Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    15-05-2024 17:47

General

  • Target

    474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe

  • Size

    221KB

  • MD5

    474f76977fa109dd9a1a8a7e51c49659

  • SHA1

    aed91b01397c5a067201e0eed886f7fe2acdc02e

  • SHA256

    1c77bceb256e2c7e570830558b2084008f961483981d352b874af0e6e2ee3f10

  • SHA512

    997f426de2c1942c7eb2efee57946eaa50f0f67e3cf1603b9e9ebf4bf9e09008172c74ca30b34943c25e0dc64815749f474ececc4ac84d5ef2217dd4efb0a1e8

  • SSDEEP

    6144:zwHysaOmXtsnUpyzaAV+vCQ+xTGth9/oG:oaOmXanUpSV+vCQ+xTob/z

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community #Cerber+Rans0mware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790 | | 2. http://52uo5k3t73ypjije.thyx30.top/9C8B-BC2F-C947-006D-F790 | | 3. http://52uo5k3t73ypjije.vrid8l.top/9C8B-BC2F-C947-006D-F790 | | 4. 
http://52uo5k3t73ypjije.o08a6d.top/9C8B-BC2F-C947-006D-F790 | | 5. http://52uo5k3t73ypjije.onion.to/9C8B-BC2F-C947-006D-F790 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/9C8B-BC2F-C947-006D-F790 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790

http://52uo5k3t73ypjije.thyx30.top/9C8B-BC2F-C947-006D-F790

http://52uo5k3t73ypjije.vrid8l.top/9C8B-BC2F-C947-006D-F790

http://52uo5k3t73ypjije.o08a6d.top/9C8B-BC2F-C947-006D-F790

http://52uo5k3t73ypjije.onion.to/9C8B-BC2F-C947-006D-F790

http://52uo5k3t73ypjije.onion/9C8B-BC2F-C947-006D-F790

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> 
<p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software 
package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790" target="_blank">http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790</a></li> <li><a href="http://52uo5k3t73ypjije.thyx30.top/9C8B-BC2F-C947-006D-F790" target="_blank">http://52uo5k3t73ypjije.thyx30.top/9C8B-BC2F-C947-006D-F790</a></li> <li><a href="http://52uo5k3t73ypjije.vrid8l.top/9C8B-BC2F-C947-006D-F790" target="_blank">http://52uo5k3t73ypjije.vrid8l.top/9C8B-BC2F-C947-006D-F790</a></li> <li><a href="http://52uo5k3t73ypjije.o08a6d.top/9C8B-BC2F-C947-006D-F790" target="_blank">http://52uo5k3t73ypjije.o08a6d.top/9C8B-BC2F-C947-006D-F790</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/9C8B-BC2F-C947-006D-F790" target="_blank">http://52uo5k3t73ypjije.onion.to/9C8B-BC2F-C947-006D-F790</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790" target="_blank">http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> 
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790" target="_blank">http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790" target="_blank">http://52uo5k3t73ypjije.5b1s82.top/9C8B-BC2F-C947-006D-F790</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/9C8B-BC2F-C947-006D-F790</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (517) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe
        "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe
          "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:896
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1708
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1724
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:406530 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:836
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:1644
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:3052
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "wuapp.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe" > NUL
            5⤵
            PID:2712
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "wuapp.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2584
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2496
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe" > NUL
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1200
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2728
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {FE593FA7-6924-4E19-B8C0-94DE9923264B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe
      C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe
        C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1836
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1836 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1992
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1704
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x594
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (2) T1547
    Registry Run Keys / Startup Folder (2) T1547.001
  • Privilege Escalation
    Boot or Logon Autostart Execution (2) T1547
    Registry Run Keys / Startup Folder (2) T1547.001
  • Defense Evasion
    Modify Registry (4) T1112
  • Credential Access
    Unsecured Credentials (1) T1552
    Credentials In Files (1) T1552.001
  • Discovery
    Network Service Discovery (1) T1046
    System Information Discovery (2) T1082
    Remote System Discovery (1) T1018
  • Collection
    Data from Local System (1) T1005
  • Impact
    Defacement (1) T1491

Downloads

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
    Filesize 12KB
    MD5 0916192ff00a8b72ea123bba5f713795
    SHA1 b95c6aeb1e6e0343db7b8138be4eab61a1a5524b
    SHA256 346772e4abcfb7529fb992847c5b9ec1275bea38904527c5b63dfe3544e4a116
    SHA512 b835cf13f51b5a23a3f8b3074097cb58c3f4fc70dfbd4306ab59c4af73cd0894f76b89e77483c4a1e58783b3aea85ae273f7ae3408220e3f56ac17f190001d63

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
    Filesize 10KB
    MD5 eb4692178412be4d8c9f4f2f5579f0a9
    SHA1 c0d6961b2dc15af28e378af818d388ba8b14f031
    SHA256 602afb51afb52777f6bf0e22881efe9edb38da71cc9e53d765a31aa163913798
    SHA512 13214b352ef6c9a4bf70d5f9d38ca4ca2e3a5594220980ac6fe0af41403358a53fad68cb94427e8a6702de10ae3a34d67a1293deb95697ff5fea822a2c90f6ae

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
    Filesize 90B
    MD5 7b8cd30bc64167fcdb96ae9496aa3238
    SHA1 09bf25f7b78c93cd3ded50ed51a7fc65b6425b9c
    SHA256 714d7fbeb70ea079f4fd833fde49c7137e1002560d1fd8d6cc2ef1ca73a50ef5
    SHA512 5985c2ef9592007ea79a13b3da31dfb86634b555e6b53802d2cc373fb15c402bf839c12e4b4add0cb2e755323b39bf20f11b79997825748671f90970ffce46a7

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
    Filesize 234B
    MD5 6f84dbf74ef41dc3d861f5fb3e0f45ff
    SHA1 3e5f17e9b9589f33ce6add7f2518a666ff2253a4
    SHA256 df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8
    SHA512 9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize 68KB
    MD5 29f65ba8e88c063813cc50a4ea544e93
    SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 344B
    MD5 ec0ae3de8ee5cea0656d10775f792158
    SHA1 bd6d4c9d9c504c3afbd41f89f93bd3124e5a4036
    SHA256 3527bb6521ca509f0f145ef8145b51c4bf31b07993865ad2daad82f9aa498571
    SHA512 e381909aefa66f9d72ee3af33d4c7145d53e385dd1e6fb7e31f9fe3a525ea61269595a5025f7a865b7d956a74ba2aa4cc575d696d8af2e3a6dcbb807aaa92816

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            9378cb0ff00fcc966f63514e196f6512

            SHA1

            038c5cdd393cfa2d580d4dccac3e25f6ed51b35a

            SHA256

            8f14765062bda183513120dfe6f14ba51ecb1aa3a34c466e6b4e30072c3aa2fa

            SHA512

            3cad339735434be52202943ecf0a5f97db396d802844d9be7b226f6719f329129fc44af21e95b4e5dfcf4e223b4f76565022f35314e369a363d521a6d630f923

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            cd5380aae71095579e9119b77c66493b

            SHA1

            cacea0325ce50598d71b3e78c40397ae8549ffbd

            SHA256

            fb47bf42260375d0e5baa89704a2185cd5a58bc40ef04d8e7aee2c1c3a2f647f

            SHA512

            2f293a530a359560f65134aa0732f2784d7490a4cc18fe474210de20108e7060cbdd1125bf0c908ad50dbbb8cb04c305775930fbefb346c0a58daa67d1499dc1

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            7f48f90ecf0cc9b4c49e4274b452dfd6

            SHA1

            d5f78329418ea5912014a4451a9b5558e1795b41

            SHA256

            15c06ba1db1ab9fa1a0f5ff81935b33060e4724bbc7313bcdadf8332f1082c4b

            SHA512

            f7dc61a799053083b556bf64ea21b32e47ec2c39c2aecf63c385c50c1fc100ba9f4e82e8a07a014eca4464213205b048c519a69980627ba01b50e448bd5bad94

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            f6db639ad706a519183c5c4aa6952611

            SHA1

            426aed153cfa8a6640e9c7c6abce735b762330cb

            SHA256

            abf83df4539c950a1302ba620588aff22662151001a96abfb9df2e15b72ba622

            SHA512

            f461b32f8d0fc2c7139794a6692d1708dd3f3695761314c59f5379dc8295657cde312f829da219ae44c6578153d303e23683d668a857b8f7940f1447a5c845da

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            fa277bf7af1a7fe68963527bd4461b89

            SHA1

            027d641fcf15b42728f8c029cd98b1da6daaa7aa

            SHA256

            7b878884c71a3d26b6074f13520abaeba0055520dbc4bdf86098f7d9aee581ac

            SHA512

            b26b4f8f1b098ab77b2355d69afae5a4aa7e70cb8bc0c63bf9affb93fb5c0d5dc84c8f456cdc08912ca883827d230a66aaa7860d924312293f2b357b88a9ece7

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            210587eadd03be7eefecd64d03626c52

            SHA1

            9d673aba14a16606f10c3d57355d3431729b9775

            SHA256

            1b2358f979ec3ae8ddf550f2fb484159ab4bace773bf3ec642bb45e35651a34d

            SHA512

            84df5f39242c597acb039303574875501f8a3be32e8b92750988965a5240d858ddbe5c81fa41d81dbc6d32475968d0682984639e45a7c0ff830fc06725899f33

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            f769f0bb13be2167fd6712bd9ec1d015

            SHA1

            075e5e1e113bd38e189fc83ebf5317052f0daa75

            SHA256

            0d3e2c9002cf99be9401e27835765a19788e9f033110ab5ee089fd3a7696134c

            SHA512

            664ea53da455d5aa076eaad94673530f225a37f481b9b38c31dc1df691420a9e6eb13c7d8305825a7ad11db56779f9b2c75e4ffd5927599f2b49d67dae0e00ea

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            5537a09cefab31a21f69b62511645cf7

            SHA1

            de3233cb1e1856d96d357475564f9a52ee5c5f2a

            SHA256

            80237aee45e9635f656fbfd50b8f97a6c055362c6c3643ea9191310b6a8cb022

            SHA512

            80f7050d5ab6dc7fd78f4f6fc2b334e1a628133e47efd22af796eb27f6e1e0f8e4750eadc6a55357540ac17048b5c1d17e994a0c1248ee730d324eb08044f544

          • C:\Users\Admin\AppData\Local\Temp\CabAA27.tmp
            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\TarAB09.tmp
            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          • C:\Users\Admin\AppData\Roaming\403.htm
            Filesize

            1KB

            MD5

            394a5c0cee0392d04fad577c6766f06b

            SHA1

            16197acb33ddc2e8c5d1f7fc04aaa0cf1f26b95f

            SHA256

            ed1e1c39e647d0aa8b950c98ff6ba2e7d551927263e45d4ba86b8747ce5149ee

            SHA512

            9027e504499d057097c2b149ae3743519178cb570c48d4f0dd5cc735554199ad2525915af3b8e4ff1bafc471ebe3cefcd4760fc6c2c5a9e8f7bfde5805a89397

          • C:\Users\Admin\AppData\Roaming\9.gif
            Filesize

            1KB

            MD5

            ada7438f0d47718c45548579475b4de5

            SHA1

            8753c024c8d33f30cea3c8a013175a99155c3637

            SHA256

            80229e356eb97dadb177598440e752c4d300fd44baefe4cf09e37e36a82f9b65

            SHA512

            b2eeeaedc6f571d1bae97f9c0f0663f1a85158b197702796440015bfa21d4864a2ffadb714d71d3cbd1f5835338690a8f0bb541f0447216e45b17b2256549740

          • C:\Users\Admin\AppData\Roaming\9.gif
            Filesize

            923B

            MD5

            89ef56055c93539c44f2a59def331ff8

            SHA1

            68de36276c6482f4a596b9881be44625fce0996e

            SHA256

            e3274dae4562db681c6e7ef3f4f52dbbd86c25d8810d919d7b7a89bd57af53f8

            SHA512

            6a6c36641ab25b6f39a8eb33f3ea65af7afaa4c24005aeed27eaba69aab105dd9a41c11a130af5269874a8aded230273ab681cd124513ba4664ad364a0e27e90

          • C:\Users\Admin\AppData\Roaming\Adobe-CNS1-6
            Filesize

            4KB

            MD5

            632dcddcbedcb4c38a4cffabd99dedf3

            SHA1

            c033e731c067d0732961f656d9bee65f46da9594

            SHA256

            70942bcd54b48fcc2ebdfd19da8031c9c5b4c710f5d2543f12b3f0fe0f4d2592

            SHA512

            ea04f016d74c3da10d2aaefc400f99a3b76d0ea4591995d8eb418a32a955552e2ed13c365fecec65ab52938dd99982dc794df89d200fba231b85d2ed2269cd2e

          • C:\Users\Admin\AppData\Roaming\Adobe-Korea1-0
            Filesize

            3KB

            MD5

            41a6fcc09060a5ac59c9b48e4cffdf66

            SHA1

            79a83a69c8d994f27fb44f315c755839d997ad1d

            SHA256

            a3cc88d1aec75afa3677e069ffe35d24498e587f7eb3730d9976d16ef04f044d

            SHA512

            9d15801891b745eaf62411015db16ea13dc20294c97de71a877f91ae62161a7cf530cf10209d89f31d66f67ba2d4142f02b00f006de56a7fb16b5d9d1efba369

          • C:\Users\Admin\AppData\Roaming\Bl soft CG9 CG2.ADO
            Filesize

            524B

            MD5

            4965e28a04e6047d390e8798dce77eb6

            SHA1

            8abe2196dfcb8fcf664c036b6f55acad0a638a6f

            SHA256

            425f1c29b829c23c1728cabe2bedb7b9d00298749c1530c932ac1f96d93c07fe

            SHA512

            c9b12151f06aee6b86a538f1057c1d201bb75db1094b93a4e3d4a94dbd292b2dda7ffe74b99d2c60b2eb994f04c6e5137de7e8ebb3edd65661bf5e1278056c8f

          • C:\Users\Admin\AppData\Roaming\Damascus
            Filesize

            1KB

            MD5

            93657662177fdc9183a0fd632790c0ae

            SHA1

            5586f64b641545aa2610b3bcd5df7750a17955de

            SHA256

            a353644ae75ca0a454a56caa9a442e361f1097ff429d035fc7ba73e87650e21e

            SHA512

            c0a0deb8e5773c783e3656084fb751847b71b2b1e6b2bf489f31f97100e4c629c0266c10d3f1a75c6811a2a195308d564d7216be8bce01b8ec5dda3a5096eb93

          • C:\Users\Admin\AppData\Roaming\Darker.alv
            Filesize

            630B

            MD5

            7f2d29a5e3ded93d9a3bdadf45ccec15

            SHA1

            2e03d94db3ab943514a3e61e79fb7fa22f9e1155

            SHA256

            4f56ea00303af5b79de9a12422a764a6d7942c369a0ecf5bb4dc945a7f545ec7

            SHA512

            2a07cb08608f3fc15f00cc4a151cf2eb757e69a35f8f9e5a9f03e60e28b1122a4df5f3f891fb6a48c060d181b1457e360a29fa569fe7fda213c71ae12a7ed5a4

          • C:\Users\Admin\AppData\Roaming\Escudo.qBC
            Filesize

            125KB

            MD5

            60eddd78af5fb9e8236f86ee672eb97d

            SHA1

            f76a5f7400e193f53683553e6562262521a32a74

            SHA256

            354b3fa35d71922a72c3d9b55a53099948d135bb7d49366d106e9a938786ffc6

            SHA512

            22ebbe27e3e524792478a9f3e63c42d9b391a604bbcf870dbe3ffc195e693fd47a2830e3ee995d0d561d59c67ecfcfea3f17d5497c063ffed838d9968eb38377

          • C:\Users\Admin\AppData\Roaming\GMT+7
            Filesize

            27B

            MD5

            11f8e73ad57571383afa5eaf6bc0456a

            SHA1

            65a736dddd8e9a3f1dd6fbe999b188910b5f7931

            SHA256

            0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

            SHA512

            578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wuapp.lnk
            Filesize

            1KB

            MD5

            4767e8499d1e6c2bf1ac18999c7c5e37

            SHA1

            a991c45c099875101c0641c19e8e846efdb3739f

            SHA256

            c7c4f746d6d1376837caec9bd34789cf76d67258766cf8432b54432106904a4b

            SHA512

            e55d0b1bb50afe5e24585a8e1c27c524c10ff73ebaf7f17750fd134d61b3a6fd5217f4cccd4b66caa91b4e57b71ac0d1e0d6e8c63eb397088f53b6a7a347e066

          • C:\Users\Admin\AppData\Roaming\SildMajorgeneralship.U
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          • C:\Users\Admin\AppData\Roaming\SildMajorgeneralship.U
            Filesize

            3KB

            MD5

            91b9526efaad7322ac339490015bffc1

            SHA1

            6798644896cfec5d07ecdb5d38fe006c8817e6ab

            SHA256

            f7ffcfc355e940c68ae80173552ab703f1d9a2b1bbe6e75229bca2ccfa3357d6

            SHA512

            65c7901c2da54fe7785e13257c129258838c01b3109274ff8343790723a0f8b0471d24a7fb1ba27f7821cb814eef28b34d66fb8de8371c6208c0dcfeaf564d6e

          • C:\Users\Admin\AppData\Roaming\appcmd.xml
            Filesize

            3KB

            MD5

            f01e192cf16800c99b67daccc5327414

            SHA1

            f9ec74ccbd0a2e61b62620cb31bcb9cbeea7cd25

            SHA256

            2c99d8143cea36ecd92e0fbbd64c0c9853d6c0e09c129c797ba47216bfc4eac6

            SHA512

            a09056a25175be0dae3357103897664383193d2709f8ea830b35f9c845316960a0a3ede2133006ea6664a1f105e1603a5ba1b89d7dc7a0fc6f937feaaf00c832

          • C:\Users\Admin\AppData\Roaming\appcmd.xml
            Filesize

            3KB

            MD5

            a1abf60add7c54a1a444e83b523f8095

            SHA1

            ac7571cde28c55642f44f35e25fb66597233636f

            SHA256

            24c63a00a384d26a929c3285e41822631a846c5c69627360dec267b35c55410a

            SHA512

            a8b35138bc9495ad7ef64dc0c4bbe1fda1f4bf34530c77080be9f54ccfadac96b3a45eb018dc3ef30bdbf6013ec8b0ffd18475516ea680a6308008806d4374d7

          • C:\Users\Admin\AppData\Roaming\arbortext.extensions.xml
            Filesize

            1KB

            MD5

            285746e28b644e1ac847e5c990e32a56

            SHA1

            d1cb002a48fadac4daa7880f3a023d52c5b10ccc

            SHA256

            6f3c48b811d7042d7822f767f5b84289fb8e0697be9ef81020aad650dd6c046a

            SHA512

            2f6a18154552e7979743fda05ae5b856d3274a60e14673021bc3ffc819d737202d5790af4ec699493232cb01a5437f7673d7cd9cb777b40491730bbb40bb0ca7

          • C:\Users\Admin\AppData\Roaming\arbortext.extensions.xml
            Filesize

            1KB

            MD5

            b7a3d5891858ec987692f843d0da635e

            SHA1

            144dfcf7282b499e4b07b3b4ae10bbb5dc23e08c

            SHA256

            a021af7e7c49f2c338f12e715d4e2f853f4f53327dadb73b11d089fb43bf6a85

            SHA512

            c7bb9f9f0cec125ae61617bc2b6ce1b449b736d7bf5d776605d830a4a2e2e9b7957de4b1d146faa403e169052eb54af00f551e392bdc286c190e62df3df3f7f6

          • C:\Users\Admin\AppData\Roaming\arrow_right_disabled.png
            Filesize

            1KB

            MD5

            bfa2f168336eab987a39861125d2231c

            SHA1

            a5db7e462fa06a74e4f1ce13e87ec8b2d8f06e6c

            SHA256

            bb27419f29f973a0e6365a3534bf4fc32182a7b2bd3512dcc4e561f7f543b658

            SHA512

            13fda2115ef335af425262b5e839b5436f396395ca5f780d613b360b3d3170ee9d16609a7f9a17784aeb629b019ec178d5942c5958daa5a7e927ea605ed801d7

          • C:\Users\Admin\AppData\Roaming\arrow_right_disabled.png
            Filesize

            1KB

            MD5

            399856c91725d77cf54be89fb5736f42

            SHA1

            b368497d9c460757b466d08cd2487aea335e52f2

            SHA256

            5000bb746100b29ac857d20248f373d0bfc2bad66c88043e27a68dd0dd7313c9

            SHA512

            3169bf57a46a6900c05c67a3bdd86cbc282fe9a64b5adc784d1097c4d6527ba06eb0ebc0902b953c1664a0a61157d7e34494debabec7dfcc9a2b42e73d419848

          • C:\Users\Admin\AppData\Roaming\axf.extensions.xml
            Filesize

            1KB

            MD5

            af841ee6aa03ff9847d5bdd00473ff90

            SHA1

            2ef974619172b802252ffac7576a3762f6236dd1

            SHA256

            7a28d8ac66543a242f64890404d706d649224b6b43fd4f8f0c20455052b7dc41

            SHA512

            a48523b843a06fe158dc4ca3d9c5ba2346261d33f0515fb2018bec52cb4315f06981d5cb658dad5f4d83c2af49cc36f6c55cb746386b0bfbf8863c0c3b70c9ac

          • C:\Users\Admin\AppData\Roaming\battery.png
            Filesize

            4KB

            MD5

            1ed001d1427fa0a32e4ab6cb81d01ce3

            SHA1

            1a933f36ca48c52ff8085f272c7d66dd249154a5

            SHA256

            e4ead39126138a19651b074531a4dd312a86d0e3addd1ac8c943814b106453b0

            SHA512

            8d279f3dd7b0b5d778b4852e0b5fa3c5bf688a487d581c303813de6bf8edf0395de1559d3cd3a24f7782e491ef1108078bcdbb0c43c837c442b098cc106721b2

          • C:\Users\Admin\AppData\Roaming\data_transfer.png
            Filesize

            1KB

            MD5

            6dcfd632eb0a8124ea05a92209e73bab

            SHA1

            094612b281c4d378ec3def211d60a259bcb41fca

            SHA256

            0b7e998b98af82bbf0e9f8916aa5e1614a3e42d7a79cd2877c7c72690a42272e

            SHA512

            581f7f73592c3cf0999a76a2400e0d385330d0594f12c1fe7e37cdef492fd2eafafaec2b6310000efac34c507a1bc660a7e9d38158c888e3869d19ca3f74acab

          • C:\Users\Admin\AppData\Roaming\en-US.pak
            Filesize

            4KB

            MD5

            375253e9ff91d59171322445c14873ab

            SHA1

            6c2dd2a90b40d7d35f0baa8f762761deae6903ff

            SHA256

            2f5e83acc8bbb76507342f6e7d22728113519e86cc645170035148dc36074951

            SHA512

            ac0762dc5b49da6c26728af8809527dfc1576771728d09426b9459f0cf20dd5982c2054fe1b999c2fbf9e0139c340aa56c2e7867a873620c2c5a839e0a5280f6

          • C:\Users\Admin\AppData\Roaming\external-link.gif
            Filesize

            71B

            MD5

            bae65d05d67c86148948fdf7a773a207

            SHA1

            37313e079df4ee9020c2ff14eedee17b65ac6880

            SHA256

            67ce0e5ca8696537cb2c4fce9e8e945c6134e36945c719c879b9b7288bcd5d96

            SHA512

            09e4b5d0328b02adeca1855c37235007e6d711f835fcccddcc2ed2b0dc5de6cd32a3ac07c97140e376c1e71a362fd59dafe41db697187ecd9bf636d8f8655e46

          • C:\Users\Admin\AppData\Roaming\flash.icon1.ico
            Filesize

            2KB

            MD5

            5b6d410767b3f51805b65bd53047ddff

            SHA1

            7eae072adbc3b102a3e06873f643e5e11674d936

            SHA256

            c665dbded35fd10240134d7199cba83e69eedeb893fdffa73235e5f3ceaacaa3

            SHA512

            45a409739c6f7ef6444d0fd80134941a20806b7248336b5bc76f757107fd0637f292b2827c0b90c26c1bc5ee4fb6658a1a1d6c2a23b55b8b8bd550a2671c04f4

          • C:\Users\Admin\AppData\Roaming\forward_disabled.png
            Filesize

            1KB

            MD5

            875ff3260a35602560fa96c60aab9b09

            SHA1

            457c51cb571ed8c2f66860b884b3897094832563

            SHA256

            e6ca6d6e4408a85d06dec320917eaface8871796c5bc5c7974d99b8415e49e2e

            SHA512

            aab5a58ee6147c1d2dd40722d6ca56df336d49103f08c123936a8efe2f3250a5ce1d0e90c1c54edbb82e1014213aa78b74ea3570c3c53d9a3ad36af37e42d09f

          • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_en.csv
            Filesize

            510B

            MD5

            72846352548853b375cd1966c5b25a3a

            SHA1

            c51c6d5641dfcabdb6569e071c502deacda8d2d1

            SHA256

            97f1d4f62e381f8f65d3e7d3da9f3c5d8194c73a2d30a2d08057d0d5ce30e130

            SHA512

            b4c5a4be9a676323e3f1df1eed60761def150a91e237d830c96413770397df3138176ffb1374580b10abb1466bebc8f8aef99d0a44be0fa29ac5edce3cf9874e

          • C:\Users\Admin\AppData\Roaming\microseism.rjh
            Filesize

            62KB

            MD5

            7be3aa61e943269fd4f504dcd95e7016

            SHA1

            8bcc960f9128d1ff1004174f4f78dd839a5a1684

            SHA256

            92c02f210805bd497e288299ee3da1b46cff3c93da4f5f5af7f65f6e83b5429d

            SHA512

            aa858e3f0e8aaf77b70aea820d808ca01860f0d1e27c93ad361a27830848ed64677327d12c75bd6860434f5be8e98b7f865aa40a00d3429b8831991cd2cd5b69

          • C:\Users\Admin\AppData\Roaming\variability.kpd
            Filesize

            63KB

            MD5

            59b666941a1ca106c9d3a0bf58b7b7d4

            SHA1

            392e93b08a658dea9e24a5ef34e5daf591c43247

            SHA256

            b9ea6983a6eec38a0e120361ca843da7a9f52de1569b5dbab19bd4b90b4a0ab1

            SHA512

            0bc1592ceb10c2e1b774ad357f97ef3757b86a3c1c5ecb89b35be5231330b7c0b02ab36223edcd8b06776ec5540e3183c2378d8a229263454cc53ddb3a99a1a7

          • \Users\Admin\AppData\Local\Temp\nsoBAA9.tmp\System.dll
            Filesize

            11KB

            MD5

            a436db0c473a087eb61ff5c53c34ba27

            SHA1

            65ea67e424e75f5065132b539c8b2eda88aa0506

            SHA256

            75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

            SHA512

            908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

          • \Users\Admin\AppData\Roaming\DumpLog.dll
            Filesize

            26KB

            MD5

            a7071875105cb81943f72ecb7c3d10f1

            SHA1

            7353fbdda3fed9bb8dbec6df39547bdac910c185

            SHA256

            8eecdcb35325eaad230f69747759a7eac9642be32be799db28cbaf4e076769b5

            SHA512

            31a24168d9a37cbff1ee93d2d69e6d50545625e5d2751cd68286aad099894402cbdea1fe2995adc2e721e97dceed213c1886332e2130597b409ac2350e5edac2

          • \Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\wuapp.exe
            Filesize

            221KB

            MD5

            474f76977fa109dd9a1a8a7e51c49659

            SHA1

            aed91b01397c5a067201e0eed886f7fe2acdc02e

            SHA256

            1c77bceb256e2c7e570830558b2084008f961483981d352b874af0e6e2ee3f10

            SHA512

            997f426de2c1942c7eb2efee57946eaa50f0f67e3cf1603b9e9ebf4bf9e09008172c74ca30b34943c25e0dc64815749f474ececc4ac84d5ef2217dd4efb0a1e8

          • memory/896-144-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/896-222-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/896-225-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/896-142-0x0000000001F10000-0x0000000001F11000-memory.dmp
            Filesize

            4KB

          • memory/896-140-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/896-223-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/896-139-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/896-138-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/1388-122-0x00000000004E0000-0x00000000004EA000-memory.dmp
            Filesize

            40KB

          • memory/1584-207-0x00000000006C0000-0x00000000006CA000-memory.dmp
            Filesize

            40KB

          • memory/2672-52-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-51-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-50-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-49-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-37-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-39-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-41-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
            Filesize

            4KB

          • memory/2672-47-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-43-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-35-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2672-65-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

          • memory/2896-32-0x00000000003F0000-0x00000000003FA000-memory.dmp
            Filesize

            40KB