cerber | 7cb371a5b42b54e45cb52e7b45092b5f129e3e77a045bebe01b72f1a82d08af6

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
Size

193KB
MD5

692d49625c7262324ab1aa9d720c3d3b
SHA1

75de252079b1f2d09fa93b5055334d8ca7f09627
SHA256

7cb371a5b42b54e45cb52e7b45092b5f129e3e77a045bebe01b72f1a82d08af6
SHA512

e4e8919b1373abcd3e4ac826a09a9135adfe63a489cb71db7f55dd20759cfd1356f467dbac896036bf0f1a3d18a39030e10b067a081637ec1e5a0e3b78ba86f3
SSDEEP

6144:Ig1KQjo9U8fM37zn2vvwwb2epWa2JlILAkrddCPu0:m9U8Q/SyepWaqlILFr30

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26 | | 2. http://cerberhhyed5frqa.onion.cab/CEDD-76F3-C1C8-006D-AE26 | | 3. http://cerberhhyed5frqa.onion.nu/CEDD-76F3-C1C8-006D-AE26 | | 4. http://cerberhhyed5frqa.onion.link/CEDD-76F3-C1C8-006D-AE26 | | 5. http://cerberhhyed5frqa.tor2web.org/CEDD-76F3-C1C8-006D-AE26 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/CEDD-76F3-C1C8-006D-AE26 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26

http://cerberhhyed5frqa.onion.cab/CEDD-76F3-C1C8-006D-AE26

http://cerberhhyed5frqa.onion.nu/CEDD-76F3-C1C8-006D-AE26

http://cerberhhyed5frqa.onion.link/CEDD-76F3-C1C8-006D-AE26

http://cerberhhyed5frqa.tor2web.org/CEDD-76F3-C1C8-006D-AE26

http://cerberhhyed5frqa.onion/CEDD-76F3-C1C8-006D-AE26

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26" target="_blank">http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26</a></li> <li><a href="http://cerberhhyed5frqa.onion.cab/CEDD-76F3-C1C8-006D-AE26" target="_blank">http://cerberhhyed5frqa.onion.cab/CEDD-76F3-C1C8-006D-AE26</a></li> <li><a href="http://cerberhhyed5frqa.onion.nu/CEDD-76F3-C1C8-006D-AE26" target="_blank">http://cerberhhyed5frqa.onion.nu/CEDD-76F3-C1C8-006D-AE26</a></li> <li><a href="http://cerberhhyed5frqa.onion.link/CEDD-76F3-C1C8-006D-AE26" target="_blank">http://cerberhhyed5frqa.onion.link/CEDD-76F3-C1C8-006D-AE26</a></li> <li><a href="http://cerberhhyed5frqa.tor2web.org/CEDD-76F3-C1C8-006D-AE26" target="_blank">http://cerberhhyed5frqa.tor2web.org/CEDD-76F3-C1C8-006D-AE26</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26" target="_blank">http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26" target="_blank">http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26" target="_blank">http://cerberhhyed5frqa.onion.to/CEDD-76F3-C1C8-006D-AE26</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/CEDD-76F3-C1C8-006D-AE26 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16388) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

344 bcdedit.exe
920 bcdedit.exe

pid	process
344	bcdedit.exe
920	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exetakeown.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\takeown.exe\""	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\takeown.exe\""	takeown.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3020 cmd.exe

pid	process
3020	cmd.exe

Drops startup file 2 IoCs

Processes:

692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exetakeown.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\takeown.lnk	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\takeown.lnk	takeown.exe

Executes dropped EXE 2 IoCs

Processes:

takeown.exetakeown.exe

pid process

2416 takeown.exe
2244 takeown.exe

pid	process
2416	takeown.exe
2244	takeown.exe

Loads dropped DLL 6 IoCs

Processes:

692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exetakeown.exetakeown.exe

pid	process
1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
2416	takeown.exe
2416	takeown.exe
2244	takeown.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exe

pid process

2244 takeown.exe
2416 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

takeown.exe692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\takeown = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\takeown.exe\""	takeown.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeown = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\takeown.exe\""	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\takeown = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\takeown.exe\""	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeown = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\takeown.exe\""	takeown.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

takeown.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA takeown.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	takeown.exe

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

takeown.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp82E6.bmp"	takeown.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exetakeown.exe

description	pid	process	target process
PID 1796 set thread context of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 2416 set thread context of 2244	2416	takeown.exe	takeown.exe

Drops file in Windows directory 2 IoCs

Processes:

takeown.exe692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\sonorant	takeown.exe
File opened for modification	C:\Windows\sonorant	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\takeown.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\takeown.exe	nsis_installer_2

