Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-05-2024 19:01

General

  • Target

    3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    3c4e73f8346f6040a61543da072f0e0a

  • SHA1

    75c75fa47a6d09eb0a5b40d0d6fc5675a0246040

  • SHA256

    478765a2dd947d1539117b672b1eb77fc5aaea020764ba954acf65e3e480a7e9

  • SHA512

    a888c53f14ce166ba53a78bb395c0d4cb62888ee463c66e094966225428dea2e05ab2d8ce4ae19b8468b8146a8e263eb0f7a8edd0dd353657df123aabdf430b2

  • SSDEEP

    3072:lyAaQqe90u5DdXJP45OYmXsZHY3X22R1/GPx/goWpJWFqV+5GlhVm4gSSIqk2X4E:lyAge9RNJPsEG2z/GZo/4dE1gfY26H+

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE | | 2. http://cerberhhyed5frqa.dkrti5.top/200B-9787-BCD3-0063-72EE | | 3. http://cerberhhyed5frqa.wins4n.win/200B-9787-BCD3-0063-72EE | | 4. 
http://cerberhhyed5frqa.5kti58.win/200B-9787-BCD3-0063-72EE | | 5. http://cerberhhyed5frqa.we34re.top/200B-9787-BCD3-0063-72EE |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/200B-9787-BCD3-0063-72EE | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE

http://cerberhhyed5frqa.dkrti5.top/200B-9787-BCD3-0063-72EE

http://cerberhhyed5frqa.wins4n.win/200B-9787-BCD3-0063-72EE

http://cerberhhyed5frqa.5kti58.win/200B-9787-BCD3-0063-72EE

http://cerberhhyed5frqa.we34re.top/200B-9787-BCD3-0063-72EE

http://cerberhhyed5frqa.onion/200B-9787-BCD3-0063-72EE

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> 
<p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software 
package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE" target="_blank">http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.top/200B-9787-BCD3-0063-72EE" target="_blank">http://cerberhhyed5frqa.dkrti5.top/200B-9787-BCD3-0063-72EE</a></li> <li><a href="http://cerberhhyed5frqa.wins4n.win/200B-9787-BCD3-0063-72EE" target="_blank">http://cerberhhyed5frqa.wins4n.win/200B-9787-BCD3-0063-72EE</a></li> <li><a href="http://cerberhhyed5frqa.5kti58.win/200B-9787-BCD3-0063-72EE" target="_blank">http://cerberhhyed5frqa.5kti58.win/200B-9787-BCD3-0063-72EE</a></li> <li><a href="http://cerberhhyed5frqa.we34re.top/200B-9787-BCD3-0063-72EE" target="_blank">http://cerberhhyed5frqa.we34re.top/200B-9787-BCD3-0063-72EE</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE" target="_blank">http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared 
menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE" target="_blank">http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE" target="_blank">http://cerberhhyed5frqa.sims6n.win/200B-9787-BCD3-0063-72EE</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the 
address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/200B-9787-BCD3-0063-72EE</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you 
can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (2054) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe
        "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe
          "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1292
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1608
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275458 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2364
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
              PID:2984
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
              5⤵
                PID:1688
              • C:\Windows\system32\cmd.exe
                /d /c taskkill /t /f /im "verclsid.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe" > NUL
                5⤵
                  PID:2128
                  • C:\Windows\system32\taskkill.exe
                    taskkill /t /f /im "verclsid.exe"
                    6⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2312
                  • C:\Windows\system32\PING.EXE
                    ping -n 1 127.0.0.1
                    6⤵
                    • Runs ping.exe
                    PID:2932
            • C:\Windows\SysWOW64\cmd.exe
              /d /c taskkill /t /f /im "3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe" > NUL
              3⤵
              • Deletes itself
              • Suspicious use of WriteProcessMemory
              PID:2440
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /t /f /im "3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2264
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 1 127.0.0.1
                4⤵
                • Runs ping.exe
                PID:2820
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {8C7F304A-A5F8-4A9D-97AE-734F3C0CCE79} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe
            C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1328
            • C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe
              C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\verclsid.exe
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1988
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:880
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1864
        • C:\Windows\SysWOW64\DllHost.exe
          C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
          1⤵
            PID:2192

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Defense Evasion
    Modify Registry (T1112): 4
  • Credential Access
    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
  • Discovery
    Network Service Discovery (T1046): 2
    System Information Discovery (T1082): 2
    Remote System Discovery (T1018): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Defacement (T1491): 1

          Downloads
