Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 19:26
Static task static1
Behavioral task behavioral1: sample 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, resource win10v2004-20240419-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240419-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240419-en
Behavioral task behavioral5: sample Nwiz.dll, resource win7-20240221-en
Behavioral task behavioral6: sample Nwiz.dll, resource win10v2004-20240426-en
Behavioral task behavioral7: sample default_hash.js, resource ubuntu1804-amd64-20240226-en
Behavioral task behavioral8: sample default_hash.js, resource debian9-armhf-20240418-en
Behavioral task behavioral9: sample default_hash.js, resource debian9-mipsbe-20240226-en
Behavioral task behavioral10: sample default_hash.js, resource debian9-mipsel-20240226-en
Behavioral task behavioral11: sample libimalloc.dll, resource win7-20240221-en
Behavioral task behavioral12: sample libimalloc.dll, resource win10v2004-20240419-en
General
Target: 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
Size: 186KB
MD5: 1e039f9770017f09225e58d7759b700a
SHA1: fc1e83365f05fb98b4dc94833e430a7adc055bf5
SHA256: f9ab2087217beb38c3ec3dc043aad739dac202dc422f44e49c0fb5ca6db26502
SHA512: ebeb10678547b0eca642645a673e9e6309c3ba961e62d83aca95aff8a351a56c07544c92688681e58dbe66cc8e0812ab01c388d0b5e463d5c97d4ea038bf26e2
SSDEEP: 3072:oM1BjoYNXoKDIJBXJPG45d48j8uZmXJtP4NMtGvNOilk+qNKNtmlohi8tUUB5+Qy:oMMYNXqBBG6Zj8ikJtP4SGVdHqEUGQUw
Malware Config
Extracted from: C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
http://cerberhhyed5frqa.onion.to/D0E9-2FCD-7F1F-006D-F913
http://cerberhhyed5frqa.onion.cab/D0E9-2FCD-7F1F-006D-F913
http://cerberhhyed5frqa.onion.nu/D0E9-2FCD-7F1F-006D-F913
http://cerberhhyed5frqa.onion.link/D0E9-2FCD-7F1F-006D-F913
http://cerberhhyed5frqa.tor2web.org/D0E9-2FCD-7F1F-006D-F913
http://cerberhhyed5frqa.onion/D0E9-2FCD-7F1F-006D-F913
Extracted from: C:\Users\Admin\Documents\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large number (16404) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, mountvol.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8999624C-A316-9EC4-C889-0544D5B59B99}\\mountvol.exe\"" | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8999624C-A316-9EC4-C889-0544D5B59B99}\\mountvol.exe\"" | mountvol.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: mountvol.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | mountvol.exe
- Drops startup file (2 IoCs)
  Processes: 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, mountvol.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mountvol.lnk | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mountvol.lnk | mountvol.exe
- Executes dropped EXE (2 IoCs)
  Processes: mountvol.exe, mountvol.exe
  pid | process
  4004 | mountvol.exe
  2592 | mountvol.exe
- Loads dropped DLL (6 IoCs)
  Processes: 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, mountvol.exe
  pid | process
  1592 | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe (3 times)
  4004 | mountvol.exe (3 times)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: mountvol.exe, 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mountvol = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8999624C-A316-9EC4-C889-0544D5B59B99}\\mountvol.exe\"" | mountvol.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mountvol = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8999624C-A316-9EC4-C889-0544D5B59B99}\\mountvol.exe\"" | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mountvol = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8999624C-A316-9EC4-C889-0544D5B59B99}\\mountvol.exe\"" | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mountvol = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8999624C-A316-9EC4-C889-0544D5B59B99}\\mountvol.exe\"" | mountvol.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  25 | ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: mountvol.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp35.bmp" | mountvol.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, mountvol.exe
  description | pid | process | target process
  PID 1592 set thread context of 3616 | 1592 | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  PID 4004 set thread context of 2592 | 4004 | mountvol.exe | mountvol.exe
- Drops file in Windows directory (2 IoCs)