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

696 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2876 taskkill.exe
2156 taskkill.exe

pid	process
696	vssadmin.exe

pid	process
2876	taskkill.exe
2156	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

takeown.exe692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	takeown.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\takeown.exe\""	takeown.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\takeown.exe\""	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6EBF0FD1-189D-11EF-906B-FA9381F5F0AB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d07831aaacda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000f80b580d957eebad4b6b9ef2d95d029abd41244ccd89451f92439e249ddf6fa0000000000e80000000020000200000003d159b43c5d7d3c51e8cfa92860d11e0feda048dac3101db5f07f04bacdc4c9d90000000f445ddfa99575a2bcc56b77a26d5558ba9f2aac0eda70ff4acb3bf6525d84c27a463617e94077917a035d68e81d04dd208fdd81438b60758c0b2b5c79d366252d81b08cb7ed8f83624735c2681aa06ac6e2d3fcb1698b85d8dc5d3933e56c6c4456be9909f871a7fc334f136e836ee12e9b341bbbd9276697ee6a706256a56e41c0eb078f7ef1e08499186b09504ad0140000000a6afd98a8edde2b65c33979bb80f63f43b436cad4f6f3291805fba86e470d947c51dd55c726d075e86c6079e01233bf68da22c5fd9c912e37834a043d14ecf74	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6ECAF6B1-189D-11EF-906B-FA9381F5F0AB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000007b73cb86ada4fddc47fc8f975895efebd2fe303936ed4e22fc80f458f0b1d0d7000000000e8000000002000020000000b6a4c4eee90ee017f1374a70a1f4873b304a74f6ce59fafa768ca289ed9e151f20000000c2ebc8396dacbbec5d8c1efaaa8a64b0a0c999aca4de97cd2412b577771d01ec400000005941e73f4bf198533f8448434d9c5912f489d3a89842aac88b3ecadd31fb3adf32089c804bc09a82834033c2a5df4081e6d6683fc15d48169f43008245c7dcb7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1924 PING.EXE
1652 PING.EXE

pid	process
1924	PING.EXE
1652	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

takeown.exe

pid	process
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe
2244	takeown.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exetaskkill.exetakeown.exevssvc.exewmic.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2244	takeown.exe
Token: SeBackupPrivilege	1984	vssvc.exe
Token: SeRestorePrivilege	1984	vssvc.exe
Token: SeAuditPrivilege	1984	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1784	wmic.exe
Token: SeSecurityPrivilege	1784	wmic.exe
Token: SeTakeOwnershipPrivilege	1784	wmic.exe
Token: SeLoadDriverPrivilege	1784	wmic.exe
Token: SeSystemProfilePrivilege	1784	wmic.exe
Token: SeSystemtimePrivilege	1784	wmic.exe
Token: SeProfSingleProcessPrivilege	1784	wmic.exe
Token: SeIncBasePriorityPrivilege	1784	wmic.exe
Token: SeCreatePagefilePrivilege	1784	wmic.exe
Token: SeBackupPrivilege	1784	wmic.exe
Token: SeRestorePrivilege	1784	wmic.exe
Token: SeShutdownPrivilege	1784	wmic.exe
Token: SeDebugPrivilege	1784	wmic.exe
Token: SeSystemEnvironmentPrivilege	1784	wmic.exe
Token: SeRemoteShutdownPrivilege	1784	wmic.exe
Token: SeUndockPrivilege	1784	wmic.exe
Token: SeManageVolumePrivilege	1784	wmic.exe
Token: 33	1784	wmic.exe
Token: 34	1784	wmic.exe
Token: 35	1784	wmic.exe
Token: SeIncreaseQuotaPrivilege	1784	wmic.exe
Token: SeSecurityPrivilege	1784	wmic.exe
Token: SeTakeOwnershipPrivilege	1784	wmic.exe
Token: SeLoadDriverPrivilege	1784	wmic.exe
Token: SeSystemProfilePrivilege	1784	wmic.exe
Token: SeSystemtimePrivilege	1784	wmic.exe
Token: SeProfSingleProcessPrivilege	1784	wmic.exe
Token: SeIncBasePriorityPrivilege	1784	wmic.exe
Token: SeCreatePagefilePrivilege	1784	wmic.exe
Token: SeBackupPrivilege	1784	wmic.exe
Token: SeRestorePrivilege	1784	wmic.exe
Token: SeShutdownPrivilege	1784	wmic.exe
Token: SeDebugPrivilege	1784	wmic.exe
Token: SeSystemEnvironmentPrivilege	1784	wmic.exe
Token: SeRemoteShutdownPrivilege	1784	wmic.exe
Token: SeUndockPrivilege	1784	wmic.exe
Token: SeManageVolumePrivilege	1784	wmic.exe
Token: 33	1784	wmic.exe
Token: 34	1784	wmic.exe
Token: 35	1784	wmic.exe
Token: SeDebugPrivilege	2156	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1052 iexplore.exe
1052 iexplore.exe
1376 iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1052	iexplore.exe
1052	iexplore.exe
1376	iexplore.exe
1376	iexplore.exe
1052	iexplore.exe
1052	iexplore.exe
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
232	IEXPLORE.EXE
232	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.execmd.exetakeown.exetakeown.exeiexplore.exe

