Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-05-2024 04:53
- Static task: static1
- Behavioral task: behavioral1 (Sample: 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe, Resource: win7-20240215-en)
- Behavioral task: behavioral2 (Sample: 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe, Resource: win10v2004-20240426-en)
General
- Target: 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
- Size: 219KB
- MD5: 385af1697f3c8dc280ca4eca303cd79a
- SHA1: d2696e30475c91cd6c0e8bb295191bf2729d2f9e
- SHA256: 8628de0058b0a0a3fb0a68a6e62827e28d8b74a7a0cfed84764394692caefd92
- SHA512: 63cebf1ebd346e8a4a460ac0d1ea586f8c648fada8bee3bf41e90e4c1dd80423a3dce063470722e5ef8092acf9987fd2bf34805a769df6231a9ab0cdbb760504
- SSDEEP: 6144:8yAge9RrJpDsGwJWg3ZU0WbOwV1+Md2X2VsC:IJp1wZYBV1Ld2X2CC
Malware Config
- Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
  Family: cerber
  URLs:
    http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6
    http://cerberhhyed5frqa.we34re.top/C1AB-E64A-7D44-006D-F5F6
    http://cerberhhyed5frqa.cmr95i.top/C1AB-E64A-7D44-006D-F5F6
    http://cerberhhyed5frqa.45gf4t.win/C1AB-E64A-7D44-006D-F5F6
    http://cerberhhyed5frqa.lfotp5.top/C1AB-E64A-7D44-006D-F5F6
    http://cerberhhyed5frqa.onion/C1AB-E64A-7D44-006D-F5F6
- Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large (2065) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\sdchange.exe\"" | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\sdchange.exe\"" | sdchange.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | sdchange.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk | sdchange.exe
- Executes dropped EXE (5 IoCs)
  Processes (pid | process):
    2072 | sdchange.exe
    1344 | sdchange.exe
    2452 | sdchange.exe
    588 | sdchange.exe
    5616 | sdchange.exe
- Loads dropped DLL (10 IoCs)
  Processes (pid | process; identical rows collapsed with their count):
    1564 | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe (3 entries)
    2072 | sdchange.exe (3 entries)
    2452 | sdchange.exe (3 entries)
    5616 | sdchange.exe (1 entry)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\sdchange.exe\"" | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\sdchange.exe\"" | sdchange.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\sdchange.exe\"" | sdchange.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\sdchange.exe\"" | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    33 | ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC0BB.bmp" | sdchange.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1564 set thread context of 1840 | 1564 | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    PID 2072 set thread context of 1344 | 2072 | sdchange.exe | sdchange.exe
    PID 2452 set thread context of 588 | 2452 | sdchange.exe | sdchange.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\ | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    File opened for modification | C:\Windows\ | sdchange.exe
    File opened for modification | C:\Windows\ | sdchange.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe | nsis_installer_1
    C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe | nsis_installer_2
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Kills process with taskkill (2 IoCs)
  Processes (pid | process):
    4524 | taskkill.exe
    5720 | taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\sdchange.exe\"" | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop | sdchange.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\sdchange.exe\"" | sdchange.exe
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | sdchange.exe
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process; identical rows collapsed with their count):
    1344 | sdchange.exe (64 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  Processes (pid | process; identical rows collapsed with their count):
    4384 | msedge.exe (10 entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1840 | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    Token: SeDebugPrivilege | 4524 | taskkill.exe
    Token: SeDebugPrivilege | 1344 | sdchange.exe
    Token: SeDebugPrivilege | 588 | sdchange.exe
    Token: 33 | 1468 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 1468 | AUDIODG.EXE
    Token: SeDebugPrivilege | 5720 | taskkill.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes (pid | process; identical rows collapsed with their count):
    4384 | msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid | process; identical rows collapsed with their count):
    4384 | msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process; identical rows collapsed with their count):
    PID 1564 wrote to memory of 1840 | 1564 | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe (9 entries)
    PID 1840 wrote to memory of 2072 | 1840 | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe | sdchange.exe (3 entries)
    PID 1840 wrote to memory of 3464 | 1840 | 385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe | cmd.exe (3 entries)
    PID 3464 wrote to memory of 4524 | 3464 | cmd.exe | taskkill.exe (3 entries)
    PID 3464 wrote to memory of 2024 | 3464 | cmd.exe | PING.EXE (3 entries)
    PID 2072 wrote to memory of 1344 | 2072 | sdchange.exe | sdchange.exe (9 entries)
    PID 2452 wrote to memory of 588 | 2452 | sdchange.exe | sdchange.exe (9 entries)
    PID 1344 wrote to memory of 4384 | 1344 | sdchange.exe | msedge.exe (2 entries)
    PID 4384 wrote to memory of 3036 | 4384 | msedge.exe | msedge.exe (2 entries)
    PID 1344 wrote to memory of 3936 | 1344 | sdchange.exe | NOTEPAD.EXE (2 entries)
    PID 4384 wrote to memory of 2364 | 4384 | msedge.exe | msedge.exe (19 entries)
Processes (nested by depth in the process tree; the number in brackets is the depth)
- [1] C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
  signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
    signatures: Adds policy Run key to start application; Drops startup file; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe"
        signatures: Adds policy Run key to start application; Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          signatures: Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83e1946f8,0x7ff83e194708,0x7ff83e194718
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
        - [5] C:\Windows\system32\NOTEPAD.EXE
          cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6?auto
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x8c,0xe0,0x104,0x90,0x108,0x7ff83e1946f8,0x7ff83e194708,0x7ff83e194718
        - [5] C:\Windows\System32\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        - [5] C:\Windows\system32\cmd.exe
          cmdline: /d /c taskkill /t /f /im "sdchange.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe" > NUL
          - [6] C:\Windows\system32\taskkill.exe
            cmdline: taskkill /t /f /im "sdchange.exe"
            signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\PING.EXE
