba0bbe3ea556b5b33dcc5

            SHA512

            6a9fbd6d78e00b382792c4e000e3d758553eefdc4c67687a2046e1d869f4bfdaebd76ca6b74ee0a1e21aaa33c9733256df30ed41b1656279baead364943528c9

          • C:\Users\Admin\AppData\Roaming\yellow bl 4.ADO
            Filesize

            524B

            MD5

            9f92ff064f3910a5199c60109ab20d42

            SHA1

            6949e2728d371d57d446c46d648a086849825656

            SHA256

            586c1646484e700c6c80aa5f5031286119d97767f5cf7217758890439007738d

            SHA512

            e48294ec60f229f9d59a5a251a0b9c2ab852a4b4c3c5b781476c5fb3844048c63fd91eb1866ebae956fbf4bfcb3bf950fb6ad4832f44b48bffd5415481553d7e

          • C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\PkgMgr.exe
            Filesize

            186KB

            MD5

            1e039f9770017f09225e58d7759b700a

            SHA1

            fc1e83365f05fb98b4dc94833e430a7adc055bf5

            SHA256

            f9ab2087217beb38c3ec3dc043aad739dac202dc422f44e49c0fb5ca6db26502

            SHA512

            ebeb10678547b0eca642645a673e9e6309c3ba961e62d83aca95aff8a351a56c07544c92688681e58dbe66cc8e0812ab01c388d0b5e463d5c97d4ea038bf26e2

          • \Users\Admin\AppData\Local\Temp\nso255D.tmp\System.dll
            Filesize

            11KB

            MD5

            883eff06ac96966270731e4e22817e11

            SHA1

            523c87c98236cbc04430e87ec19b977595092ac8

            SHA256

            44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

            SHA512

            60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

          • \Users\Admin\AppData\Roaming\Nwiz.dll
            Filesize

            40KB

            MD5

            7f5859cddce6d27bf5ee5a0e5abf80f7

            SHA1

            3fdb34f8c461031de871716f913b6414d71e5f8b

            SHA256

            9be59c18fa3c74fda8d6bbab8ce3b0ac980872261688c62c4ea3a89e7aaf3766

            SHA512

            d4dd6c85edc84b77f3ec96071e6cd3ac29ea62d59852a0707616fb8b70f25fee6ede59818a2c3e9e69d260cee31ade339ea80b9838eb38498d33319dd41ab4b0

          • memory/1948-185-0x0000000000560000-0x0000000000561000-memory.dmp
            Filesize

            4KB

          • memory/1948-187-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-192-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-200-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-193-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-183-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-627-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-180-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-181-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-190-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-188-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-632-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-630-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/1948-624-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-62-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-54-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-63-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-64-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-83-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-48-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-53-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-65-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-56-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
            Filesize

            4KB

          • memory/2568-60-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2568-50-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2932-165-0x00000000005F0000-0x00000000005FA000-memory.dmp
            Filesize

            40KB

          • memory/2988-46-0x0000000001E10000-0x0000000001E1A000-memory.dmp
            Filesize

            40KB
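          The dropped-file list and the ATT&CK matrix above give a hunter four concrete things to look for on other hosts: the SHA256 of the three dropped executables (the PkgMgr.exe copy under Roaming\{GUID}\ carries the same SHA256 as the submitted sample, so the sample hash alone finds the persisted copy), the "# DECRYPT MY FILES #" note names in .html/.txt/.url/.vbs form, the PkgMgr.lnk shortcut in the per-user Startup folder (T1547.001), and an executable placed directly under %APPDATA%\{GUID}\. The script below is an added example written for this page, not part of the Triage report; it walks a directory tree and flags those four indicators. The hash values are copied from the list above; the path patterns are generalised from the single PkgMgr.lnk / PkgMgr.exe pair the report shows; the demo tree it builds is constructed sample data with fake contents. One caveat it encodes deliberately: the Vestibule.X entry above carries the digests of empty input (d41d8cd9…/e3b0c442…), so those hashes must never go into an IOC list, and the code refuses to hash-match zero-length files.

```python
"""Offline IOC check built from the dropped-file list and ATT&CK matrix above.

Added example, not part of the sandbox report. Flags four things the report shows:
  1. files whose SHA256 matches a dropped executable from the report;
  2. Cerber ransom notes by name ("# DECRYPT MY FILES #" + .html/.txt/.url/.vbs);
  3. .lnk files in a per-user Startup folder (T1547.001, PkgMgr.lnk above);
  4. executables dropped directly under %APPDATA%\\{GUID}\\ (PkgMgr.exe above).
Zero-length files are never hash-matched: the Vestibule.X entry above carries the
digests of empty input, which would match every empty file on disk.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# SHA256 values copied from the report's dropped-file list (the only code-carrying drops).
KNOWN_SHA256 = {
    "f9ab2087217beb38c3ec3dc043aad739dac202dc422f44e49c0fb5ca6db26502":
        "sample / PkgMgr.exe copy under %APPDATA%\\{GUID}\\",
    "9be59c18fa3c74fda8d6bbab8ce3b0ac980872261688c62c4ea3a89e7aaf3766":
        "Nwiz.dll under %APPDATA%",
    "44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82":
        "System.dll under %TEMP%\\nso255D.tmp",
}

# Name/path patterns generalised from the single instances the report shows.
RANSOM_NOTE = re.compile(r"^# DECRYPT MY FILES #\.(html|txt|url|vbs)$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.I)
ROAMING_GUID_EXE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\[^\\]+\.exe$",
    re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    detail: str


def sha256_file(path):
    """Stream the file through SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, digest, size):
    """Return the findings for one file given its path, SHA256 hex digest and size."""
    win = path.replace("/", "\\")            # normalise so the patterns also work off Windows
    name = win.rsplit("\\", 1)[-1]
    out = []
    if size > 0 and digest in KNOWN_SHA256:  # size guard: never match the empty-input digest
        out.append(Finding(path, "known_hash", KNOWN_SHA256[digest]))
    if RANSOM_NOTE.match(name):
        out.append(Finding(path, "ransom_note", "Cerber note filename"))
    if STARTUP_LNK.search(win):
        out.append(Finding(path, "startup_lnk", "T1547.001 Startup folder shortcut"))
    if ROAMING_GUID_EXE.search(win):
        out.append(Finding(path, "roaming_guid_exe", "executable directly under %APPDATA%\\{GUID}\\"))
    return out


def scan(root):
    """Walk root and collect findings for every regular file (symlinks skipped)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            findings.extend(classify(p, sha256_file(p), os.path.getsize(p)))
    return findings


def build_demo_tree(root):
    """Constructed layout mirroring the report's paths; file contents are fake, not the sample."""
    root = Path(root)
    startup = root / "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/StartUp"
    guid_dir = root / "Users/Admin/AppData/Roaming/{8F76CA93-6AF5-FCB8-1751-35093594ADFC}"
    for d in (startup, guid_dir):
        d.mkdir(parents=True, exist_ok=True)
    (startup / "PkgMgr.lnk").write_bytes(b"L\x00\x00\x00")          # fake shortcut header only
    (guid_dir / "PkgMgr.exe").write_bytes(b"MZ constructed, not the real sample")
    (root / "# DECRYPT MY FILES #.txt").write_text("constructed note body")
    (root / "Vestibule.X").write_bytes(b"")                            # empty file, must not match
    (root / "readme.txt").write_text("benign")


def demo():
    """Build the constructed tree in a temp dir, scan it, and return {file name: [reasons]}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        reasons = {}
        for f in scan(tmp):
            reasons.setdefault(os.path.basename(f.path), []).append(f.reason)
        return reasons


if __name__ == "__main__":
    for name, why in sorted(demo().items()):
        print(f"{', '.join(why):18} {name}")
```

          Point scan() at a mounted evidence image or a user profile instead of the demo tree to use it on a real host; known_hash hits are high confidence, the three path/name patterns are triage leads that need a look at the file. One further lead the path itself gives, as an inference and not something the report states: %TEMP%\nso255D.tmp\System.dll is the layout NSIS installers use when they unpack their plugin DLLs, which points to an NSIS-packed dropper.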