description	pid	process	target process
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 1796 wrote to memory of 2672	1796	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
PID 2672 wrote to memory of 2416	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	takeown.exe
PID 2672 wrote to memory of 2416	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	takeown.exe
PID 2672 wrote to memory of 2416	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	takeown.exe
PID 2672 wrote to memory of 2416	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	takeown.exe
PID 2672 wrote to memory of 3020	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	cmd.exe
PID 2672 wrote to memory of 3020	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	cmd.exe
PID 2672 wrote to memory of 3020	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	cmd.exe
PID 2672 wrote to memory of 3020	2672	692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe	cmd.exe
PID 3020 wrote to memory of 2876	3020	cmd.exe	taskkill.exe
PID 3020 wrote to memory of 2876	3020	cmd.exe	taskkill.exe
PID 3020 wrote to memory of 2876	3020	cmd.exe	taskkill.exe
PID 3020 wrote to memory of 2876	3020	cmd.exe	taskkill.exe
PID 3020 wrote to memory of 1924	3020	cmd.exe	PING.EXE
PID 3020 wrote to memory of 1924	3020	cmd.exe	PING.EXE
PID 3020 wrote to memory of 1924	3020	cmd.exe	PING.EXE
PID 3020 wrote to memory of 1924	3020	cmd.exe	PING.EXE
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2416 wrote to memory of 2244	2416	takeown.exe	takeown.exe
PID 2244 wrote to memory of 696	2244	takeown.exe	vssadmin.exe
PID 2244 wrote to memory of 696	2244	takeown.exe	vssadmin.exe
PID 2244 wrote to memory of 696	2244	takeown.exe	vssadmin.exe
PID 2244 wrote to memory of 696	2244	takeown.exe	vssadmin.exe
PID 2244 wrote to memory of 1784	2244	takeown.exe	wmic.exe
PID 2244 wrote to memory of 1784	2244	takeown.exe	wmic.exe
PID 2244 wrote to memory of 1784	2244	takeown.exe	wmic.exe
PID 2244 wrote to memory of 1784	2244	takeown.exe	wmic.exe
PID 2244 wrote to memory of 344	2244	takeown.exe	bcdedit.exe
PID 2244 wrote to memory of 344	2244	takeown.exe	bcdedit.exe
PID 2244 wrote to memory of 344	2244	takeown.exe	bcdedit.exe
PID 2244 wrote to memory of 344	2244	takeown.exe	bcdedit.exe
PID 2244 wrote to memory of 920	2244	takeown.exe	bcdedit.exe
PID 2244 wrote to memory of 920	2244	takeown.exe	bcdedit.exe
PID 2244 wrote to memory of 920	2244	takeown.exe	bcdedit.exe
PID 2244 wrote to memory of 920	2244	takeown.exe	bcdedit.exe
PID 2244 wrote to memory of 1052	2244	takeown.exe	iexplore.exe
PID 2244 wrote to memory of 1052	2244	takeown.exe	iexplore.exe
PID 2244 wrote to memory of 1052	2244	takeown.exe	iexplore.exe
PID 2244 wrote to memory of 1052	2244	takeown.exe	iexplore.exe
PID 2244 wrote to memory of 2344	2244	takeown.exe	NOTEPAD.EXE
PID 2244 wrote to memory of 2344	2244	takeown.exe	NOTEPAD.EXE
PID 2244 wrote to memory of 2344	2244	takeown.exe	NOTEPAD.EXE
PID 2244 wrote to memory of 2344	2244	takeown.exe	NOTEPAD.EXE
PID 1052 wrote to memory of 2104	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 2104	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 2104	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 2104	1052	iexplore.exe	IEXPLORE.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe"
2⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\takeown.exe
"C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\takeown.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\takeown.exe
"C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\takeown.exe"
4⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:696

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:344

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
5⤵
PID:2344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
5⤵
PID:2696

C:\Windows\system32\cmd.exe
/d /c taskkill /t /f /im "takeown.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\takeown.exe" > NUL
5⤵
PID:696

C:\Windows\system32\taskkill.exe
taskkill /t /f /im "takeown.exe"
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
6⤵
- Runs ping.exe
PID:1652

C:\Windows\SysWOW64\cmd.exe
/d /c taskkill /t /f /im "692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe" > NUL
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im "692d49625c7262324ab1aa9d720c3d3b_JaffaCakes118.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:232

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Filesize
12KB

MD5
c2eb562e06505a988f4fb73c122c340f

SHA1
b2c98e3527e93e09ca91839839c0fa16292dbb4f

SHA256
d09e39d47852068768997e12f37ed1c2486620320a9ac09966fd455af51c1890

SHA512
3d7eb69e5edf46ea55c40760d21a1acdfdcf8ca24498e4259ea8380071dc195cb2033db0efd446516ad684fb05d3e6ce77afddd190f07fe3cb4d65451fd62cb3

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Filesize
10KB

MD5
766635c5dd758e74094b13d96ab8c923

SHA1
a9b07ee68c0689352a9ec45a12bb5ed583495225

SHA256
9852972e8a4c4e5a8307082527f2e0fe45719f1961d264f1d68b9faf5c752110

SHA512
71826b3b86645e5e6fa809bb6ee2cf9ebaf92d94ce66bad27332b4b5ddf68668417519ad2d0b85d2ec22d5438e478adba30aeef071b02dfb5e8d00ba61693a57

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
Filesize
83B

MD5
f4396f4ab01ae0718e54e3bcacfb40c6

SHA1
c869219e5bac9ae909fffa559ad660df6a1142b5

SHA256
030655efdaec5625fa53f29a51ea8278cd9937736b4ac303eeba1683fc88ce0a

SHA512
bc76f1361f8e2448caeca4f590d7bfb2f8adb4d2158fb60fa1ec752d889bcc1e1f2c9e21e7e6b89645545eb9ed6f5e943e1312f9a47b43b94b205617c2e1de71

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
613b03ffff6c565f45e1582eff3476fe

SHA1
3511d2a0c1259040e512d93d14f636ec218279de

SHA256
1cca0c5213af3d8b13aba107b1eceebd6f0b20907d91cb90247ddd64c37f7123

SHA512
106fc58f09844ad6cdaebbdc4f9c5e19a55fcbbb98db6fda105d80a57b1192640f1206cb02518ca6bed2c7e968ec7ba324406854b26943b1ad137b8fe045e8be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1df8e9649dc75ece036ef18876600d6e

