Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-05-2024 04:53

General

  • Target

    385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe

  • Size

    219KB

  • MD5

    385af1697f3c8dc280ca4eca303cd79a

  • SHA1

    d2696e30475c91cd6c0e8bb295191bf2729d2f9e

  • SHA256

    8628de0058b0a0a3fb0a68a6e62827e28d8b74a7a0cfed84764394692caefd92

  • SHA512

    63cebf1ebd346e8a4a460ac0d1ea586f8c648fada8bee3bf41e90e4c1dd80423a3dce063470722e5ef8092acf9987fd2bf34805a769df6231a9ab0cdbb760504

  • SSDEEP

    6144:8yAge9RrJpDsGwJWg3ZU0WbOwV1+Md2X2VsC:IJp1wZYBV1Ld2X2CC

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E
#########################################################################

Cannot you find the files you need?
Is the content of the files that you looked for not readable?

It is normal because the files' names, as well as the data in your files have been encrypted.

Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.

#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Rans0mware" has been removed from your computer.
#########################################################################

What is encryption?
-------------------

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.

To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

#########################################################################

Everything is clear for me but what should I do?
------------------------------------------------

The first step is reading these instructions to the end.

Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.

After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.

Finally it will be impossible to decrypt your files.

When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################

For your information the software to decrypt your files (as well as the private key provided together) are paid products.

After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

#########################################################################

There is a list of temporary addresses to go on your personal page below:
 _______________________________________________________________________
|                                                                       |
| 1. http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B        |
| 2. http://cerberhhyed5frqa.we34re.top/3210-4D0F-0A47-006D-F56B        |
| 3. http://cerberhhyed5frqa.cmr95i.top/3210-4D0F-0A47-006D-F56B        |
| 4. http://cerberhhyed5frqa.45gf4t.win/3210-4D0F-0A47-006D-F56B        |
| 5. http://cerberhhyed5frqa.lfotp5.top/3210-4D0F-0A47-006D-F56B        |
|_______________________________________________________________________|

#########################################################################

What should you do with these addresses?
----------------------------------------

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

#########################################################################

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.

Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address
 ________________________________________________________
|                                                        |
| http://cerberhhyed5frqa.onion/3210-4D0F-0A47-006D-F56B |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

#########################################################################

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only.

The instructions are made in two file formats - HTML and TXT for your convenience.

Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.

The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

#########################################################################

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.

The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.

Together we make the Internet a better and safer place.

#########################################################################

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

#########################################################################

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B

http://cerberhhyed5frqa.we34re.top/3210-4D0F-0A47-006D-F56B

http://cerberhhyed5frqa.cmr95i.top/3210-4D0F-0A47-006D-F56B

http://cerberhhyed5frqa.45gf4t.win/3210-4D0F-0A47-006D-F56B

http://cerberhhyed5frqa.lfotp5.top/3210-4D0F-0A47-006D-F56B

http://cerberhhyed5frqa.onion/3210-4D0F-0A47-006D-F56B

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> 
<p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software 
package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B" target="_blank">http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B</a></li> <li><a href="http://cerberhhyed5frqa.we34re.top/3210-4D0F-0A47-006D-F56B" target="_blank">http://cerberhhyed5frqa.we34re.top/3210-4D0F-0A47-006D-F56B</a></li> <li><a href="http://cerberhhyed5frqa.cmr95i.top/3210-4D0F-0A47-006D-F56B" target="_blank">http://cerberhhyed5frqa.cmr95i.top/3210-4D0F-0A47-006D-F56B</a></li> <li><a href="http://cerberhhyed5frqa.45gf4t.win/3210-4D0F-0A47-006D-F56B" target="_blank">http://cerberhhyed5frqa.45gf4t.win/3210-4D0F-0A47-006D-F56B</a></li> <li><a href="http://cerberhhyed5frqa.lfotp5.top/3210-4D0F-0A47-006D-F56B" target="_blank">http://cerberhhyed5frqa.lfotp5.top/3210-4D0F-0A47-006D-F56B</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B" target="_blank">http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared 
menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B" target="_blank">http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B" target="_blank">http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the 
address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/3210-4D0F-0A47-006D-F56B</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you 
can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>
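The two notes above carry this sample's network IOCs: five clearnet URLs whose first DNS label equals the name of the Tor hidden service (the ".onion" address), so each is a Tor2web-style gateway to the same payment site, and all six URLs end in the same victim identifier. The script below is an added example, not part of the sandbox report or of the malware, that pulls those indicators out of a note body and checks that they agree with each other. The note text is a constructed excerpt of the TXT note as reproduced on this page; the "gateway" versus "hidden service" split and the victim-ID pattern (five groups of four hex digits) are this example's own assumptions, drawn from the addresses shown.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: an excerpt of the "# DECRYPT MY FILES #.txt" note as reproduced
# in this report (hosts and victim ID are the page's; line layout is simplified).
SAMPLE_NOTE = """
There is a list of temporary addresses to go on your personal page below:
| 1. http://cerberhhyed5frqa.cneo59.win/3210-4D0F-0A47-006D-F56B |
| 2. http://cerberhhyed5frqa.we34re.top/3210-4D0F-0A47-006D-F56B |
| 3. http://cerberhhyed5frqa.cmr95i.top/3210-4D0F-0A47-006D-F56B |
| 4. http://cerberhhyed5frqa.45gf4t.win/3210-4D0F-0A47-006D-F56B |
| 5. http://cerberhhyed5frqa.lfotp5.top/3210-4D0F-0A47-006D-F56B |
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en
8. type or copy the address
| http://cerberhhyed5frqa.onion/3210-4D0F-0A47-006D-F56B |
in this browser address bar;
"""

# Any http(s) URL; trailing prose punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9\-._~/]*)?")
# Assumed victim-ID shape, taken from the addresses in the note: five groups of four hex digits.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})/?$")


def extract_iocs(note: str) -> dict:
    """Return payment URLs, victim IDs and gateway domains found in a ransom note body."""
    urls = []
    for m in URL_RE.finditer(note):
        u = m.group(0).rstrip(".,;)")
        if u not in urls:                 # keep first-seen order, drop repeats
            urls.append(u)

    gateway_urls, onion_urls, other_urls = [], [], []
    victim_ids, gateway_domains, service_labels = set(), [], set()
    for u in urls:
        parts = urlsplit(u)
        host = (parts.hostname or "").lower()
        m = VICTIM_ID_RE.match(parts.path)
        if not m:
            other_urls.append(u)          # e.g. the Tor Project download link
            continue
        victim_ids.add(m.group(1))
        label, _, rest = host.partition(".")
        service_labels.add(label)         # hidden-service name reused as the first DNS label
        if host.endswith(".onion"):
            onion_urls.append(u)
        else:
            # <onion label>.<gateway domain>: a Tor2web-style proxy to the hidden service.
            gateway_urls.append(u)
            if rest not in gateway_domains:
                gateway_domains.append(rest)

    onion_hosts = [urlsplit(u).hostname for u in onion_urls]
    return {
        "victim_ids": sorted(victim_ids),
        "onion_urls": onion_urls,
        "gateway_urls": gateway_urls,
        "gateway_domains": gateway_domains,
        "other_urls": other_urls,
        "hidden_service": onion_hosts[0] if onion_hosts else None,
        # True when every URL fronts the same hidden service and carries the same victim ID.
        "gateway_consistent": len(service_labels) == 1 and len(victim_ids) == 1,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

The gateway domains are the short-lived part of the infrastructure (the note itself says the clearnet sites are "temporary"), so block and hunt on the hidden-service label and the victim-ID path shape rather than on any single registered domain.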

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

  • Contacts a large (2053) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber this is expected behaviour rather than a scan of the victim network: the family sprays UDP check-in packets at whole public IP ranges hard-coded in its configuration, which is what produces a host count this large, and the pattern is itself a useful attribution signal.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. In a ransomware sample this signature normally fires because the encryption routine walks the browser profile directories under the user's AppData like any other data folder; treat it as file encryption, not credential theft, unless exfiltration of that data is also observed.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services; for Cerber it is the same UDP spray to hard-coded IP ranges that accounts for the remote host count above.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe
        "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe
          "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2776
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:537601 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:700
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:108
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:1680
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "dfrgui.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe" > NUL
            5⤵
            PID:1564
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "dfrgui.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1292
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe" > NUL
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:404
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2980
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1980
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {138235F5-9577-4F22-9CB8-37630E465D31} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe
      C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe
        C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:380
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2116
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2532
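The process tree above shows three behaviours worth turning into process-creation detections: the dropped copy running from a GUID-named folder under AppData\Roaming with a Windows utility's name (dfrgui.exe), the ransom notes being opened through iexplore.exe, NOTEPAD.EXE and WScript.exe, and the two cmd.exe "taskkill & ping & del" chains that remove the original sample and, later, the dropped copy. The Python below is an added example, not part of the sandbox report or of any vendor's rule set, that runs those three checks over a constructed batch of process events modelled on this tree (PIDs, image paths and command lines are taken from the page; the parent PID of the first process and the flat record shape, roughly Sysmon event 1 or Security 4688, are assumptions).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed Sysmon EID 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events, modelled on the process tree in this report.
# Parent PID 1000 for the first process is assumed (an explorer.exe stand-in).
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
_DROPPED = r"C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\dfrgui.exe"
EVENTS = [
    ProcEvent(2348, 1000, _SAMPLE, f'"{_SAMPLE}"'),
    ProcEvent(2052, 2696, _DROPPED, f'"{_DROPPED}"'),
    ProcEvent(2212, 2052, _DROPPED, f'"{_DROPPED}"'),
    ProcEvent(856, 2212, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html'),
    ProcEvent(108, 2212, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt'),
    ProcEvent(1680, 2212, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"'),
    ProcEvent(1564, 2212, r"C:\Windows\system32\cmd.exe",
              f'/d /c taskkill /t /f /im "dfrgui.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "{_DROPPED}" > NUL'),
    ProcEvent(404, 2696, r"C:\Windows\SysWOW64\cmd.exe",
              f'/d /c taskkill /t /f /im "385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe" > NUL '
              f'& ping -n 1 127.0.0.1 > NUL & del "{_SAMPLE}" > NUL'),
    ProcEvent(2964, 1564, r"C:\Windows\system32\PING.EXE", "ping -n 1 127.0.0.1"),
]

# "taskkill <image> ... ping 127.0.0.1 (as a sleep) ... del <path>" in one cmd.exe invocation.
SELF_DELETE_RE = re.compile(
    r'taskkill\s+/t\s+/f\s+/im\s+"(?P<killed>[^"]+)".*?'
    r'ping\s+-n\s+\d+\s+127\.0\.0\.1.*?'
    r'\bdel\s+"(?P<deleted>[^"]+)"', re.IGNORECASE)
# An executable launched from %APPDATA%\{GUID}\, the drop location seen in this report.
APPDATA_GUID_EXE_RE = re.compile(
    r'\\AppData\\Roaming\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\[^\\]+\.exe$',
    re.IGNORECASE)
NOTE_VIEWERS = {"iexplore.exe", "notepad.exe", "wscript.exe"}
NOTE_NAME = "# DECRYPT MY FILES #"


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect_self_delete(ev: ProcEvent):
    """Return (killed image, deleted path) for a cmd.exe self-removal chain, else None."""
    if _basename(ev.image) != "cmd.exe":
        return None
    m = SELF_DELETE_RE.search(ev.cmdline)
    if not m:
        return None
    killed, deleted = m.group("killed"), m.group("deleted")
    # Only a self-removal when the process being killed is the file being deleted.
    if _basename(deleted) != killed.lower():
        return None
    return killed, deleted


def detect_appdata_guid_exe(ev: ProcEvent) -> bool:
    return APPDATA_GUID_EXE_RE.search(ev.image) is not None


def detect_note_launch(ev: ProcEvent) -> bool:
    return _basename(ev.image) in NOTE_VIEWERS and NOTE_NAME in ev.cmdline


def scan(events):
    """Run every rule over every event; returns (pid, rule name, detail) triples."""
    hits = []
    for ev in events:
        sd = detect_self_delete(ev)
        if sd:
            hits.append((ev.pid, "self_delete_chain", sd[1]))
        if detect_appdata_guid_exe(ev):
            hits.append((ev.pid, "exe_from_appdata_guid_dir", ev.image))
        if detect_note_launch(ev):
            hits.append((ev.pid, "ransom_note_displayed", ev.cmdline))
    return hits


def summarize(hits):
    """Group hit PIDs by rule, preserving event order."""
    by_rule = defaultdict(list)
    for pid, rule, _ in hits:
        by_rule[rule].append(pid)
    return dict(by_rule)


if __name__ == "__main__":
    for pid, rule, detail in scan(EVENTS):
        print(f"{pid:>5}  {rule:<26} {detail}")
```

The self-delete rule deliberately requires the killed image name and the deleted file name to agree; a generic "cmd.exe with taskkill and del" rule fires on ordinary installers and uninstall scripts, whereas a process that kills and deletes itself after a one-packet ping delay is the pattern this sample shows twice.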

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is how many of the signatures above map to it.

  • Persistence
    T1547 Boot or Logon Autostart Execution (2)
    T1547.001 Registry Run Keys / Startup Folder (2)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (2)
    T1547.001 Registry Run Keys / Startup Folder (2)
  • Defense Evasion
    T1112 Modify Registry (4)
  • Credential Access
    T1552 Unsecured Credentials (1)
    T1552.001 Credentials In Files (1)
  • Discovery
    T1046 Network Service Discovery (2)
    T1082 System Information Discovery (2)
    T1018 Remote System Discovery (1)
  • Collection
    T1005 Data from Local System (1)
  • Impact
    T1491 Defacement (1)


Downloads

          • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
            Filesize

            231B

            MD5

            9d8c4bfbd009c4d6001e2125abaa8b02

            SHA1

            cd040558172b5fca5b200447a281843956243741

            SHA256

            a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

            SHA512

            c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

          • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html
            Filesize

            12KB

            MD5

            aa2a70a48ee41939cededf7c057e68b1

            SHA1

            d4efc92bd20fd6452be99de1cf1cc4ea28dd28ca

            SHA256

            e77a1734594e500ccde44c576ac1a38dd0e459493aef72fabedbab43e1e36311

            SHA512

            4130e034c9df3686790f0fc8041f894bb7f0bba5fc9d9cc00acd8f5ce146000aac863864e0470011d63a67d4d86c7100843965fd0dcc5bb8e59e5f6a6b22f8ae

          • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.txt
            Filesize

            10KB

            MD5

            9d2592aa387b9e528fa5bc3cada19dc5

            SHA1

            602d9dc3fb96e74520e085c4c091e27c254705ac

            SHA256

            f10e2df850c4116a2cb69b0d6ababe2e97617cecdc8fe3af3dd076e20c883e15

            SHA512

            0075a55201c7613f34a0ba363ec724d0cdbf8edfe286be373d0eadea86241740892c02dc85ce40a422852d5e004b725aff463e4669d3d6d92092e0bff786549e

          • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.url
            Filesize

            90B

            MD5

            a60b0956c30ad36b7b0572b364b5664c

            SHA1

            2ee826432eae3eaa7715600bddb76e815c1b94a2

            SHA256

            4e412ea3d3b96e5b519e9664a9972e5f943519b53001d84d515f3cf8a81ea72f

            SHA512

            30d13319be8953293cd7bbe742d95d97572281ca752cbe4bd2f2bf124fb51012d9a110c08e59a4147ab59e9394d990be320d630a82be3ff138f48e0c2a8f77f9

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            3ce48150e282db3687586c754be99758

            SHA1

            ddb73612e3e7fb9673d644a881935cfa6246bcab

            SHA256

            62dea98e68edfc2a679049a55aa6e67803181689ceca72d452fd9f5fe7c4d8b6

            SHA512

            300cc3efa53cfd97e2b4b7d344c3de7580328bb4da7310288704aeebdcdb530923728aaa6266fd0071f448117ceeece02f553f2fc3da7dc909af2c9036d10a21

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            b52eace95c7739020dade77562f0d48e

            SHA1

            812e557e01951fcc8304b44e5a4e01fb9c2321b1

            SHA256

            84322ad0f425533b58429ab45afb4487e8eb41e13fb9392797cbb8c0fd9f4b55

            SHA512

            b1ed6f1ab5c9c7369248a1ed06eab6a7e1d0e24c0682d14b4943f8d01242475600cf309af3c7281067d9d6924b7623b4b6e82045ba7a5a9570e1049168e37beb

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            75770b16387db520539200db3caa04d0

            SHA1

            a26251e9a8ae19e18d711bf2d017a272c517f003

            SHA256

            528fdba572a5697b7fd8808566d621bc1110b7a9ecd41bd84a956a1f45e39827

            SHA512

            3a65ef53974907058bfcaf88840a869180ec3cbdd2c18ac0df3c43008d0c33edc2e3a6c7f07946e06b13a5b24a6b6fd16556f67cfd7eac223fb18fc9ad570cfa

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            23d0eca060d3c9ab975961437c03747b

            SHA1

            a123be15d28e08f088ab3ee516b83f9b13576e05

            SHA256

            e1d6992d857c594d0d54699b49dea47bbfb1a5ca8e1bdd33c6e9887f4b636814

            SHA512

            58745e9d1f0e2b203fc1be33b49daf8c467bf947c4a250b939c98ffa6bb5716fb3084447ece1a90afe7c65a7eb2114c7431ea3b193ae00611af23b9b8fe82fb5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            6e855b1f17cbab138eb301eb616c4a7a

            SHA1

            19d675283eecd96be737ff82e64963cf190828ce

            SHA256

            e47bd9fc5aa70b0187edf922da83201beafe11a73517d12de4a9dea4db87c4bd

            SHA512

            88dc7fe3d64a98f5ec27988f1e48c535e64febeef51704f3bf22286cda27a6f012ab07e4afbe3a8fa88b497bee57e03f19b26e71cba79ebc6aaba4765459ffae

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            4bf55dbd2fbdd1af752d614002975557

            SHA1

            1caee7e356bbc5867c9235498dc68a1cc953af77

            SHA256

            fac5f643221232993c2b861726a115195ec4b6fa76b8b3a6f4deb04a5e4cffca

            SHA512

            b38314077bcbb61d7a68ad61a6ca7f4151cc6c6007937b091f96a2551a8d190b036f93ee742fdbd4f7d86c512743e822973cbd08787231e9839babd7363da969

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            36ee82f40f9ce1efe65cd64d00fe9a39

            SHA1

            91b213af0c9f1ad3ff89f807fb48c27bfcf410d6

            SHA256

            e38a7a69ed31d85e27489769fb09567d5f9928c88ac69c9b37e6ff8a7e39bbb9

            SHA512

            65c771bcc3c79c8c4cec7e41e51e221d085ecdc0408f9b2e7ff54eaeefe6c308469fc97d7905c4debf90a719b22e7f81b5b480ef21cfcfae96a74c27ea384ffb

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            a5d9c926242ed0f75953e972619b25a2

            SHA1

            b837f17e456434ccaa6c039479148cf687bf6050

            SHA256

            88142b48e1e1cc0b9fa6018d585b09f1084db176a026d2ad299afcbff07600df

            SHA512

            ff27fa551d565d5f5a029685db09f0e6bb6f5461bd8cfab95b676107cdb6c336dd3107668635f3cb9e5973043059af5396e03c4f58dd0fd10fe0df3f2ea25961

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            1693cbfecc7e1fbebb04ab2ea209fac4

            SHA1

            afaae2a43c6477086047b7b867a17e67a6be735a

            SHA256

            417d64337a883006e70f00a2c68cb6be7b84cdfa5a27085303b615637b57b400

            SHA512

            8f6259f08a7942ae302c4d0d9c2bfe75e57d92515f1fc22af65229b4918f7c755b14aa4875e95c9252d8c3b7b257dc53f349fdf8a9a5bb32db7c5ae9553d9796

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            2b6dc4df007adca67f6f72195276431b

            SHA1

            84871ae92ce7fd2878f0cc18e70babc45839162b

            SHA256

            2429073fff53d4c83623db55fdeaac7e0477f7146248b93a989f2b1c3528d214

            SHA512

            f839f0f44cf1336f94f5edd027ad62e2e3ee50099895f061a3b99b1862c715e44440d0c65495c83ba1bd17a0b56f83d21b0f6cb4a224561ab36f70fcbb5e5a67

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            9586b90e7cd9475df6213561a46b0c5c

            SHA1

            41ecd00dbb9c02b8e563bc7e30b57c004862be67

            SHA256

            960323081d183d1226cfae97daefac6c7274fda5e2af58b7a3600c3bfaf9b88a

            SHA512

            420252f31349842bd47ef209e387b6c272e58c1f4abc0dca61e7f477b72df6db16a8a6fd382f0799e8119bb76f320d33a2162cfd6249faae82965f8bf09c99ab

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            67d12fca1761794d8ddf75c3f10c6edd

            SHA1

            9256384250dc102bf50a0e4719b092db08566ee9

            SHA256

            19417ea685a0e86b620af07b9967ed3b428191e0472b425849c70657bd00dc68

            SHA512

            b20259edecea66a5e7d3ad7afc611db8c1226d9fa75746ace082d16f8f841c8f27027da49a2c59a2247a50c26b6a4103f2cfcb8f826a153cf427b489f96584b9

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            50b67271a575fd665839142545b1f11d

            SHA1

            ef797e8242a6209f4790bd6fdf92d1f19b7b3c81

            SHA256

            caaa829099ab107ff5cd39537c6eb25a7257b1fc9ffde880137ff506ffc7eb0e

            SHA512

            2f21e655ab169cf3abeddd99d39f93056e6aee15938da36b318cc8270cdf4b2552234b89e7739d0bc418cc9ffbda4da66dd8ad83c3400e443565ba6ef22d6dc1

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            c421a17194577df56078eb7e234e4325

            SHA1

            84406cd6828849a673bb7f40ad13169dda3f85b6

            SHA256

            e17604bfabe30daba7207e628f4500a92646fe5b91a06cb2b1ffed5d3c8bb4da

            SHA512

            49f8706f29793c42d1bfcc4ee0acb5d2b166703342865d7a20f0825ab6eaf6188d785081f502e908ce63ff5c74ab9f3a251413066f0195103e76966ad09daa7d

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            307e2c9fb7e95ddbeb0b3891df2cdbf6

            SHA1

            ca1b26ffa79d1972bafdbb108929124f05858f4c

            SHA256

            04d71bb1e2a9f377705f476f46358ed61068b5c46d99a2daa7d82fe830c2c224

            SHA512

            142b272cd4cec8cf421339ab271ad368be4d46d27cf1f6ef59812d3ada714f673c13a46cc78efa153aa14b38b593905451ad8bc82f44b784b6dd1bde2c7078ff

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            83572af116289d9b5c2f2f0c5ca4ac58

            SHA1

            7d3288f59eff5c85d331fb9f27aa3941e289eecc

            SHA256

            e8eca8eab6726b459d3fb141d5358ad5f1d49fdc56e5e3b7ec172d4e7d24c006

            SHA512

            109571605fd069786b9d8d1f88237cc14136d3dc0d7badc22a607453fdf7bf43a0699249cb2add7ed24fbf6acb37b7da2955f3b544df7b74e89f142a2fe91b43

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            8eaa009061d68f4f021389f6e61f1b1d

            SHA1

            03747f9b40dd31862992aa4e8ebd83e986ad6dec

            SHA256

            2e6b576c0a69cbb1c36f1b760f5ebb9c4e9832da42588a72e412377b4f66bbce

            SHA512

            098eeeb95207e4bf56cb9f0e784181f5c4f58c323155c0515928660b00859641e63e9da9bdd6a267413ff616adf0f03bb6a0dd905d3014f83997efa8707e0258

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            303040e84f8205367676976c1987c025

            SHA1

            e224c36751c92db692a22fdf83ff7b35c5d035f9

            SHA256

            c3752e6e356a10d5270f3f39dcc9386b30ac72ab3fda87d05daa5c774341321a

            SHA512

            e645e74831343a377a85fbc04afd59fc652aad0e20f7e72e91323d0df0cf1d81a506baddf05d907bb19bf48ad7ad7080982dd54814bdb425dfa3f21bfbfc05d3

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            69b5087f773729c0ae47255312e24cfb

            SHA1

            bdff015d737ceb7ecf2ef54253ee6db7aea0c0c0

            SHA256

            3665568b17a23a8f2b2268b6141a7669a28f1bd5de5b09f8a77fda0c647c2652

            SHA512

            1e1d1063027dc7bc970f5ec10f858b30b7f2fb9f7ae7906fbae687e65d31ac7bf6fcc7578f9fa106a2dc197e83fe22606152d0f2006d438f58731b2275d113b0

          • C:\Users\Admin\AppData\Local\Temp\Cab5DBD.tmp
            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\Cab5E7A.tmp
            Filesize

            68KB

            MD5

            29f65ba8e88c063813cc50a4ea544e93

            SHA1

            05a7040d5c127e68c25d81cc51271ffb8bef3568

            SHA256

            1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

            SHA512

            e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          • C:\Users\Admin\AppData\Local\Temp\Tar5E8F.tmp
            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          • C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05012015040015.xml
            Filesize

            922B

            MD5

            2441eb89ca0fdf56ee7b248574cdcc34

            SHA1

            1996c906f2525d15333b0bbb516c8ec8ac53c537

            SHA256

            618b5228301b0ba1898110336137e8668e56392249356adc5d8643dbc7e5ee48

            SHA512

            ff19f6a29511b7adb1261808a0cfa3466d5b50ef2c03755cb5e0db054a2345cb87f298affd8822bf19e294030c3c9734fe861af9d1e5702f7dc6af717cc09a83

          • C:\Users\Admin\AppData\Roaming\401-5.htm
            Filesize

            1KB

            MD5

            431b67e464486add8912ba19ba8dba03

            SHA1

            1e19d1844548c0aed8d9723dca02de0e500e7f4c

            SHA256

            a8b19979f9011710e1a839690d109188eba8d4ba9890efcb1333b056bf0f831f

            SHA512

            b2fc415ad7255f24a06c1f345edff3bb2059b4328f2a7f5cf78e6592baa59aaa88af7b0da533e0a59b4b58761b5bba07d7c0ee9cdec31af0df20e1fb28e3d9ff

          • C:\Users\Admin\AppData\Roaming\7.png
            Filesize

            344B

            MD5

            0def94f52c5e45256232320aaffeb1ce

            SHA1

            81508ec66d4305d2f291c666943fa19629fa67f3

            SHA256

            959986b33f56465e2acfe85004c168e0c0988b69ec726bf7f18f0936dacefa1f

            SHA512

            3400a02c438896d2a76b8e4c42e875b93d5806f9d8ebab0d9650359e89db8a891b873ec988031a08eadc3e686251cb5bfae5b59aff4e5105bb8a53e888b97f09

          • C:\Users\Admin\AppData\Roaming\ActionInfo.java
            Filesize

            1KB

            MD5

            81fa79dfd944fc960b1a93e7e242d13b

            SHA1

            5e1534edda93c74c30e2bd1b07adcd992f70b1b1

            SHA256

            d52f3713b6bb99d5a124f352654ea06e6856d521b354b75b8662babf4f2bae9b

            SHA512

            36b3752c5526dd38f933cd5d430493ebe60779c1dd39076e5fd137d82dd750be95a4e0a01d2bb318df174cb710ed5e8694274330052d11fc638d149844612836

          • C:\Users\Admin\AppData\Roaming\Adobe-CNS1-3
            Filesize

            4KB

            MD5

            02fc9c141c7fe565396ee5479e0206e4

            SHA1

            94f8be8f0a8f5245155686c37a78b83ba51d6984

            SHA256

            dd0a8f1fe12bdab4387ac528e12244ee68bb6d098548e31e84343e8660b9ba2d

            SHA512

            0ca311a23f55ba2c4eefedf7a2280257113ed77c3dd7a7d6c4d04c4e1a51de6c3596c4cc8bce413f3799e3f279ae31b402ca26de24584fa97060e0a6fa24a307

          • C:\Users\Admin\AppData\Roaming\Ageratum.w
            Filesize

            3KB

            MD5

            5371876aab8792b1544810e4fe347e29

            SHA1

            aadca4c0bac0f576417caaced7411aabeb5e1098

            SHA256

            6e7aac54de5f4c11d067a1887718a5f447ad0e07c19d1aae375d8c4c716dbb49

            SHA512

            7e770d02a7da88bf4217f8151f0bc23bca1578d6571a4fd98eead453e54f5a420a76644a47c13726e0caaa7961aa0400f3f936570afd072f795197165ef787b9

          • C:\Users\Admin\AppData\Roaming\BCY green 2.ADO
            Filesize

            524B

            MD5

            c5db28a2e96c21437f165c6383197907

            SHA1

            291fd6e83f7bb84ca7867cfeb0fd09ce1b8d4d03

            SHA256

            533cd7262b177c70e80265298c1956d86bf49bc7936d8817b218abbe8f28fafd

            SHA512

            714fb27977897bf8026bdae465a207d35aec54237d4accfaec65cd2362aecae410e3e4bdb09b568b029a96e6534e63e3569b83b40b52e4a3dd1e5ca2cf79e83b

          • C:\Users\Admin\AppData\Roaming\Beulah
            Filesize

            1KB

            MD5

            fda30c89aa9032581be7773555f5f229

            SHA1

            5ac7b7c48758a2296087b8f4ee70f4c3862ea196

            SHA256

            39407407857aeb373c6e155471c142032afe983ad2cfdb09bc41d01cecbac875

            SHA512

            fa40491bb31ffaf99b751120cdb7487d143cd9d00025bbd187b9e8359bc75bf91e3f3881284b9dc1b763345c98648c42c059bc3ffe6a859e9c1420811b1b76bd

          • C:\Users\Admin\AppData\Roaming\BlackRectangle.bmp
            Filesize

            4KB

            MD5

            a59552f1c776a3745ca8391aff8bcca6

            SHA1

            be8e062d1fec7eed2ab33177019069798fde07ff

            SHA256

            4adb9b44ae64eee08d87750ba2cd2ddb1e88da5ff7e90c63d813755d73a92005

            SHA512

            1ee933756e08f71219753f5921ccbc8c307541ce4bfc15a654cbea075d7c28071b627779cec9d2146d8263e37dc8005bd333275058dc0de9a62c74391bd24595

          • C:\Users\Admin\AppData\Roaming\Boise
            Filesize

            1KB

            MD5

            46866a49bb80f05024b94dfaf49d6af8

            SHA1

            b8b759cddda32c7eee8d8d76b9a3e6cfcaaf9b05

            SHA256

            1cc8d2f24ecfc2b71857ff973f8a17ec2eeed7495dd3db02f6d5f1b7c4deb528

            SHA512

            d42ad553e700f6b88411909ca241a8db3b2f5e1f38056fd2b5a873b192bbd6e437bb81c8500d2e44fdf564f11568247f186154564abf3a549bed1a7a112f9f2a

          • C:\Users\Admin\AppData\Roaming\CNS2-V
            Filesize

            2KB

            MD5

            68ba9ca1e541c73104daf446938e5583

            SHA1

            9d863f17dfbe0e7ac172fddbcc5fde8e636d49ef

            SHA256

            d6a643978fd39cf31494da165c80d655de92565c834af7457cd2828fe7548a09

            SHA512

            023cad6108ad3d505f8d9ca340f004bee44f74817a43cc94a6c316fdbc1346b3af9a16c887af55cb6942370e84df4ebdeadd8fa8b4e335a2365f41cd4c1ed525

          • C:\Users\Admin\AppData\Roaming\Efate
            Filesize

            233B

            MD5

            a1e91923c47567f6a6e8b4759efbdce8

            SHA1

            96472c46cc0d85901b0612b27e6ed1b927310534

            SHA256

            3947884f27876aba39f268da374a8aadffe79eb7068e85c1d244487294e132ec

            SHA512

            26cf0f0e925b4da8f49fea549c95d171e2c771057c52948679efd17ec821bc1e7774cf78ca08dcc60adf2cb449da67526f6077f0b0f582ab5126f5a743729e13

          • C:\Users\Admin\AppData\Roaming\Ext-RKSJ-V
            Filesize

            3KB

            MD5

            5f801547f79019d60fc68319b1f049b4

            SHA1

            4d525d254adbe2187b4543c5c92d5c01a61885cc

            SHA256

            90e9fc4efe897e08e4a6182c4a077e3303ca0c132ac2199ce1a5473ba91b3205

            SHA512

            f49a801bb62c22f95d4e52ee74fdd1dab2020839c5c10c21afbd0a9b9f1a7b6e34ba026ea5b9f504f60af3feb1e2a6c5cdfa2d926addd4b65ffdd01708f3b6d2

          • C:\Users\Admin\AppData\Roaming\F12Tools.dll.mui
            Filesize

            2KB

            MD5

            ee7b146f2e7dd525a519b77c617f1a30

            SHA1

            9761632a0e9c74917669895f2536ca7e6a4082bb

            SHA256

            532761d95d20bade147724a8110498bea8b3077d7aee3ff6e0a66dd696cd33d1

            SHA512

            be584489f35112da28beaf8a5bcaae856c763bc955825bed50b076cc4a0a720af3dcc232ab042560e93b9c958d41348803ed06256a35ab710e7157066c889e4a

          • C:\Users\Admin\AppData\Roaming\GIF 64 No Dither.irs
            Filesize

            1KB

            MD5

            93492f31a35fde6cf46abccebe02f0a8

            SHA1

            cec19520f626e32de64c1f38ffc94162b32e5069

            SHA256

            fd24cac9a45bd8a98bcb3d31a9716357b2b43f75febeb1713889939116241f0d

            SHA512

            23f4576203810c9dce0dd75ba9fdee285c4a84da8c85eac0a8ab8f5500a923288fe9e1ad7e0be3e70621df7bfe48c6836f0275ef23094028dfa78ffb6fdeec05

          • C:\Users\Admin\AppData\Roaming\Gambier
            Filesize

            65B

            MD5

            18eac4b6b7149274ea66f02c467fe5fe

            SHA1

            f2b9fff005feb2f8d573833552c62465316fce03

            SHA256

            096be05f33b3bade8093bb35977c4c19d3fed290da514747ed03cef359170315

            SHA512

            f02a26cb37eca5da6a28ef02d7003fa73509c92233ed5510c350a33a025c21b00eb9b1ea5ad847f24bbee7c64e580de3b8a71c1884090e65e91e6b9e1d134c20

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dfrgui.lnk
            Filesize

            1KB

            MD5

            ee204432198bb0a9b4bf37b41a084e87

            SHA1

            3393ed6cf49bc6ffe8ca68c99e2989794ea5c9ff

            SHA256

            46489d40920c3fb4d1413cab344bb7351da999b4029bd8a33e2536148a4493c4

            SHA512

            93b40a2aeffbec5fc660a7528296e99985868901a68de7c31cf8a07c8384499a014e4cd5fafc88e002f2bdef448f56338daf8c9a81c7286c1aa22901fb26facf

          • C:\Users\Admin\AppData\Roaming\alien.jpg
            Filesize

            1KB

            MD5

            4190e588c160ac5b36f115af7444523f

            SHA1

            f688118564de21f505c00d6aa7a4d33d8f6c748c

            SHA256

            08ee68e1658706664de60264f8d5ed5e589a47fa98c6f672ec221be7a22edb58

            SHA512

            a99cdf25224abb8002f1fb9b649d608d54003fe2570fda5c3139291839fe0f9f4f57043e81face78f66d26bdc84534604c9255d4c8de1f23e3f8c8b51ccf008d

          • C:\Users\Admin\AppData\Roaming\annotations.xsl
            Filesize

            698B

            MD5

            5e12d213c51e81583c3396448e65a451

            SHA1

            73610d7d9e52526d65ba6626922a40a3c8225732

            SHA256

            f1f317710778eae65cde8266eda110a3e237171020e3e0fd8863b9103952836a

            SHA512

            4165e60f036c557b70f13817043a8ed9304bb424b714713a41a173b62a72d5e7568ab951077672a7f1a07b15f2aa6925bdb7f2dec17f387b4b36a41c9d0aa127

          • C:\Users\Admin\AppData\Roaming\atstamp.xsl
            Filesize

            2KB

            MD5

            ee1ea399056a74f3e90996b198b23533

            SHA1

            1bf06bc18cd19e769a23fb1c7dde3ac82d1dc05e

            SHA256

            0d5620c426c14276135373978f381b53dc5d0fd0b9c3ec0d07e597eb53f8c3ae

            SHA512

            497222110bb4698ef6034b166577c53c9c06b48c26bcbe2dfcb97299fee0aed7268e3733c171a019ddafe92cbea10795cf3ae2995bfed94e2127a9e83c09a0e4

          • C:\Users\Admin\AppData\Roaming\batik.NOTICE.txt
            Filesize

            702B

            MD5

            057093f3e2fb79cc8f84d11577d28420

            SHA1

            ce7046631d30d1a29be7abec225062c382d77bfe

            SHA256

            aca191714442d813bf736730cb6be9c2150b09be3840e6678a18e5b057b52f4c

            SHA512

            5f0c2b00e93da4ab83995a7e6935e32b2a9a280a715fbeea35aec40168115c8e91cbcb5f5812ae85d18c5a57e02f762b3943624cf482e217d7f626b573795c0f

          • C:\Users\Admin\AppData\Roaming\brz.hyp
            Filesize

            2KB

            MD5

            061323450280f3c8761368a6711965e1

            SHA1

            5528d6cee793423346a5a453f30dce6ea14fd9dd

            SHA256

            a50ccc449d9ab09b9d28042b1980d9a520901888e5ecc336ed9ec874e75287bf

            SHA512

            35598b7975017b47a53ba19deb2dad30d2302d1c8c88bde833987b46396033fe5644d8533f0edb25c78aaefa7e20885a2bdfa1812489e90f0e832da14a737877

          • C:\Users\Admin\AppData\Roaming\callout.icon.size.xml
            Filesize

            923B

            MD5

            524be3d8b21c7b33c619ceb3d968fbf4

            SHA1

            3b14fa89d2cb0541da1482d21b06d640a787e45f

            SHA256

            f6993201c3af85c8461426c311c099894d2a0f70632f4e51e96b60b544dffb41

            SHA512

            ff5628c5c5f05a25f08047ec25531f82d06c8ca32bfbc8aa992da62b94af50f3a501fcbc90337f292a471edfd00d285bb3c6f267eb809d26f1e2bcea9a9f83ab

          • C:\Users\Admin\AppData\Roaming\cleanmgr.png
            Filesize

            1KB

            MD5

            f341233b35df61978a142487b89c6f4b

            SHA1

            5bb6c709ead39c4642dd9d5666a4cab1cabd25df

            SHA256

            6e70478b7b9618d1615e1bf96667dba878142ce57749c30f467c18dd5f9688c7

            SHA512

            2a608c9b31d603686fd109b4bb75d8fe6d3d212fdcc8d02349fd2b83278db0836a7e45d886727d7df20c3eda1b8f2265809c214efd5970082b680ac95dd862ef

          • C:\Users\Admin\AppData\Roaming\cleanmgr.png
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          • C:\Users\Admin\AppData\Roaming\close_down.png
            Filesize

            2KB

            MD5

            0b4c456e11bf25d883e8f265368e5989

            SHA1

            30bc42209dca7f0e39d68485d226ada5e5f0d18c

            SHA256

            01bddb021ba9db0385876496c4b3fea84708b0e8e304d2ac9df15205e3f51dac

            SHA512

            3dd02c261d2d091988008fbfb7b22043d2ca64170d464a8ec23f60f38fa90eeab0e7d28793048d5b70069b75fb515dd94188f7c28725fc14ba1b2d766b076681

          • C:\Users\Admin\AppData\Roaming\compass_marker.png
            Filesize

            3KB

            MD5

            227fb8e068d500dc6ccbd62cc1682bc1

            SHA1

            16f3901b9b4c74fbb6f8f9cc71748196eae09f51

            SHA256

            1b0b09e8f1108de72f11263b1b7f3932ccf9b38d7c3bfb47a1e697ef58ea93e5

            SHA512

            b17dbef4878998037ed65f75bccaaeea63ed7cff13c7c088c78c8248317e5b05a641cadd2148a634fe8e2a04951a6d54970ea1d234c7a0dd97ae57ba5b2cb905

          • C:\Users\Admin\AppData\Roaming\computer_diagnostics.png
            Filesize

            3KB

            MD5

            bd8078dcc074aaebdc63ba53082e75c2

            SHA1

            a3887f75154e5de9921871a82fe3d6e33b7b5ba7

            SHA256

            9e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e

            SHA512

            9a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66

          • C:\Users\Admin\AppData\Roaming\css.xsl
            Filesize

            1KB

            MD5

            ded24462fb0c166fbe5ef1565485fc4e

            SHA1

            4b499df9d3993106e71adc8880a62d14f03149c1

            SHA256

            980629ce32592a6cf0a0d0897bfd469adba888966dbb9e11f4dbd72b642424e3

            SHA512

            010033a51437cbd2d8271941db82a2ecc3200aa0f2d4fcdde1c8491c945b05f40aa245fa492cbcec254e6cd255de0a86b6d7097511f0eab05d484d91d3faf2e2

          • C:\Users\Admin\AppData\Roaming\dsfroot.inf
            Filesize

            1KB

            MD5

            a9525c72b61ca351d7adc155866f3331

            SHA1

            1acd90bbb46c2d8ede1018bb62e8fbf4b788326f

            SHA256

            44f7115e9c4a02f1a1d712ba719094c5e68f7850bd9247dc14d381ac53ad1c19

            SHA512

            15d2512ab113662728af610d2c9c2583043bf20b53433a2e1aa11590a3c61da6a48c0ba8bd7268abb7ca4e5bea9f54cb95bc397a004490b4efe134b2355d431a

          • C:\Users\Admin\AppData\Roaming\email.mailto.enabled.xml
            Filesize

            1012B

            MD5

            00b985be2ff3a54b1a40727574f4113e

            SHA1

            ddcba70fb5bace0ccd241d7c9552c80954aed645

            SHA256

            e3cb99162c94217f05f416303cab7cf1e1b98daa0c159d9aa2e12a4d09852063

            SHA512

            4f9e7bb76a321cd524275239391daf2e9d4b3e2f5a81a65bed5f56c26dc1ebe874f23bea8d009b51ca1845d9b303af7146dedc0d61815c82593e31670a59f1b3

          • C:\Users\Admin\AppData\Roaming\en_GB.lng
            Filesize

            62B

            MD5

            8d63bbff3bb89a80861e33042680a423

            SHA1

            be8a5ea0dea66d97d2006c76a3677fd56cdcd70c

            SHA256

            419b9c5901170236a918d64bedeae838bef031e354651ee300bd8b03af6d01f9

            SHA512

            4ffaafb44b065f8b4341405b3a2e2b728b9db5a6ebb1d0249d2137902f3a0189f7427e6ad4894e43e89ddcb2e5b41a3bdfdd795c4c19826aa91f69f89c73630e

          • C:\Users\Admin\AppData\Roaming\engine_glow.jpg
            Filesize

            3KB

            MD5

            f8e64c91f63872f6cd8a5a8eaac8c0c3

            SHA1

            4b8c896f763b5a8400826ea796dcc96c0210d1fa

            SHA256

            a168bcf78cc7e0a02a6f427f2b3e32b9912d8afc5ef3d3923091f03769242c92

            SHA512

            f1d60a437ff4337393009e2bb65f0f9459eb79eeceead3e6ffbaab9f82dc782c8172d5d9f63da6d156ad9b60cf879a56a9d3779c9c28905849b62e99f6a7e235

          • C:\Users\Admin\AppData\Roaming\engphon.env
            Filesize

            2KB

            MD5

            8a4a4021258135dbef8fe0c4b8059b9d

            SHA1

            2f0fd4c492295453f8c17e6b399207811117af62

            SHA256

            a5bd83d0eb2a96375ad43983bc414a5ff3f1f88a87db17a3aec02c0cfbba3872

            SHA512

            a36138c4296a71fe1eb68e8c9904cb045d8edb17a4410804333473d48a82eb6aac6e81124da7f3c02977147437d89d85ef5a7ae7aad466a3a33a241fb087fc6b

          • C:\Users\Admin\AppData\Roaming\f28.png
            Filesize

            1KB

            MD5

            4e1e960fa44b2fa93b0878eb303d97b6

            SHA1

            9eab5b87ba04f5ff2bedde2efa92175488dc06d3

            SHA256

            ac79199b27e31674fec1236cb2815d1237931920dd82b9c250e11687fd672ee5

            SHA512
