Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-05-2024 19:01

Static task: static1
Behavioral task: behavioral1
  Sample: 3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
Size: 203KB
MD5: 3c4e73f8346f6040a61543da072f0e0a
SHA1: 75c75fa47a6d09eb0a5b40d0d6fc5675a0246040
SHA256: 478765a2dd947d1539117b672b1eb77fc5aaea020764ba954acf65e3e480a7e9
SHA512: a888c53f14ce166ba53a78bb395c0d4cb62888ee463c66e094966225428dea2e05ab2d8ce4ae19b8468b8146a8e263eb0f7a8edd0dd353657df123aabdf430b2
SSDEEP: 3072:lyAaQqe90u5DdXJP45OYmXsZHY3X22R1/GPx/goWpJWFqV+5GlhVm4gSSIqk2X4E:lyAge9RNJPsEG2z/GZo/4dE1gfY26H+
Malware Config
Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
  http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C
  http://cerberhhyed5frqa.dkrti5.top/F324-75BE-BD7C-0063-798C
  http://cerberhhyed5frqa.wins4n.win/F324-75BE-BD7C-0063-798C
  http://cerberhhyed5frqa.5kti58.win/F324-75BE-BD7C-0063-798C
  http://cerberhhyed5frqa.we34re.top/F324-75BE-BD7C-0063-798C
  http://cerberhhyed5frqa.onion/F324-75BE-BD7C-0063-798C
Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

Contacts a large number (2066) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\label.exe\""  (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\label.exe\""  (label.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  (label.exe)

Drops startup file (2 IoCs)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\label.lnk  (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\label.lnk  (label.exe)

Executes dropped EXE (4 IoCs)
  PID 3596  label.exe
  PID 980   label.exe
  PID 2036  label.exe
  PID 4920  label.exe

Loads dropped DLL (9 IoCs)
  PID 4356  3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe  (3 loads)
  PID 3596  label.exe  (3 loads)
  PID 2036  label.exe  (3 loads)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\label = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\label.exe\""  (label.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\label = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\label.exe\""  (label.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\label = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\label.exe\""  (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\label = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\label.exe\""  (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe)

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 34  ipinfo.io
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD2FB.bmp"  (label.exe)

Suspicious use of SetThreadContext (3 IoCs)
  PID 4356 (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe) set thread context of PID 696 (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe)
  PID 3596 (label.exe) set thread context of PID 980 (label.exe)
  PID 2036 (label.exe) set thread context of PID 4920 (label.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
  C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe  matched YARA rule nsis_installer_1
  C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe  matched YARA rule nsis_installer_2

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)

Kills process with taskkill (2 IoCs)
  PID 2504  taskkill.exe
  PID 5360  taskkill.exe

Modifies Control Panel (4 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop  (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\label.exe\""  (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe)
  Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop  (label.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\label.exe\""  (label.exe)

Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  (label.exe)

Runs ping.exe (1 TTP, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 980  label.exe  (64 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  PID 376  msedge.exe  (10 events)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege            PID 696   3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
  Token: SeDebugPrivilege            PID 2504  taskkill.exe
  Token: SeDebugPrivilege            PID 980   label.exe
  Token: SeDebugPrivilege            PID 4920  label.exe
  Token: 33                          PID 4468  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  PID 4468  AUDIODG.EXE
  Token: SeDebugPrivilege            PID 5360  taskkill.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  PID 376  msedge.exe  (25 events)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 376  msedge.exe  (24 events)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4356 (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe) wrote to memory of PID 696 (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe)  x9
  PID 696 (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe) wrote to memory of PID 3596 (label.exe)  x3
  PID 696 (3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe) wrote to memory of PID 1568 (cmd.exe)  x3
  PID 1568 (cmd.exe) wrote to memory of PID 2504 (taskkill.exe)  x3
  PID 1568 (cmd.exe) wrote to memory of PID 3912 (PING.EXE)  x3
  PID 3596 (label.exe) wrote to memory of PID 980 (label.exe)  x9
  PID 2036 (label.exe) wrote to memory of PID 4920 (label.exe)  x9
  PID 980 (label.exe) wrote to memory of PID 376 (msedge.exe)  x2
  PID 376 (msedge.exe) wrote to memory of PID 3476 (msedge.exe)  x2
  PID 980 (label.exe) wrote to memory of PID 1664 (NOTEPAD.EXE)  x2
  PID 376 (msedge.exe) wrote to memory of PID 116 (msedge.exe)  x19
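The registry and Startup-folder IoCs above all launch the same dropped binary from a GUID-named folder under AppData\Roaming, registered through four different autostart locations (Policies\Explorer\Run, Run, RunOnce and SCRNSAVE.EXE) plus a Startup-folder shortcut. The Python below is an added example, not part of the sandbox report and not code from the sample: it takes those events, transcribed into a constructed (process, operation, target, data) tuple shape with the sandbox's escaped value strings unescaped, and ranks each autostart write by where its target lives. The tuple shape, the technique names, the severity scale and the benign VendorUpdater entry are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample events, transcribed from the IoC tables in the report:
# registry "Set value" events and the Startup-folder file creation, plus one
# made-up benign Run-key entry for contrast. The tuple shape is an assumption
# of this example, not the sandbox's export format.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe", "RegSetValue",
     r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     r'"C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"'),
    ("label.exe", "RegSetValue",
     r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\label",
     r'"C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"'),
    ("label.exe", "RegSetValue",
     r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\label",
     r'"C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"'),
    ("label.exe", "RegSetValue",
     r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE",
     r'"C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"'),
    ("label.exe", "RegSetValue",
     r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper",
     r"C:\Users\Admin\AppData\Local\Temp\tmpD2FB.bmp"),
    ("3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe", "FileCreate",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\label.lnk", ""),
    # Constructed benign entry: a machine-wide updater registered under Run.
    ("setup.exe", "RegSetValue",
     r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     r'"C:\Program Files\Vendor\updater.exe" /background'),
]

# Autostart locations seen in the report; matched with re.search, case-insensitive.
AUTOSTART_KEYS = {
    "policy_explorer_run": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run(\\[^\\]+)?$", re.I),
    "run_or_runonce": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I),
    "screensaver": re.compile(r"\\Control Panel\\Desktop\\SCRNSAVE\.EXE$", re.I),
}
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
GUID_DIR = re.compile(
    r"\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\\", re.I)


@dataclass
class Finding:
    process: str
    technique: str
    location: str   # registry key (hive-normalized) or file path that was written
    image: str      # what the autostart entry launches
    severity: str   # high / medium / low (scale is an assumption of this example)


def normalize_key(key: str) -> str:
    """Rewrite the kernel-style \\REGISTRY\\... prefix into the HKU/HKLM form."""
    key = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", key, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    return key


def launched_image(value_data: str) -> str:
    """Executable path from a Run-style value: first quoted token, else first token."""
    m = re.match(r'\s*"([^"]+)"', value_data)
    return m.group(1) if m else value_data.strip().split(" ")[0]


def severity_for(image: str) -> str:
    """Rank by where the autostart target lives: a GUID-named folder under the
    user's profile (the pattern in this report) ranks above any other
    user-writable location, which ranks above a machine-wide install path."""
    if USER_WRITABLE.search(image) and GUID_DIR.search(image):
        return "high"
    if USER_WRITABLE.search(image):
        return "medium"
    return "low"


def classify(event: Tuple[str, str, str, str]) -> Optional[Finding]:
    process, op, target, data = event
    if op == "RegSetValue":
        for technique, pattern in AUTOSTART_KEYS.items():
            if pattern.search(target):
                image = launched_image(data)
                return Finding(process, technique, normalize_key(target), image, severity_for(image))
        return None
    if op == "FileCreate" and STARTUP_LNK.search(target):
        # The shortcut's own target is not in the event, so rank on where it was written.
        return Finding(process, "startup_folder_lnk", target, target, severity_for(target))
    return None


def persistence_findings(events) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


def by_severity(findings) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in persistence_findings(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.technique:20} {f.process} -> {f.image}")
```

The wallpaper write is deliberately not flagged: it is an impact indicator, not an autostart. Four of the six findings come out "high" because every one of them points at the same `{GUID}\label.exe` under AppData\Roaming; that co-location is what to pivot on when hunting across hosts.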
Processes
Nesting level in brackets; each entry shows the image path, its command line, then the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
      - Adds policy Run key to start application
      - Drops startup file
      - Adds Run key to start application
      - Modifies Control Panel
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe"
          - Adds policy Run key to start application
          - Checks computer location settings
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Sets desktop wallpaper using registry
          - Modifies Control Panel
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            - Enumerates system info in registry
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16158508918227179054,13764838332134007879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
        [5] C:\Windows\system32\NOTEPAD.EXE
            cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.sims6n.win/F324-75BE-BD7C-0063-798C
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
        [5] C:\Windows\System32\WScript.exe
            cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        [5] C:\Windows\system32\cmd.exe
            cmdline: /d /c taskkill /t /f /im "label.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe" > NUL
          [6] C:\Windows\system32\taskkill.exe
              cmdline: taskkill /t /f /im "label.exe"
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\PING.EXE
              cmdline: ping -n 1 127.0.0.1
              - Runs ping.exe
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: /d /c taskkill /t /f /im "3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe" > NUL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /t /f /im "3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\PING.EXE
          cmdline: ping -n 1 127.0.0.1
          - Runs ping.exe
[1] C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
    cmdline: C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
      cmdline: C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\AUDIODG.EXE
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x468 0x4a0
    - Suspicious use of AdjustPrivilegeToken
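Both cmd.exe entries in the tree run the same self-deletion chain: kill the parent by image name, wait one loopback ping, delete the parent's file, with every stage's output sent to NUL. The Python below is an added example, not the sample's code and not the sandbox's own detection logic: it parses such command lines out of process-creation events and flags a cmd.exe child whose chain kills or deletes the image of its own parent. The ProcEvent shape, every PID other than 1568 (the one the report gives for the first cmd.exe) and the benign installer event are assumptions of this example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


# Constructed process-creation events modelled on the two cmd.exe entries in the
# process tree above. PID 1568 is the one the report gives for the first
# cmd.exe; the other PIDs are illustrative. The third event is a made-up
# benign cleanup command for contrast.
SAMPLE_EVENTS = [
    ProcEvent(1568,
              r"C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'/d /c taskkill /t /f /im "3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3c4e73f8346f6040a61543da072f0e0a_JaffaCakes118.exe" > NUL'),
    ProcEvent(5100,
              r"C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe",
              r"C:\Windows\system32\cmd.exe",
              r'/d /c taskkill /t /f /im "label.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exe" > NUL'),
    ProcEvent(7000,
              r"C:\Program Files\Vendor\installer.exe",
              r"C:\Windows\system32\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\setup.log"'),
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def split_chain(command_line: str) -> List[str]:
    """Return the individual commands from a `cmd /c a & b & c` line: split on
    &, &&, | and || only outside double quotes, then drop `> NUL` redirections."""
    m = re.search(r"/[ck]\s+(.*)$", command_line, re.I)
    body = m.group(1) if m else command_line
    parts, cur, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            in_quotes = not in_quotes
        if ch in "&|" and not in_quotes:
            parts.append("".join(cur))
            cur = []
            if i + 1 < len(body) and body[i + 1] == ch:  # && or ||
                i += 1
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    cleaned = [re.sub(r"\s*>\s*NUL\b", "", p, flags=re.I).strip() for p in parts]
    return [p for p in cleaned if p]


def parse_stage(stage: str) -> Dict[str, Optional[str]]:
    """Extract the verb and the one argument that matters for this detection."""
    verb = stage.split(None, 1)[0].lower()
    info: Dict[str, Optional[str]] = {"verb": verb, "image": None, "path": None, "host": None}
    if verb == "taskkill":
        m = re.search(r'/im\s+"?([^"\s]+)"?', stage, re.I)
        info["image"] = m.group(1) if m else None
    elif verb in ("del", "erase"):
        m = re.search(r'"([^"]+)"', stage)
        info["path"] = m.group(1) if m else stage.split()[-1]
    elif verb == "ping":
        tokens = stage.split()
        info["host"] = tokens[-1] if len(tokens) > 1 else None
    return info


def analyze(ev: ProcEvent) -> Optional[dict]:
    """Flag a cmd.exe child whose chain kills and/or deletes its own parent's image."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    stages = [parse_stage(s) for s in split_chain(ev.command_line)]
    parent_name = ntpath.basename(ev.parent_image).lower()
    killed = [s["image"] for s in stages if s["verb"] == "taskkill" and s["image"]]
    deleted = [s["path"] for s in stages if s["verb"] in ("del", "erase") and s["path"]]
    kills_parent = any(k.lower() == parent_name for k in killed)
    deletes_parent = any(ntpath.basename(p).lower() == parent_name for p in deleted)
    if not (kills_parent or deletes_parent):
        return None
    # ping -n 1 against loopback is the classic "sleep" before the delete.
    loopback_ping = any(s["verb"] == "ping" and (s["host"] or "").lower() in LOOPBACK
                        for s in stages)
    return {
        "pid": ev.pid,
        "parent": ev.parent_image,
        "killed": killed,
        "deleted": deleted,
        "kills_parent": kills_parent,
        "deletes_parent": deletes_parent,
        "loopback_ping": loopback_ping,
    }


def detect_self_delete(events: List[ProcEvent]) -> List[dict]:
    return [r for r in (analyze(e) for e in events) if r is not None]


if __name__ == "__main__":
    for hit in detect_self_delete(SAMPLE_EVENTS):
        print(hit)
```

Keying on the parent relationship rather than on the literal `taskkill ... & ping ... & del` string is what keeps the benign cleanup from firing and also catches variants that swap `ping` for `timeout` or drop the kill stage; the loopback-ping flag is kept as a separate field so a rule can weight it without depending on it.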
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
  Filesize: 12KB
  MD5: dc8968ad7785386032341b6a3c99338d
  SHA1: 056c51ee1478197f044fed9bd856637c7ca99bcf
  SHA256: 707a5b55df3eec794ee93739c8b7039ccba318027456d45dbdd1f3480ebb6fe6
  SHA512: 5089809f5c60999566b5f891379910489a5d0105585903c6d4636fd43642078070d48bf17b3bae63488a1b459432a7e822be8fa4cfaf1cdaa4a8361546309d85

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: b89a5b3f1540e38e38b8143775462437
  SHA1: ae57abf1789659b7d14c96965ba1caeda0aa3c65
  SHA256: e4b1a39466e7c4ba37abc436519f97ae1eb9c4da3a694f60b7630111d4ac419f
  SHA512: aabe203db193d175f5123202f19ef9fbaceb2e95f1d560e6c4c9437e9f1286c24c1f310278c69ea61d6a54b0cc4fc35f1897d6b602360d21a94f5170ae7ae41b

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.url
  Filesize: 85B
  MD5: ccf717bc1903d83e0dde16a2f4e4559d
  SHA1: 92e878878deaed3b18523ed9d85dfe699e308628
  SHA256: a83172fd90f6e69a70a6eec56ef95458f06304c86ebb21315d67d95072d16c7b
  SHA512: 0d72aa4b4f87825db94f12846fafd79518effb524e112648f85fe07b0c3a98f87901758932dd886afcd7d216ec642b71475de4a681dfb5b178f282921648a70f

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.vbs
  Filesize: 231B
  MD5: 9d8c4bfbd009c4d6001e2125abaa8b02
  SHA1: cd040558172b5fca5b200447a281843956243741
  SHA256: a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0
  SHA512: c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b2a1398f937474c51a48b347387ee36a
  SHA1: 922a8567f09e68a04233e84e5919043034635949
  SHA256: 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
  SHA512: 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 1ac52e2503cc26baee4322f02f5b8d9c
  SHA1: 38e0cee911f5f2a24888a64780ffdf6fa72207c8
  SHA256: f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
  SHA512: 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: b8d0731e2f49dc2bb6572713f4264a87
  SHA1: 921c98eb88eee5717a5c800ec60be149e4d0a3cb
  SHA256: bc052226d8068cd5bd4f6f2e502fbaa4314891d4812ae9be4d6840357809e536
  SHA512: 4cfb83f637a9130c4fec58377848b8978b8b94b7e0009ea37f481a39cc369e3f807be9752fba35c705c9c9c9bf0ad0c6e6c36899a7b8158af5186f529d9869e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: d03a1af554a825f296a4d654730451dc
  SHA1: 0bd56991775185a4219b2a3cafb31c35bcd70ecc
  SHA256: c0ece313c486d6512b67af6f0a30cd1128216b0775f59bc91800687749420ca6
  SHA512: 707cc1fc2b58a57d032832bf65e462872a4dbe97392ac2a05ab520bc878708154bb4f4af88943450ef89507956b92e7b130224cecf1dcd7904390b7143df1961

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 194af26209b0fc42bdf8c7698fb0eb45
  SHA1: e1aff14a51b5ff325d063dd8590cd72ee64dca24
  SHA256: fd01a0856cc6cd60f3190bdc23290715c8d97e47fffe1bb49211f7a3c4bb2e26
  SHA512: b43e59652d8d9acead86927840de1411fd09cf97e958a5fda0bbca4f09f8abf73408e457a6051cfec845354b1e558e4618c9becde98c4c16eeebe6a78bc849d3

C:\Users\Admin\AppData\Local\Temp\nsd353B.tmp\System.dll
  Filesize: 11KB
  MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
  SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
  SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
  SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

C:\Users\Admin\AppData\Roaming\2.gif
  Filesize: 907B
  MD5: 7d8fe06464db3b31cb3cff59370eee7a
  SHA1: 5966a8ba6a9a84e12eb42c85c800d96eb310483b
  SHA256: 03a5111fb4ab54d731271991ade518fb435d973c92a14772ccba0897e25e640a
  SHA512: 694ff8a15e1902b9a927b46b8566138ac31cd4617f18cc8a2cc3c9139b10c21eaecab9f2f6c7c4e219327a8247f18a445c0cc3ba2cdd8f033cb299b78639bdcb

C:\Users\Admin\AppData\Roaming\26.svg
  Filesize: 1KB
  MD5: 47a79f6b53517a55fe36724f81469efe
  SHA1: 71296cca083a0b50a7e8ffb08f0d8f51dd1dd9d6
  SHA256: 9e3641ed276a521c02d7947dcc1f6053298a26e2f6c4815563cfa2aa36a0902e
  SHA512: 106c5d8d956b0ef84a7eb6a0b2e4f4ef95f097d31437c5c189a84621ba0b685d14c3c630e3675b318a9454b499aff02648f3ea28eaef2b2baf18461bbb33e38f

C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05172015040008.xml
  Filesize: 1KB
  MD5: 6b4c09a2ef0528c2998ac0bc19757af2
  SHA1: 51cdd849771499a0de0d8cce746fddd5d177d4bf
  SHA256: d5fa42c3b71d032313cb07595432f8e177fd77cfe2ef026dc7dc114576415c5b
  SHA512: f63f32f550d456bf2227c41be3c891f492937714309e8b91d663267bf0a2f8403c7056dad53f008acf9b34951a2bd3d800ba1187daecae9e89057786d4a7c28b

C:\Users\Admin\AppData\Roaming\412.htm
  Filesize: 1KB
  MD5: 762b8a05975cdf24fb3e7473f1e2b9e3
  SHA1: 3af16a6a4ccb39a9aad888c78267ad07b615bcf5
  SHA256: ae6f77b15cdbf802bf06496ebbbd27718f15c99739048e2d065026e90f0919fd
  SHA512: 8c5600e31862ff99eae1e2b0ed2666f3f758d39ac84b5d08baea770a7487d0796be07de22ceceb0a556604703ce156c657408fc1b839fdba37f839fb04c08322

C:\Users\Admin\AppData\Roaming\500-15.htm
  Filesize: 1KB
  MD5: 717c0ab650644d871db6f259347a11f9
  SHA1: e4dcc903de38e4497a4735739ccb725766664241
  SHA256: 098c2af6ac5bbe1323cc25d35e8cc5e79be50a064f898e0574505e11788cae94
  SHA512: dd593ec5253e44388dbfda33e948e5f5ef61a064e0719944ca1b16784dce2489eb0a480083d7a116342636b115c7a43c85a04e9eda13aea2c74e3f58ac604e3b

C:\Users\Admin\AppData\Roaming\Adobe-CNS1-0
  Filesize: 3KB
  MD5: 98117545fe9a800c71c33cf92cf9be1b
  SHA1: e5aedcbbccfde97dba8d4c1e64e6cbb8566cf441
  SHA256: a349c99568003e7910751c6de3d5f8f2e6a32231c4e6041d1db953fb9e27731b
  SHA512: 5342fc1507337793c199fe3539a43b5b9c5a139c6f4d7fc3a884891db48cf38a37c5e99145ca49419ea2bba1bdccc6999c04a8746cf46e1d296f3b32f8a454ff

C:\Users\Admin\AppData\Roaming\AsteroidVertexShaderInstanced.hlsl
  Filesize: 1KB
  MD5: fe97ee17f001e5724ef103754fb32f7e
  SHA1: b12ad571d8201d5584446c20df7302947b94ae5e
SHA256c44863944bc085c1c8af13b0d22d79f44689c0dcaa19dfefcab8532906baf27c
SHA51230cb641808fd1959915a0e1fbcf45da3be5630f1df0a859377737e9651bd56ab1fdf2d94594233f36a093ee74d919a102e3e2ae2a66947c109c9780ed31d10b2
-
C:\Users\Admin\AppData\Roaming\CDRom.dllFilesize
10KB
MD587458a5d77ab92e141e7700ea2583b3d
SHA12d4b7ee89a6cf63e2e21d0822598ed926d938ab3
SHA25621958292b4577a18228dd8d1ad800753134c751758398691245d17c9967ffd30
SHA5125581e5d81c3ba7537dcfdcb650e79ad27e6c433578b1d499cb25086b59ae92e0012e7bf0cef863f0eaf28d5ac9cc7dd26a175500797720d4fe2d49f136e2e92a
-
C:\Users\Admin\AppData\Roaming\ConflictingProcessesFilesize
33B
MD51f3bc75daaf847977f7cf3529e4c48df
SHA1f4dc15cada37c0eb4277dfb13f054c0c4e26f381
SHA256d4368f7873c76dc461ffbcea9c96ec52db4de2e97f0c02762b78b5af1d1b4678
SHA51201fee9822070f4413f7125e94a82794861da82f5d77dec0e3a1b6db90f605fc25f07926ef0fb4792e8e910cc90b868a89a50b16d5119084fe7c8ad8fa89df87d
-
C:\Users\Admin\AppData\Roaming\Escarp.mnvFilesize
125KB
MD51e31f35e85c9a3948ac21067f41c264f
SHA182f48efa206380a5e89eb9d5a01d2c3460fb4fee
SHA25650620ab403cb9a7b39f31a4e1d0f8081e1859c9c0a34658b4c56041149232a2b
SHA512130dec64ebdfc083aeeceff195ae70d9159a90038d1b053a4befe07fe1bafb6b157f5ddf78c50d186c9410264e7ea2f7e78c180061908d922f130f4fa238cef9
-
C:\Users\Admin\AppData\Roaming\ExampleObj2XML.javaFilesize
4KB
MD5cd0452ce0dba54ffdc3ed9853a2e7c1c
SHA19bac6a39c5ae514c3168ac4396b986636139633b
SHA256abd6d9f494ea80c4050eaf04cb50f2813bbc9b587d45db47488fae5dd978eb06
SHA512bdcd6cfed2ede3411bfb11d844101c462c8fb869105dbb32403bb464d2498c6cffe3dc8a546d40682174a0fe882624a996c8f0ff0386cf0d3488061805cdc002
-
C:\Users\Admin\AppData\Roaming\Intertexture.4MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Intertexture.4Filesize
3KB
MD52dbc9a99be65f59024f14bd20f67417d
SHA13a42697cd2790da75713cccf81a1976c78da5abe
SHA2561d66d9570cb69bf6b0a3a4cdba1e848015fff4c668f5e24d0f63ef306a3e77dc
SHA512998122a6077b81acc2475e8c7d5b7ae4bfbc91a763e83395fbe96d981c6de8c83b3bf671938c126691aff0db3d9224c4d9b5d6ee12155011b26e89abd2d6a320
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\label.lnkFilesize
1KB
MD5a7a8ca0d222e78f0b1fe0a65d8e59776
SHA1562235d90ca0e8546b548a5e33ca0856c60db195
SHA256f9637ee021695e87e8f1cb2bb47c5d108b37ecc94fe8e77a0cdb5b9062158496
SHA5129bd25211b82f3dbd3ea2a7992810713c2191525b433719a065cd3818973037ff226f0fda3e32f0ee1fc9cb416133751305fd8d891f5a9bf458293216563a68b2
-
C:\Users\Admin\AppData\Roaming\action_center.pngFilesize
1KB
MD5e63b3d79ef21e80350c7b1f2dd7267a8
SHA155809d306007998b3dcecaad783ddff864addeae
SHA256c63e1881be15d5352f089fa87c8f1eff802ab1bb763c5e00e664a4d099bab6fc
SHA51210fd852b5e6f9d80f120427e705186097453bba35bf723122badf51fb5071d379c2ba1c10ac1636bb860fa9663891cc273249e52468ec0affb514125e8f9f1e0
-
C:\Users\Admin\AppData\Roaming\appIcon.pngFilesize
4KB
MD5bbe9120f8e0841c852a94d08e9cd9878
SHA1feb75c97961a446431ad9b377210e84bd8e896ab
SHA25699e6e61959baaea9d044e6bee5dd53efcf112d913b25f0dfa2936f7a4edc299a
SHA51278f56704d8f3dbcddf023718a4db94f21394a91eefb15ee08b6428bd622f0b14986a292a334c5657e18cf5f68db694e485e53ddcf8d99996a7c257fd62bc6097
-
C:\Users\Admin\AppData\Roaming\appendix.autolabel.xmlFilesize
2KB
MD5d009a4291e99eb0acc463d103fd186d6
SHA1852fe5f187cf340e8c1b8d5867339b4798c532c1
SHA256589eb103d741402ee76a4e75413d400375adda6e96f7f420e3ca69e4b210cc6f
SHA512816f55df21b5ecc298f9bae9f743e4534f2987188912cd43bd237ea5a3c533398af2ff28826226b7ef3bbd31127f1bad9dd4f435467ccb4a8db410a94ac25d27
-
C:\Users\Admin\AppData\Roaming\bibliography.numbered.xmlFilesize
911B
MD59c8aeaf281f10c5ea0bf02791afb54f2
SHA1fc613c7e8691fb0b83ec9fa71de62fd08a3da8cc
SHA256a340c62b234faeaee7011e435cfca4ccbb7021aad1dd4d77e89240d8da503e3d
SHA512ec81f6eeadba2208ad14327de2a226c940542cb858b6fe5c34df2bce1d22d0ad0a6ada80344a14d516359f6e88851a75eaaac4052aa95d4424c327bea308c226
-
C:\Users\Admin\AppData\Roaming\blue 286 bl 2.ADOFilesize
524B
MD5a4c0299e39c677afd7a7517d2980bf15
SHA18748961f6bda83bec226430bf60589d6b2344211
SHA2565b2da553b3587b710311b4b6318464456cbb2cdfd1c8bd7a831b3bb36aa8ca23
SHA5121e0491cbb298f18b192e96d23fd629739ea48de85ee1b7ed3a7e96a3a645d1ca8471580b6bb0545f10d0edc845612d002920071870bf69a7c90ed9705f8f52d1
-
C:\Users\Admin\AppData\Roaming\cert.cerFilesize
1KB
MD527b82a7a73d2a5ad04f3ae7471f490b5
SHA195359916fa95d0b523293e11f84ca683afc9f7ef
SHA25695489873b5c2a844583cc2a5e63fe276adfd51067bad9c051f42557f1f5b8426
SHA5127f74e1c2cb0d5755dc2a68d4926a75b6af065c9b578d0f4ef1a9bb2c1e1da0f8c4cee91505cb5489e004f880728269723c6bc0e4fd6dd7a53064fa8e48c4b40e
-
C:\Users\Admin\AppData\Roaming\column.gap.front.xmlFilesize
956B
MD57bc409b7645ec7b8da88d7476af3d3bc
SHA149a73eb68fbbfbbfa799f695703b9a4b0605b91e
SHA256e1973a32a2a0b16dda8a813c1d1096ac0e91224fbe25d16667ee93e8b76f8c6e
SHA5120c9aaf3a4ea70d918587ce30917dcc9219a687a30b8b68fbe5969ca6136e5adc919e55d92d79fbe39f73ec3c758fb7487bcf615241948ba054fdd68043edccad
-
C:\Users\Admin\AppData\Roaming\defaultProfilerFilter_restorepoints.xmlFilesize
592B
MD5b14872001828a70ca9f8cb55f37d8e7f
SHA1ceec1f59f82ef6991eeb3f931707716f76ae4c38
SHA2569ca7847addfc688efad2575b3c949fd296890731b3865cd7aeef3166a3a9b900
SHA51221a5d902d045ce1eb73c8f8e5183152445bb95eaf2b24b76a21f32e39be801f2ab19e7b90743de2926afc12334fe168230effe24d622ca2816ed039f30080f79
-
C:\Users\Admin\AppData\Roaming\desktop_settings.pngFilesize
1KB
MD530d4b351117ef25ded894659f14d5c37
SHA13037e0929a310cb6f88c1898efe0f3ddd0d09c61
SHA25603b3920409fbd4158c298fe98e5ddfd4f61871cbaf1f83bfe7efd6f4c1855152
SHA5126fd014f3fdb693c947fbc6fb8df68d7647ede489108719f84081d2ce1e96ec5afc2c2a28ccb0257f9f9af9239f930d22711ffe1743a5c9765289d341abc86d8f
-
C:\Users\Admin\AppData\Roaming\doc_to_html.xslFilesize
423B
MD5cb43650edd662a8f3db2032c0d55c3f3
SHA11544d7f37cf53169191c845187b1b02be0372479
SHA25638187ff4172798fe3ca79b1119e1d7d64968bccd147105b937db86e5298d6a13
SHA512dd7ff292f86ecac1ab859f1e9c3780dfeb2f5421738470d0e02a39a9b7e000956a915397b919438b215cd274a3e88d8141838f7a89f114dc97ddccc58f34fa53
-
C:\Users\Admin\AppData\Roaming\download_9.icoFilesize
2KB
MD5abff65be1893e7978dd0b6e1bdb42d23
SHA1ae69e505a80403424311c1bfa3dc2874f5c37d6d
SHA256a1231846b1bf79751d6c5f29dedb7326895761c892ee9fe523f03121bb6e580d
SHA5122006d68a1f536e12f851a9181b94da271f6ae3b9d47722620aa3ce2c964db82fbe46e2bb93310e5f2d5ecc413df61d08b4444a1f3bcf4126065864c6f5638748
-
C:\Users\Admin\AppData\Roaming\error-2.pngFilesize
4KB
MD503bb2810172dbaec0061344c74909121
SHA15f865501f722f0f7438f0fa8b41cf39797f939d0
SHA256c82b31f78c0b8231e00186c1ce03c14fbf2fe830a89e231bb089f1f84decdc0d
SHA512ab99ee2cc7e9222a7d7d44fd66f1ea5ed8d862eacdaf946a43d94f06e75e93d90a83c45bbe92da8885cb373cd5b6f60c199f6f3bb854c7822bc1a46cc282631c
-
C:\Users\Admin\AppData\Roaming\f16.pngFilesize
1KB
MD504e342c4c897da1280973c56fdfa4017
SHA1b035ecefbb20dbf906fe3dcee8bc39e8341f8346
SHA25614130d579b728d41dddeead049bd96a1fa1b41a93bf0de5776164ce467e47790
SHA512aaaaa5f84671de83a894bd5531a0f8dc842763023352db3a74dba9629beaa0020a1bcfd0d6a83752338a13b862cdb69dcf26c6ee4df0c26db0a99a61bf77ab39
-
C:\Users\Admin\AppData\Roaming\f36.pngFilesize
1KB
MD5d8aeb2d62490a438ab2eef0016c79b68
SHA1ee14175e6dee1283d62260605ea1ee4769e0e67f
SHA2562fbf742695cc09d871ee943f7115136e33236a31a56f8a27a03bff46391a5bb6
SHA5127de1aae2d9e87632fc09eeea3ebc6f1038049590bc97d82af74f03f0587c8ccf8675e75a8bf19b0e632b26a7a0ba21ca3b2ad9c5f6374916c327b62074adc6d3
-
C:\Users\Admin\AppData\Roaming\forrest-credit-logo.pngFilesize
4KB
MD516c7c07e2b54a06d72db929643c7693e
SHA1dfb1cdd39ad9aeca1dbdec2a2adc88b762f1ad13
SHA256f9bff20afb094c9035335c27b2a77e8ff80e5b4aa5183281ae88572b030d7c6b
SHA51293eeb5260857dd04aaee75f8cfa8538c6134eb8b8bd44ba3b4839dfd014cfd16c3c971eb07173c64376ae0d7a5c975c878356d8baba3d0630224b9ba8ee890ff
-
C:\Users\Admin\AppData\Roaming\g1_1136 x 640 px 144 ppi.IMZFilesize
46B
MD5af3bc9f93007146857ec5a55e32702c6
SHA142cc41386c2709a53b8ffa4552790e164e4db59f
SHA256c552f73678b4e4d8a9c28600a4a3a3a611e2badc2c9f91ce23ba734e6f7a4858
SHA51219f2908f53b74778ae8fbf2b25efb9a05871e114382601cc6092335eb9b0fa90da10cff4384bca946297f4334c26e421b176dbda7ba0c6fd0ff3e81851701fe7
-
C:\Users\Admin\AppData\Roaming\glossdef.block.properties.xmlFilesize
1KB
MD508db45baad2609606ec0a40b6acb6ba7
SHA111ead502e7d2715a13e259a2b7153107db67d837
SHA2568a3a0aac4b5a5a33899ef1f56ab60d959972c40b9faf4eabb6ff2962b5e157ef
SHA51237f4290a10b7dfc5e214292dc6eb9f9dba372141030d684dbbcb47b5834cfbd77b002fa93121485314dbdcee66ba6338c0571648bc1d99a9485ecceb2caeeae1
-
C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\label.exeFilesize
203KB
MD53c4e73f8346f6040a61543da072f0e0a
SHA175c75fa47a6d09eb0a5b40d0d6fc5675a0246040
SHA256478765a2dd947d1539117b672b1eb77fc5aaea020764ba954acf65e3e480a7e9
SHA512a888c53f14ce166ba53a78bb395c0d4cb62888ee463c66e094966225428dea2e05ab2d8ce4ae19b8468b8146a8e263eb0f7a8edd0dd353657df123aabdf430b2
-