            cmdline: ping -n 1 127.0.0.1
            signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: /d /c taskkill /t /f /im "385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe" > NUL
      signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /t /f /im "385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
        signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\PING.EXE
        cmdline: ping -n 1 127.0.0.1
        signatures: Runs ping.exe
- [1] C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
  cmdline: C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
    cmdline: C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\system32\AUDIODG.EXE
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x51c 0x2ec
  signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
  cmdline: C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
  signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html (12KB)
- C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt (10KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Temp\nsw303A.tmp\System.dll (11KB)
- C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05012015040015.xml (922B)
- C:\Users\Admin\AppData\Roaming\401-5.htm (1KB)
- C:\Users\Admin\AppData\Roaming\ActionInfo.java (1KB)
- C:\Users\Admin\AppData\Roaming\Adobe-CNS1-3 (4KB)
- C:\Users\Admin\AppData\Roaming\Ageratum.w (3KB)
SHA2566e7aac54de5f4c11d067a1887718a5f447ad0e07c19d1aae375d8c4c716dbb49
SHA5127e770d02a7da88bf4217f8151f0bc23bca1578d6571a4fd98eead453e54f5a420a76644a47c13726e0caaa7961aa0400f3f936570afd072f795197165ef787b9
-
C:\Users\Admin\AppData\Roaming\BCY green 2.ADOFilesize
524B
MD5c5db28a2e96c21437f165c6383197907
SHA1291fd6e83f7bb84ca7867cfeb0fd09ce1b8d4d03
SHA256533cd7262b177c70e80265298c1956d86bf49bc7936d8817b218abbe8f28fafd
SHA512714fb27977897bf8026bdae465a207d35aec54237d4accfaec65cd2362aecae410e3e4bdb09b568b029a96e6534e63e3569b83b40b52e4a3dd1e5ca2cf79e83b
-
C:\Users\Admin\AppData\Roaming\BlackRectangle.bmpFilesize
4KB
MD5a59552f1c776a3745ca8391aff8bcca6
SHA1be8e062d1fec7eed2ab33177019069798fde07ff
SHA2564adb9b44ae64eee08d87750ba2cd2ddb1e88da5ff7e90c63d813755d73a92005
SHA5121ee933756e08f71219753f5921ccbc8c307541ce4bfc15a654cbea075d7c28071b627779cec9d2146d8263e37dc8005bd333275058dc0de9a62c74391bd24595
-
C:\Users\Admin\AppData\Roaming\Blowfish.dllFilesize
11KB
MD5162f091bc878c23dc07bd5d252b85102
SHA136785ee3ac4bf5e2e5494c665668b96deebdb5e2
SHA25690ddec5a0d2bad402ef79988914970e7904f6448d8bf87b85f979d27bf0a0606
SHA512ff413fa363f2e9e23a4b76053bff8fdd81832e6110cb838b369a3a1285fa536f14a8a91a9489a18dd51ff6e48f388803beaa0aeb70c92d2979170e94e2216592
-
C:\Users\Admin\AppData\Roaming\BoiseFilesize
1KB
MD546866a49bb80f05024b94dfaf49d6af8
SHA1b8b759cddda32c7eee8d8d76b9a3e6cfcaaf9b05
SHA2561cc8d2f24ecfc2b71857ff973f8a17ec2eeed7495dd3db02f6d5f1b7c4deb528
SHA512d42ad553e700f6b88411909ca241a8db3b2f5e1f38056fd2b5a873b192bbd6e437bb81c8500d2e44fdf564f11568247f186154564abf3a549bed1a7a112f9f2a
-
C:\Users\Admin\AppData\Roaming\CNS2-VFilesize
2KB
MD568ba9ca1e541c73104daf446938e5583
SHA19d863f17dfbe0e7ac172fddbcc5fde8e636d49ef
SHA256d6a643978fd39cf31494da165c80d655de92565c834af7457cd2828fe7548a09
SHA512023cad6108ad3d505f8d9ca340f004bee44f74817a43cc94a6c316fdbc1346b3af9a16c887af55cb6942370e84df4ebdeadd8fa8b4e335a2365f41cd4c1ed525
-
C:\Users\Admin\AppData\Roaming\CNS2-VMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\EfateFilesize
233B
MD5a1e91923c47567f6a6e8b4759efbdce8
SHA196472c46cc0d85901b0612b27e6ed1b927310534
SHA2563947884f27876aba39f268da374a8aadffe79eb7068e85c1d244487294e132ec
SHA51226cf0f0e925b4da8f49fea549c95d171e2c771057c52948679efd17ec821bc1e7774cf78ca08dcc60adf2cb449da67526f6077f0b0f582ab5126f5a743729e13
-
C:\Users\Admin\AppData\Roaming\GambierFilesize
65B
MD518eac4b6b7149274ea66f02c467fe5fe
SHA1f2b9fff005feb2f8d573833552c62465316fce03
SHA256096be05f33b3bade8093bb35977c4c19d3fed290da514747ed03cef359170315
SHA512f02a26cb37eca5da6a28ef02d7003fa73509c92233ed5510c350a33a025c21b00eb9b1ea5ad847f24bbee7c64e580de3b8a71c1884090e65e91e6b9e1d134c20
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnkFilesize
1KB
MD5a881ab144c3d1ae77eb5eb9db15f3604
SHA1cccccf7dc4a5e061eea371b695521fb28812df51
SHA256f0d65ed6502c78da52cafb9e947a4792e1fc5c0b62d8f5b061c69aa5e16abc12
SHA512fb9391627fbd8ba6b45e317909fa9c8267a37e2c9533e7dbb4de031de68704f51214e441bdc0dbe4adcce240fb26766716895e3585f1112bf5e2d1646267d17e
-
C:\Users\Admin\AppData\Roaming\Votary.wFilesize
128KB
MD5de0c11b1f825fe79eea50696673311fa
SHA18511cb0309233e99f8b4e3bd8dbb286a79a9009c
SHA2565b21f2c9a59f86d537de5cb69607b2833a127397f63874a8bacd4e60b8f8ba4a
SHA51279945e797c7a932a8ca642cb9271b10858fecace01937b2fe6a600736281d487e713b752c710130e82f0c1a64d09d74f8040b09e6f47dcc13ead2e753e6f8119
-
C:\Users\Admin\AppData\Roaming\annotations.xslFilesize
698B
MD55e12d213c51e81583c3396448e65a451
SHA173610d7d9e52526d65ba6626922a40a3c8225732
SHA256f1f317710778eae65cde8266eda110a3e237171020e3e0fd8863b9103952836a
SHA5124165e60f036c557b70f13817043a8ed9304bb424b714713a41a173b62a72d5e7568ab951077672a7f1a07b15f2aa6925bdb7f2dec17f387b4b36a41c9d0aa127
-
C:\Users\Admin\AppData\Roaming\atstamp.xslFilesize
2KB
MD5ee1ea399056a74f3e90996b198b23533
SHA11bf06bc18cd19e769a23fb1c7dde3ac82d1dc05e
SHA2560d5620c426c14276135373978f381b53dc5d0fd0b9c3ec0d07e597eb53f8c3ae
SHA512497222110bb4698ef6034b166577c53c9c06b48c26bcbe2dfcb97299fee0aed7268e3733c171a019ddafe92cbea10795cf3ae2995bfed94e2127a9e83c09a0e4
-
C:\Users\Admin\AppData\Roaming\batik.NOTICE.txtFilesize
702B
MD5057093f3e2fb79cc8f84d11577d28420
SHA1ce7046631d30d1a29be7abec225062c382d77bfe
SHA256aca191714442d813bf736730cb6be9c2150b09be3840e6678a18e5b057b52f4c
SHA5125f0c2b00e93da4ab83995a7e6935e32b2a9a280a715fbeea35aec40168115c8e91cbcb5f5812ae85d18c5a57e02f762b3943624cf482e217d7f626b573795c0f
-
C:\Users\Admin\AppData\Roaming\callout.icon.size.xmlFilesize
923B
MD5524be3d8b21c7b33c619ceb3d968fbf4
SHA13b14fa89d2cb0541da1482d21b06d640a787e45f
SHA256f6993201c3af85c8461426c311c099894d2a0f70632f4e51e96b60b544dffb41
SHA512ff5628c5c5f05a25f08047ec25531f82d06c8ca32bfbc8aa992da62b94af50f3a501fcbc90337f292a471edfd00d285bb3c6f267eb809d26f1e2bcea9a9f83ab
-
C:\Users\Admin\AppData\Roaming\chapter.autolabel.xmlFilesize
2KB
MD57623f2b569ab91833cd345eead830e73
SHA1e95ea6aa4880ed4d5616d1766d514541c815b0e5
SHA2564e5e5197a7baa85df15b2ab86932f8c90c24e4a1896f84e44c263f1af46bde43
SHA512d31796f75db3c503c78298d16eef50700a57899f473a2ee3723899c6c0bd6c448c2b90270742f3b32446c0a105cb10beb2dafe81f4dd3b4dca7738a1dc674c98
-
C:\Users\Admin\AppData\Roaming\cleanmgr.pngFilesize
1KB
MD5f341233b35df61978a142487b89c6f4b
SHA15bb6c709ead39c4642dd9d5666a4cab1cabd25df
SHA2566e70478b7b9618d1615e1bf96667dba878142ce57749c30f467c18dd5f9688c7
SHA5122a608c9b31d603686fd109b4bb75d8fe6d3d212fdcc8d02349fd2b83278db0836a7e45d886727d7df20c3eda1b8f2265809c214efd5970082b680ac95dd862ef
-
C:\Users\Admin\AppData\Roaming\close_down.pngFilesize
2KB
MD50b4c456e11bf25d883e8f265368e5989
SHA130bc42209dca7f0e39d68485d226ada5e5f0d18c
SHA25601bddb021ba9db0385876496c4b3fea84708b0e8e304d2ac9df15205e3f51dac
