Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    15-05-2024 17:32

General

  • Target

    4741333a78be539951c661ddbd47442f_JaffaCakes118.exe

  • Size

    225KB

  • MD5

    4741333a78be539951c661ddbd47442f

  • SHA1

    e642cbf75a235b76f2f7ec6b8222d21ec518ed98

  • SHA256

    5fb92c512e17ae11f78d2c8eca04440fd89bd32e0b0bcca3d86784f7ab5581e4

  • SHA512

    2b159ae11a567060ac0e17fa85da98ac334cdf1b6edc1d4179bfa879116e15349003d657abc2555b1b13240e40541c3bd3e69ff282cc1b4edf6f1bc3caac3a24

  • SSDEEP

    6144:Mg1KQjoGwizt5vq/vPWLbxOSin2cNUt+J+gr:SGws2+LISi2E0+Jxr

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.
But not only it.
It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.
After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
1. http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A
2. http://cerberhhyed5frqa.gkfit9.win/0431-A279-F511-006D-FE2A
3. http://cerberhhyed5frqa.305iot.win/0431-A279-F511-006D-FE2A
4. http://cerberhhyed5frqa.dkrti5.win/0431-A279-F511-006D-FE2A
5. http://cerberhhyed5frqa.cneo59.win/0431-A279-F511-006D-FE2A
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address
   http://cerberhhyed5frqa.onion/0431-A279-F511-006D-FE2A
   in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for your convenience.
Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.
The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.
The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A

http://cerberhhyed5frqa.gkfit9.win/0431-A279-F511-006D-FE2A

http://cerberhhyed5frqa.305iot.win/0431-A279-F511-006D-FE2A

http://cerberhhyed5frqa.dkrti5.win/0431-A279-F511-006D-FE2A

http://cerberhhyed5frqa.cneo59.win/0431-A279-F511-006D-FE2A

http://cerberhhyed5frqa.onion/0431-A279-F511-006D-FE2A

Extracted

Path

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A" target="_blank">http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/0431-A279-F511-006D-FE2A" target="_blank">http://cerberhhyed5frqa.gkfit9.win/0431-A279-F511-006D-FE2A</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/0431-A279-F511-006D-FE2A" target="_blank">http://cerberhhyed5frqa.305iot.win/0431-A279-F511-006D-FE2A</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/0431-A279-F511-006D-FE2A" target="_blank">http://cerberhhyed5frqa.dkrti5.win/0431-A279-F511-006D-FE2A</a></li> <li><a href="http://cerberhhyed5frqa.cneo59.win/0431-A279-F511-006D-FE2A" target="_blank">http://cerberhhyed5frqa.cneo59.win/0431-A279-F511-006D-FE2A</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A" target="_blank">http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A" target="_blank">http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A" target="_blank">http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/0431-A279-F511-006D-FE2A</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>
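The two extracted notes above carry the same indicators: five throwaway .win gateways that all reuse the Tor service name cerberhhyed5frqa as their leftmost label, one .onion, and a victim ID that is the URL path. The following Python is an added example for pulling those out of a note in a triage pipeline; it is not part of the sandbox report or of Cerber's own code. The note text is a constructed excerpt of the TXT note, the TLD list in CERBER_HOST_RE is an assumption that covers the .win gateways seen here, and the defanging format is a reporting convention, not something the sample emits. The labels field exists to catch a note whose URLs point at more than one Tor service, which would mean two notes were mixed or the note was tampered with.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt modelled on the "# DECRYPT MY FILES #.txt" note in this report
# (a few lines only, keeping the prose punctuation that gets glued onto URLs in such notes).
SAMPLE_NOTE = """\
There is a list of temporary addresses to go on your personal page below:
| 1. http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A |
| 2. http://cerberhhyed5frqa.gkfit9.win/0431-A279-F511-006D-FE2A |
| 3. http://cerberhhyed5frqa.305iot.win/0431-A279-F511-006D-FE2A |
take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A);
enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar
type or copy the address http://cerberhhyed5frqa.onion/0431-A279-F511-006D-FE2A in this browser address bar
please, visit https://www.youtube.com/ and type request in the search bar
"""

URL_RE = re.compile(r"https?://[^\s<>\"'|]+")
# Cerber reuses its 16-character Tor service name as the leftmost label of throwaway
# clearnet gateway domains; the TLD list is an assumption covering the .win gateways seen here.
CERBER_HOST_RE = re.compile(r"^(?P<label>[a-z2-7]{16})\.(?:[a-z0-9]+\.(?:win|top|bid)|onion)$")
# The victim/campaign ID is the URL path: five dash-separated groups of four hex digits.
VICTIM_ID_RE = re.compile(r"^/(?P<vid>[0-9A-F]{4}(?:-[0-9A-F]{4}){4})/?$")


def defang(url: str) -> str:
    """Render a URL non-clickable for reports: http -> hxxp and '.' -> '[.]' in the host."""
    parts = urlsplit(url)
    return f"{parts.scheme.replace('http', 'hxxp')}://{parts.netloc.replace('.', '[.]')}{parts.path}"


def extract_cerber_iocs(note: str) -> dict:
    """Pull gateway hosts, the onion service and the victim ID out of a Cerber note.

    gateways  - sorted, defanged clearnet gateway hosts
    onion     - defanged .onion host, or None
    labels    - distinct Tor service labels seen (should be exactly one)
    victim_id - the path token shared by the gateway URLs, or None
    conflicts - any victim IDs that disagree with the first one seen
    other     - non-Cerber URLs in the note (Tor download, YouTube), sorted
    """
    gateways, labels, other, victim_ids = set(), set(), set(), []
    onion = None
    for raw in URL_RE.findall(note):
        url = raw.rstrip(").,;")                 # prose punctuation glued to the URL
        parts = urlsplit(url)
        host = parts.netloc.lower()
        m = CERBER_HOST_RE.match(host)
        if not m:
            other.add(url)
            continue
        labels.add(m["label"])
        if host.endswith(".onion"):
            onion = host.replace(".", "[.]")
        else:
            gateways.add(host.replace(".", "[.]"))
        vm = VICTIM_ID_RE.match(parts.path)
        if vm:
            victim_ids.append(vm["vid"])
    victim_id = victim_ids[0] if victim_ids else None
    return {
        "gateways": sorted(gateways),
        "onion": onion,
        "labels": sorted(labels),
        "victim_id": victim_id,
        "conflicts": sorted({v for v in victim_ids if v != victim_id}),
        "other": sorted(other),
    }


if __name__ == "__main__":
    for key, value in extract_cerber_iocs(SAMPLE_NOTE).items():
        print(f"{key:10} {value}")
```

Run it against the full note body and feed gateways and onion to blocklists; the victim ID is what the payment site keys on, so it is the value to pivot on when several hosts in one estate drop notes.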

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

  • Contacts a large number (16404) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber the count is also consistent with the family's documented habit of spraying UDP statistics packets across a whole IP range (a /18 is 16384 addresses), so check the capture for one-way UDP to sequential addresses before treating it as service discovery.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services; with this family the flows are more likely the per-destination sends of the UDP spray noted above.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check; Cerber is documented to exit without encrypting on systems set to certain former Soviet countries.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials; check which process in the tree performed the reads, since the browser launched to display the ransom note also touches its own profile files.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
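The shadow-copy and ransom-note signatures above map to three command lines in the process tree below: vssadmin.exe delete shadows /all /quiet and wmic.exe shadowcopy delete spawned by ieUnatt.exe out of %AppData%\Roaming, and msedge.exe opened on # DECRYPT MY FILES #.html. The following Python is an added example of the detection logic a SOC would run over process-creation telemetry for this; it is not part of the sandbox report. The event records are constructed to mirror the report's process tree in the shape a Sysmon Event ID 1 or EDR feed would give (pid, ppid, image, cmdline), and the wbadmin/bcdedit rules generalise beyond what this sample ran; they are included as assumptions about sibling recovery-inhibition commands, not as behaviour observed here. The parent-path enrichment is the part that separates a ransomware run from an administrator's maintenance: the same vssadmin.exe command is routine from an interactive shell and alarming from an executable in a user-writable directory.

```python
from __future__ import annotations
import re

# Constructed process-creation records modelled on the process tree in this report
# (what a sandbox or Sysmon Event ID 1 would log); PIDs follow the report.
SAMPLE_EVENTS = [
    {"pid": 2816, "ppid": 4784,
     "image": r"C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe"'},
    {"pid": 4880, "ppid": 2816, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 2148, "ppid": 2816, "image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"pid": 5192, "ppid": 2816, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html'},
    # Benign control: an administrator listing shadow copies must not fire.
    {"pid": 7000, "ppid": 600, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" list shadows'},
]

# (rule name, ATT&CK technique, image basename, tokens that must all be present).
# The wbadmin and bcdedit rows are assumed sibling commands, not observed in this report.
TOKEN_RULES = [
    ("vssadmin delete shadows",  "T1490", "vssadmin.exe", {"delete", "shadows"}),
    ("wmic shadowcopy delete",   "T1490", "wmic.exe",     {"shadowcopy", "delete"}),
    ("wbadmin delete catalog",   "T1490", "wbadmin.exe",  {"delete", "catalog"}),
    ("bcdedit disable recovery", "T1490", "bcdedit.exe",  {"recoveryenabled", "no"}),
]
# Ransom-note display: matched on the whole command line because the unquoted path
# contains spaces and would be split apart by tokenising.
NOTE_RULE = ("cerber ransom note opened", "T1486", re.compile(r"# decrypt my files #\.(?:html|txt)"))

# Directories an unprivileged user can write to; a system utility whose parent lives
# here is the strong signal, the utility itself is not.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes, lower-cased."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[dict]:
    """Return one hit per (event, rule) with the parent process as enrichment."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        tokens = set(tokenize(e["cmdline"]))
        image = basename(e["image"])
        matched = [(name, tech) for name, tech, exe, need in TOKEN_RULES
                   if image == exe and need <= tokens]
        if NOTE_RULE[2].search(e["cmdline"].lower()):
            matched.append(NOTE_RULE[:2])
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else None
        for rule, technique in matched:
            hits.append({
                "pid": e["pid"], "rule": rule, "technique": technique,
                "parent_image": parent_image,
                "parent_user_writable": bool(parent_image)
                and any(marker in parent_image.lower() for marker in USER_WRITABLE),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Token matching rather than substring matching is deliberate: it survives extra whitespace, quoting and full paths, and "vssadmin.exe list shadows" stays silent because "delete" is absent. In production the parent lookup would come from the telemetry's own parent fields rather than a pid map built from the batch.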

Processes

  • C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe
        "C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4784
        • C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe
          "C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe"
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:4880
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:5192
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd23aa46f8,0x7ffd23aa4708,0x7ffd23aa4718
              6⤵
                PID:5216
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
                6⤵
                  PID:5540
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5548
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
                  6⤵
                    PID:5556
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
                    6⤵
                      PID:5676
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
                      6⤵
                        PID:5684
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
                        6⤵
                          PID:6076
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                          6⤵
                            PID:6132
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
                            6⤵
                              PID:4296
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
                              6⤵
                                PID:3660
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
                                6⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3596
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
                                6⤵
                                  PID:4304
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
                                  6⤵
                                    PID:4140
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
                                    6⤵
                                      PID:4412
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
                                      6⤵
                                        PID:2960
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1824 /prefetch:1
                                        6⤵
                                          PID:4320
                                      • C:\Windows\system32\NOTEPAD.EXE
                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                        5⤵
                                          PID:5224
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A
                                          5⤵
                                            PID:5888
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd23aa46f8,0x7ffd23aa4708,0x7ffd23aa4718
                                              6⤵
                                                PID:5908
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                              5⤵
                                                PID:6036
                                              • C:\Windows\system32\cmd.exe
                                                /d /c taskkill /t /f /im "ieUnatt.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe" > NUL
                                                5⤵
                                                  PID:3648
                                                  • C:\Windows\system32\taskkill.exe
                                                    taskkill /t /f /im "ieUnatt.exe"
                                                    6⤵
                                                    • Kills process with taskkill
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:5340
                                                  • C:\Windows\system32\PING.EXE
                                                    ping -n 1 127.0.0.1
                                                    6⤵
                                                    • Runs ping.exe
                                                    PID:5772
                                            • C:\Windows\SysWOW64\cmd.exe
                                              /d /c taskkill /t /f /im "4741333a78be539951c661ddbd47442f_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe" > NUL
                                              3⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:2280
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /t /f /im "4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
                                                4⤵
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1724
                                              • C:\Windows\SysWOW64\PING.EXE
                                                ping -n 1 127.0.0.1
                                                4⤵
                                                • Runs ping.exe
                                                PID:2004
                                        • C:\Windows\system32\vssvc.exe
                                          C:\Windows\system32\vssvc.exe
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3192
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:5876
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:6064
                                            • C:\Windows\system32\AUDIODG.EXE
                                              C:\Windows\system32\AUDIODG.EXE 0x4e8 0x470
                                              1⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2496

                                            Network

                                             MITRE ATT&CK Matrix ATT&CK v13

                                             Execution
                                             • Windows Management Instrumentation (T1047): 1

                                             Persistence
                                             • Boot or Logon Autostart Execution (T1547): 2
                                               • Registry Run Keys / Startup Folder (T1547.001): 2

                                             Privilege Escalation
                                             • Boot or Logon Autostart Execution (T1547): 2
                                               • Registry Run Keys / Startup Folder (T1547.001): 2

                                             Defense Evasion
                                             • Indicator Removal (T1070): 2
                                               • File Deletion (T1070.004): 2
                                             • Modify Registry (T1112): 3

                                             Credential Access
                                             • Unsecured Credentials (T1552): 1
                                               • Credentials In Files (T1552.001): 1

                                             Discovery
                                             • Network Service Discovery (T1046): 2
                                             • Query Registry (T1012): 2
                                             • System Information Discovery (T1082): 3
                                             • Remote System Discovery (T1018): 1

                                             Collection
                                             • Data from Local System (T1005): 1

                                             Impact
                                             • Inhibit System Recovery (T1490): 2
                                             • Defacement (T1491): 1

                                            Downloads

                                             • C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
                                               Filesize: 12KB
                                               MD5: c79bec354cef77402e41dcc81924d51c
                                               SHA1: e3ba664ab3bfb6751d08838eb7df972deebb3998
                                               SHA256: 43f71c8f5d5f9fdb6d4f556ec69972e5a83c54502725f368ac992461313515b4
                                               SHA512: 2dfc643c2842e7225731442cb99049d7e45ea1858d4759a5b4392df05a3e7b55deb13a873879ca67b4d2116cdaa58383f2f30d29a5e3643b53d368056fcf03f4

                                             • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                               Filesize: 152B
                                               MD5: 8b167567021ccb1a9fdf073fa9112ef0
                                               SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
                                               SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
                                               SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

                                             • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                               Filesize: 152B
                                               MD5: 537815e7cc5c694912ac0308147852e4
                                               SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
                                               SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
                                               SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

                                             • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                               Filesize: 6KB
                                               MD5: b6ff413d711167f3042fbe3fd5022e84
                                               SHA1: 1df87f943f52ab5cad920a1e481fa5693781aac8
                                               SHA256: 1144cac194c85a5f31209372d8ccdd27a4d7d8a7628a3401273ff4d017074d58
                                               SHA512: 9a2ecd15053d1e35826312601d8d55b2bf8221fafeea01d4d6029b17009dfad5a82780c888ecbaf5d067210d7f6fc35d06acccac11e1c3a365669265f8742a50

                                             • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                               Filesize: 5KB
                                               MD5: 7fd38f5c87d72c121ae043052ed68e1e
                                               SHA1: 9b97a9f8ab06bc8313393a5eaf96e888771ff29f
                                               SHA256: 2228e2c5ca29953238a50fbb58b5735c7aef3d3e1a94b528aaefae4ce47f4447
                                               SHA512: 0bba78408136e4f9af5cf020704cdf25de3652d53d19a20ab86391f717f46857c7be8427b75fa77be0cbf169fc8a4284bd158afb11cee0d0dd8086f535dba78a

                                             • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                               Filesize: 16B
                                               MD5: 6752a1d65b201c13b62ea44016eb221f
                                               SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
                                               SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
                                               SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                             • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                               Filesize: 11KB
                                               MD5: cd5596ac50099a9d33857053fb8154a3
                                               SHA1: dd12426e4fd75443c9c5dfc6307d37abfe31ea97
                                               SHA256: 0d83492c29bebf075c8573268e71b1c88e1f204292d22a5d219a4d532fced3be
                                               SHA512: ab74e88fb1172cc43b872e00da6fe6aa73320f63d01fc1a7dd1398d306a9832f54d86f4855e99da478ddfff26cfcad1987a06e5960840673bd8a1e7f1ffb6a53

                                             • C:\Users\Admin\AppData\Local\Temp\nsf2CCE.tmp\System.dll
                                               Filesize: 11KB
                                               MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
                                               SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
                                               SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
                                               SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

                                             • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.vbs
                                               Filesize: 219B
                                               MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
                                               SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
                                               SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
                                               SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

                                             • C:\Users\Admin\AppData\Roaming\1047x576black.png
                                               Filesize: 4KB
                                               MD5: 7ed0ada46ab3a86299bca20b255a685e
                                               SHA1: 658c094d23172a564034be21db111fadef455bbf
                                               SHA256: fd62ff7938fbea377931a0bd6f15aa834adb38574e851bf95fc4c2892f82c89c
                                               SHA512: 92d32f625c205daf4f5fca4317277eece9cb02fdd5a09289b1e466e8e3a3b8caa00f0d2a2663e791d0f4101cdaac0b9435438b06ff19171c0cbbb97c1095373d

                                             • C:\Users\Admin\AppData\Roaming\404-2.htm
                                               Filesize: 1KB
                                               MD5: 78f1a9d75f7e25e5e14ea3804e7102d1
                                               SHA1: 878e200221853fc23e8d1e338cb6030d4a2bf39e
                                               SHA256: c43f04e0a10120ac19d2b1fc162887e56759409a6233de3c14366ca97a0a5f80
                                               SHA512: fb37cf9f45d9366abdb307c364ac8e5813abe758516ace319a0afce8103afb558d78bef9e83be0e24a098ef93192099150b63158ada65f070bc77ab4d75bc959

                                             • C:\Users\Admin\AppData\Roaming\406.htm
                                               Filesize: 1KB
                                               MD5: 3ecc8613572d7e5b305bf90f59f9be58
                                               SHA1: 9627e5b8dcf39a6a9f48c4d770f0ca7e49748f78
                                               SHA256: 9b29d1934ff2f61d0583b4f31496aa053473d631653f04845d695326419f2424
                                               SHA512: 930b00b4a3863cabf53e678e4a99094a328b1d49e0c2a3d5e3cf480fdc87b99707c381650a9f076d99f7c4a4b41586f2bbce78c976ca5e0f2a53a2edf2c6f700

                                             • C:\Users\Admin\AppData\Roaming\7.gif
                                               Filesize: 907B
                                               MD5: 3b65f2e2286842f3df086d355aceb01b
                                               SHA1: 079d7bd2561bc0d4921dc3842071d6bfe8caa68b
                                               SHA256: 3a3f2e5fa85bca0e33c9fe947820658177ae754eb212782f863bc1d55119357b
                                               SHA512: 87ecac60ec60558770e5bb489f6486401370b54b84eba13c55d67bab5311b6b708f94e15c85ba42137f98e7b0bdfa4d4c05d327eed041bb165cd7b8f1c21ed69

                                             • C:\Users\Admin\AppData\Roaming\7.gif
                                               Filesize: 1KB
                                               MD5: 746a12f10d4eadd55a89f36b8faf300c
                                               SHA1: 73fec37fd50aeff90b2370140ac6a57d69985c43
                                               SHA256: 00696a87d4827368cffd4a509562925bc79b66a1d0a97be510c7a8c67df2bfe6
                                               SHA512: 3c22a6a3c92de519ae5b45615a0f180c89699a50b19281a09109cfef993cbb389e008c82cff6da974c6a7da5ea1e51eec03ee2fe9442fd8e2826636625d5d528

                                             • C:\Users\Admin\AppData\Roaming\7.svg
                                               Filesize: 1KB
                                               MD5: d2e2950f9f4ccc910ede5b372598baf3
                                               SHA1: a84d8cc9b700a196db4cf9ca26d20e429fb43e1b
                                               SHA256: 388e30970607450766c09e78a9e9344f97cc130666dd16973ab693eb450d6d31
                                               SHA512: 35b205dab690bf6f188e9b432f86bf9740de85b351dff60837a2bd08b1e35952f545bf9932f1f7a9c5b84f01c961942f08cdccae9ede448d5dfed3b9294d9664

                                             • C:\Users\Admin\AppData\Roaming\BMY red 3.ADO
                                               Filesize: 524B
                                               MD5: f603a2c217b5b63995d8c39730d35491
                                               SHA1: bb25bbde47ecb5f2c40db35c9bd4f6621a403337
                                               SHA256: bcda37996eadb7820490356c0f70c4f47811bea513b48de5e1566c6f365945e5
                                               SHA512: c2ff6fe9761eaaf520678989d516819349aa585d872dce806aca137ae23e934fee8a1462eed68cfd4cca15db40ddd02e9d32f9c4f9b69f46c267162cfa2ceb8e

                                             • C:\Users\Admin\AppData\Roaming\Choibalsan
                                               Filesize: 449B
                                               MD5: c3d77a7327602f3ef5d81c5fa45e3311
                                               SHA1: dd5fc349c0377248989a596ec2571f10bd563994
                                               SHA256: c7f453fcc2ac619ac906b694c9ba90a876acbd3e7e01862d2966585de3323584
                                               SHA512: f29f7f5c52691041f0feea5837a89c7f38aa2f4e37401f09ba560955f9cc1de0f8df61b5e8fbfdeba9f7afc1e5b93c4bb4be345396c1cf11b931f378311b0e91

                                             • C:\Users\Admin\AppData\Roaming\CommandTemplate.mws
                                               Filesize: 4KB
                                               MD5: c3f6ff0818d66a2a3725998f5c44ffa4
                                               SHA1: 127417dc331619716ba8f3b3aa63d23d0c59c443
                                               SHA256: fd5d297ec3edf6973d7c2cf834dd8fbd7ded61748ba82f3e259507f30eee09f3
                                               SHA512: c69b0cf5e2f62a1b5be3137fda26d1d3c5cca810b845f2c51e8c5253297bffcabcedb845c322dd643cd467504f82569545f1c03626b0d60d59d604845722b6e9

                                             • C:\Users\Admin\AppData\Roaming\DEU.zdct
                                               Filesize: 1KB
                                               MD5: a0a1920cffb51a8ac629fe603a1769af
                                               SHA1: 7cab3cd12f20a6c76554a58eb70470446b7a63e1
                                               SHA256: e2f92b3123f18a3445303862c16acdf82b133783ac52ed61094168f83935f7da
                                               SHA512: 089c78f98acf74217904b9709f33dabbca5e7f40419e24cfc5ca82492f353e4b5a090d764cd8ce842b06217edf34ba6d374b0bc5dafa6729b7d43c5e32a24b6c

                                             • C:\Users\Admin\AppData\Roaming\Dibranchiate.J
                                               Filesize: 113KB
                                               MD5: fb262871a32ae1bae9ed58901fa71f98
                                               SHA1: ffa6bfb134d7fe6c670b10ab48075d767b2dffbb
                                               SHA256: c5e522c13dd07ea3b3184d6be278715933043cf9851265c2cedd6f9a4542e573
                                               SHA512: 5fb20b93854ac72a8bfa4986f7fdce43bedc30bbd81a1611e7a034985537c455709a7a713defba76914ea31a00d04f6f0de654df40daae909506d92b7496bd82

                                             • C:\Users\Admin\AppData\Roaming\Frosted Detail Plastic - Frosted Ultra Detail.3PP
                                               Filesize: 1KB
                                               MD5: f3ea89e2ff94329f2fe06046f3397131
                                               SHA1: 813d806951418ae29f8d6514f1e8619e09bb1c0e
                                               SHA256: c8588b373d6f9e4445a7f0420e86f0ead65284c78a28866f6979a80008f1dfd1
                                               SHA512: 5ba1c20e1fd834cec01d505be15bb19b0e67d63eef4856890fe41d8f6d206f1cb3c2b4f5e0321c3ad669bfcc6c28028827b1b7447993e6422df2c026f8214478

                                             • C:\Users\Admin\AppData\Roaming\GMT+11
                                               Filesize: 27B
                                               MD5: 41dc583620885308274e1af0be12e78e
                                               SHA1: 9f96a25b7539ebc2a5bc0661b65a03992b63e210
                                               SHA256: f3236a2b39954dc659c25482fde3dcdc735b6b6829e3827bedb7c8c8dc72dd54
                                               SHA512: ec50aefdae3b9e276b1ca87677dbb89841a91169350eb88da1bd61b84726c8ffd19de6ab037bc0159a16bd44587f01daa3421298640c168ac2562a66170f9e3e

                                             • C:\Users\Admin\AppData\Roaming\GRAY.pf
                                               Filesize: 632B
                                               MD5: 1002f18fc4916f83e0fc7e33dcc1fa09
                                               SHA1: 27f93961d66b8230d0cdb8b166bc8b4153d5bc2d
                                               SHA256: 081caac386d968add4c2d722776e259380dcf78a306e14cc790b040ab876d424
                                               SHA512: 334d932d395b46dfc619576b391f2adc2617e345aff032b592c25e333e853735da8b286ef7542eb19059cde8215cdcea147a3419ed56bdd6006ca9918d0618e1

                                             • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ieUnatt.lnk
                                               Filesize: 1KB
                                               MD5: 490d4463d06374c1de36cefcdbb14360
                                               SHA1: f6d32bf93b1f514d32952af467692aca7d874ac4
                                               SHA256: 121698f47075fcfc49c4530404adc4d7542b8cafd0413cff1880a63396b42771
                                               SHA512: 54839dd8458cf0f7a744d2ce829df86b8a14fd5329ac45db3955ba341c0c2f8dd89039a1dbb293367be7faf16dd86cb8fcce463f1bcd11ad83647e013c8f0086

                                            • C:\Users\Admin\AppData\Roaming\Services.dll
                                              Filesize

                                              57KB

                                              MD5

                                              bc9a77439744af3f7fad690872190509

                                              SHA1

                                              e878df68c65b47e3de3d0b23666718668250a462

                                              SHA256

                                              0ea3132bf6bb7290b373174a82f9112bcda8d745174d16d364aefb6fa66c79a7

                                              SHA512

                                              40bcacdb105077ed814fe25bad7f32a680624f106e1e06a6bb0c17522839d9ae6745c00c02664f4329aeb10ae849df4f02cc37651449bb89b14ae571f17ba8ec

                                            • C:\Users\Admin\AppData\Roaming\Skullduggery.amx
                                              Filesize

                                              1KB

                                              MD5

                                              c38a9a83d65b6e83d9b71eedb039bbb9

                                              SHA1

                                              2644f2ea208a6bb4d895c260a9f91b226d813a27

                                              SHA256

                                              413e764638d70f96e9032c06c489eda58318eccb6ac8225aeddb18ff82d41cc9

                                              SHA512

                                              d83b1078fc46df5563c49dda178bf1e7910f883d2ecde82d3f6c16968632b8db3ab7f38339cd0d306f99f469e3401ed2cd870270cad18998b8dc616cb0d8091a

                                            • C:\Users\Admin\AppData\Roaming\add_licenses.png
                                              Filesize

                                              1KB

                                              MD5

                                              e8a2b07854032ed884e15558d45cf227

                                              SHA1

                                              733914f98c81adb9ca0e0c5e90a264e446c7308a

                                              SHA256

                                              441d8eac3139cc3d28d7f3ca5f8412a99f0ef37466d1d578abfdc315b4840d7e

                                              SHA512

                                              d13ea83232a9d76049e9b79ba70bea422e51fd113505082da81044d6ebfa10c1b4510507b960f2b6d4c66f82a819c586416645e5fc4171ae2d08b24a7bff3391

                                            • C:\Users\Admin\AppData\Roaming\add_licenses.png
                                              Filesize

                                              1KB

                                              MD5

                                              f45b055127acd79ca0d98cbf168bd1d5

                                              SHA1

                                              d6966507ccf14917d1f39bf9750daa8e424eb5df

                                              SHA256

                                              5b433ecb62dc22e37c5ae6672d91c32de214c0949672f2fdf98e66e06afa9680

                                              SHA512

                                              7f4b15c3cc369a3f14488b064664734939737ddb2e02df550557446169d9cd22f68b931cf385e4b4f03d7a9f1d01f7d8387de6445bf939d710386cebba997a93

                                            • C:\Users\Admin\AppData\Roaming\app_updater_body.png
                                              Filesize

                                              3KB

                                              MD5

                                              984ba7332a9dbada93fa91e7b82a2258

                                              SHA1

                                              06c4dff2cec4bf5851ec9d7d030ae7ba778344d6

                                              SHA256

                                              c2b4629a5c4afe4cb70e2a28a8d143db01bc174c1636be15090f02c8b37f37ff

                                              SHA512

                                              3f9a6311c59b342fd42a63ec8b10f75c7ead039a447f474a113c23d2bcedc6e02e3068a6ef95cc9b79cd36a39af078fdff34b90ecafb8e5a0d9cca3c1c6aea69

                                            • C:\Users\Admin\AppData\Roaming\app_updater_body.png
                                              Filesize

                                              2KB

                                              MD5

                                              86c9a4c802b04a554b3829d4be312828

                                              SHA1

                                              773f47126a7a7fa0aa23e1ca894d9912df2f57ac

                                              SHA256

                                              ceec03700eee7c9342a537d53ab8cb25d1e7e2c152ca9d977045dc0d22364d8d

                                              SHA512

                                              99244fe9a66d7f30589054b0f33a21ea5b4ea7f47dad6ed4301aa2c652277b345eca8ffbdc4420d86dcc6163e570baf59dbe3f7dbff7f88bd554733cd6c6504a

                                            • C:\Users\Admin\AppData\Roaming\arrow_up.png
                                              Filesize

                                              2KB

                                              MD5

                                              07b3126cfe4ab7297cbc21fde173c930

                                              SHA1

                                              95fc835cfe39e9a938696c5bf5020a6a3fb75369

                                              SHA256

                                              7ca400062c5571a845b5968a4cb4c46e0588511b7776d30f8d418ae753bb067d

                                              SHA512

                                              ea7ec034541f34753a7d580c052e1c9dbeffdf2bc730874ccad54bfdd548928eaed865b8223a1fda3f4bd9010bae7c9b5315b5a02f451bcb35f935db6e200a42

                                            • C:\Users\Admin\AppData\Roaming\article.appendix.title.properties.xml
                                              Filesize

                                              1KB

                                              MD5

                                              adb1a285a2b926f98c062fbb74e1e992

                                              SHA1

                                              1f9799a61072673042a1a3da0fdf3fa93cf10f90

                                              SHA256

                                              4ba4637bffa741ba5619c3de97b6c209b5a9deb330385efc7a588492a98b7b45

                                              SHA512

                                              aa65628e34601645dfcdcb1f5f0347ae84555bd1a99432d4c25a50044dae932385bfa1f50551f6577d184de684f9264743facb53f4aa2e46bdfeff5c85bc6bd7

                                            • C:\Users\Admin\AppData\Roaming\blank.png
                                              MD5

                                              d41d8cd98f00b204e9800998ecf8427e

                                              SHA1

                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                              SHA256

                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                              SHA512

                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                            • C:\Users\Admin\AppData\Roaming\computer_diagnostics.png
                                              Filesize

                                              3KB

                                              MD5

                                              bd8078dcc074aaebdc63ba53082e75c2

                                              SHA1

                                              a3887f75154e5de9921871a82fe3d6e33b7b5ba7

                                              SHA256

                                              9e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e

                                              SHA512

                                              9a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66

                                            • C:\Users\Admin\AppData\Roaming\copy.js
                                              Filesize

                                              154B

                                              MD5

                                              77ea68c673c183a92ecc07e600e956a8

                                              SHA1

                                              c2f17a0351e2c9361580408eef9e19b16c0a0fa3

                                              SHA256

                                              a7e7893e6867a93582a0e78dfa1261145068e01535db0d157409be338dd0d0d8

                                              SHA512

                                              886664c977d8ac7e251a8a2730d6c2fc207026f18e93a5c3676bf42ce64ae4125ba058e570788467f989e8e91e49463fbdd1661a47f664ac17c38d568551d61c

                                            • C:\Users\Admin\AppData\Roaming\dutphon.env
                                              Filesize

                                              2KB

                                              MD5

                                              d3fd7121b844308f5e0d98218b25f7a1

                                              SHA1

                                              57eda098a5ac50befbbaed81c9358542508d2025

                                              SHA256

                                              3f19660f2ffcb1b75ce092e05a9d02128025f89a378cfa302a3fe406c065139b

                                              SHA512

                                              0512e3887235754102c623ba704421c745f43d5300a8dd31cc79d1d70a537158dd5a2a25e8e0eab69dfd8cfa234a437ebfa89abafb5c31dcaf28f745a17feca5

                                            • C:\Users\Admin\AppData\Roaming\example.xsl
                                              Filesize

                                              2KB

                                              MD5

                                              ccfab72640a4d5de19096e61cc1111e7

                                              SHA1

                                              e5f992187707c256949fee3987482de01527776f

                                              SHA256

                                              963cca28032d4a5e5fc05cb3cb509ac235bd390161fa862611ee1543ae5b744b

                                              SHA512

                                              93d7a787626f9444527574257a41266512565a5e3543b1026984ec5b2e606b8339d5a5901059b8e7fef502f62be50992d7bbe96522d7536ca4341bb9a4f1cc67

                                            • C:\Users\Admin\AppData\Roaming\green 349 bl 1.ADO
                                              Filesize

                                              524B

                                              MD5

                                              1289782651c9af159c54bd25c344a26e

                                              SHA1

                                              5ff702833f8e0b9b2bc066d7de9e9d3885984135

                                              SHA256

                                              82020a2103aa444d0b44638ee2666fa3f077af7b5dda85433607d871d103fc39

                                              SHA512

                                              afe7c5e2df5643fec0c486c7efd9b8a440d2ac9631b70369e35b14561995ca91151c1859ef2d49e20621652cf38f024ea94898ff4c2b258380f5a92613a3df51

                                            • C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe
                                              Filesize

                                              225KB

                                              MD5

                                              4741333a78be539951c661ddbd47442f

                                              SHA1

                                              e642cbf75a235b76f2f7ec6b8222d21ec518ed98

                                              SHA256

                                              5fb92c512e17ae11f78d2c8eca04440fd89bd32e0b0bcca3d86784f7ab5581e4

                                              SHA512

                                              2b159ae11a567060ac0e17fa85da98ac334cdf1b6edc1d4179bfa879116e15349003d657abc2555b1b13240e40541c3bd3e69ff282cc1b4edf6f1bc3caac3a24

                                            • C:\Users\Admin\Documents\# DECRYPT MY FILES #.url
                                              Filesize

                                              85B

                                              MD5

                                              04dba0137e322946b154e75e9801ec94

                                              SHA1

                                              3749e703f1b37affff0483d172241decb0127db7

                                              SHA256

                                              5cc27e7f54d7c7e8ab48ff2b33decf7b3ac2b46e3592ed3e05dac0301024c90a

                                              SHA512

                                              c191e8bc46b450fd0ee529422931f0ab978df68460c7f98ea25398b2c3efbea001690686eac244164821a32be7103c5770fc269c3498f8aea83cc78062f6480a

                                            • C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
                                              Filesize

                                              10KB

                                              MD5

                                              c1402bd0986fffdd50470533e09025bf

                                              SHA1

                                              89379c00c8095ac9b00ebcf576b24ac583ea8cd3

                                              SHA256

                                              cea63186c5f8aa865d2ee80e8c651972c95e91d25f41d5e4ed96fbac03ad3d3d

                                              SHA512

                                              9750a72263d2a1902b94e01193a3f64896cffce85c4b542a5879221516579f41f8dce7f295a5ab5d100d4f064abc36aa4f148973abdc7dbd6af189802ff029fa
