Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-05-2024 05:18

General

  • Target

    3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    3874199af9bef338ffc8dcd9a9d2dbf0

  • SHA1

    14f4aa746d391393bd2fdd112a430266bf20a8f2

  • SHA256

    a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964

  • SHA512

    38c177e59a2d36ed2e25e61930275e474c4cc628485581393dee8202bccdd3576149416fa10b74c9b7ac192c689f08db9ee3553a8e90f06c7ac691c5c2a34fec

  • SSDEEP

    3072:eyAaQqe90u5DdXJP45JQRCK5Z4AhJvKI+EXWML6KyugTxfvDcO3g+xJ+88aQ4VVn:eyAge9RNOQg+ZP12EX5L6154+N8apiPi

Malware Config

Extracted

Path

C:\Users\Admin\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R   R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.
But not only it.
It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.
After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|                                                                       |
| 1. http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2        |
| 2. http://cerberhhyed5frqa.gkfit9.win/DDAE-5801-9A99-0063-70F2        |
| 3. http://cerberhhyed5frqa.305iot.win/DDAE-5801-9A99-0063-70F2        |
| 4. http://cerberhhyed5frqa.dkrti5.win/DDAE-5801-9A99-0063-70F2        |
| 5. http://cerberhhyed5frqa.cneo59.win/DDAE-5801-9A99-0063-70F2        |
|_______________________________________________________________________|
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address
________________________________________________________
|                                                        |
| http://cerberhhyed5frqa.onion/DDAE-5801-9A99-0063-70F2 |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for your convenience.
Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.
The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.
The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2

http://cerberhhyed5frqa.gkfit9.win/DDAE-5801-9A99-0063-70F2

http://cerberhhyed5frqa.305iot.win/DDAE-5801-9A99-0063-70F2

http://cerberhhyed5frqa.dkrti5.win/DDAE-5801-9A99-0063-70F2

http://cerberhhyed5frqa.cneo59.win/DDAE-5801-9A99-0063-70F2

http://cerberhhyed5frqa.onion/DDAE-5801-9A99-0063-70F2

Extracted

Path

C:\Users\Admin\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2" target="_blank">http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/DDAE-5801-9A99-0063-70F2" target="_blank">http://cerberhhyed5frqa.gkfit9.win/DDAE-5801-9A99-0063-70F2</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/DDAE-5801-9A99-0063-70F2" target="_blank">http://cerberhhyed5frqa.305iot.win/DDAE-5801-9A99-0063-70F2</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/DDAE-5801-9A99-0063-70F2" target="_blank">http://cerberhhyed5frqa.dkrti5.win/DDAE-5801-9A99-0063-70F2</a></li> <li><a href="http://cerberhhyed5frqa.cneo59.win/DDAE-5801-9A99-0063-70F2" target="_blank">http://cerberhhyed5frqa.cneo59.win/DDAE-5801-9A99-0063-70F2</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2" target="_blank">http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2" target="_blank">http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2" target="_blank">http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/DDAE-5801-9A99-0063-70F2</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16405) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe
        "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe
          "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe"
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3080
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3424
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            PID:2644
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:516
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2
            5⤵
            PID:4408
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:1888
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "setx.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe" > NUL
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4904
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "setx.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1708
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:952
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe" > NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3632
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1120
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
    1⤵
    PID:4860
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1596
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4064,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:1
    1⤵
    PID:4964
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4884,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:1
    1⤵
    PID:3616
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5272,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:1
    1⤵
    PID:520
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5436,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
    1⤵
    PID:228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5324,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:8
    1⤵
    PID:872
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5848,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:1
    1⤵
    PID:4388
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5908,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:1
    1⤵
    PID:4532
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x554 0x54c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2592
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6292,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6356 /prefetch:1
    1⤵
    PID:4656
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6328,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:1
                              1⤵
                                PID:2384
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5460,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:1
                                1⤵
                                  PID:2616

                                Network

                                 MITRE ATT&CK Matrix (ATT&CK v13)

                                 Tactic / Technique (ID): Count
                                 Execution
                                   Windows Management Instrumentation (T1047): 1
                                 Persistence
                                   Boot or Logon Autostart Execution (T1547): 2
                                     Registry Run Keys / Startup Folder (T1547.001): 2
                                 Privilege Escalation
                                   Boot or Logon Autostart Execution (T1547): 2
                                     Registry Run Keys / Startup Folder (T1547.001): 2
                                 Defense Evasion
                                   Indicator Removal (T1070): 2
                                     File Deletion (T1070.004): 2
                                   Modify Registry (T1112): 3
                                 Credential Access
                                   Unsecured Credentials (T1552): 1
                                     Credentials In Files (T1552.001): 1
                                 Discovery
                                   Network Service Discovery (T1046): 2
                                   Query Registry (T1012): 1
                                   System Information Discovery (T1082): 2
                                   Remote System Discovery (T1018): 1
                                 Collection
                                   Data from Local System (T1005): 1
                                 Impact
                                   Inhibit System Recovery (T1490): 2
                                   Defacement (T1491): 1

                                Downloads

                                • C:\Users\Admin\# DECRYPT MY FILES #.html
                                  Filesize

                                  12KB


                                • C:\Users\Admin\# DECRYPT MY FILES #.txt
                                  Filesize

                                  10KB


                                • C:\Users\Admin\# DECRYPT MY FILES #.url
                                  Filesize

                                  85B


                                • C:\Users\Admin\# DECRYPT MY FILES #.vbs
                                  Filesize

                                  225B


                                • C:\Users\Admin\AppData\Local\Temp\nshF109.tmp\System.dll
                                  Filesize

                                  11KB


                                • C:\Users\Admin\AppData\Roaming\14.svg
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\14.svg
                                  Filesize

                                  906B


                                • C:\Users\Admin\AppData\Roaming\5.svg
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\5.svg
                                  Filesize

                                  967B


                                • C:\Users\Admin\AppData\Roaming\Adobe-Korea1-2
                                  Filesize

                                  4KB


                                • C:\Users\Admin\AppData\Roaming\Baghdad
                                  Filesize

                                  489B


                                • C:\Users\Admin\AppData\Roaming\Belem
                                  Filesize

                                  297B


                                • C:\Users\Admin\AppData\Roaming\CHANGELOG.md
                                  Filesize

                                  4KB


                                • C:\Users\Admin\AppData\Roaming\CHANGELOG.md
                                  Filesize

                                  4KB


                                • C:\Users\Admin\AppData\Roaming\CreatePSPrefsDir
                                  Filesize

                                  33B


                                • C:\Users\Admin\AppData\Roaming\Cube Wrap.dae
                                  Filesize

                                  4KB


                                • C:\Users\Admin\AppData\Roaming\Dialogs.dll
                                  Filesize

                                  27KB


                                • C:\Users\Admin\AppData\Roaming\Dubai
                                  Filesize

                                  65B


                                • C:\Users\Admin\AppData\Roaming\EST5EDT
                                  Filesize

                                  2KB


                                • C:\Users\Admin\AppData\Roaming\GMT+10
                                  Filesize

                                  27B


                                • C:\Users\Admin\AppData\Roaming\LowlandJade.9
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\setx.lnk
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\Tetragon.aMA
                                  Filesize

                                  123KB


                                • C:\Users\Admin\AppData\Roaming\additional_tools_pc_checkup_icon.png
                                  Filesize

                                  3KB


                                • C:\Users\Admin\AppData\Roaming\additional_tools_pc_checkup_icon.png
                                  Filesize

                                  3KB


                                • C:\Users\Admin\AppData\Roaming\admon.graphics.path.xml
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\admon.graphics.path.xml
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\arrow.gif
                                  Filesize

                                  524B


                                • C:\Users\Admin\AppData\Roaming\arrow.gif
                                  Filesize

                                  144B


                                • C:\Users\Admin\AppData\Roaming\aspnet.config
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\aspnet.config
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\bridgehead.in.toc.xml
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\bridgehead.in.toc.xml
                                  Filesize

                                  1004B


                                • C:\Users\Admin\AppData\Roaming\buildMenu.jsx
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\directories.png
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\directories.png
                                  Filesize

                                  1KB


                                • C:\Users\Admin\AppData\Roaming\docbook-xsl-update
                                  Filesize

