Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-05-2024 19:01

General

  • Target

    3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    3c4e73f8346f6040a61543da072f0e0a

  • SHA1

    75c75fa47a6d09eb0a5b40d0d6fc5675a0246040

  • SHA256

    478765a2dd947d1539117b672b1eb77fc5aaea020764ba954acf65e3e480a7e9

  • SHA512

    a888c53f14ce166ba53a78bb395c0d4cb62888ee463c66e094966225428dea2e05ab2d8ce4ae19b8468b8146a8e263eb0f7a8edd0dd353657df123aabdf430b2

  • SSDEEP

    3072:lyAaQqe90u5DdXJP45OYmXsZHY3X22R1/GPx/goWpJWFqV+5GlhVm4gSSIqk2X4E:lyAge9RNJPsEG2z/GZo/4dE1gfY26H+

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C | | 2. http://cerberhhyed5frqa.dkrti5.top/F324-75BE-BD7C-0063-798C | | 3. http://cerberhhyed5frqa.wins4n.win/F324-75BE-BD7C-0063-798C | | 4. 
http://cerberhhyed5frqa.5kti58.win/F324-75BE-BD7C-0063-798C | | 5. http://cerberhhyed5frqa.we34re.top/F324-75BE-BD7C-0063-798C |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/F324-75BE-BD7C-0063-798C | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C

http://cerberhhyed5frqa.dkrti5.top/F324-75BE-BD7C-0063-798C

http://cerberhhyed5frqa.wins4n.win/F324-75BE-BD7C-0063-798C

http://cerberhhyed5frqa.5kti58.win/F324-75BE-BD7C-0063-798C

http://cerberhhyed5frqa.we34re.top/F324-75BE-BD7C-0063-798C

http://cerberhhyed5frqa.onion/F324-75BE-BD7C-0063-798C

Extracted

Path

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> 
<p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software 
package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.top/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.dkrti5.top/F324-75BE-BD7C-0063-798C</a></li> <li><a href="http://cerberhhyed5frqa.wins4n.win/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.wins4n.win/F324-75BE-BD7C-0063-798C</a></li> <li><a href="http://cerberhhyed5frqa.5kti58.win/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.5kti58.win/F324-75BE-BD7C-0063-798C</a></li> <li><a href="http://cerberhhyed5frqa.we34re.top/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.we34re.top/F324-75BE-BD7C-0063-798C</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared 
menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the 
address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/F324-75BE-BD7C-0063-798C</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you 
can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>
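
The two notes above carry the only network indicators in this report: five rotating clearnet gateway domains and one .onion address, all sharing the hidden-service label cerberhhyed5frqa, each followed by the same victim ID path. The script below is an added example, not part of the sandbox report, that pulls those indicators out of either note format. Its inputs are short excerpts constructed from the TXT and HTML notes above; the BENIGN_HOSTS set is an assumption about which linked sites are not attacker infrastructure.

```python
"""Extract the stable indicators from a Cerber ransom note (TXT or HTML)."""
import re
from html import unescape
from urllib.parse import urlsplit

# Constructed excerpt of the "# DECRYPT MY FILES #.txt" note shown above;
# only the lines that carry URLs are reproduced.
NOTE_TXT = """
| 1. http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C |
| 2. http://cerberhhyed5frqa.dkrti5.top/F324-75BE-BD7C-0063-798C |
| 3. http://cerberhhyed5frqa.wins4n.win/F324-75BE-BD7C-0063-798C |
| 4. http://cerberhhyed5frqa.5kti58.win/F324-75BE-BD7C-0063-798C |
| 5. http://cerberhhyed5frqa.we34re.top/F324-75BE-BD7C-0063-798C |
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into
| http://cerberhhyed5frqa.onion/F324-75BE-BD7C-0063-798C |
"""

# Constructed excerpt of the HTML variant: each gateway URL appears twice
# (href and link text) and an unrelated help link is mixed in.
NOTE_HTML = """
<li><a href="http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C" target="_blank">http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C</a></li>
<span class="tor">http://cerberhhyed5frqa.onion/F324-75BE-BD7C-0063-798C</span>
<a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a>
"""

URL_RE = re.compile(r"https?://[^\s<>\"'|]+")
# Victim ID as used in this note: five dash-separated groups of four hex digits.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})$")
# Sites the note sends the victim to that are not attacker infrastructure (assumption).
BENIGN_HOSTS = {"www.torproject.org", "www.youtube.com"}


def extract_iocs(note: str) -> dict:
    """Return hidden-service label(s), onion URLs, gateway domains and victim IDs."""
    urls = []
    for u in URL_RE.findall(unescape(note)):   # entities decoded, tags left intact
        u = u.rstrip(".,;)")                    # trailing punctuation from prose
        if u not in urls:
            urls.append(u)
    onion, gateways, victim_ids = [], [], set()
    for u in urls:
        parts = urlsplit(u)
        host = parts.hostname or ""
        if host in BENIGN_HOSTS:
            continue
        m = VICTIM_ID_RE.match(parts.path)
        if m:
            victim_ids.add(m.group(1))
        (onion if host.endswith(".onion") else gateways).append(u)
    # The first DNS label is the hidden-service name and is reused on every
    # gateway domain, so it is the indicator to pivot on; the gateways rotate.
    labels = {urlsplit(u).hostname.split(".")[0] for u in onion + gateways}
    return {
        "hidden_service_labels": sorted(labels),
        "onion_urls": onion,
        "gateway_domains": sorted({urlsplit(u).hostname for u in gateways}),
        "victim_ids": sorted(victim_ids),
    }


if __name__ == "__main__":
    for name, note in (("txt", NOTE_TXT), ("html", NOTE_HTML)):
        print(name, extract_iocs(note))
```

Block on the hidden-service label and the victim ID rather than the gateway domains: the five .win/.top hosts are the throwaway part of the infrastructure, while the label and the ID path are what stays constant between the clearnet and Tor variants.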

Signatures

  • Cerber

    Cerber is a widely distributed ransomware-as-a-service (RaaS) family, first seen in 2016.

  • Contacts a large number (2066) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. Cerber, however, is documented to spray UDP packets across whole IP ranges as a check-in beacon, so with this family a high host count is more likely that behaviour than a scan for services.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and history. For ransomware this signature can also fire simply because files under the browser profile directories are enumerated and encrypted, so on its own it is not evidence of credential theft.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services; for Cerber it is consistent with the family's UDP spray to an IP range.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
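
To turn the signatures above into a detection, the example below, added here and not part of the sandbox report, walks Sysmon-style process-creation events and flags the three things that make this tree recognisable: a binary in a user-writable path relaunching its own image (the parent/child pairs where the report notes SetThreadContext and WriteProcessMemory), a dropped executable running from %AppData%\Roaming\{GUID}\, and a browser opened on the ransom note by such a process. The events are constructed from the process tree in this report; the parent of the first process is not shown there and is assumed to be explorer.exe with PID 1234.

```python
"""Flag the Cerber execution chain in this report from process-creation events."""
import re

# Image paths taken from the process tree in this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
LABEL = r"C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EXPLORER = r"C:\Windows\explorer.exe"   # assumed parent of the sample; not in the report

# Constructed events in the shape of Sysmon Event ID 1 (process create), with the
# PIDs from the report. PID 1234 for explorer.exe is an assumption.
EVENTS = [
    {"pid": 1234, "ppid": 0,    "image": EXPLORER, "cmdline": "explorer.exe"},
    {"pid": 4356, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 696,  "ppid": 4356, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3596, "ppid": 696,  "image": LABEL,  "cmdline": f'"{LABEL}"'},
    {"pid": 980,  "ppid": 3596, "image": LABEL,  "cmdline": f'"{LABEL}"'},
    {"pid": 376,  "ppid": 980,  "image": EDGE,
     "cmdline": f'"{EDGE}" --single-argument C:\\Users\\Admin\\Desktop\\# DECRYPT MY FILES #.html'},
    {"pid": 3476, "ppid": 376,  "image": EDGE,
     "cmdline": f'"{EDGE}" --type=crashpad-handler'},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
GUID_DIR = re.compile(r"\\AppData\\Roaming\\\{[0-9A-F-]{36}\}\\[^\\]+\.exe$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"# DECRYPT MY FILES #\.(?:html|txt)", re.IGNORECASE)


def detect(events):
    """Return (rule, pid) pairs for events matching the Cerber chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img = e["image"]
        # A binary in a user-writable path relaunching its own image: the
        # unpacker/hollowed-child pattern behind the SetThreadContext and
        # WriteProcessMemory notes on PIDs 4356 and 3596. Chromium-style
        # browsers also self-spawn, which the path check excludes.
        if parent and parent["image"].lower() == img.lower() and USER_WRITABLE.match(img):
            findings.append(("self_spawn_from_user_writable_path", e["pid"]))
        # Dropped payload running from %AppData%\Roaming\{GUID}\ .
        if GUID_DIR.search(img):
            findings.append(("exe_in_appdata_guid_dir", e["pid"]))
        # Browser launched on the ransom note by a parent that itself runs from
        # a user-writable path: the note being displayed, not a user opening it.
        if RANSOM_NOTE.search(e["cmdline"]) and parent and USER_WRITABLE.match(parent["image"]):
            findings.append(("ransom_note_displayed", e["pid"]))
    return findings


def lineage(events, pid):
    """Walk ppid links back to the root so a finding can be tied to the sample."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:38} pid={pid} lineage={lineage(EVENTS, pid)}")
```

The self-spawn rule is deliberately gated on the image living under a user profile: Edge in this very tree spawns more than a dozen msedge.exe children, and without the path condition the rule would fire on every one of them.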

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
        "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
          "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:980
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:376
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
              6⤵
                PID:3476
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
                6⤵
                  PID:116
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
                  6⤵
                    PID:2028
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
                    6⤵
                      PID:464
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                      6⤵
                        PID:812
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
                        6⤵
                          PID:900
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
                          6⤵
                            PID:912
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
                            6⤵
                              PID:3912
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
                              6⤵
                                PID:3716
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
                                6⤵
                                  PID:228
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
                                  6⤵
                                    PID:640
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
                                    6⤵
                                      PID:3744
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
                                      6⤵
                                        PID:2000
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                                        6⤵
                                          PID:3944
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
                                          6⤵
                                            PID:5192
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
                                            6⤵
                                              PID:5892
                                          • C:\Windows\system32\NOTEPAD.EXE
                                            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                            5⤵
                                              PID:1664
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C
                                              5⤵
                                                PID:2940
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
                                                  6⤵
                                                    PID:4912
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                                  5⤵
                                                    PID:932
                                                  • C:\Windows\system32\cmd.exe
                                                    /d /c taskkill /t /f /im "label.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe" > NUL
                                                    5⤵
                                                      PID:5308
                                                      • C:\Windows\system32\taskkill.exe
                                                        taskkill /t /f /im "label.exe"
                                                        6⤵
                                                        • Kills process with taskkill
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5360
                                                      • C:\Windows\system32\PING.EXE
                                                        ping -n 1 127.0.0.1
                                                        6⤵
                                                        • Runs ping.exe
                                                        PID:5412
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /d /c taskkill /t /f /im "3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe" > NUL
                                                  3⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1568
                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                    taskkill /t /f /im "3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
                                                    4⤵
                                                    • Kills process with taskkill
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2504
                                                  • C:\Windows\SysWOW64\PING.EXE
                                                    ping -n 1 127.0.0.1
                                                    4⤵
                                                    • Runs ping.exe
                                                    PID:3912
                                            • C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
                                              C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious use of SetThreadContext
                                              • Suspicious use of WriteProcessMemory
                                              PID:2036
                                              • C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
                                                C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
                                                2⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4920
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:4412
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:1408
                                                • C:\Windows\system32\AUDIODG.EXE
                                                  C:\Windows\system32\AUDIODG.EXE 0x468 0x4a0
                                                  1⤵
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4468

                                                Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
• Boot or Logon Autostart Execution, T1547 (2)
• Registry Run Keys / Startup Folder, T1547.001 (2)

Privilege Escalation
• Boot or Logon Autostart Execution, T1547 (2)
• Registry Run Keys / Startup Folder, T1547.001 (2)

Defense Evasion
• Modify Registry, T1112 (3)

Credential Access
• Unsecured Credentials, T1552 (1)
• Credentials In Files, T1552.001 (1)

Discovery
• Network Service Discovery, T1046 (2)
• Query Registry, T1012 (2)
• System Information Discovery, T1082 (3)
• Remote System Discovery, T1018 (1)

Collection
• Data from Local System, T1005 (1)

Impact
• Defacement, T1491 (1)

                                                Downloads

                                                • C:\Users\Admin\AppData\Roaming\Intertexture.4
                                                  Filesize

                                                  3KB

                                                  MD5

                                                  2dbc9a99be65f59024f14bd20f67417d

                                                  SHA1

                                                  3a42697cd2790da75713cccf81a1976c78da5abe

                                                  SHA256

                                                  1d66d9570cb69bf6b0a3a4cdba1e848015fff4c668f5e24d0f63ef306a3e77dc

                                                  SHA512

                                                  998122a6077b81acc2475e8c7d5b7ae4bfbc91a763e83395fbe96d981c6de8c83b3bf671938c126691aff0db3d9224c4d9b5d6ee12155011b26e89abd2d6a320

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\label.lnk
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  a7a8ca0d222e78f0b1fe0a65d8e59776

                                                  SHA1

                                                  562235d90ca0e8546b548a5e33ca0856c60db195

                                                  SHA256

                                                  f9637ee021695e87e8f1cb2bb47c5d108b37ecc94fe8e77a0cdb5b9062158496

                                                  SHA512

                                                  9bd25211b82f3dbd3ea2a7992810713c2191525b433719a065cd3818973037ff226f0fda3e32f0ee1fc9cb416133751305fd8d891f5a9bf458293216563a68b2

                                                • C:\Users\Admin\AppData\Roaming\action_center.png
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  e63b3d79ef21e80350c7b1f2dd7267a8

                                                  SHA1

                                                  55809d306007998b3dcecaad783ddff864addeae

                                                  SHA256

                                                  c63e1881be15d5352f089fa87c8f1eff802ab1bb763c5e00e664a4d099bab6fc

                                                  SHA512

                                                  10fd852b5e6f9d80f120427e705186097453bba35bf723122badf51fb5071d379c2ba1c10ac1636bb860fa9663891cc273249e52468ec0affb514125e8f9f1e0

                                                • C:\Users\Admin\AppData\Roaming\appIcon.png
                                                  Filesize

                                                  4KB

                                                  MD5

                                                  bbe9120f8e0841c852a94d08e9cd9878

                                                  SHA1

                                                  feb75c97961a446431ad9b377210e84bd8e896ab

                                                  SHA256

                                                  99e6e61959baaea9d044e6bee5dd53efcf112d913b25f0dfa2936f7a4edc299a

                                                  SHA512

                                                  78f56704d8f3dbcddf023718a4db94f21394a91eefb15ee08b6428bd622f0b14986a292a334c5657e18cf5f68db694e485e53ddcf8d99996a7c257fd62bc6097

                                                • C:\Users\Admin\AppData\Roaming\appendix.autolabel.xml
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d009a4291e99eb0acc463d103fd186d6

                                                  SHA1

                                                  852fe5f187cf340e8c1b8d5867339b4798c532c1

                                                  SHA256

                                                  589eb103d741402ee76a4e75413d400375adda6e96f7f420e3ca69e4b210cc6f

                                                  SHA512

                                                  816f55df21b5ecc298f9bae9f743e4534f2987188912cd43bd237ea5a3c533398af2ff28826226b7ef3bbd31127f1bad9dd4f435467ccb4a8db410a94ac25d27

                                                • C:\Users\Admin\AppData\Roaming\bibliography.numbered.xml
                                                  Filesize

                                                  911B

                                                  MD5

                                                  9c8aeaf281f10c5ea0bf02791afb54f2

                                                  SHA1

                                                  fc613c7e8691fb0b83ec9fa71de62fd08a3da8cc

                                                  SHA256

                                                  a340c62b234faeaee7011e435cfca4ccbb7021aad1dd4d77e89240d8da503e3d

                                                  SHA512

                                                  ec81f6eeadba2208ad14327de2a226c940542cb858b6fe5c34df2bce1d22d0ad0a6ada80344a14d516359f6e88851a75eaaac4052aa95d4424c327bea308c226

                                                • C:\Users\Admin\AppData\Roaming\blue 286 bl 2.ADO
                                                  Filesize

                                                  524B

                                                  MD5

                                                  a4c0299e39c677afd7a7517d2980bf15

                                                  SHA1

                                                  8748961f6bda83bec226430bf60589d6b2344211

                                                  SHA256

                                                  5b2da553b3587b710311b4b6318464456cbb2cdfd1c8bd7a831b3bb36aa8ca23

                                                  SHA512

                                                  1e0491cbb298f18b192e96d23fd629739ea48de85ee1b7ed3a7e96a3a645d1ca8471580b6bb0545f10d0edc845612d002920071870bf69a7c90ed9705f8f52d1

                                                • C:\Users\Admin\AppData\Roaming\cert.cer
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  27b82a7a73d2a5ad04f3ae7471f490b5

                                                  SHA1

                                                  95359916fa95d0b523293e11f84ca683afc9f7ef

                                                  SHA256

                                                  95489873b5c2a844583cc2a5e63fe276adfd51067bad9c051f42557f1f5b8426

                                                  SHA512

                                                  7f74e1c2cb0d5755dc2a68d4926a75b6af065c9b578d0f4ef1a9bb2c1e1da0f8c4cee91505cb5489e004f880728269723c6bc0e4fd6dd7a53064fa8e48c4b40e

                                                • C:\Users\Admin\AppData\Roaming\column.gap.front.xml
                                                  Filesize

                                                  956B

                                                  MD5

                                                  7bc409b7645ec7b8da88d7476af3d3bc

                                                  SHA1

                                                  49a73eb68fbbfbbfa799f695703b9a4b0605b91e

                                                  SHA256

                                                  e1973a32a2a0b16dda8a813c1d1096ac0e91224fbe25d16667ee93e8b76f8c6e

                                                  SHA512

                                                  0c9aaf3a4ea70d918587ce30917dcc9219a687a30b8b68fbe5969ca6136e5adc919e55d92d79fbe39f73ec3c758fb7487bcf615241948ba054fdd68043edccad

                                                • C:\Users\Admin\AppData\Roaming\defaultProfilerFilter_restorepoints.xml
                                                  Filesize

                                                  592B

                                                  MD5

                                                  b14872001828a70ca9f8cb55f37d8e7f

                                                  SHA1

                                                  ceec1f59f82ef6991eeb3f931707716f76ae4c38

                                                  SHA256

                                                  9ca7847addfc688efad2575b3c949fd296890731b3865cd7aeef3166a3a9b900

                                                  SHA512

                                                  21a5d902d045ce1eb73c8f8e5183152445bb95eaf2b24b76a21f32e39be801f2ab19e7b90743de2926afc12334fe168230effe24d622ca2816ed039f30080f79

                                                • C:\Users\Admin\AppData\Roaming\desktop_settings.png
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  30d4b351117ef25ded894659f14d5c37

                                                  SHA1

                                                  3037e0929a310cb6f88c1898efe0f3ddd0d09c61

                                                  SHA256

                                                  03b3920409fbd4158c298fe98e5ddfd4f61871cbaf1f83bfe7efd6f4c1855152

                                                  SHA512

                                                  6fd014f3fdb693c947fbc6fb8df68d7647ede489108719f84081d2ce1e96ec5afc2c2a28ccb0257f9f9af9239f930d22711ffe1743a5c9765289d341abc86d8f

                                                • C:\Users\Admin\AppData\Roaming\doc_to_html.xsl
                                                  Filesize

                                                  423B

                                                  MD5

                                                  cb43650edd662a8f3db2032c0d55c3f3

                                                  SHA1

                                                  1544d7f37cf53169191c845187b1b02be0372479

                                                  SHA256

                                                  38187ff4172798fe3ca79b1119e1d7d64968bccd147105b937db86e5298d6a13

                                                  SHA512

                                                  dd7ff292f86ecac1ab859f1e9c3780dfeb2f5421738470d0e02a39a9b7e000956a915397b919438b215cd274a3e88d8141838f7a89f114dc97ddccc58f34fa53

                                                • C:\Users\Admin\AppData\Roaming\download_9.ico
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  abff65be1893e7978dd0b6e1bdb42d23

                                                  SHA1

                                                  ae69e505a80403424311c1bfa3dc2874f5c37d6d

                                                  SHA256

                                                  a1231846b1bf79751d6c5f29dedb7326895761c892ee9fe523f03121bb6e580d

                                                  SHA512

                                                  2006d68a1f536e12f851a9181b94da271f6ae3b9d47722620aa3ce2c964db82fbe46e2bb93310e5f2d5ecc413df61d08b4444a1f3bcf4126065864c6f5638748

                                                • C:\Users\Admin\AppData\Roaming\error-2.png
                                                  Filesize

                                                  4KB

                                                  MD5

                                                  03bb2810172dbaec0061344c74909121

                                                  SHA1

                                                  5f865501f722f0f7438f0fa8b41cf39797f939d0

                                                  SHA256

                                                  c82b31f78c0b8231e00186c1ce03c14fbf2fe830a89e231bb089f1f84decdc0d

                                                  SHA512

                                                  ab99ee2cc7e9222a7d7d44fd66f1ea5ed8d862eacdaf946a43d94f06e75e93d90a83c45bbe92da8885cb373cd5b6f60c199f6f3bb854c7822bc1a46cc282631c

                                                • C:\Users\Admin\AppData\Roaming\f16.png
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  04e342c4c897da1280973c56fdfa4017

                                                  SHA1

                                                  b035ecefbb20dbf906fe3dcee8bc39e8341f8346

                                                  SHA256

                                                  14130d579b728d41dddeead049bd96a1fa1b41a93bf0de5776164ce467e47790

                                                  SHA512

                                                  aaaaa5f84671de83a894bd5531a0f8dc842763023352db3a74dba9629beaa0020a1bcfd0d6a83752338a13b862cdb69dcf26c6ee4df0c26db0a99a61bf77ab39

                                                • C:\Users\Admin\AppData\Roaming\f36.png
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  d8aeb2d62490a438ab2eef0016c79b68

                                                  SHA1

                                                  ee14175e6dee1283d62260605ea1ee4769e0e67f

                                                  SHA256

                                                  2fbf742695cc09d871ee943f7115136e33236a31a56f8a27a03bff46391a5bb6

                                                  SHA512

                                                  7de1aae2d9e87632fc09eeea3ebc6f1038049590bc97d82af74f03f0587c8ccf8675e75a8bf19b0e632b26a7a0ba21ca3b2ad9c5f6374916c327b62074adc6d3

                                                • C:\Users\Admin\AppData\Roaming\forrest-credit-logo.png
                                                  Filesize

                                                  4KB

                                                  MD5

                                                  16c7c07e2b54a06d72db929643c7693e

                                                  SHA1

                                                  dfb1cdd39ad9aeca1dbdec2a2adc88b762f1ad13

                                                  SHA256

                                                  f9bff20afb094c9035335c27b2a77e8ff80e5b4aa5183281ae88572b030d7c6b

                                                  SHA512

                                                  93eeb5260857dd04aaee75f8cfa8538c6134eb8b8bd44ba3b4839dfd014cfd16c3c971eb07173c64376ae0d7a5c975c878356d8baba3d0630224b9ba8ee890ff

                                                • C:\Users\Admin\AppData\Roaming\g1_1136 x 640 px 144 ppi.IMZ
                                                  Filesize

                                                  46B

                                                  MD5

                                                  af3bc9f93007146857ec5a55e32702c6

                                                  SHA1

                                                  42cc41386c2709a53b8ffa4552790e164e4db59f

                                                  SHA256

                                                  c552f73678b4e4d8a9c28600a4a3a3a611e2badc2c9f91ce23ba734e6f7a4858

                                                  SHA512

                                                  19f2908f53b74778ae8fbf2b25efb9a05871e114382601cc6092335eb9b0fa90da10cff4384bca946297f4334c26e421b176dbda7ba0c6fd0ff3e81851701fe7

                                                • C:\Users\Admin\AppData\Roaming\glossdef.block.properties.xml
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  08db45baad2609606ec0a40b6acb6ba7

                                                  SHA1

                                                  11ead502e7d2715a13e259a2b7153107db67d837

                                                  SHA256

                                                  8a3a0aac4b5a5a33899ef1f56ab60d959972c40b9faf4eabb6ff2962b5e157ef

                                                  SHA512

                                                  37f4290a10b7dfc5e214292dc6eb9f9dba372141030d684dbbcb47b5834cfbd77b002fa93121485314dbdcee66ba6338c0571648bc1d99a9485ecceb2caeeae1

                                                • C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
                                                  Filesize

                                                  203KB

                                                  MD5

                                                  3c4e73f8346f6040a61543da072f0e0a

                                                  SHA1

                                                  75c75fa47a6d09eb0a5b40d0d6fc5675a0246040

                                                  SHA256

                                                  478765a2dd947d1539117b672b1eb77fc5aaea020764ba954acf65e3e480a7e9

                                                  SHA512

                                                  a888c53f14ce166ba53a78bb395c0d4cb62888ee463c66e094966225428dea2e05ab2d8ce4ae19b8468b8146a8e263eb0f7a8edd0dd353657df123aabdf430b2

                                                • memory/696-53-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/696-41-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/696-40-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/696-39-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/696-37-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-121-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-482-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-197-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-196-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-199-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-462-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-465-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-468-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-496-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-494-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-492-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-490-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-488-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-487-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-484-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-198-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-471-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-456-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-459-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-453-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-120-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-125-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-127-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-126-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-552-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-557-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/980-558-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/4920-191-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/4920-192-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB