Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-05-2024 18:52

General

  • Target

    4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe

  • Size

    217KB

  • MD5

    4293cb973c261b7c3a8b8d020406c21a

  • SHA1

    93baf6c2dffff4265f810207e8a3e9fe223d4a6d

  • SHA256

    e12a0e6fecd5d164d2675400765304978347e5906be34f4ab166e32de37e71e7

  • SHA512

    608ee092198ceae5dcd07586219ed3fbbfff47b84e9c9280494b072430017227085ecc5f8654f8d10c5cbc3a9824a706fdb9f5242d69c10e5b84edbf0375547b

  • SSDEEP

    6144:Bg1KQjoFBs04ikLiwlUgrdV4OK2k9Joa6uAdk3d5avV:jFBSJiw5j5K2uJWWe9

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E

#########################################################################

Cannot you find the files you need?
Is the content of the files that you looked for not readable?

It is normal because the files' names, as well as the data in your files have been encrypted.

Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.

#########################################################################

!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.

#########################################################################

What is encryption?
-------------------

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.

To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

#########################################################################

Everything is clear for me but what should I do?
------------------------------------------------

The first step is reading these instructions to the end.

Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.

After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.

Finally it will be impossible to decrypt your files.

When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

#########################################################################

!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.

#########################################################################

For your information the software to decrypt your files (as well as the private key provided together) are paid products.

After purchase of the software package you will be able to:

1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

#########################################################################

There is a list of temporary addresses to go on your personal page below:

1. http://cerberhhyed5frqa.xmfir0.win/8968-5556-3D65-006D-FCFE
2. http://cerberhhyed5frqa.gkfit9.win/8968-5556-3D65-006D-FCFE
3. http://cerberhhyed5frqa.305iot.win/8968-5556-3D65-006D-FCFE
4. http://cerberhhyed5frqa.dkrti5.win/8968-5556-3D65-006D-FCFE
5. http://cerberhhyed5frqa.cneo59.win/8968-5556-3D65-006D-FCFE

#########################################################################

What should you do with these addresses?
----------------------------------------

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):

1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/8968-5556-3D65-006D-FCFE);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/8968-5556-3D65-006D-FCFE appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:

1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/8968-5556-3D65-006D-FCFE);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

#########################################################################

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.

Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://cerberhhyed5frqa.onion/8968-5556-3D65-006D-FCFE in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

#########################################################################

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only.

The instructions are made in two file formats - HTML and TXT for your convenience.

Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.

The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

#########################################################################

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.

The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.

Together we make the Internet a better and safer place.

#########################################################################

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

#########################################################################

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Contacts a large (16392) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ndadmin.exe
        "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ndadmin.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ndadmin.exe
          "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ndadmin.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2668
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1084
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2880
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2312
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1604
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1180
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:406530 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1444
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
              PID:952
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
              5⤵
                PID:2064
              • C:\Windows\system32\cmd.exe
                /d /c taskkill /t /f /im "ndadmin.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ndadmin.exe" > NUL
                5⤵
                  PID:880
                  • C:\Windows\system32\taskkill.exe
                    taskkill /t /f /im "ndadmin.exe"
                    6⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:584
                  • C:\Windows\system32\PING.EXE
                    ping -n 1 127.0.0.1
                    6⤵
                    • Runs ping.exe
                    PID:1480
            • C:\Windows\SysWOW64\cmd.exe
              /d /c taskkill /t /f /im "4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe" > NUL
              3⤵
              • Deletes itself
              • Suspicious use of WriteProcessMemory
              PID:2400
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /t /f /im "4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe"
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2520
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 1 127.0.0.1
                4⤵
                • Runs ping.exe
                PID:1860
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1844
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:275457 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2540
        • C:\Windows\SysWOW64\DllHost.exe
          C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
          1⤵
            PID:2144

          MITRE ATT&CK Matrix ATT&CK v13

          Execution
            • Windows Management Instrumentation: 1 (T1047)

          Persistence
            • Boot or Logon Autostart Execution: 2 (T1547)
              • Registry Run Keys / Startup Folder: 2 (T1547.001)

          Privilege Escalation
            • Boot or Logon Autostart Execution: 2 (T1547)
              • Registry Run Keys / Startup Folder: 2 (T1547.001)

          Defense Evasion
            • Indicator Removal: 2 (T1070)
              • File Deletion: 2 (T1070.004)
            • Modify Registry: 4 (T1112)

          Credential Access
            • Unsecured Credentials: 1 (T1552)
              • Credentials In Files: 1 (T1552.001)

          Discovery
            • Network Service Discovery: 2 (T1046)
            • System Information Discovery: 2 (T1082)
            • Remote System Discovery: 1 (T1018)

          Collection
            • Data from Local System: 1 (T1005)

          Impact
            • Inhibit System Recovery: 3 (T1490)
            • Defacement: 1 (T1491)

          Downloads

          • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
            Filesize

            85B


          • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
            Filesize

            225B

          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
            Filesize

            12KB

          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
            Filesize

            10KB

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
            Filesize

            914B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            68KB

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
            Filesize

            1KB

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
            Filesize

            252B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
            Filesize

            242B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
            Filesize

            4KB

          • C:\Users\Admin\AppData\Local\Temp\TarBA50.tmp
            Filesize

            177KB

          • C:\Users\Admin\AppData\Roaming\10.gif
            Filesize

            929B

          • C:\Users\Admin\AppData\Roaming\10.gif
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\15.svg
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\15.svg
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\19.svg
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\19.svg
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\78-V
            Filesize

            3KB

          • C:\Users\Admin\AppData\Roaming\90-synthetic.conf
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\Amman
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\Andorra
            Filesize

            968B

          • C:\Users\Admin\AppData\Roaming\BCY green 2.ADO
            Filesize

            524B

          • C:\Users\Admin\AppData\Roaming\BCY green 4.ADO
            Filesize

            524B

          • C:\Users\Admin\AppData\Roaming\BadBits.mm
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\Bahia
            Filesize

            553B

          • C:\Users\Admin\AppData\Roaming\Bl 334 green 437 mauve.ADO
            Filesize

            524B

          • C:\Users\Admin\AppData\Roaming\Bl 430 493 557.ADO
            Filesize

            524B

          • C:\Users\Admin\AppData\Roaming\CMYK cool.ADO
            Filesize

            524B

          • C:\Users\Admin\AppData\Roaming\Chicago

          • C:\Users\Admin\AppData\Roaming\Compressibility.mm
            Filesize

            2KB

          • C:\Users\Admin\AppData\Roaming\Dubai
            Filesize

            65B

          • C:\Users\Admin\AppData\Roaming\ETen-B5-V
            Filesize

            3KB

          • C:\Users\Admin\AppData\Roaming\Fakaofo
            Filesize

            77B

          • C:\Users\Admin\AppData\Roaming\Godthab
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\LexSurgeoncy.FV8
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ndadmin.lnk
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\Sissy.K
            Filesize

            123KB

          • C:\Users\Admin\AppData\Roaming\active.toc.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\active.toc.xml
            Filesize

            958B

          • C:\Users\Admin\AppData\Roaming\alien.jpg
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\alien.jpg
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\axf.extensions.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\axf.extensions.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\bn_IN.aff
            Filesize

            197B

          • C:\Users\Admin\AppData\Roaming\boot_path_2.png
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\callout.icon.size.xml
            Filesize

            923B

          • C:\Users\Admin\AppData\Roaming\caution.png
            Filesize

            887B

          • C:\Users\Admin\AppData\Roaming\collect.xref.targets.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\column.gap.back.xml
            Filesize

            944B

          • C:\Users\Admin\AppData\Roaming\component.label.includes.part.label.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\component.title.properties.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\crop.mark.offset.xml
            Filesize

            916B

          • C:\Users\Admin\AppData\Roaming\css.stylesheet.xml
            Filesize

            998B

          • C:\Users\Admin\AppData\Roaming\data_transfer.png
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\desc_en_US.txt
            Filesize

            190B

          • C:\Users\Admin\AppData\Roaming\diagnostics_queued.png
            Filesize

            250B

          • C:\Users\Admin\AppData\Roaming\ebnf.statement.terminator.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\error_1.png
            Filesize

            3KB

          • C:\Users\Admin\AppData\Roaming\et.pak
            Filesize

            4KB

          • C:\Users\Admin\AppData\Roaming\external-link.gif
            Filesize

            71B

          • C:\Users\Admin\AppData\Roaming\f9.png
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\finphon.env
            Filesize

            3KB

          • C:\Users\Admin\AppData\Roaming\flash.icon1.ico
            Filesize

            2KB

          • C:\Users\Admin\AppData\Roaming\g3_11 x 14 in 300 dpi.IMZ
            Filesize

            46B

          • C:\Users\Admin\AppData\Roaming\glossentry.show.acronym.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_nl.csv
            Filesize

            518B

          • \Users\Admin\AppData\Local\Temp\nst530.tmp\System.dll
            Filesize

            11KB

          • \Users\Admin\AppData\Roaming\Dialogs.dll
            Filesize

            73KB

          • \Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ndadmin.exe
            Filesize

            217KB