  Processes: mountvol.exe, 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Windows\tillings | mountvol.exe
  File opened for modification | C:\Windows\tillings | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\{8999624C-A316-9EC4-C889-0544D5B59B99}\mountvol.exe | nsis_installer_1
  C:\Users\Admin\AppData\Roaming\{8999624C-A316-9EC4-C889-0544D5B59B99}\mountvol.exe | nsis_installer_2
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  2532 | vssadmin.exe
- Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe, taskkill.exe
  pid | process
  432 | taskkill.exe
  4336 | taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, mountvol.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8999624C-A316-9EC4-C889-0544D5B59B99}\\mountvol.exe\"" | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop | mountvol.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8999624C-A316-9EC4-C889-0544D5B59B99}\\mountvol.exe\"" | mountvol.exe
- Modifies registry class (1 IoC)
  Processes: mountvol.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings | mountvol.exe
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  Processes: mountvol.exe, msedge.exe, msedge.exe, identity_helper.exe
  pid | process
  2592 | mountvol.exe (36 times)
  5692 | msedge.exe (2 times)
  5316 | msedge.exe (2 times)
  216 | identity_helper.exe (2 times)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  Processes: msedge.exe
  pid | process
  5316 | msedge.exe (9 times)
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Processes: 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, taskkill.exe, mountvol.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 3616 | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  Token: SeDebugPrivilege | 432 | taskkill.exe
  Token: SeDebugPrivilege | 2592 | mountvol.exe
  Token: SeBackupPrivilege | 3056 | vssvc.exe
  Token: SeRestorePrivilege | 3056 | vssvc.exe
  Token: SeAuditPrivilege | 3056 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (each twice, 42 entries) | 2116 | wmic.exe
  Token: 33 | 3832 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3832 | AUDIODG.EXE
  Token: SeDebugPrivilege | 4336 | taskkill.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid | process
  5316 | msedge.exe (25 times)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process
  5316 | msedge.exe (24 times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe, cmd.exe, mountvol.exe, mountvol.exe, msedge.exe
  description | pid | process | target process
  PID 1592 wrote to memory of 3616 | 1592 | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe (9 times)
  PID 3616 wrote to memory of 4004 | 3616 | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe | mountvol.exe (3 times)
  PID 3616 wrote to memory of 3476 | 3616 | 1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe | cmd.exe (3 times)
  PID 3476 wrote to memory of 432 | 3476 | cmd.exe | taskkill.exe (3 times)
  PID 3476 wrote to memory of 1012 | 3476 | cmd.exe | PING.EXE (3 times)
  PID 4004 wrote to memory of 2592 | 4004 | mountvol.exe | mountvol.exe (9 times)
  PID 2592 wrote to memory of 2532 | 2592 | mountvol.exe | vssadmin.exe (2 times)
  PID 2592 wrote to memory of 2116 | 2592 | mountvol.exe | wmic.exe (2 times)
  PID 2592 wrote to memory of 5316 | 2592 | mountvol.exe | msedge.exe (2 times)
  PID 5316 wrote to memory of 5336 | 5316 | msedge.exe | msedge.exe (2 times)
  PID 2592 wrote to memory of 5344 | 2592 | mountvol.exe | NOTEPAD.EXE (2 times)
  PID 5316 wrote to memory of 5684 | 5316 | msedge.exe | msedge.exe (24 times)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe"
    Signatures: Adds policy Run key to start application; Drops startup file; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\{8999624C-A316-9EC4-C889-0544D5B59B99}\mountvol.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{8999624C-A316-9EC4-C889-0544D5B59B99}\mountvol.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\{8999624C-A316-9EC4-C889-0544D5B59B99}\mountvol.exe
        Command line: "C:\Users\Admin\AppData\Roaming\{8999624C-A316-9EC4-C889-0544D5B59B99}\mountvol.exe"
        Signatures: Adds policy Run key to start application; Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\vssadmin.exe
          Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          Signatures: Interacts with shadow copies
        - C:\Windows\system32\wbem\wmic.exe
          Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe06a946f8,0x7ffe06a94708,0x7ffe06a94718
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
            Signatures: Suspicious behavior: EnumeratesProcesses
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 /prefetch:8
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 /prefetch:8
            Signatures: Suspicious behavior: EnumeratesProcesses
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13224526070530476742,7941745126620649395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
        - C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.onion.to/D0E9-2FCD-7F1F-006D-F913
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe06a946f8,0x7ffe06a94708,0x7ffe06a94718
        - C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        - C:\Windows\system32\cmd.exe
          Command line: /d /c taskkill /t /f /im "mountvol.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{8999624C-A316-9EC4-C889-0544D5B59B99}\mountvol.exe" > NUL
          - C:\Windows\system32\taskkill.exe
            Command line: taskkill /t /f /im "mountvol.exe"
            Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\PING.EXE
            Command line: ping -n 1 127.0.0.1
            Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /t /f /im "1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe" > NUL
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /t /f /im "1e039f9770017f09225e58d7759b700a_JaffaCakes118.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 127.0.0.1
        Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x520 0x450
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 850f27f857369bf7fe83c613d2ec35cb
  SHA1: 7677a061c6fd2a030b44841bfb32da0abc1dbefb
  SHA256: a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a
  SHA512: 7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 62c02dda2bf22d702a9b3a1c547c5f6a
  SHA1: 8f42966df96bd2e8c1f6b31b37c9a19beb6394d6
  SHA256: cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b
  SHA512: a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 6567bd39d1828f313246be2193248e33
  SHA1: 88f9ba6f16fe01d3f8cebfce189edba143d6c0d4
  SHA256: ae52dd502765b0d895df8e3b30ead570bd20bcffbf46a377e2d3a67babf1241e
  SHA512: c1f3301d6d45ea3485983533353cdbc10f6487441b55d0d20188f6a5e6c2d189744af9a6c66c8e1b7dcb4fb6d716db2a8a2e8808a3131dd9d75d5cee3fb4de5d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: eda8affdbb1ef6c34a73ef243ef6192b
  SHA1: 99b49be52abf137a028ce0594f00f75d90632aaa
  SHA256: 4bc6fb64e2519ba783a2deba819c4435ff1be8d69fdd2bf72201fa6aa363ac2b
  SHA512: 47fe16cf25b4cc515893254ca8ad9e58ba4227d6bff1a0f0ceadb13e0404114a3c300b1db931a8affde20161ee409c197e5c888b9e531d4bdbda21c3ca415354
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: f7369e086a137449b1576d2824fc8b60
  SHA1: 4675e2fd9684e3e82b05e42cf251f93f0936b470
  SHA256: d18e322ac09600a9778b8aa76069b4ec8e5c6e61d822a811aac16ab6e7e254b9
  SHA512: c7864b2feab9e4b86d245185eda11560734bebd6cc0a13d338476e3c929e906acf0b33ae0c11b9b6018cccc4fe6222d3a390cef9f3f175002aeb1cce8cdf082e
- C:\Users\Admin\AppData\Local\Temp\nsj372E.tmp\System.dll
  Filesize: 11KB
  MD5: 883eff06ac96966270731e4e22817e11
  SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
  SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA51260333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
-
C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05172015040008.xmlFilesize
1KB
MD56b4c09a2ef0528c2998ac0bc19757af2
SHA151cdd849771499a0de0d8cce746fddd5d177d4bf
SHA256d5fa42c3b71d032313cb07595432f8e177fd77cfe2ef026dc7dc114576415c5b
SHA512f63f32f550d456bf2227c41be3c891f492937714309e8b91d663267bf0a2f8403c7056dad53f008acf9b34951a2bd3d800ba1187daecae9e89057786d4a7c28b
-
C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05172015040008.xmlFilesize
1KB
MD59df4113be5f1c32889410e8a9e86346a
SHA12750c7b2c6b116d2ff6abb9c6dd6a6867656de4d
SHA256761d16f96810371efec63c1c9195392b304d1231c252da9377cf1a59a102ac43
SHA512f7202854dfcaf4971c929f952a5faa2004d0b870e75dfb3969f3a3cfea34ba1ef8e97e1f9857211210633f3658018d8733d8455fbe9282ea460bbafc4b53bba4
-
C:\Users\Admin\AppData\Roaming\424 bl 4.ADOFilesize
524B
MD5f180e85af9eea2a1d42807a6ebcb7a36
SHA15d49cde993f16d8259b10c5401280aa067c1b423