                                  1KB

                                  MD5

                                  d485a5cd6ca8feeebc079fcc6e914fc2

                                  SHA1

                                  55994d62a8a6c6ea39f1e9c5792fa1343839f2e8

                                  SHA256

                                  6785bc061d585d645cd76d14828928133433cdb329ccc694541f8321f424460a

                                  SHA512

                                  498eec9a93437c580d8f9f92c575330554c9e48a47af4015d32cd6fb03aebb863b1bf084df7a237feea59d477b6a835d59c43ceec07d4d8d048053282de365dc

                                • C:\Users\Admin\AppData\Roaming\f37.png
                                  Filesize

                                  1KB

                                  MD5

                                  c652c652b28d3a6fcf2ded441edbf8eb

                                  SHA1

                                  97dc375b2c78c2b1ad46e8346476a200ae119a1b

                                  SHA256

                                  b5d7a8919d7887994ca7cb3dfb3877d584d73505d889f266616b632b8ffc931a

                                  SHA512

                                  ae962d919803441fb239ad9adedf9f24697c91e925d1de55fbb961461d718f763d9be1faa343681e040ad433cc6c5354477ec762f423ef13e3e5357822101f75

                                • C:\Users\Admin\AppData\Roaming\f37.png
                                  Filesize

                                  1KB

                                  MD5

                                  3cefff53c1064680594a5f98e65849a7

                                  SHA1

                                  c681f94cb3dd872f02a274365ac21d81afb86ab3

                                  SHA256

                                  1691375f12c985b72d6c2fb6596972eaf3efdfc86fb655d308d96c38f64a6f06

                                  SHA512

                                  6a1e07af5f5d20cb7ebe9df97b67b4f98884c5300985876e8fca416959f324ad0d323bf3e94e858dba795853ec643f88da0bcb27c51595ee4e08f0989f3de1c4

                                • C:\Users\Admin\AppData\Roaming\footnote.mark.properties.xml
                                  Filesize

                                  1KB

                                  MD5

                                  cbbcd7df4ad4679cdae899d3cfc6bb32

                                  SHA1

                                  22cf97f4d1a1edd0e4f27bf712f63feacfd205da

                                  SHA256

                                  a39669f516b56f4d803f696423899d358bcc8a90aee9dbc787be48acae55282c

                                  SHA512

                                  e5e9da52c8eb943a7705ad0111599210a924ff18fe68c74742e5e487a51c6a1b1890a165a281c99c1a32626d712ef224ffa9181a0c2866d3f2e020341364129d

                                • C:\Users\Admin\AppData\Roaming\footnote.mark.properties.xml
                                  Filesize

                                  1KB

                                  MD5

                                  8f442e9bf42dbf4a7997d52ed3e37492

                                  SHA1

                                  0160d624330596c6303c590c223aaf644d161e2c

                                  SHA256

                                  c117b2b0b0667cac6ff8e7266c17561c2d9ac9f021fb040ef71df7878f3ed24a

                                  SHA512

                                  a744960b586e37e8bd33ba613f1e1a384529634bfc4c1aa58068dd9b4ee8bc149e7048e1e3263eee526af6d7ac43ac89dceac2d7ad0a7d4818dfbd6dbb22cd58

                                • C:\Users\Admin\AppData\Roaming\generate.index.xml
                                  Filesize

                                  1KB

                                  MD5

                                  fec6c7b575773a511f51596bf6854587

                                  SHA1

                                  4e320e01a19da6dba6d2c30c936d138a16a6560c

                                  SHA256

                                  9f36ad3e16ff2e222d3eb99376529b720a100199642eb52639fd656b600df46b

                                  SHA512

                                  409083df462f9135609dc78ae1318492ddbfeb4497c95d4a31012dea553b2fe29d56fd5ed0c6ff9ed5ca965e87223222c70f0e83ec3ba2f9c484ac933c7308f4

                                • C:\Users\Admin\AppData\Roaming\generate.index.xml
                                  Filesize

                                  847B

                                  MD5

                                  dac670dc3250ec2a38be195646386c89

                                  SHA1

                                  1373182d015c82b47d4bbc5dda88da5fbc1bca3a

                                  SHA256

                                  8c4591b205a866468afe6779ac4af70e54e37a105361671fd448895a06c351a7

                                  SHA512

                                  0b08bddc4b4723f39650acd68ad14b75783d739e473f64e9a692142b2ecb2577e21f0b41376d5d0de3b6e30744c5b390d9d4d8b74ad05c3060bea4ca393b1d18

                                • C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xml
                                  Filesize

                                  1KB

                                  MD5

                                  a057463e49cc7a282b9de9bd1f98c940

                                  SHA1

                                  17f203dd324b4dc61fc85a2848b93f0941946d4e

                                  SHA256

                                  ca43ac52dec0ed1083c006678f4e1e0b7e6c2882e8bcc66e76bc776b7340bfe8

                                  SHA512

                                  b18514215cc196d457629ee48c08b05078aa7b61dcd26a540ef9aa107e4231a27a80de11e068a03611c85966fcb511bf22f0ab40fc8e461cb817a1caba9c0734

                                • C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xml
                                  Filesize

                                  1KB

                                  MD5

                                  c5513e9d05cc5679171549eb5e714373

                                  SHA1

                                  3b3e5a7b02b431e9f92680acbc71cde462026bd5

                                  SHA256

                                  932fa94a268cc14bc363491dede4a477dd3fbb9b758c6aa0a9f19f445b9719dc

                                  SHA512

                                  5e8474953dd890bb42fbf5c29b281d223549f65566ca2eede2207cbdd462c774e4342ca99cdc35e03de2660e0a0370ca632e018f324f31c19606ed32584bda82

                                • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_kr.csv
                                  Filesize

                                  315B

                                  MD5

                                  22f5329bdaa9ce6afdc94416fdb0a693

                                  SHA1

                                  23e281b1a54e69a441a26a093613c2135c510582

                                  SHA256

                                  c1ed5d3f8cd2410d52977c569131b7fdfdfb5c286718154c0540ab652cdab004

                                  SHA512

                                  97f61643b6ec17d8619880f54b1b2e62e073e9538ee89f00b72ec6de7d0dc1e6ca9706b10978ba8f72ecd0ddb42c11384c52238dfa9c2adef571cb14834dc9a4

                                • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_kr.csv
                                  Filesize

                                  315B

                                  MD5

                                  e7b835efd565a6bd02237591a64416fa

                                  SHA1

                                  7ea8027ff98e318758a48907a1f69b1b35f63c72

                                  SHA256

                                  67ca7823ea8b02127ea8e4c198585e8442530e7e803b2832666257c4050ad605

                                  SHA512

                                  911bd83c92eaa36464bcb00c45102bc1b5eacfc83cd8d7ccebf920874fd5156a975d1c0bcfe0d96ca0461ddb287f43c2c8204722d93c6f0ea8663d8f75e14f81

                                • C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe
                                  Filesize

                                  191KB

                                  MD5

                                  3874199af9bef338ffc8dcd9a9d2dbf0

                                  SHA1

                                  14f4aa746d391393bd2fdd112a430266bf20a8f2

                                  SHA256

                                  a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964

                                  SHA512

                                  38c177e59a2d36ed2e25e61930275e474c4cc628485581393dee8202bccdd3576149416fa10b74c9b7ac192c689f08db9ee3553a8e90f06c7ac691c5c2a34fec

                                • memory/2472-34-0x0000000002170000-0x000000000217A000-memory.dmp
                                  Filesize

                                  40KB

                                • memory/2784-112-0x00000000021D0000-0x00000000021DA000-memory.dmp
                                  Filesize

                                  40KB

                                • memory/3080-116-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-449-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-117-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-118-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-131-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-130-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-128-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-127-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-125-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-124-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-504-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-123-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-505-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-502-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-488-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-122-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-443-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-120-0x0000000003C30000-0x0000000003C31000-memory.dmp
                                  Filesize

                                  4KB

                                • memory/3080-461-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-476-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-473-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-471-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-467-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-464-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-458-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-455-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-452-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-440-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-446-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-482-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-485-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/3080-479-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/4224-36-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/4224-38-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/4224-40-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB

                                • memory/4224-52-0x0000000000400000-0x0000000000423000-memory.dmp
                                  Filesize

                                  140KB