Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-05-2024 05:18

General

  • Target

    3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    3874199af9bef338ffc8dcd9a9d2dbf0

  • SHA1

    14f4aa746d391393bd2fdd112a430266bf20a8f2

  • SHA256

    a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964

  • SHA512

    38c177e59a2d36ed2e25e61930275e474c4cc628485581393dee8202bccdd3576149416fa10b74c9b7ac192c689f08db9ee3553a8e90f06c7ac691c5c2a34fec

  • SSDEEP

    3072:eyAaQqe90u5DdXJP45JQRCK5Z4AhJvKI+EXWML6KyugTxfvDcO3g+xJ+88aQ4VVn:eyAge9RNOQg+ZP12EX5L6154+N8apiPi

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C | | 2. http://cerberhhyed5frqa.gkfit9.win/46F5-B740-18A4-0063-718C | | 3. http://cerberhhyed5frqa.305iot.win/46F5-B740-18A4-0063-718C | | 4. 
http://cerberhhyed5frqa.dkrti5.win/46F5-B740-18A4-0063-718C | | 5. http://cerberhhyed5frqa.cneo59.win/46F5-B740-18A4-0063-718C |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/46F5-B740-18A4-0063-718C | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C

http://cerberhhyed5frqa.gkfit9.win/46F5-B740-18A4-0063-718C

http://cerberhhyed5frqa.305iot.win/46F5-B740-18A4-0063-718C

http://cerberhhyed5frqa.dkrti5.win/46F5-B740-18A4-0063-718C

http://cerberhhyed5frqa.cneo59.win/46F5-B740-18A4-0063-718C

http://cerberhhyed5frqa.onion/46F5-B740-18A4-0063-718C

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C" target="_blank">http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/46F5-B740-18A4-0063-718C" target="_blank">http://cerberhhyed5frqa.gkfit9.win/46F5-B740-18A4-0063-718C</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/46F5-B740-18A4-0063-718C" target="_blank">http://cerberhhyed5frqa.305iot.win/46F5-B740-18A4-0063-718C</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/46F5-B740-18A4-0063-718C" target="_blank">http://cerberhhyed5frqa.dkrti5.win/46F5-B740-18A4-0063-718C</a></li> <li><a href="http://cerberhhyed5frqa.cneo59.win/46F5-B740-18A4-0063-718C" target="_blank">http://cerberhhyed5frqa.cneo59.win/46F5-B740-18A4-0063-718C</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C" target="_blank">http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C" target="_blank">http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C" target="_blank">http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/46F5-B740-18A4-0063-718C</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16389) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe
        "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe
          "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:852
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2404
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2096
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:496
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3040
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1264
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2248
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:537601 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1628
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:1580
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:1136
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "msdt.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe" > NUL
            5⤵
            PID:2136
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "msdt.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2424
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe" > NUL
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2636
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1260
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2836
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2192
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1968
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • Windows Management Instrumentation (1) T1047
  • Persistence
    • Boot or Logon Autostart Execution (2) T1547
      • Registry Run Keys / Startup Folder (2) T1547.001
  • Privilege Escalation
    • Boot or Logon Autostart Execution (2) T1547
      • Registry Run Keys / Startup Folder (2) T1547.001
  • Defense Evasion
    • Indicator Removal (2) T1070
      • File Deletion (2) T1070.004
    • Modify Registry (4) T1112
  • Credential Access
    • Unsecured Credentials (1) T1552
      • Credentials In Files (1) T1552.001
  • Discovery
    • Network Service Discovery (2) T1046
    • System Information Discovery (2) T1082
    • Remote System Discovery (1) T1018
  • Collection
    • Data from Local System (1) T1005
  • Impact
    • Inhibit System Recovery (3) T1490
    • Defacement (1) T1491

Downloads

          • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
            Filesize

            12KB

            MD5

            910aba8f2f455442349c2536fc7590bb

            SHA1

            84672cb812499acce4610d94fbe1068d5cf97634

            SHA256

            eec908fd22f838ffc934fadc59f61614444f1dde4b9cae0a0effad888d14a081

            SHA512

            3e43c2555dd1222bb6dcfb9e229394c2e9c866bd66401281f147130512c13a00e36b3165dd71c0831e8d31bdf5a43b3f11311b705f26292b0637be9f83efb190

          • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
            Filesize

            10KB

            MD5

            7e70d22dae63c4d2e3d12afd54d077e1

            SHA1

            31ae66531d79e77123da99fbe7a9abee5f1381e6

            SHA256

            ece7fb891ea6c7bf5d6bcd1e443c8055d145fd4f749bbe82b6f917b7f67ba1fa

            SHA512

            436cc05964e7a45dc35c11153284a768f4a542064d6499bcdfb34b1e12ea3a47c34be12e21510165f9dd359eea87ececafe6e4a69e1e83188f2f07a19c2a1673

          • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
            Filesize

            85B

            MD5

            b5ccb05cea8257f8138feb75cad3c1ad

            SHA1

            19f96b581c0164b37149ac2857ff2635ff481275

            SHA256

            1537b9a7138cbca4ede18bb86e1e0207c1d472ae003fac68fada89c5e3927c07

            SHA512

            6a7be0beeb86d9aab45637c10e72155c2bfa1f7f0ad770eaca3b8b77d4cdbb7c5874400d115b36273a8f0f9cd18b750e79e4545df8ac1c03c58adcff701907f9

          • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
            Filesize

            225B

            MD5

            f6d629f2a4c0815f005230185bd892fe

            SHA1

            1572070cf8773883a6fd5f5d1eb51ec724bbf708

            SHA256

            ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

            SHA512

            b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            68KB

            MD5

            29f65ba8e88c063813cc50a4ea544e93

            SHA1

            05a7040d5c127e68c25d81cc51271ffb8bef3568

            SHA256

            1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

            SHA512

            e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            8dc78de12b3ab6b68f629e4dbc729155

            SHA1

            b00236cbec30bb7ca98789c98b83902094620a12

            SHA256

            72a27464dd1ea59a42aec77ed37087e6e1949a2a8f688d437ccf54afcc0332f5

            SHA512

            be4c3031e1bb3c727dcf419c507ad0d91497c763b4751ce72bfb1fb890e17acd390b5830ed8073548e5d42af4d66a0dd382fc6108bb2c09db73275da20fc1773

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            fc592daacc2febea6360ca91f8c066b8

            SHA1

            bf801ce34f2fde9c0b12122829a9154bb31a633c

            SHA256

            91a1e1a9a1b0fc4e09906eeba2f20fb3da0201ff23fcdf6fe07821a488b323ec

            SHA512

            a88e093586b667e78ce515dedf6520bd47c41c62b8cf1c56f7c178d4bbd5ec978069772e2ac67f46eb130fa6a8dc7b62e06d5197e621350b40267172271d321e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            8e30a1dccb34132058d6896610386f62

            SHA1

            259b1d6d389cb703bb744acdf0bc63f271c18257

            SHA256

            945f030ae42da16bf871346d5129b6c0354f2991651802d2c5f29efcd712ba4f

            SHA512

            ee67d073cfd2b14c6912f01ddf31b99205c2bf42f5581cbb25a5d2c232a457bf7e265cc3f1863c2a364258bfc205a399d6c2a669158dab91384834ec1d2b4d3e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            0e1a3c93150d121359c14fec2c19ec27

            SHA1

            7ba24a44f770eb0d193ca0e8c3ef26784dc544d6

            SHA256

            799d6d7bc974252b6f9fc075a37407196f0c6b1e03b63c439b0cc0f7779fc52e

            SHA512

            b91db795b4d5f12b29ab8fde5f421ad172920ecce0df532f25beed84359eba644bc462dfdaa1c72d074da0e37894eef161fb3a7429798fa5af97780de0893600

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            526a58670b82831a4c930dc0b5f30f51

            SHA1

            c9586fe6b70e521808c2d3cf167ef2549e9a7d8d

            SHA256

            652b4e2f12dde72115ee3ad6d1626c56c55d4ecc5510593928ebc7b02f6aa109

            SHA512

            7b50713705e461622364e2f3e9dbcd3e59c2acf16b6478d798db510eda01a3b8a67eee8bee45a44ac9249d4faeeaecc447b255e5e2294f8b15fe9beb867b9d76

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4090F8C1-101F-11EF-BE0C-E2E647A5CFB6}.dat
            Filesize

            6KB

            MD5

            465de9ad51fb9824c453232ce9d70bdf

            SHA1

            82225e4f6b0a91221d1f241d5bd3a1bf1cfb13cc

            SHA256

            a3a9a73dc199785dc7733e175b7cea50f9671be0fe2d13208e8fce5210889990

            SHA512

            e7863f82d483944dda0729b127d0460c755936e683c450b9f9294bd1deff089feeb0c21c31512a08f8e98d85dfe7e5a2f4b8069b58a0c5951f61ba11c3d0d29d

          • C:\Users\Admin\AppData\Local\Temp\CabABEA.tmp
            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\TarACDD.tmp
            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          • C:\Users\Admin\AppData\Roaming\14.svg
            Filesize

            1KB

            MD5

            d7d1c6533532e504e092fbfa3629a0c6

            SHA1

            cd4e2a1baa46a9fea795687c671e2b7ef68f5cfe

            SHA256

            2ee5d7f1a317992aecbefb6ae3285a599feb6d0898c378c4fa6096554d9ea18c

            SHA512

            cfa4ef2c6fa42ea7be1c382cdf8a68f3ba6cd073e0431b58a98cc3bc3b17b65fae9e17b89835e4853f0b933849b629dd2dc5e6739b664dcdd6554a4e6a58a95f

          • C:\Users\Admin\AppData\Roaming\5.svg
            Filesize

            967B

            MD5

            d4aa38a90c2dd724b569ae28f314ce9c

            SHA1

            9041c2905b6a95f10ff1ce22eec51d76ed008703

            SHA256

            84ebb2d82c7a1ceabdd698fe823cf23c1eaff7c73458b410fb1ce76c8fbb9b48

            SHA512

            45d67e17bd0ac8e9184554d8fb378a952fae4b3654c1baad269cd750ce52a744f55bccf48506042f82955132f6a25c5429a3b33bfff7ce0d4383f7d230b579e9

          • C:\Users\Admin\AppData\Roaming\5.svg
            Filesize

            1KB

            MD5

            757fecfa3662470da55a0ecea6d340ce

            SHA1

            488e3389f09d98aa7ace2108db38f04c076bf3f9

            SHA256

            ca04a696c323a4b3981059fe22dc5f9a8f137e9b0d4fb879755d8d673422b1a3

            SHA512

            30fd845e9c5a00ce1790c534f63b1ee026380e7a12b3af1b3052bb84101043c0f7ea4d6dcce6f355afeccf277bb0705b9837a9eff41f9b6a5cbde61b8a7d86ab

          • C:\Users\Admin\AppData\Roaming\Adobe-Korea1-2
            Filesize

            4KB

            MD5

            ae6e76ce3e42a164f3dc16386372eba2

            SHA1

            7f9033a222218108bbeb011f956c672ea50402ef

            SHA256

            c3cc324e8610138120375f8023eca6ba4f6fee22639bc8594cec3412e7796b1d

            SHA512

            1cbf330e1219623060b367d595f0598e47868cd341c110581be4092c1c3b1206075143c5818a361a52ae08bffbdecb23430e9f5e083016c8b4ac69eb5119d662

          • C:\Users\Admin\AppData\Roaming\Baghdad
            Filesize

            489B

            MD5

            c9ef37edfba00afb0e15b457af8c30b5

            SHA1

            e8b4bcaacc6292e57030264fff25bc0739f9989e

            SHA256

            4ab1803957c4629ed07601a3b0ec2780c0336182b56356479d3ec939c1665d67

            SHA512

            bcb6ab1c7784dcabc0429e3d0a9b6c5416e0fdbd9b99a891120724f1b7eaa81d9058717c0e6003574518b49daab12b9293198f1d8554aa2fe764bf27c1581a37

          • C:\Users\Admin\AppData\Roaming\Belem
            Filesize

            0B
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          • C:\Users\Admin\AppData\Roaming\CHANGELOG.md
            Filesize

            4KB

            MD5

            316d0933205629da92943baa76fcbb01

            SHA1

            b4b9f86a7e3198d4264d78326dcd358f768a0dd4

            SHA256

            8bd629f9a93f04fd38e02515dbcc0e654fd414581a4ea700e8568d7f730cfe83

            SHA512

            3cbbc23549d5eee79a96f26996d3716bde8dee6d7e1bc3ebbc116a1cf24b077ba80c62c08d6863285461d2577b42fc3d4f99767108667d8574458b8624d7b962

          • C:\Users\Admin\AppData\Roaming\CHANGELOG.md
            Filesize

            4KB

            MD5

            e6f2520cedb0df21cc115a52eb3f7758

            SHA1

            27d37567e0739177af8915ebfd1d3f17fe53d52d

            SHA256

            daf6ffb3678d5e74a87aa550af9bd34c6e049562a771b38fcc39d5f8ec1df45a

            SHA512

            ea91d35f654f1275dfd437ffd44ebe8b2ec5690f32ee78c2507ebb807570306f20b18b22085a4592c215458885fb9dfbff5919f93ca19fe8e0be94cd425d8060

          • C:\Users\Admin\AppData\Roaming\Cube Wrap.dae
            Filesize

            4KB

            MD5

            2fbce568bf33721ee9a3b169e45e1c6e

            SHA1

            f6843c7f30a7080102f54022378f5db5f9b54604

            SHA256

            6ee6c6b5dd0a5fd77cbf192d34e34c906a5c8d03e8bbbdad844be0b3be0eb244

            SHA512

            d74e7de308caf935100a7e68325dad64be10125ac1f458646967e44b8ebd3308c50d54d05c9bedf4909301cbbb43794ba05a14c3c1343a090691b4c370609fc7

          • C:\Users\Admin\AppData\Roaming\GMT+10
            Filesize

            27B

            MD5

            715dc3fcec7a4b845347b628caf46c84

            SHA1

            1b194cdd0a0dc5560680c33f19fc2e7c09523cd1

            SHA256

            3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08

            SHA512

            72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

          • C:\Users\Admin\AppData\Roaming\LowlandJade.9
            Filesize

            1KB

            MD5

            ff4bf91598146d03cd1509a5a8e573eb

            SHA1

            1fb7cc8826cb01ab125a8ded4e81362c9f00c39b

            SHA256

            14f3c22b4eb2a917f7d88595625ce17dca8028d7e1ab59e887ff8de649f9187b

            SHA512

            42e8f92f3db305ce3dd8541fdd98390af80290edd333652bd4624f7d0bbb69a7848d17749cfa07acdc8e86be546531a133d7b497b1b0d1304eb15f0f1d6cb649

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\msdt.lnk
            Filesize

            1KB

            MD5

            6d86251f2db18110b700ac8c21f6f519

            SHA1

            b2fe5b97f042b14b5e6c54d1699acc5943b4982e

            SHA256

            c79e14abfa67c8dc574f5f452259c3b5aad149dc87ecd423d3278a2aee2072db

            SHA512

            25cc1f8fca9f819b3e0e540377b9caa0d569a49d992f07b375a2ad48f356ecbf39a2282ba928286e0a7fa245e0d5c6c377e1da4311d8ac8caa23a2dd0858be7d

          • C:\Users\Admin\AppData\Roaming\additional_tools_pc_checkup_icon.png
            Filesize

            3KB

            MD5

            a7e29dfb14752aa51496d4481c16fd66

            SHA1

            8adc704c9e114fd41e799ec88dd14e0eac70dba6

            SHA256

            2547989292007a538218e507c3a62665bdd10bb5020145fd3be4130a29f2afae

            SHA512

            c7fd358b405063c897e09ef35645839a1908a7ff2347af20707d24a8197c1b8a13cbc4930babe50eac24cd9d7f6b789c595cf8b314c29b9f7c64bc044db55762

          • C:\Users\Admin\AppData\Roaming\additional_tools_pc_checkup_icon.png
            Filesize

            3KB

            MD5

            2f5da6ef0e4770691fd130dfb87448db

            SHA1

            01590c3ab8cccf149d4733c67224bbff86877150

            SHA256

            e280acf94ea4effc559485f8a1b6a879e04cf1f5d7c2b7388a132dddf22a8afd

            SHA512

            9aa0e3783dd2439db06abed8a1604a8fe24cd52a9d62d9feeba0cd9e1f4a25f1c7e7c23a417b650fa0b90e4ee55f1ab108d17a3d6d4a4fc35e0eb460a4285c2b

          • C:\Users\Admin\AppData\Roaming\admon.graphics.path.xml
            Filesize

            1KB

            MD5

            71f6c3f678dcff31f094c2064f4248f3

            SHA1

            5f12a05ccbc96ec8981ae4485b0add68c052575d

            SHA256

            fbbc759260f66fe9e4a60f3afde3fea06250a0fe56ff02b050fd1b4cba8c1b76

            SHA512

            99dc7d864898cb4ec9a5fa7fcf1ecb7dff571e826b366a3454e87eb63da165e19fcac0455f407a49d6feeee634ed05ebd3b3fed7fece4a87f12983b67f4d69e8

          • C:\Users\Admin\AppData\Roaming\admon.graphics.path.xml
            Filesize

            1KB

            MD5

            acc6fac45115b2d4030ae09702754446

            SHA1

            9329ac3e4884d2b8639cded9c7770f625e860f52

            SHA256

            dc2f6cf27e787c9af6ce69a16ecda15a43b91e3cf937e50472ca911fa9841e2a

            SHA512

            1b261357a756bb561b8c5b7c8f6ec0910f9764b222c115522590ecb64f33f9ebe6f74a31b5cb81bb3fbcdf4248552a36d55c0c79e0cbe0eab3f0b7c1584d0165

          • C:\Users\Admin\AppData\Roaming\arrow.gif
            Filesize

            144B

            MD5

            0b31842824faacd1751abbb01ddf5fa9

            SHA1

            5674b77233b89be37cdcc2f869072f453c485534

            SHA256

            6cd839340040110df50a75eb6078718895a178b09769daf36e70978ec6ce4c73

            SHA512

            cc65c25adbc41813461b15716558ebef11faadbefa82b2afd16b610e54f3b978f8e4736cb7be495aaa8eec7aea295b983dec888fb1138101480d1cd816ca0d36

          • C:\Users\Admin\AppData\Roaming\aspnet.config
            Filesize

            1KB

            MD5

            8aa2398eb508075d6092e6c5b0ca9fdd

            SHA1

            9d9ba333a3376e9daa04fa99069d2e8219e71da6

            SHA256

            854b2b0fe534ec3551a5c221583c26281c4cbdf539be9253a9a452689b6968e4

            SHA512

            cc1ce888246c61fbf6b803d05b98be1255b6379dd7d577629fbb717a16f0ae7eac7595ea042bcb170091c97770a47b33a8b1107fade80423a820b06e4f765f98

          • C:\Users\Admin\AppData\Roaming\bridgehead.in.toc.xml
            Filesize

            1KB

            MD5

            3cbff1f2a4ff61dbd5e429062244c80b

            SHA1

            a3894b7495784f2784abd5bb308bc5c2c65e9b68

            SHA256

            4258d4c1f80a138d2ce4a27da538d0bd57b40e3986787368fb6222d0aba026e3

            SHA512

            a35582afb3c0be80456b9fdeac031e554a162f9a2399001654565a665d59ecd80f8b196074c4fbf8d24292302b66865a410c90ed8ebf8705a9c1dbaf17e4d4f5

          • C:\Users\Admin\AppData\Roaming\bridgehead.in.toc.xml
            Filesize

            1004B

            MD5

            c1cf25885988504b0f6f90f1cb545382

            SHA1

            5e1f1c88ab034e14dd6f3aeb9da857f5815b4c6e

            SHA256

            7808de9b4c36f737a88e309454101d3655597393323cafcf87d42e4411baa7b0

            SHA512

            7adf12507347a9dbc84c93bc38a14c3dd42ba1e2c2f0f937b0915066d437288103b831b33f5dd99ea252a9f2a0a1e6eaf6289cccb04090b8a20ae00cd652660a

          • C:\Users\Admin\AppData\Roaming\buildMenu.jsx
            Filesize

            1KB

            MD5

            ec19d87bf31be0f9022d069803f67073

            SHA1

            fd8fbc60713955a4a895904da7970f13f815acd7

            SHA256

            e7b4fea1f0f74e66664301e1a34e4a6017fcb04aa6d249a38b901f8dd8fb3732

            SHA512

            df5bc4aefaa26ef5d47d2902c494242d1167cdbbb34e661894af0ca0b76192e00c27bdeb7d2d5dab01b3452e109c11824ae8715a0c5113dbef124829e9574b3d

          • C:\Users\Admin\AppData\Roaming\directories.png
            Filesize

            1KB

            MD5

            82142ba9138b7b0849d2079a70a8f3a2

            SHA1

            cf8f17e2bc3e2832d9ba45ca606f2b5d88569bd4

            SHA256

            afb3077d6e75785a6a14f1196e36c39e23fd610b8cd88bebab3ec6b5bc0bcea9

            SHA512

            d308fec0b23aaf8d408a52cb25998f82510b5f17142b3154d8105b342084890fc14beac40d6f509f0a3172615ccce25b55650e7410e718917b6210dd50342360

          • C:\Users\Admin\AppData\Roaming\directories.png
            Filesize

            1KB

            MD5

            b8431ad28846eedb63a0839d378a0367

            SHA1

            908301e17f7f34e0b452e7cdbced92c1278307a4

            SHA256

            b981d068c80d4b1a60d9c010516aeffb43b8a2afaaa0731bab7665ffcd5cd208

            SHA512

            d4803aee4c3dc8b041565cc2b3050303d4d27815acb547219947a5672862015e91b4ae15c663f2d62ee2c73fbf7660cb1f72cad5e9e52b4de26bf71fd3f4494f

          • C:\Users\Admin\AppData\Roaming\f37.png
            Filesize

            1KB

            MD5

            446a6ee8969bbb6743d4ed22d343e541

            SHA1

            69010f652fc701d3f505a9c416b6ce09ddf9bb93

            SHA256

            8c8e83025f6a61d08194e852269a5b45f33f0313b59d41140cdb679757356fc3

            SHA512

            a58555fd9abb577ebb6eeec9cb138dbc67aaa4b5b1ad99397f0ede4c63f447a6f4e9af0e67c46e5778a3318676025430efa707c555c37ce19d624f9cc4b1ff67

          • C:\Users\Admin\AppData\Roaming\footnote.mark.properties.xml
            Filesize

            1KB

            MD5

            f7813114f7e6ba1b377b1b02242ad9a7

            SHA1

            422598ffb70fd5e138ab8b9293332d43ade81b59

            SHA256

            24b42dd9fb2410027bc91dd03191e3d78a1d705d09f96e595e19eda7933b53dc

            SHA512

            d393e9f4b92ab144a88dfaeceb4efc549ad8241da6ef602a018f9aee6e43b4b2375dc5eb55fa20415640fca8276f8b446779df6bb878dddc2ad06eac618abc47

          • C:\Users\Admin\AppData\Roaming\generate.index.xml
            Filesize

            1KB

            MD5

            7af160ad2704d87bd0ece9a19fdc9ee8

            SHA1

            21fda1c6f96eaa402fff9f361dc256a97da1dc7e

            SHA256

            b555fd5b2ef9c3dd9e13d412781fcbdbf3b97a6b18dee985bd8da86e391e4950

            SHA512

            ea415816adbd47554f4215d0ffd741a0045dc9cdda0624e4b5d0553f893c954b2abd8a90db0284659a14dce0f5a80f15e8353295ba4da2156e2d0a2905cdd1ae

          • C:\Users\Admin\AppData\Roaming\generate.index.xml
            Filesize

            847B

            MD5

            dac670dc3250ec2a38be195646386c89

            SHA1

            1373182d015c82b47d4bbc5dda88da5fbc1bca3a

            SHA256

            8c4591b205a866468afe6779ac4af70e54e37a105361671fd448895a06c351a7

            SHA512

            0b08bddc4b4723f39650acd68ad14b75783d739e473f64e9a692142b2ecb2577e21f0b41376d5d0de3b6e30744c5b390d9d4d8b74ad05c3060bea4ca393b1d18

          • C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xml
            Filesize

            1KB

            MD5

            a057463e49cc7a282b9de9bd1f98c940

            SHA1

            17f203dd324b4dc61fc85a2848b93f0941946d4e

            SHA256

            ca43ac52dec0ed1083c006678f4e1e0b7e6c2882e8bcc66e76bc776b7340bfe8

            SHA512

            b18514215cc196d457629ee48c08b05078aa7b61dcd26a540ef9aa107e4231a27a80de11e068a03611c85966fcb511bf22f0ab40fc8e461cb817a1caba9c0734

          • C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xml
            Filesize

            1KB

            MD5

            a626c5a8c265d96c010034638f43e34a

            SHA1

            d83a92c1598ee53829ac98bdbd18883b9d3c77f9

            SHA256

            c76077bfe25d85d98b8b351875e6822f0e815cb726a18809ecec32234800b129

            SHA512

            8947a71d7b7c0c5e0e0fbd1d169e721757d541a561fbc5bee7705ccc72f10e8301f76a7b0dd163d931177781133aaf7fc33e198d5c8aaee6dcc9de24c8259ee1

          • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_kr.csv
            Filesize

            727B

            MD5

            2a2bb6e24be66b74f0a8fc256a6fd5f0

            SHA1

            6e80db667076704ecb753d8921c873cf90128f70

            SHA256

            c03c0859d17296986028e5bc16ca6f5167f2d6c966bd03b499619fb25de93da4

            SHA512

            1f054451c4d86bc1d35f015c754cf5c8d5d3e6a2908217b6383e1e8085e1bdeeeb3e4e5b981599e4c5b2cffe5e2fca6c4ea8fb50744748b07966bd30ea5e423a

          • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_kr.csv
            Filesize

            315B

            MD5

            e7b835efd565a6bd02237591a64416fa

            SHA1

            7ea8027ff98e318758a48907a1f69b1b35f63c72

            SHA256

            67ca7823ea8b02127ea8e4c198585e8442530e7e803b2832666257c4050ad605

            SHA512

            911bd83c92eaa36464bcb00c45102bc1b5eacfc83cd8d7ccebf920874fd5156a975d1c0bcfe0d96ca0461ddb287f43c2c8204722d93c6f0ea8663d8f75e14f81

          • C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe
            Filesize

            191KB

            MD5

            3874199af9bef338ffc8dcd9a9d2dbf0

            SHA1

            14f4aa746d391393bd2fdd112a430266bf20a8f2

            SHA256

            a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964

            SHA512

            38c177e59a2d36ed2e25e61930275e474c4cc628485581393dee8202bccdd3576149416fa10b74c9b7ac192c689f08db9ee3553a8e90f06c7ac691c5c2a34fec

          • \Users\Admin\AppData\Local\Temp\nst6B7.tmp\System.dll
            Filesize

            11KB

            MD5

            6f5257c0b8c0ef4d440f4f4fce85fb1b

            SHA1

            b6ac111dfb0d1fc75ad09c56bde7830232395785

            SHA256

            b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

            SHA512

            a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

          • \Users\Admin\AppData\Roaming\Dialogs.dll
            Filesize

            27KB

            MD5

            98041c3b26ffcd6c4371cd6922cc9dfb

            SHA1

            384bd07ad9523353d9c67337af7369834b52914d

            SHA256

            c000e9cc700265ee10be1c811fac455fca938cb5b5144e431eb5286520af94cd

            SHA512

            a2bb8a799dc6c4e25624fd3a6a21ad890c9bddca6fe0a698455c486e4525180cd6767f66db9b5becf06105bef38d924a34179c2416978adccc2707999183f9c3

          • memory/852-141-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-559-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-143-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-152-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-140-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-150-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-147-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-148-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-555-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-563-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-153-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-566-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/852-145-0x0000000003600000-0x0000000003601000-memory.dmp
            Filesize

            4KB

          • memory/2472-125-0x0000000000440000-0x000000000044A000-memory.dmp
            Filesize

            40KB

          • memory/2580-49-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2580-51-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2580-63-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2580-35-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2580-37-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2580-39-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2580-44-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2580-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
            Filesize

            4KB

          • memory/2580-47-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2580-41-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/2924-33-0x00000000026E0000-0x00000000026EA000-memory.dmp
            Filesize

            40KB
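          The following is an added example, not part of the sandbox report and not the sandbox vendor's code. It parses the flat dropped-files layout used above (a bullet path followed by Filesize / MD5 / SHA1 / SHA256 / SHA512 label-value pairs) and applies the checks a responder would run first against such a listing: ransom-note drops by name, Startup-folder persistence (the T1547.001 row in the ATT&CK matrix above), a dropped file whose SHA-256 equals the submitted sample (a self-copy), executables planted under AppData, and zero-byte files, recognised because their digests equal those of empty input (the Roaming\Belem entry above is one). SAMPLE_LISTING is a constructed excerpt in the report's layout with digests copied from the corresponding entries; SUBMITTED_SHA256 is an assumed input, set here to the value the report gives for the dropped msdt.exe so the self-copy check fires; the tag names and regular expressions are the example's own choices.

```python
"""Triage of a sandbox report's flat dropped-files listing (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the report's vertical layout. Digests are copied from the
# corresponding report entries; the Belem entry has no Filesize line, as in the report.
SAMPLE_LISTING = r"""
• C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
  Filesize
  10KB
  MD5
  7e70d22dae63c4d2e3d12afd54d077e1
  SHA256
  ece7fb891ea6c7bf5d6bcd1e443c8055d145fd4f749bbe82b6f917b7f67ba1fa
• C:\Users\Admin\AppData\Roaming\Belem
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\msdt.lnk
  Filesize
  1KB
  SHA256
  c79e14abfa67c8dc574f5f452259c3b5aad149dc87ecd423d3278a2aee2072db
• C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe
  Filesize
  191KB
  SHA256
  a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964
• C:\Users\Admin\AppData\Local\Temp\CabABEA.tmp
  Filesize
  65KB
  SHA256
  c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
"""
# Assumed input: the digest of the submitted sample. Set to the value the report
# gives for the dropped msdt.exe so that the self-copy check fires on that entry.
SUBMITTED_SHA256 = "a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964"

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}


@dataclass
class Dropped:
    path: str
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)  # label -> lowercase hex


def parse_listing(text: str) -> List[Dropped]:
    """A bullet line starts an entry; a label line is followed by its value line.
    Blank lines (the report has one between every label and value) are skipped."""
    entries: List[Dropped] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append(Dropped(path=line.lstrip("• ").strip()))
            pending = None
        elif line in LABELS:
            pending = line
        elif pending and entries:
            if pending == "Filesize":
                entries[-1].size = line
            else:
                entries[-1].digests[pending] = line.lower()
            pending = None
    return entries


_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def size_to_bytes(size: Optional[str]) -> Optional[int]:
    """Report sizes are rounded ('191KB'); returns the rounded byte count or None."""
    m = _SIZE_RE.match(size) if size else None
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()]) if m else None


RANSOM_NOTE_RE = re.compile(r"# DECRYPT MY FILES #\.(txt|html|url|vbs)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I)   # T1547.001
APPDATA_EXEC_RE = re.compile(r"\\AppData\\.*\.(exe|dll|scr)$", re.I)
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # computed, not hardcoded
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def triage(entries: List[Dropped], submitted_sha256: str) -> Dict[str, List[str]]:
    """Map each flagged path to the list of tags that fired on it."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        tags = []
        if RANSOM_NOTE_RE.search(e.path):
            tags.append("ransom-note")
        if STARTUP_RE.search(e.path):
            tags.append("startup-folder-persistence")
        if e.digests.get("SHA256") == submitted_sha256.lower():
            tags.append("self-copy-of-sample")
        if APPDATA_EXEC_RE.search(e.path):
            tags.append("executable-under-appdata")
        if e.digests.get("SHA256") == EMPTY_SHA256 or e.digests.get("MD5") == EMPTY_MD5:
            tags.append("zero-byte-file")
        if tags:
            findings[e.path] = tags
    return findings


if __name__ == "__main__":
    for path, tags in triage(parse_listing(SAMPLE_LISTING), SUBMITTED_SHA256).items():
        print(f"{', '.join(tags):45s} {path}")
```

          The self-copy and Startup-folder rules together describe the persistence chain the matrix records: the 191KB msdt.exe under a GUID-named Roaming folder is byte-identical to the submitted sample, and the msdt.lnk in the Startup folder is what launches it at logon. The empty-input digests are computed with hashlib so the rule cannot drift from a mistyped constant.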