SHA2564e748cbdf4437760c6f7e32b770814bba131d1d9a1e9fa887ae62114a1be22f1
SHA51222ff1448e9197f5ad37b288bcad397fed8de00c2cd97178aa7b3ae766a7eef60d153db0e59293281829ea65d3c3e66ff6b7d6eb7e52a5d5c3c3f108b46d416eb
-
C:\Users\Admin\AppData\Roaming\BahrainFilesize
77B
MD5d7a8d88e7d5b134d92542787e019e123
SHA1ad633d30aa9f0bf314bba5f004060fc90a14a16d
SHA256859d70658cc7502f214d9abd669c4e730e798210c372fd7020ceae470ac7756c
SHA512194e553ecc8ffd376c029670ced1f2480509b072d2adebd6af22fa69945f3fafb58a3385d5a09451c85f03d891049b8123c0cd3907bce944cb4784606679ffa2
-
C:\Users\Admin\AppData\Roaming\BruneiFilesize
77B
MD5e25d4339e1f45436dc0dfbfcb96ebf3d
SHA11bfac0992a3b92e9db24f51e6cd18db2686e174f
SHA2565db2a1b2a800bad6a64345b5993cf04b37818fc9679203ae93f12e46ca8bc241
SHA512dcfb9a4d288c732b36fb54a3cd1e78bf50b700e917cdbedd021a1164b5d2e65ddb8debc1d26357e2cb2dc1ec04e1a9e03114225b136942c396deab1fa971c5f7
-
C:\Users\Admin\AppData\Roaming\DamascusFilesize
1KB
MD593657662177fdc9183a0fd632790c0ae
SHA15586f64b641545aa2610b3bcd5df7750a17955de
SHA256a353644ae75ca0a454a56caa9a442e361f1097ff429d035fc7ba73e87650e21e
SHA512c0a0deb8e5773c783e3656084fb751847b71b2b1e6b2bf489f31f97100e4c629c0266c10d3f1a75c6811a2a195308d564d7216be8bce01b8ec5dda3a5096eb93
-
C:\Users\Admin\AppData\Roaming\DushanbeFilesize
261B
MD570e3f2851ad0cacb4d9f850fc7d0cd60
SHA16fbdc432df31bd7af06c619f91bf7b759788be2e
SHA256caeec5309a9b777812307e423efc4112cb1eb25a00704848eb954ec4c70f174d
SHA5121d484b231b9180f87af6d9d926d5faeaab0547d0600a7bd77046f71b4b2eaf62785bda462726a13fec4136d0bb20e737de819577a43a8d8f60660519b6263a74
-
C:\Users\Admin\AppData\Roaming\Glassine.m4TFilesize
117KB
MD5fdd3a4fb73e7fc0eff3d9db58f76867a
SHA1e3b522cc46fa8aa55df3d2920e3656c867c0be5b
SHA25678cf532835278c3baaa8ce8ebf204a470243df7baca7906403598c74a752c613
SHA5129c884410c8e3b39cd0bbeec8fef2dd97d1b65d1f5d8e41ed7e58ca9119d9fcb5cc89ae33f963bbe4455cf04280d3e5ed4ffa1dc98c3ba089c9b47e097954b41e
-
C:\Users\Admin\AppData\Roaming\HelsinkiFilesize
1KB
MD5f3b05d9cac6285e7ab08950275b0284a
SHA10a5d25e02a1784ff15c20c13840dbd48118360b6
SHA256e87cc9499cf2ada66c2b53ff2ef96ccb2726c08b4881608ceb23790bb60b3522
SHA51259d5c8ab5f09d0ccfd395510d24df8a9e4a935a6f9cc835142ac62b96416a395f8d6aa02e55a6d246f1879eb8e009e14b1ab5bad7b102ff53dfe0c3914a5b0c5
-
C:\Users\Admin\AppData\Roaming\KSCpc-EUC-VFilesize
3KB
MD5c8e708d1288dff4aba0cc066d873f187
SHA1c2078d884d95b0c3bf10dd0af5faafb0d504537b
SHA256d9f3be39a1777d1e3996b385b0ac90935e8fe6ab1b7a83cd9bfeca41fe7bd4ec
SHA512e60af3a3ccdb60273645a86a527a8152b9a80fae286948d546c53835b016cc31c686c2d3b22414e0b058fe3c56aba7761ceea817e9f73537f4ac4ccdb8a970e1
-
C:\Users\Admin\AppData\Roaming\LF_Disabled.pngFilesize
4KB
MD501988d409db3c319ec87721581b1ab9e
SHA14228ef415b1fa2256d57c7bc3fe4700c79bc02f0
SHA25639d37b9507fe014a62da954bfc126d17be3aab1b5e827b4dddcbe11f0f864f67
SHA512c02afd0ecf3b1b3d3fd8ba4c79f12c8415f83ab08fc527694d8b9e058201428e3eeec1f791f166f2a3c9c2685271d33b8e47886c45f16435748166d1829a14a2
-
C:\Users\Admin\AppData\Roaming\LF_Disabled.pngFilesize
4KB
MD5595512e1911d0549a46ed96f1b9fcf5a
SHA10144f01c7fde24550226bf994f3bcbda382c3942
SHA2564ada755850bdab968adb27e1b280cd84def9c4f8895d4d6430c66262c45562ff
SHA512e02eb3cf92ec04779ea8618b3f07673c43b6103268f60f2e74e212aabdd2a108e5277b1381b2afedd4f43d7a05593f00a18845d372122cf58ff3e4a84479ab8d
-
C:\Users\Admin\AppData\Roaming\Makefile.docParamFilesize
1KB
MD54fa5ebe8c3bebd54be9eded49c1c8c27
SHA1b320a0a0add161ee971a26aa54ed2db48c6020e9
SHA256a24237defa96897c3b553f4f81d6609f9bddb1c191e6eed69b35abecf56be9d6
SHA5121b7cbfa09367b8c12ab54b3766bd9f450736efe1dacc91c6c6acdd68ca53d434699074b386f57f5e64a0c5ef71429065556782f6d9e87cda55550e1d89a32024
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mountvol.lnkFilesize
1KB
MD598b43e16fe14d06d875ca3675f57d274
SHA16f909c464003b7cf57848bbed9d30587378cef69
SHA256ad1dd2b960e08525bfc6a41b4a3e0de7a508bb5baca942b0d2127dd0f805eb17
SHA512a4c67a37c53abef27f6be67b8bf92c5cb4763fbee5c5f679fc323f6766e6742cb7e60aa3786ffc0c271a1fa6fc51f770889bd7f97ac53830717d38594776e22a
-
C:\Users\Admin\AppData\Roaming\Monochromatic Low Contrast.hdtFilesize
112B
MD553ca81c9d2f8bde4285415e29568f19b
SHA1759eeba53e63000efb6b39ce5d61ed71ba5cfb7a
SHA256303b07b6f9d35762ebca5b5496f7910b42f54ed0eab5000e2324f08aab28e57e
SHA51280f197fc63b9d441b6387f193efb8f273e04e72121f2580f4709941cba4b7a513acbb8453e04db8e7575bd16f8eb4ac22e3556cee18c173c928c7f18c1589614
-
C:\Users\Admin\AppData\Roaming\Nwiz.dllFilesize
40KB
MD57f5859cddce6d27bf5ee5a0e5abf80f7
SHA13fdb34f8c461031de871716f913b6414d71e5f8b
SHA2569be59c18fa3c74fda8d6bbab8ce3b0ac980872261688c62c4ea3a89e7aaf3766
SHA512d4dd6c85edc84b77f3ec96071e6cd3ac29ea62d59852a0707616fb8b70f25fee6ede59818a2c3e9e69d260cee31ade339ea80b9838eb38498d33319dd41ab4b0
-
C:\Users\Admin\AppData\Roaming\VSFlat.hlslFilesize
148B
MD5387995a1ad77f6a492c6f16ce887b7f1
SHA1e2f22e55d1b10d877514d9adee20d0c244d7bc62
SHA256c5381ca7bbd13cb11c2d2e543ee12e9c4d080e77a765743574eaef6fff96c6e6
SHA5128010388b6444f09d2ace5a31a3910746c42dcade8cda487c9d9f6f90397803ec05c79efbd3ac6e227478d2a1e82bf3d862cb53a719ec10581a9c0de44bc327eb
-
C:\Users\Admin\AppData\Roaming\Vestibule.XMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\appupdater.exe.manifestFilesize
1KB
MD5d223bb3f5c46425dcb13e41022d6986f
SHA1923f55318f52283afa03994b20073b2578fa8f57
SHA2560bc634dd83708546cc2d2f094a153dc7dcfedb9577ee00f5c591a755c44a5ca8
SHA512d9f804b86f701d2db4d490f84c36fa32bdfcbc9ce236a33de2304fa045af79369cac76ac30fa0f85d26a157d9f6d54833874d898bb69c0718a87bd30426dedc0
-
C:\Users\Admin\AppData\Roaming\body.bg.color.xmlFilesize
891B
MD5c8f0d3c03c5696181ae7aafd8789bce8
SHA15ec888513c60fefb2a42027333cd1cffbff0b44a
SHA2565e78efc7d4505f63d57951859a336551904a546f55a1f7564e12494012fdef83
SHA5123a31d227a986aeca2863f8732e382a9ee3405869ff86c43bec6d3ff3bcacdaa72b9edaa5ae683c8084cd71a4eac7318f80bfc3a2e129fc66f920baed9b4eaa4c
-
C:\Users\Admin\AppData\Roaming\data.pngFilesize
1KB
MD599794a31ae4ff2284d1183f5699c2d5e
SHA12297ae201904d17bff6f270bf732ff19636f496a
SHA256ea2022a289b2c2d1426b85ea2b26bec26c30e796698ea2d62eff4ed82a4b3c78
SHA512ec0dce0622b116849694a88451cea438424f97f846f83571d82a331e7a191a0e76266f9046082eb7f184622cd710528fde93a2d180fb10feffbbcb4d25a0e34a
-
C:\Users\Admin\AppData\Roaming\data.pngFilesize
1KB
MD5f8f9db79b3c6f4034f64a8bc279686d3
SHA1a50d737610dfff2ee80359784edd0b284d7e80d8
SHA2566ac78a9ad24cd69b70af427b0573709888067276f193123d592ece6690dcbbb6
SHA512991845d4e4cb308540e4af4fd7afa44ec276dc625e48725f33b13716a34b31a6c7101e6052784120c5720e2e20c740c2dbf3602dd544562f2817923e1fa721f3
-
C:\Users\Admin\AppData\Roaming\default_hash.jsFilesize
136B
MD506a09bda9d5dd7dba611b2dd460d545e
SHA173946d0150e298464b8a55a107bb22be6368029c
SHA256c062646586359c92950920a9e5a51bcec73afeb863dc01337a88adadc789f05e
SHA512b104418ebc3eabf7a3d4aae3a23bdeea63d0118f56397e3763318397baa0b59ed5756a354a922c2c6206636ab761197e379e6fa5b4aa7cf2a60c24416a2ad459
-
C:\Users\Admin\AppData\Roaming\default_hash.jsFilesize
528B
MD5704b7256ef3bb022ea04ac869331a748
SHA1b7021f098a986f07b916d4ac8f32cfd4ff0373a7
SHA25604fbd58a50239383832d00971797a70f16c7e8780c0285befc699b66b02e3e78
SHA51271b4cf81a2ff0c1c5b91d8b7ecdda40d9044c72b0a964ddb4d43bb03fd5d410a983da8990f074d6c5226974d8d154d59921532f0f38daf4626e9306656656bd7
-
C:\Users\Admin\AppData\Roaming\diagnostics_na.pngFilesize
808B
MD5deb72596c68e9b6f16b59f5de8ff901c
SHA13e22a0f4eb128a7648711f8da091a5c46b3bdb60
SHA256b0c0d834193f54df5535625d9481f0539974537b1fe4c8951ef684114af33610
SHA51249de31a2e43816398998fbe69a183dcb51539eb8b842f164c0546e5289a4f37ffe9e77b7d1d9e361a1112957b14a356040bfd3d5aa96aaa8364b9780ca85a6f7
-
C:\Users\Admin\AppData\Roaming\diagnostics_na.pngFilesize
410B
MD51b509acbb124eda9d7a1f722941096cc
SHA19ed8ce338f74a57365546c4e112cc25564b7c971
SHA256b6eaa77c7f3cc6efa96fc6f7f555477d7ba9226206cc954212d52d2e2dd90ebc
SHA51261ec6ef8e4697456261b9d49b883f40a75f50f5c4c6bcdd4a88809724608fa6645803ec30b687b7d8a07eb6ff088e3eeb5bd46b55e0d916ad4a2fcaeec173d2f
-
C:\Users\Admin\AppData\Roaming\externalhelp.xsdFilesize
805B
MD54e78ba21399fe6c949c163ebc779bf60
SHA1d20b6e7d854a53394eb68d653b2eea32963fc96c
SHA256984afa83853bb983601491fc923fb957e523084c670745ee1d0ea6f6edfc5f6c
SHA51297f4440beabce2d6bb8783cd157ba3cab159dc6f0659a4315a65c4e1716350d2a03641465c1297ecd14332724d8ad2801f815667331dbd449cfa9765c2674b32
-
C:\Users\Admin\AppData\Roaming\f2.pngFilesize
1KB
MD5776bd82891e52f9430b3891103e8bd1c
SHA100a4de0a6fe8067fa41202f6312e1e85c0cf9126
SHA256a08812bfa0464d79d082d2e2ad8d2cc4aa2c941fd3deb2e8e0c5fd015d9901ec
SHA512d4f1adec624a79645d22c6c3901df2a91efa62399f4143384e47a5ab75fdd69a9373ef9cece6f51439fb2029782474f77ac18348e6c9f09848cdaf5cd73ae4cb
-
C:\Users\Admin\AppData\Roaming\f2.pngFilesize
1KB
MD54517d0c4dcc010004b44670274a99294
SHA17266f50e4fb28b881dbb4546e90ceed8259acf0b
SHA25673ebb47d85164fc1666f4fbd66cfec90fdd0154eca449cae10614f56a209f432
SHA512d85e1f8bdc46566656073310b6d58dc977feb3a18ebd5739716925ad97ab71776ca0e7144b7d74d662c32baf5a5b7e088bf76530affa9c223ee1781fc923d3a3
-
C:\Users\Admin\AppData\Roaming\f6.pngFilesize
1KB
MD5d22a8dd33f23c84c07902f656d27de60
SHA1b9bf1655ebb3738813fdd5132bb89a39173e580b
SHA256573619b3cb3cf6ebf2a675790a26a2c2dcf5218d99ef45036519fecccba77bcd
SHA5124789f9eea04ee23a5aed6d3da4b896220c72efabfca85996e581e25beee495069e70cde517605abd34b5065491bf0ae56f5194f46a87b9614752be3f5f65bebe
-
C:\Users\Admin\AppData\Roaming\f6.pngFilesize
1KB
MD5e1cc4228bf8efcffeab59fb645c9832c
SHA1a4994becf0cd8c5f2924e4365e064f1a34fbdfec
SHA2565ece16429710ff94c832ebac8eb48614e547fdd7d94067bc5ddd64367776b961
SHA5124ea6bf172a002bf51408bdb0d4e6ea096209512465d3772e022b4db911be8c699a024c0d9f7d6f1af9f9d25a401a8cbc34b45a9526c0390dc0ab990ff4f75e00
-
C:\Users\Admin\AppData\Roaming\file_sig_verification.pngFilesize
543B
MD51315745b828d02838c8f3a8954bfe1c7
SHA157fb2c41320bdee698d75b59fd7ce5b337deba93
SHA256738bb684c612de4553ea636325846acc0b8661659ad5495ae79d08a31997d184
SHA5126e30b24b345c2b4a70d6444799fc5e87fc489bbcf9038a551a7406e7f4ec5dce9c51a5a6b77241f5bf2a60af346b4ac36fa099306cc0050380a9adf4e094ec3c
-
C:\Users\Admin\AppData\Roaming\file_sig_verification.pngFilesize
955B
MD591031b74b714ccbc552e8b5e596e75eb
SHA10699ca79e4c60c49d94b11d0238ee0e255a51194
SHA2563042396935fa41b5671c4b4323a7263364db975f70c5e99222938dabdcf3efb9
SHA512818d1f2545fbe293e6d551b5794a8f157ab75b4690140142e5fd014ee69b86614b5ed3a9c5ee527ad370c970759bc3464b338f349e930a71ecb81cfdf2d7e95a
-
C:\Users\Admin\AppData\Roaming\hammer.pngFilesize
3KB
MD5ac484fe0bfd59e00631ff9651d7dec65
SHA10ff105a95028919f6d192b11c32c636adc7160e8
SHA25639a3e70707a3461478ed2b58a743f4aaee978b7f38c6e4b0d29751f7a4d4fb84
SHA51208850f7a2207f2bfb2af32a6b52ce012d7725790b609b06a0a31fa3b0aab731c905af8bfddf10471a6623e454ea269ff419f5d148ffc72ce2cdc58b92ab6ee9e
-
C:\Users\Admin\AppData\Roaming\hammer.pngFilesize
3KB
MD510566dd922ce3766715d5950adef767c
SHA181afeabcb35828f71bff053ab342983e5cbec847
SHA256d1cdcf57ae3fc07e2d51c74be1be3df32557b11eafdf5c78a2fdd77426ec46b1
SHA512dcd842aba0bd34a7cd44353e4a0c2ae04e3e382a24de43ba36b0f146ef10abd887d88141e8a7432080e1324578c1ede199201ecd09521a7615cf45d7c8d08a23
-
C:\Users\Admin\AppData\Roaming\html.cellpadding.xmlFilesize
1KB
MD53f1a1ae17d17d712b0260d3bc4639935
SHA1259124fb4fd23f2a4869a08eb029aca73ae77acf
SHA256912547a16d7e1d873417f1c5dceaf9a02bf79a7dbc173e6a8f2fdfa8d0fd170c
SHA5127a73b8344a76e81bcace4bff336a9da7c969d9468a447adff5759b1bc7e4f754665eeb30d9c775b06e4ae94f9d879efc6f4f52832731c1f4a9f46727a9eee52c
-
C:\Users\Admin\AppData\Roaming\html.cellpadding.xmlFilesize
983B
MD55b626b6f01e073a639410a00ba394414
SHA1c500c25c5976cc9b20c0bbb65a2869651dff50fd
SHA2564156be6502ba6daa517e5cff65e2792dd12e98f9ddcb439eda287080c461892c
SHA512a79ddfe1ec9085d42b0a1b6561a7a85b6d44880c893e0004060ed45e2bd1a16627c8cf1311e56ef81d4b61466015cda316cab7fadbab70075d7fa9a3e02f8849
-
C:\Users\Admin\AppData\Roaming\isoamsc.entFilesize
2KB
MD5da706f14a76714c7e9ad2590c264df8f
SHA1c85afb023638c54941dec1e0ccef2e54ed619725
SHA256d24f46dd70139e3eeaab2e3e24e15cd46a3e6a6f3b2cc207e528717bba9a37fd
SHA5128870f62ec63ad7bdf129d2e9c0ae133d240d001f5bb73ec50651df3651d3b57e4b5456d46cba8f2b9a833932c46a6348c0477b62becabc3612bc9b7222d2a5aa
-
C:\Users\Admin\AppData\Roaming\itemizedlist.properties.xmlFilesize
1KB
MD541e5c9ebfc019a38e094c4868c9a1b10
SHA188d34e80beab2e1b4e9ff8baa963e47ea35e53db
SHA256b515a1b4f21354daa641ca0794cffa1007731ac8a08df5ff39171d180373d000
SHA512bb2538e88341d456f9d66c8ca6f756139d23bfa0c0aa03a9b30612863124ee04839572dfeab99f142849525f95f83b2d6a22a7a1b619c252a781a43c8422a291
-
C:\Users\Admin\AppData\Roaming\libimalloc.dllFilesize
3KB
MD55a9d61592a64ed8d0df13ce430d3bf6a
SHA1d19862c6125595440865cb2b6049572902980101
SHA256fd135a296d34e7b707343d703e05fcefdf08bc2e3be6f554daf765a04710e1f1
SHA5127df008f55f6c3c7cdc862086264e2db571e19a9e6e198e8f7e9505984a7867ac63fb92d49f6c592ef1167e7e7e75f554756b1438d53c899a463c2a3fcc167688
-
C:\Users\Admin\AppData\Roaming\man.output.base.dir.xmlFilesize
1KB
MD5601499ed95bf6c937209ebbdae1b33ab
SHA13d0d6d945668498cce4f8d09d08920647fa08684
SHA256f808da08ad1b8e5ab75bcc7d8d2dcaf2fa51cdf47e693b212d2a893fe301d31c
SHA512eb3e95902d91c015f803270eed9046524a3943cff49845071ab90d99bb92b5f98a630153f1448da8466eabde7dc1693129a5f77ed15029a7c4f7ef68744743d7
-
C:\Users\Admin\AppData\Roaming\msconfig.pngFilesize
2KB
MD5ecbc5e3d8c0314a1671441ad66422581
SHA1356b6245df4dae2ec2d5312031438834171c94fb
SHA2564a9a8b1aa036980f933053221d996f69070c32410cd7467b7a8653c523ac7a43
SHA512c0b131bfbdcf6ece718e2b3b345327a2e9492e6bc3c3e8f63ee0d67c8ec32945971232df8e90bc617e32181e51899a1c67c74349aa44dd908a4a265523194964
-
C:\Users\Admin\AppData\Roaming\msconfig.pngFilesize
2KB
MD5a5256008f2bcc58048b0fe953ab2264d
SHA1c9b96b8dad778b744fed04e49e92b93dbda7e605
SHA256cea67b0d84f75d4acac0b067c5a46bc56cb77ec230565c165f9c45b9f51cada9
SHA512898658ded34281ab89342949bdbc8ad4f194b19b293a5a462600594d875c4e49ca794c0f91595dc8f86b6cbaf0467c790aa810b4f6dde666bfd3ce950df983b5
-
C:\Users\Admin\AppData\Roaming\no.next.image.xmlFilesize
901B
MD56a6b2829a4fe85a75e98d3a3fd9187a1
SHA157dce22eb765b7ca603ea680481145cdab969b08
SHA25650af1f6c515ba759e7ccd92c9bd7bd3e6535003a09024b3d5053df40600e7c27
SHA512231ad2c2781b58641710bafba0dc759f5f40e4f45bd34e5917b9a06e90fe72c825b054b06ea0417a36693652aad1bab28f056b60ef490416d2c12ea09bdec941
-
C:\Users\Admin\AppData\Roaming\pointer.pngFilesize
556B
MD52b99d906fd310712f4e5f94e99c023b7
SHA1746df05eee14cf531e41afb8c3092f9b64f7f4a5
SHA256c00708b8023dc2575bf60930161e099e723cb4c25146ecd1be8a1142c43fe540
SHA51230929817b511d3659592eec4324a3fbd09c7a5bcc617a89829b870da35f580f1734debf744acede528f571037514dc58b1852360614083843c0ab748905d981b
-
C:\Users\Admin\AppData\Roaming\pointer.pngFilesize
172B
MD5328d207b3e601381d79377b86409b71d
SHA10597db362867ca8801d079fcd5d6b8f35d5b5f74
SHA2568eb2920d9a36ecbc931f5992f88808f818c3c7a6c16119f30c34aaa9a3707b30
SHA512abb38613947cb751e03da36f474d3bc956203d6fdd9a6ef5e978e187866d638ae28c5048d0bad374f4574d4e9fe456995ba594d86f75d709833961d1a39ae7b4
-
C:\Users\Admin\AppData\Roaming\prev.svgFilesize
1KB
MD5d5e5cc502e3b6a10d8c0624758a5400b
SHA175591b459ef8a37b85949fdca298723d637e26a2
SHA256327ecfd3afe06fc4379baa3a47face1f09b64d92c2c57bea9257446781e50c0e
SHA512d5fbeca06b89fd395a6e1d3a56a9e897c2c912775365fde9131642d753b4795d6ade8a000db5be9a899e550d06d7cac7362b76378fb8395b442314f008be3c0a
-
C:\Users\Admin\AppData\Roaming\smartcard_reader.pngFilesize
4KB
MD58ad63bce5bbb3a69ffcc1cc5eb065cae
SHA1baff947cb368dddf86df3c74d89f44fe16f46872
SHA25638a51458fba9b2bbd6060d95c483959dd343453cf9e0cf970698236d4b58d23d
SHA512a1e70d333a929d99ee1368bb318e7d9d32d4f82e5d7cb867dc5c75a91be2da25f4fe02e42f2e2a64d3350bd8726d7cba0a80fd41cb148719da7d345deaa07f7b
-
C:\Users\Admin\AppData\Roaming\smartcard_reader.pngFilesize
4KB
MD549b7d0dc3d2ae0ba1d405e665954d15a
SHA14611c1a33041fa9d704078f9ad6927612e60a881
SHA2563381ad52a015d00e222032f6d18d70f1cc66114a540bb1ce82e9fd850ca6ad31
SHA51276e47c2ce710181b871814c5acd261f24979e5c7de0395a0b6a20ad0cc46843fd9381c9b04e786616ae6747cd05dec43c3bd6f02f726ccda9e0f32df6c4b4722
-
C:\Users\Admin\AppData\Roaming\tweakDiskCleanup_pt.p5pFilesize
95B
MD57d8b84bd6edbe7c4176f5fd20ec99b40
SHA18064e8a2f16fa0d6f1e4e56ab9fd5b169f9f7f57
SHA2567e6932c2bad825efae22c8723764b6ce1f897b28d0251ab25a2f490400d1a2a5
SHA512701ef1fc001a01f1cb81d2f18e3e60394a89b0024b14d5c4f1a6c263af2a3a7d58c1eb234cab51a8151baeb8fac061a45fa2a2a0d60f7b40de2e1571aa4d4a4c
-
C:\Users\Admin\AppData\Roaming\tweakNetworkingManual_es.p5pFilesize
1KB
MD5f815309cb6953d1a573e2bc721287053
SHA12e2284639a82b38fe6cb5d4e278ecdb4ce145370
SHA256cc0fe9c375dee9d1c548c506865cc086ab8914945156cb818db5d928622943fd
SHA512cc07f98f280ba81b32cc2490f3274aa60be379ba465cba3e15237396c8fc59cb41c12fad0135f8fbbacf232a5979782a8971d9008b934c936dd8f4d8f0ca98e0
-
C:\Users\Admin\AppData\Roaming\vcss.pngFilesize
1KB
MD535986567c8c46ef7fe2fd6f769f8eab3
SHA17110e627fe61db1e73bccc8ec7ec55ef6f410d99
SHA256c602e65680851b379c5e6aec9e528dfb98e42427fcacfc2462434e55d8bcc83d
SHA512a8bfe6a92cf4652ec6377ea583cd42248f8754af10ed10c4bcdcb27e3e2479f316dfae92080dfdfc5e3cda4b4ea9e83079e6bf0969c22f18204cc2242002e7df
-
C:\Users\Admin\AppData\Roaming\video_card.pngFilesize
3KB
MD58f76de212a59bcffc6613e3365cc9871
SHA15565c6f389b5c1ca190567b3d1055eba1be29ca6
SHA256c9b169107fca20ca721ad2dc03b065ae546093348ec5ebf9107b2c745f47cae1
SHA512571e12113723c076075cdceb1b9f6aaa9dc805b7700b1e624e0118a16d264f0c9b5c5b5414101fb2b80301112bbfddcbbbc0a4e960d7ba8107429b8666a96676
-
C:\Users\Admin\AppData\Roaming\video_card.pngFilesize
4KB
MD55fa443fc614ac8473b0e48a7b1000bf0
SHA1c403b8fe7ff7938a0cdcc9d12db803d5a87249e0
SHA2567009938e6809dce1c85b213313bb10d19714d53c50866b9e03437b3c9afb1dbd
SHA51277053557b732a02edb656ce2c85ffd732715517a8fc075571fc1f20b009d329d40294c54bcb40ed2d233e0748ffd92971724da1b14f5bad67d9936438871f64e
-
C:\Users\Admin\AppData\Roaming\yellow bl 4.ADOFilesize
524B
MD59f92ff064f3910a5199c60109ab20d42
SHA16949e2728d371d57d446c46d648a086849825656
SHA256586c1646484e700c6c80aa5f5031286119d97767f5cf7217758890439007738d
SHA512e48294ec60f229f9d59a5a251a0b9c2ab852a4b4c3c5b781476c5fb3844048c63fd91eb1866ebae956fbf4bfcb3bf950fb6ad4832f44b48bffd5415481553d7e
-
C:\Users\Admin\AppData\Roaming\{8999624C-A316-9EC4-C889-0544D5B59B99}\mountvol.exeFilesize
186KB
MD51e039f9770017f09225e58d7759b700a
SHA1fc1e83365f05fb98b4dc94833e430a7adc055bf5
SHA256f9ab2087217beb38c3ec3dc043aad739dac202dc422f44e49c0fb5ca6db26502
SHA512ebeb10678547b0eca642645a673e9e6309c3ba961e62d83aca95aff8a351a56c07544c92688681e58dbe66cc8e0812ab01c388d0b5e463d5c97d4ea038bf26e2
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.htmlFilesize
12KB
MD514b4e40a01dd72f4d96b112a74326585
SHA1477106ba46e4acfea5d5cf9d284722a048b1c5ff
SHA256617837727bc1019e215132986f0db588ff1b3427610bea1a5e7400702edb6f74
SHA512f41f92bcd6ede2a522838ef53d000e43d6409ee695963631f5d80996cb30f4dd3b3f355398a1c6100a44f48d2d3357f780c3350b05782dfa144f6e9dcffb357a
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.txtFilesize
10KB
MD56c39080c2b6ec41dfdfcf1b82fdd1746
SHA1624e89651562228ee361f03d61d26cb595248b11
SHA256b233e88fb1aa6dc25ac96910106391d7ef8c94cd0ef7be69f10e04b42cdbbce6
SHA5120b46b11280ea5547cac880472c5593a1673441198ff83ea0f39591b2e87660e7b2d265eded58109b0e4db080ecac037ee59c9558e80ea8166422e27ccaf3951b
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.urlFilesize
83B
MD5c521a62bc53ac991acb8b55c916a8abe
SHA16ba08d5f6631bc2984504503ee29cd5b5a142a82
SHA2569c1e0e4df7a81e501646da8ef0c8ec961aa89097a22fbb87f0129abc858618d0
SHA512606747ecb073c6e5764bc4237be5e3266ad60d20877cda5ded3892c171fa044c05e81d1edd5d6edee492e148e1ad5eb13b60989c1454b1760ce1d66f02293528
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.vbsFilesize
219B
MD535a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA2568ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA5126d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
memory/1592-48-0x0000000002270000-0x000000000227A000-memory.dmpFilesize
40KB
-
memory/2592-161-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-173-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-499-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-496-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-493-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-490-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-528-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-505-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-508-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-513-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-519-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-520-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-525-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-531-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-521-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-175-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-176-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-503-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-168-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-167-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-166-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-164-0x0000000003B20000-0x0000000003B21000-memory.dmpFilesize
4KB
-
memory/2592-162-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-160-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-612-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2592-589-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3616-56-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3616-55-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3616-69-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3616-54-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3616-53-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3616-51-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4004-155-0x00000000020B0000-0x00000000020BA000-memory.dmpFilesize
40KB