SHA5123dd02c261d2d091988008fbfb7b22043d2ca64170d464a8ec23f60f38fa90eeab0e7d28793048d5b70069b75fb515dd94188f7c28725fc14ba1b2d766b076681
-
C:\Users\Admin\AppData\Roaming\compass_marker.pngFilesize
3KB
MD5227fb8e068d500dc6ccbd62cc1682bc1
SHA116f3901b9b4c74fbb6f8f9cc71748196eae09f51
SHA2561b0b09e8f1108de72f11263b1b7f3932ccf9b38d7c3bfb47a1e697ef58ea93e5
SHA512b17dbef4878998037ed65f75bccaaeea63ed7cff13c7c088c78c8248317e5b05a641cadd2148a634fe8e2a04951a6d54970ea1d234c7a0dd97ae57ba5b2cb905
-
C:\Users\Admin\AppData\Roaming\computer_diagnostics.pngFilesize
3KB
MD5bd8078dcc074aaebdc63ba53082e75c2
SHA1a3887f75154e5de9921871a82fe3d6e33b7b5ba7
SHA2569e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e
SHA5129a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66
-
C:\Users\Admin\AppData\Roaming\css.xslFilesize
1KB
MD5ded24462fb0c166fbe5ef1565485fc4e
SHA14b499df9d3993106e71adc8880a62d14f03149c1
SHA256980629ce32592a6cf0a0d0897bfd469adba888966dbb9e11f4dbd72b642424e3
SHA512010033a51437cbd2d8271941db82a2ecc3200aa0f2d4fcdde1c8491c945b05f40aa245fa492cbcec254e6cd255de0a86b6d7097511f0eab05d484d91d3faf2e2
-
C:\Users\Admin\AppData\Roaming\dsfroot.infFilesize
1KB
MD5a9525c72b61ca351d7adc155866f3331
SHA11acd90bbb46c2d8ede1018bb62e8fbf4b788326f
SHA25644f7115e9c4a02f1a1d712ba719094c5e68f7850bd9247dc14d381ac53ad1c19
SHA51215d2512ab113662728af610d2c9c2583043bf20b53433a2e1aa11590a3c61da6a48c0ba8bd7268abb7ca4e5bea9f54cb95bc397a004490b4efe134b2355d431a
-
C:\Users\Admin\AppData\Roaming\email.mailto.enabled.xmlFilesize
1012B
MD500b985be2ff3a54b1a40727574f4113e
SHA1ddcba70fb5bace0ccd241d7c9552c80954aed645
SHA256e3cb99162c94217f05f416303cab7cf1e1b98daa0c159d9aa2e12a4d09852063
SHA5124f9e7bb76a321cd524275239391daf2e9d4b3e2f5a81a65bed5f56c26dc1ebe874f23bea8d009b51ca1845d9b303af7146dedc0d61815c82593e31670a59f1b3
-
C:\Users\Admin\AppData\Roaming\en_GB.lngFilesize
62B
MD58d63bbff3bb89a80861e33042680a423
SHA1be8a5ea0dea66d97d2006c76a3677fd56cdcd70c
SHA256419b9c5901170236a918d64bedeae838bef031e354651ee300bd8b03af6d01f9
SHA5124ffaafb44b065f8b4341405b3a2e2b728b9db5a6ebb1d0249d2137902f3a0189f7427e6ad4894e43e89ddcb2e5b41a3bdfdd795c4c19826aa91f69f89c73630e
-
C:\Users\Admin\AppData\Roaming\engine_glow.jpgFilesize
3KB
MD5f8e64c91f63872f6cd8a5a8eaac8c0c3
SHA14b8c896f763b5a8400826ea796dcc96c0210d1fa
SHA256a168bcf78cc7e0a02a6f427f2b3e32b9912d8afc5ef3d3923091f03769242c92
SHA512f1d60a437ff4337393009e2bb65f0f9459eb79eeceead3e6ffbaab9f82dc782c8172d5d9f63da6d156ad9b60cf879a56a9d3779c9c28905849b62e99f6a7e235
-
C:\Users\Admin\AppData\Roaming\engphon.envFilesize
2KB
MD58a4a4021258135dbef8fe0c4b8059b9d
SHA12f0fd4c492295453f8c17e6b399207811117af62
SHA256a5bd83d0eb2a96375ad43983bc414a5ff3f1f88a87db17a3aec02c0cfbba3872
SHA512a36138c4296a71fe1eb68e8c9904cb045d8edb17a4410804333473d48a82eb6aac6e81124da7f3c02977147437d89d85ef5a7ae7aad466a3a33a241fb087fc6b
-
C:\Users\Admin\AppData\Roaming\f31.pngFilesize
1KB
MD58b4d93dfd0d70b162857206e8c7330b6
SHA1a67a4d4583a08a0fd3789a7c27051ba55ccef069
SHA2560ec0b04ccda9fc04086a5f6240ffb6f6ee6bd025c7e8233523fc68cc090e9806
SHA512c68fef174d73f42ccbd2766ad0712770e32d51fb8085dbff01099f0521f29a746b45c456b0047109e30071edd94d54b6f50e0a79204e11180dad819fc563b6b3
-
C:\Users\Admin\AppData\Roaming\fontconfig.bfcFilesize
3KB
MD5eae4324b48ece18f48a817cb53a1fc72
SHA19c05c88b8f8361a06e0b6218d79605e0be55d886
SHA2562ebd07443b5e98f38629e58c1d41a19be6f7a0cd920fcf4c093717170de6824c
SHA5126c5ca78ba558774ebc98908488a4256b7e5cf09078218537291204e3d79f7a7408eab07c7a641467d12336d6b8ec7e20e029a383d530001b6dee4d49aaa66fb7
-
C:\Users\Admin\AppData\Roaming\globe.pngFilesize
2KB
MD5eed8f97cfcee662001cc34f0ca382db1
SHA1631106c6b1d5b6e70e670b2f4eee3757c072f13a
SHA2568d330af6424df369cf4e383ff5dd374742cabce0fdc8473bb9e12ccb5ad7649f
SHA512b5215164ef4a5169c6e1888031f98a0048ec9b00ffb85dfdfb572190e70afb4e080c94c7a514ed8beab2e2551ace99ab9f4b3deb556d011af2982fbb4d630fc6
-
C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exeFilesize
219KB
MD5385af1697f3c8dc280ca4eca303cd79a
SHA1d2696e30475c91cd6c0e8bb295191bf2729d2f9e
SHA2568628de0058b0a0a3fb0a68a6e62827e28d8b74a7a0cfed84764394692caefd92
SHA51263cebf1ebd346e8a4a460ac0d1ea586f8c648fada8bee3bf41e90e4c1dd80423a3dce063470722e5ef8092acf9987fd2bf34805a769df6231a9ab0cdbb760504
-
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.urlFilesize
90B
MD591b44b3dcb2d8b7e5083e6f0678f1f9c
SHA11f703bd7a67c06412cd45161727c54d15be2a0d9
SHA2566b31e73d37b46f9519f5779591c2100da121358f60928a5c893ab61a54ad27df
SHA51204b601dac12ee07c2c591b172e1e43ca14c7ccadda9929ebb9ff4492ef8b8fb010f54d84d1962f50ca10c116e9c47dc649deef9b401322afa7d568318d03ed39
-
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.vbsFilesize
231B
MD59d8c4bfbd009c4d6001e2125abaa8b02
SHA1cd040558172b5fca5b200447a281843956243741
SHA256a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0
SHA512c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f
-
memory/588-236-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/588-237-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-169-0x0000000003780000-0x0000000003781000-memory.dmpFilesize
4KB
-
memory/1344-520-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-241-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-243-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-245-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-244-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-173-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-172-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-171-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-166-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-488-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-485-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-482-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-491-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-479-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-496-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-512-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-234-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-522-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-516-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-510-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-506-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-503-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-499-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-524-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-167-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-587-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-586-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1344-578-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1840-56-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1840-57-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1840-64-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1840-54-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1840-52-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB