Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-05-2024 18:52

General

  • Target

    4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe

  • Size

    217KB

  • MD5

    4293cb973c261b7c3a8b8d020406c21a

  • SHA1

    93baf6c2dffff4265f810207e8a3e9fe223d4a6d

  • SHA256

    e12a0e6fecd5d164d2675400765304978347e5906be34f4ab166e32de37e71e7

  • SHA512

    608ee092198ceae5dcd07586219ed3fbbfff47b84e9c9280494b072430017227085ecc5f8654f8d10c5cbc3a9824a706fdb9f5242d69c10e5b84edbf0375547b

  • SSDEEP

    6144:Bg1KQjoFBs04ikLiwlUgrdV4OK2k9Joa6uAdk3d5avV:jFBSJiw5j5K2uJWWe9

Malware Config

Extracted

Path

C:\Users\Admin\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfir0.win/AD31-9B4A-B753-006D-F262 | | 2. http://cerberhhyed5frqa.gkfit9.win/AD31-9B4A-B753-006D-F262 | | 3. http://cerberhhyed5frqa.305iot.win/AD31-9B4A-B753-006D-F262 | | 4. 
http://cerberhhyed5frqa.dkrti5.win/AD31-9B4A-B753-006D-F262 | | 5. http://cerberhhyed5frqa.cneo59.win/AD31-9B4A-B753-006D-F262 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/AD31-9B4A-B753-006D-F262); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/AD31-9B4A-B753-006D-F262 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/AD31-9B4A-B753-006D-F262); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/AD31-9B4A-B753-006D-F262 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

Extracted

Path

C:\Users\Admin\# DECRYPT MY FILES #.html


Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16397) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\certreq.exe
        "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\certreq.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\certreq.exe
          "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\certreq.exe"
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1380
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4232
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:5044
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb263f46f8,0x7ffb263f4708,0x7ffb263f4718
              6⤵
                PID:2972
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
                6⤵
                  PID:1468
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
                  6⤵
                    PID:236
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
                    6⤵
                      PID:2332
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
                      6⤵
                        PID:1788
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                        6⤵
                          PID:2044
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
                          6⤵
                            PID:1464
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
                            6⤵
                              PID:1552
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                              6⤵
                                PID:3304
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 /prefetch:8
                                6⤵
                                  PID:240
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 /prefetch:8
                                  6⤵
                                    PID:4060
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
                                    6⤵
                                      PID:1248
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
                                      6⤵
                                        PID:1608
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
                                        6⤵
                                          PID:1588
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18026172263759263172,15907193987141614715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
                                          6⤵
                                            PID:2128
                                        • C:\Windows\system32\NOTEPAD.EXE
                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                          5⤵
                                            PID:1064
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xmfir0.win/AD31-9B4A-B753-006D-F262
                                            5⤵
                                              PID:5100
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb263f46f8,0x7ffb263f4708,0x7ffb263f4718
                                                6⤵
                                                  PID:4948
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                                5⤵
                                                  PID:2828
                                                • C:\Windows\system32\cmd.exe
                                                  /d /c taskkill /t /f /im "certreq.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\certreq.exe" > NUL
                                                  5⤵
                                                    PID:3084
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /t /f /im "certreq.exe"
                                                      6⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3604
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 1 127.0.0.1
                                                      6⤵
                                                      • Runs ping.exe
                                                      PID:288
                                              • C:\Windows\SysWOW64\cmd.exe
                                                /d /c taskkill /t /f /im "4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe" > NUL
                                                3⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:4256
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /t /f /im "4293cb973c261b7c3a8b8d020406c21a_JaffaCakes118.exe"
                                                  4⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3264
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping -n 1 127.0.0.1
                                                  4⤵
                                                  • Runs ping.exe
                                                  PID:1036
                                          • C:\Windows\system32\vssvc.exe
                                            C:\Windows\system32\vssvc.exe
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1192
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:3416
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:1556
                                              • C:\Windows\system32\AUDIODG.EXE
                                                C:\Windows\system32\AUDIODG.EXE 0x390 0x508
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2108

                                              MITRE ATT&CK Matrix (ATT&CK v13)

                                              Execution
                                              • Windows Management Instrumentation (T1047): 1

                                              Persistence
                                              • Boot or Logon Autostart Execution (T1547): 2
                                                • Registry Run Keys / Startup Folder (T1547.001): 2

                                              Privilege Escalation
                                              • Boot or Logon Autostart Execution (T1547): 2
                                                • Registry Run Keys / Startup Folder (T1547.001): 2

                                              Defense Evasion
                                              • Indicator Removal (T1070): 2
                                                • File Deletion (T1070.004): 2
                                              • Modify Registry (T1112): 3

                                              Credential Access
                                              • Unsecured Credentials (T1552): 1
                                                • Credentials In Files (T1552.001): 1

                                              Discovery
                                              • Network Service Discovery (T1046): 2
                                              • Query Registry (T1012): 2
                                              • System Information Discovery (T1082): 3
                                              • Remote System Discovery (T1018): 1

                                              Collection
                                              • Data from Local System (T1005): 1

                                              Impact
                                              • Inhibit System Recovery (T1490): 2
                                              • Defacement (T1491): 1

                                              Downloads

                                              • C:\Users\Admin\# DECRYPT MY FILES #.html
                                                Filesize

                                                12KB

                                              • C:\Users\Admin\# DECRYPT MY FILES #.txt
                                                Filesize

                                                10KB

                                              • C:\Users\Admin\# DECRYPT MY FILES #.url
                                                Filesize

                                                85B

                                              • C:\Users\Admin\# DECRYPT MY FILES #.vbs
                                                Filesize

                                                225B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                Filesize

                                                16B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                11KB

                                              • C:\Users\Admin\AppData\Local\Temp\nsb6320.tmp\System.dll
                                                Filesize

                                                11KB

                                              • C:\Users\Admin\AppData\Roaming\10.gif
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\10.gif
                                                Filesize

                                                929B

                                              • C:\Users\Admin\AppData\Roaming\15.svg
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\15.svg
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\19.svg
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\19.svg
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\78-V
                                                Filesize

                                                3KB

                                              • C:\Users\Admin\AppData\Roaming\90-synthetic.conf
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\Amman
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\Andorra
                                                Filesize

                                                968B

                                              • C:\Users\Admin\AppData\Roaming\BCY green 2.ADO
                                                Filesize

                                                524B

                                              • C:\Users\Admin\AppData\Roaming\BCY green 4.ADO
                                                Filesize

                                                524B

                                              • C:\Users\Admin\AppData\Roaming\BadBits.mm
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\Bahia
                                                Filesize

                                                553B

                                              • C:\Users\Admin\AppData\Roaming\Bl 334 green 437 mauve.ADO
                                                Filesize

                                                524B

                                              • C:\Users\Admin\AppData\Roaming\Bl 430 493 557.ADO
                                                Filesize

                                                524B

                                              • C:\Users\Admin\AppData\Roaming\CMYK cool.ADO
                                                Filesize

                                                524B

                                              • C:\Users\Admin\AppData\Roaming\Chicago
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\Compressibility.mm
                                                Filesize

                                                2KB

                                              • C:\Users\Admin\AppData\Roaming\Dialogs.dll
                                                Filesize

                                                73KB

                                              • C:\Users\Admin\AppData\Roaming\Dubai
                                                Filesize

                                                65B

                                              • C:\Users\Admin\AppData\Roaming\ETen-B5-V
                                                Filesize

                                                3KB

                                              • C:\Users\Admin\AppData\Roaming\Fakaofo
                                                Filesize

                                                77B

                                              • C:\Users\Admin\AppData\Roaming\Godthab
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\LexSurgeoncy.FV8
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\certreq.lnk
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\Sissy.K
                                                Filesize

                                                123KB

                                              • C:\Users\Admin\AppData\Roaming\active.toc.xml
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\active.toc.xml
                                                Filesize

                                                958B

                                              • C:\Users\Admin\AppData\Roaming\alien.jpg
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\alien.jpg
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\axf.extensions.xml
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\bn_IN.aff
                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Roaming\boot_path_2.png
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\callout.icon.size.xml
                                                Filesize

                                                923B

                                              • C:\Users\Admin\AppData\Roaming\caution.png
                                                Filesize

                                                887B

                                              • C:\Users\Admin\AppData\Roaming\collect.xref.targets.xml
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\column.gap.back.xml
                                                Filesize

                                                944B

                                              • C:\Users\Admin\AppData\Roaming\component.label.includes.part.label.xml
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\component.title.properties.xml
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\crop.mark.offset.xml
                                                Filesize

                                                916B

                                              • C:\Users\Admin\AppData\Roaming\css.stylesheet.xml
                                                Filesize

                                                998B

                                              • C:\Users\Admin\AppData\Roaming\data_transfer.png
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\desc_en_US.txt
                                                Filesize

                                                190B

                                              • C:\Users\Admin\AppData\Roaming\diagnostics_queued.png
                                                Filesize

                                                250B

                                              • C:\Users\Admin\AppData\Roaming\ebnf.statement.terminator.xml
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\error_1.png
                                                Filesize

                                                3KB

                                              • C:\Users\Admin\AppData\Roaming\et.pak
                                                Filesize

                                                4KB

                                              • C:\Users\Admin\AppData\Roaming\external-link.gif
                                                Filesize

                                                71B

                                              • C:\Users\Admin\AppData\Roaming\f9.png
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\finphon.env
                                                Filesize

                                                3KB

                                              • C:\Users\Admin\AppData\Roaming\flash.icon1.ico
                                                Filesize

                                                2KB

                                              • C:\Users\Admin\AppData\Roaming\g3_11 x 14 in 300 dpi.IMZ
                                                Filesize

                                                46B

                                              • C:\Users\Admin\AppData\Roaming\glossentry.show.acronym.xml
                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_nl.csv
                                                Filesize

                                                518B

                                              • C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\certreq.exe
                                                Filesize

                                                217KB

                                                MD5

                                                4293cb973c261b7c3a8b8d020406c21a

                                                SHA1

                                                93baf6c2dffff4265f810207e8a3e9fe223d4a6d

                                                SHA256

                                                e12a0e6fecd5d164d2675400765304978347e5906be34f4ab166e32de37e71e7

                                                SHA512

                                                608ee092198ceae5dcd07586219ed3fbbfff47b84e9c9280494b072430017227085ecc5f8654f8d10c5cbc3a9824a706fdb9f5242d69c10e5b84edbf0375547b