SHA1
9332bf2c601ec0553ea3153b9b5913f4af36f923

SHA256
a02460e3d698f721adf80fc6fc694b153f5f4cb1a08a03e238469b98492d02af

SHA512
1c834fa2900eb56edabb7744db483d5ce8f4ef421d4d33d37b0db1096cd9380a7fb0e416a58180962326dd9d7e66c6a29c164845c86555a0f8974cfed1baa33c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
056518de32db5033ee85b5db1fa883ee

SHA1
e1b17a4d9512cc4644c917a91482a3dc458f1802

SHA256
8f4cc3612c7be2eca5e292be852acf5c53114a50722d089be4ee8cab2a93eeb8

SHA512
092999c9ad8729634de8c1dad52302238de20370ae7297cee2e10efe7dce85784d9d2220dc2a82ce7c27ae5cc8516dc6c41a9de7863e21a8c3ae9cccae405ef6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
05ee5f9be1794d19d9ff735513513d3b

SHA1
66fe1477379167f24d73f9954271b43c220a6cb9

SHA256
ec20b138d8a0cc91b8ebc61337053307091a461b155d39bff24b0775fdca9b72

SHA512
26ce7c5b7c2642ebe6861e43199f5c1c44e54dabb51c1e7cc04b445bd5c5c61545f63ff712eab0ab7da1c1efcd0f48457606e4d44773210f4ec44e5db649aa98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4b7e8bf811d808f880327ccc3a1e3f3f

SHA1
5d352cc1f9cf7d5274f75fc6446d7a672574c8b0

SHA256
407f28f767fcd7f1aa550cd3e5d1ec02d56fd3c563c2f6f4a912039debe299cc

SHA512
3e75d2af8fde112a6fde1a35bd66f6f41fb69b7bca7fad3b6321aba984a6a28cc4b8f03286f78d7bdf4cde5ff756de4b5697a4275cfb22e404f989bf8bedc922

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a2be2ae1029ed6fa8ad675fb5541c170

SHA1
8f79e5d8aa9a8affcb82c73f6975c8395bd4e57a

SHA256
37abeba7c9d11d41365234de233ed670abaf81438cce8bfad076719065bbe501

SHA512
28f205668aa68c1402a362e8fcb7f6448fe2b064032363a6a3600a286f12118890ab2584af49d409764a7c837b142bd3a27811deb1976ec03ade1aacb4971947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0162b80c132475113e71d6e6366412a5

SHA1
31fe84af92f8f477cf27b5912ff363b4466cc0b0

SHA256
399ecf0e3ec95026b8b59b843b5f233edeadb8abd1baae38d12c9047de16e223

SHA512
d4dfd05dfacd61aa8903b43246eb12d274dcbb781ed7c15991be0634b238f4f13f9ef8dd8b40cbd841d4c3cfca0985097b78a88aaaf1fd0adc4f8e6d31e7957c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
56d34a060f071e0743d131b8c9498040

SHA1
28b21777db48b89cc85f62f7091a99c913b35b49

SHA256
a5a99e2cf117981d5d627593a30c7f53734c2a706ae49c83784ad1b417eaf666

SHA512
5a577604215a41c8a3b3931cf366211e4b2a102a5e2345958441a2c907605e58b2d1fcf667e16007fbc72a99fc8970f5101fb0d88e2c253aaa75ae5af86433ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5a7d818e5a6dff002a79cf86743cc8d9

SHA1
9acbe9fdd9969b0b31e1184f6ba72c4446df6613

SHA256
4a2163b11fb60cd3171a65e62483e21c510ae96ec90735769f035c991d4ed585

SHA512
1d0611c3edef7451ed99adb3f0d17d81a8d44a0b766eae1efe34ebedac90b028587d90f267db4fc10f587f7f522b7da366cc8f2046df0905551c7a1c342416da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9956.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9997.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\20-unhint-small-vera.conf
Filesize
1KB

MD5
b975a96cc427cde633cbdedc4012aa22

SHA1
bcd30ed6edee417929d3ec6522398d846b8bc2c6

SHA256
d5b38cbe5917e14ee9a5f40e7af5cbcd9f8bad258e139b04ac8913c31df18cc7

SHA512
8fd3bcc244f5a0613921316cc076d6ea98532bff95c6bea3b5cb52d5f80bc8f17126b15e3b951f35cbcdc4eea8a7c816ba84d10f3c98f39d7bd49189ccee8abf

Download Submit
C:\Users\Admin\AppData\Roaming\AlienFX.Communication.Andromeda.tlb
Filesize
2KB

MD5
a8f15a3339682ca7980377defabd5daa

SHA1
e3801b2bde6e84aea9d06150508bdac7c898995e

SHA256
8844bb0d14ba7012615994d169f0ac333dde8f8920343765d15f9de867b3f0b4

SHA512
6dd0f99ffc594718f9f7a729bbf0ea3df3080e6b614cd54a50cf9714e7868f85b548ee5d43f1043f97c0875b23d4f03dfe323d9a8db89a2fc297b47b39c86b25

Download Submit
C:\Users\Admin\AppData\Roaming\Bl normal CG9 CG2.ADO
Filesize
524B

MD5
78a7847d2199fe20f20b9f74bc0da3e6

SHA1
22b536f65a15481f41a2a4da715e608f7d6adb2a

SHA256
137e25e3018879d470db96c595164e5c8e0833b68a0a3e81042a3fd95da4ae71

SHA512
c886d510c6452204e610b22acc98fe618e2cd1357f3a942cb8a1a818bb3374cfb43808831c97152be038bcb6dbbb0bfaa45a96ebc2f3230b3d2c78eee1854dc2

Download Submit
C:\Users\Admin\AppData\Roaming\CDRom.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Cayenne
Filesize
77B

MD5
f1bd84ec59b93938f701f9a9070d1bc8

SHA1
acc3fb90b023f10259f3b8facb4b0b56ac0931b9

SHA256
a574f938db008029983d67222319d8a65c6b859019853730fa662c90eec8466d

SHA512
409b37347c05d1e4d5902075ed3e4ed216a6f5c5d61e728dd6d8ddace14ed2cbb150e1e20d2bae6d43b00358c6ccb401001e59f3aeff8c54d2849d2fdd5171bc

Download Submit
C:\Users\Admin\AppData\Roaming\Ceramics - Satin Black.3PP
Filesize
1KB

MD5
fbc35af6af7262422b3a824d753cf87a

SHA1
67ff4b661a71e7cee887ad129c393c679434c0b6

SHA256
253ace0628e3b45d307cc6b042110dc162d9978e5ac9f57ab49f1a6d186c438b

SHA512
90bae02e07cad3389dbc69f74661b8f59f1c76e79c1ce5556d780df0383d9237d1e1514e7d34d7c057764c31324c2943dc30a680e3988567946d5c76ffdf86da

Download Submit
C:\Users\Admin\AppData\Roaming\DEU.zdct
Filesize
1KB

MD5
a0a1920cffb51a8ac629fe603a1769af

SHA1
7cab3cd12f20a6c76554a58eb70470446b7a63e1

SHA256
e2f92b3123f18a3445303862c16acdf82b133783ac52ed61094168f83935f7da

SHA512
089c78f98acf74217904b9709f33dabbca5e7f40419e24cfc5ca82492f353e4b5a090d764cd8ce842b06217edf34ba6d374b0bc5dafa6729b7d43c5e32a24b6c

Download Submit
C:\Users\Admin\AppData\Roaming\DoggeryEnemy.4
Filesize
1KB

MD5
aae20ea43d67ce40bc6d866a70b5e47e

SHA1
1706fa7f2b1dca427cd145cb4c72f65e9cbbbc77

SHA256
cc7e657855cf4548330614937d3b54182cb53e10d9cec7fa34600c5ff9a35036

SHA512
e02d6fd638168c8ef62b080d483a0484ac8e118c21b4213a9a2339c814aeed115cd4693f997bd551cd6c342fee75cc91f4936260e6e3fe4311e111a40df4b49b

Download Submit
C:\Users\Admin\AppData\Roaming\Douala
Filesize
65B

MD5
507c5da74bb56ad6da2750faa3c8f64e

SHA1
7dce67486effab0a7345f1437ae6d82dcc05ff5d

SHA256
e3dc88b26f87c6821b90e355d1d3dde937c5f6a30a1336d9ba960b1fbfced686

SHA512
5897843a432ab8184fa51107f20831e3c434e1453da4a4e5da2062961ed550191ac97de90815026d218f663b2db3e88528ca5bc7c0638ad0b03d2d3d2b308315

Download Submit
C:\Users\Admin\AppData\Roaming\GMT-10
Filesize
27B

MD5
ab2fd12cd39fd03d4a2aef0378c5265c

SHA1
4a75ef59534203a4f19ea1e675b442c003d5b2f4

SHA256
df69a28476e88043eba1f893859d5ebf8a8d5f4f5a3696e0e0d3aa0fe6701720

SHA512
a82567f84dd4300733cd233d1b8fd781e73eaf62f2f6d5e33a4129418d9b0dfc1001e1fa3deeed9a8129acd0ecc0e1153bfb154f93f26a4ca484c04e753808bf

Download Submit
C:\Users\Admin\AppData\Roaming\Galapagos
Filesize
77B

MD5
7048a4d6c77facefcd38c7418d39126c

SHA1
357bc583b9afddbde17aedbc9b4d220fa0224aab

SHA256
d663435280539a288025947885bcb8d3b91d0100feed4d9432229a6256eefd70

SHA512
973a2ac14b49aaa96131267777abfac5e7e68a0f1ffaf1fc8bceb0c473c11d57dfcdd3d116436fdf5e729157b5ed6a836d3ac641442eb96a44b4f14d989e868d

Download Submit
C:\Users\Admin\AppData\Roaming\LollHydrozoa.C
Filesize
72KB

MD5
fd0e8728573a5a7fb1b8fa29a1257312

SHA1
3d2b763e337ae69e7051c83abd10b6feb1735ef6

SHA256
bcab1099e4a1bce2cfa8a473aa24ad708b92cee25bd177047b953591cd6a2d8c

SHA512
e7f467f4a80f7b1f1dcc35f1440590deb8e8a44ca55d6d1e060f7bcb728715cb99b8b57dd61b552b4435ba0601135e2345971c2a88221357608f857187d9bf09

Download Submit
C:\Users\Admin\AppData\Roaming\LollHydrozoa.C
Filesize
113KB

MD5
6fb6354584292ad46c8edfd5cf3438aa

SHA1
887738445e8de50efdcfde2156fc05e7d4f45c95

SHA256
c602af4dea2fe1e01974279adcd658e2b1d7b47ff180b772a562df42c24910b2

SHA512
344e89736574bd7c1aaf0a68b3e5f36914589cdb8cfb74fe97d6c2168642635adc9b99231eb42476bb83502d5c74c9911366903f9c9badf99d7dee9d4381c69e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\takeown.lnk
Filesize
1KB

MD5
a057aecfa2524a71c697463f4ab51343

SHA1
d4a5ec4d914f89d2060b80bc230e94ee6f376cb6

SHA256
0240f874a4366334c6be21232b3d9d09d4a700f18117c22e431014eea418175e

SHA512
0541b6fc655874eb709f38e09bd00f913283eb68918e72426df19c3d9e6f12ba8fa7b7476e48bfbc2552b75da19b77067e2f562f6393370dd72b330850df9fa1

Download Submit
C:\Users\Admin\AppData\Roaming\accelerometer.png
Filesize
3KB

MD5
1ba080b4e29e9827732eeaaf67c3fc22

SHA1
180161a0e0a6bed927560b783eef4fdec7d74b70

SHA256
82606606c5eb7b5978a76344576e7bfe245a611c44a7b9c45bc433e114292209

SHA512
c056df28116d5557cfeb0e7c1b77e48ec0235f3f55efb3e7b5efee2416ae9d081529e1db123b0895efc0ff4d2c2e196bdd916b984763c0c5281c3bae2aac0b6c

Download Submit
C:\Users\Admin\AppData\Roaming\accelerometer.png
Filesize
3KB

MD5
ee605850778b585f63c6382ab05e8112

SHA1
4463ca8edb3c221fd0bec825822d0f77b71d2e10

SHA256
583e9114740dd5e71aec0a4bab86d644c1856a3008d248f41502fc4368b62398

SHA512
ab521ba8d4b06b0d440d80a50b2439ec983a26df943021c82a9cabf931c352e11e6f8e12c5b97ffaed30ea60bf989c04fe5e96237cab6dc06241c19a4464e50b

Download Submit
C:\Users\Admin\AppData\Roaming\align2.fo
Filesize
4KB

MD5
6d15c389b1bfb4b7a17ef21caf24d6b9

SHA1
59c55d3ad5102c2c1e564b06d97f16f7ccc081f0

SHA256
c99d604ad00f822c02baf37c058191fc9469fddd02f5091381301a3fb03aaf84

SHA512
c4667982b0b04d8422262a95ea457072cfc12e59d509e17ab89aa86b3133254b1910a08fd348054bcc28e3928099d2a49fb86488e75f4bbfbfb746ab39249064

Download Submit
C:\Users\Admin\AppData\Roaming\api-doc.xml
Filesize
3KB

MD5
122a8a2fa7fcb0dd3fc16f837feac89c

SHA1
81abf451ed1adb6951d8c0b067bf53047cf59480

SHA256
ca3cc76ac417d68ac6fc56022e5c0225a54e04ed05ee66acb01be6eaacc8de57

SHA512
aa5c44fd4f596c5233b96eb7874b3cd7a395af61479ecb5c7bd5d4a84c3a104c06754dd718d4fe3b31efa0f506789523f7278ad77e355de7001583b50f4bc0a6

Download Submit
C:\Users\Admin\AppData\Roaming\api-doc.xml
Filesize
3KB

MD5
7f23a7c918f56472a67bc12a484666eb

SHA1
e5ba28ad8326693fa958fc6a6789b54ca2ff36f1

SHA256
134b942cc0bf9a2a8d8d45e6db47f0ddbec9fe4a6bd9f1662d2dcc5fa59e110e

SHA512
26fa8c8a603baa61af74d455d65a8edcdb64c9186e0fa36b7d9d88526aa88dea96fdf1a638afa1925de2fb3d0c770e01c22d2e13dd7d2731e8372e59ece4b0ea

Download Submit
C:\Users\Admin\AppData\Roaming\avalon-framework.NOTICE.TXT
Filesize
622B

MD5
141edc03b0f0c08bf8847a4d20a2d140

SHA1
8fb3d2fdebb7f5cf86e7d33b22b676f37a6a34eb

SHA256
c19de564c3d24b412a55e8d39cc4aaf4b226ad1d87e41f1dd676e82e6ad2f56a

SHA512
15ddc9e4cc13121c3687494753ce2a3341bfd1c9263150c32620000ca2a1839529f9c497f75c41783e647e49229eb518b382b3ac229cc08c134395b06614d1cf

Download Submit
C:\Users\Admin\AppData\Roaming\avalon-framework.NOTICE.TXT
Filesize
1KB

MD5
43371820d7a11745eeb6813d15fc94cd

SHA1
c41482683de11d1d9d27a5aa4141fb1aadb57494

SHA256
027de7287f9c3f732294e110cd2c6ef99718bc2ee9e4a3a0e7465598131d3e30

SHA512
a42a4d130fcd0fd7bb41dbb4550e0875d9279b5d128abdc69494d4f9a1b3f65c94f047256a0a6a391dfb211303163ae7c0f82ebe07a6cd0264121384be4c1c10

Download Submit
C:\Users\Admin\AppData\Roaming\blockquote.properties.xml
Filesize
1KB

MD5
845bc4c74a706d4fcc22654dcd817b77

SHA1
94ea635dbf17327dd4dc8f7ba3a4f408ee4c283e

SHA256
d9f6c4fbbbd234bc476183ebdda29ac7bcb9828e6c24ba486fa51010f09f9d0d

SHA512
de22092beb894c3608a2065e55b871d1173bf9946c90f6f2f63a6bcf7228c04b1a155d81ef6fae165ce223b973543e6fab266b0bb8b5681e9b2b2f524dd44efc

Download Submit
C:\Users\Admin\AppData\Roaming\blockquote.properties.xml
Filesize
1KB

MD5
f707c85cdc1c0a824de1f29fbdacd702

SHA1
d5c240fcb8b7c74520d0f7230c3ca5175b58bbfa

SHA256
b8ddd987485b30c962ba7deb9d1fcb8c9e2215e3b4dd17b3a29d9d60c856722d

SHA512
939d0cedf335caf940c075c76cfb3fe1bc7f71ca8eeb0e9f2d257a34c8689e3569e1bc4317aea0aa1d4df1c97217a67c277ddd8b29326e4ff7dd148b46c3d330

Download Submit
C:\Users\Admin\AppData\Roaming\cd.png
Filesize
528B

MD5
34e2a72a9cb9e873db413b020d7f1845

SHA1
33138bd1581d3179e66eb921e1f65b7e8766cb63

SHA256
d26464766b63c4c361821355ca7a36ef288ef72fd6bad23421c695e1dd527743

SHA512
8d9e5fec081bf5ac6e4a174afa13f3ee108d7a3e917151c6fa2e02d313d01c54f5c33693ae6e8113e51a192b9323ef469fe0fca5b4e149b2f736132eb73b73a1

Download Submit
C:\Users\Admin\AppData\Roaming\cd.png
Filesize
902B

MD5
5c118e2bf890a435458b013777f72a5c

SHA1
c65d965399deec873ca3d15befbb31241e6e5521

SHA256
5d34cdc7d5aa9e3548ecd8a47bf6ecf9a2b98492e538c6214f5667eb6bf067c5

SHA512
e8013f21abfe41f2a6ba031443d360418b9e4e1486b2f85f86f4894aa4a71a2d394b59cfa208474b10e4d2b18d29a1a04e6b298bcdf34293aca0b67fc8f3dee6

Download Submit
C:\Users\Admin\AppData\Roaming\chunker.output.standalone.xml
Filesize
1KB

MD5
e2354cd47591d74f5a61a19883fbdc2c

SHA1
d58a5cd7b4c5a079b9acb4e997abc4da2afa9689

SHA256
a2925342edbd48f4331e3aeef6ba1510d6d7b11491bb3018018f919b32004767

SHA512
c62d71ac866786cc3f53f7141d683fca1df423ce012c81360dcf4ce6382989a69c9e2f057201368d5b7f214cc1aad95b1cabe7afaf249216d440096fb91e9f57

Download Submit
C:\Users\Admin\AppData\Roaming\chunker.output.standalone.xml
Filesize
1KB

MD5
997b445d6e718cf3f406b0413d327eb0

SHA1
8098754fd685b3728035b112d60a8540e9546aa3

SHA256
81fe7675fc2ed75785d3969134ecdc162c7db64dcbc0a867fb58b99701afd7f7

SHA512
e8d55fb933b8987123b106a75fe0dd9862adf8a8549b87eb63494554b3523482e8701a614bb312045b7a44ef78b7b70e7141a5d6fd2fb9c9ca69824c029dbf06

Download Submit
C:\Users\Admin\AppData\Roaming\circle_grey.png
Filesize
3KB

MD5
693eec136696d302ebb4809c17eee379

SHA1
48c775da85fd3d8a16916ecd2a9f1c7e129d211d

SHA256
bc8265a277131cacce41e6eeed1af7ede2970dce0f3441f564d9cc6eae0c4253

SHA512
75190909435bd7780123bca64f6f0a15bff9b6185c39d360f2b3c43b7220d6953394ead1f8585a5eb8abad62e8b99ddff91ab778b410d73c4c36a145a49b24a4

Download Submit
C:\Users\Admin\AppData\Roaming\circle_grey.png
Filesize
4KB

MD5
a33863f06b375ef56fbb15e2ac4b1b01

SHA1
26c9c16949f7e705d81a226daa402e3d1fd5a9c3

SHA256
2e5c9f35a09c1adbbc4a9f569261657bb48bae37750c1bc73d9bf433db3223a6

SHA512
2cea8451db0d48d71c0e42abfce40c60e0fd5d33ae9ecba265d7aa6433ed3bb4b13e26d4b9b0d570638fdc423878075f31f1a41c8364662bda9aa242a94eee0d

Download Submit
C:\Users\Admin\AppData\Roaming\computer_server.png
Filesize
1KB

MD5
0d1e3dac895dca29ff395ba7d80d969b

SHA1
e8a09ec49a1810870aabf93f9979d344311d64cd

SHA256
0fbbbacddd6916a82ee1b426087bee5d1432dadf206e1a5107ca06b3b9c573bc

SHA512
240e57cc7284b9076b81ff538d9dc9230a7a3431cf949d38c4eaa089355b7d5f29aa64c84a4adbaf822ccd497478ff57cc3606e6759ef528038cf465be924bf4

Download Submit
C:\Users\Admin\AppData\Roaming\computer_server.png
Filesize
1KB

MD5
4dad62f21eaa41acad2be1be0c3e66e9

SHA1
15864c99b24ed9d49eb2bed44655e8fd156af031

SHA256
d063518e7085b342aef4a975b4e462c6f0c48a83e0503a5390700f62d405b32f

SHA512
d4c43e1033b020151a503c33dcc1c0cd232a7ed8d92504bccefd33781b43465aaf6060fcd5224e57aed1ab72094187c8b7de53af7d20ac061df1101917f84a9b

Download Submit
C:\Users\Admin\AppData\Roaming\computer_tower.png
Filesize
1KB

MD5
015376a5201dc25af8d663f552f31358

SHA1
8b9ddb51d7567a9d24b8871b860ec5d4a1477833

SHA256
698002fad457b5ed22614542e0444e7dc1fbf0f65f1b224370e0dc305535bb29

SHA512
173be5a8b2696787fc3103b7eba2c8435aff89bd648f368915fe5d6fed1d2927b0f09bb3b34ea3b28a6cebd3a357ed13511b44813ad4c596d61725eabd0ed853

Download Submit
C:\Users\Admin\AppData\Roaming\computer_tower.png
Filesize
1KB

MD5
33c026fbd548e7fc9fe92488d28ce5a6

SHA1
7e34466bc85fb0a189964f27f29f5c4316229997

SHA256
73fe2d2fc130808488a5fdbfc18b01ed87586a09b91a82f416abfe767f665510

SHA512
7b45f8e1f19fedd755d614844bf623ec87ad3bbf33e9603ef4eb08efcf6c144f0fadbcc0ec7eb7fecacc5bcfe7e8049c01c055236f0b4830fc3d7ade634be7fb

Download Submit
C:\Users\Admin\AppData\Roaming\current.docid.xml
Filesize
2KB

MD5
af2b618ab7544ac177b606d1f09d8ee5

SHA1
d0445fa7e1d756e9e71328c21a5d84d965aaf0e6

SHA256
2fabcbff86d1565f04451d59ac3db4bca606536f52624ec29e189bd0249d927a

SHA512
6b0a15682aa9ef58217599ff4e7a259e83d7f56d6fb22d38217cd25230870c2736cb688fa42b4d0510008bdc20eee8db3baf55df2d6c3b15fca45944b9a83044

Download Submit
C:\Users\Admin\AppData\Roaming\current.docid.xml
Filesize
1KB

MD5
a2d8e5f7b80864972a48122b656da14b

SHA1
82c117f350b1ba817786c1cb0d7bb386a96c0195

SHA256
47466d3066418122e25eeba2c9512b02494b86f1ce563c4aa969f18ef0a06087

SHA512
37f01aaf81fed0a7e9fee954aa87d09e10aee868293a3dc5fdad9e0d445b8c6f68dc8732be8723af01bb0c81b1778a83d9aaf074e8d7f2a0de6447d2e89a45be

Download Submit
C:\Users\Admin\AppData\Roaming\desc_da_DK.txt
Filesize
144B

MD5
44002cb7265d57c2efb2405ead505361

SHA1
21c2d1ce026d1986b3a7d7e794ac145876e961fc

SHA256
798a4ba9dd36f8ea4b273774f3e437db5de06d314199cb6a6264eca249bdae0a

SHA512
d815cbbcfc7f8238d2bc55c1a7b72a30081a9c976bc8726685c73460134df6ecb86876a74413a3926345989a7e9434b507e2d05e89221039538b8b9345aecbd8

Download Submit
C:\Users\Admin\AppData\Roaming\desc_da_DK.txt
Filesize
534B

MD5
8a879a3be8d3c4ae6c57aa1676e8206f

SHA1
efcfc5d38ed5464fe93a46845964804371fdd41e

SHA256
e8e9bcd28e20c84e62392bc9fb1ef370a1e66a12102b3fc77848ab79838bbc40

SHA512
ea46047492e28753393447583ee12c6c40bb1d1f49b43ed9ab3e6c17658e474df74bf00c19522638fd9eb16bf6a23ba87450715007953fabbebb8343042b3d0b

Download Submit
C:\Users\Admin\AppData\Roaming\doc_to_html.xsl
Filesize
423B

MD5
cb43650edd662a8f3db2032c0d55c3f3

SHA1
1544d7f37cf53169191c845187b1b02be0372479

SHA256
38187ff4172798fe3ca79b1119e1d7d64968bccd147105b937db86e5298d6a13

SHA512
dd7ff292f86ecac1ab859f1e9c3780dfeb2f5421738470d0e02a39a9b7e000956a915397b919438b215cd274a3e88d8141838f7a89f114dc97ddccc58f34fa53

Download Submit
C:\Users\Admin\AppData\Roaming\emphasis.propagates.style.xml
Filesize
1KB

MD5
60da2c6a3e10063de5912c28e01b9358

SHA1
6963cd1c8247cbff37af80f987778919cb564986

SHA256
14dcde80b73461aef532d23033422ce9f28f3ae626f673b541a1ed2d51c02d81

SHA512
158610b57935627aa2b6f5d94a9ec124d17147cbcc6c8edc27e2a1e5cf273b3f8ffa13a5101451ff2bef8966f1f375d1f1022513e7359620223c1f369d679766

Download Submit
C:\Users\Admin\AppData\Roaming\emphasis.propagates.style.xml
Filesize
1KB

MD5
86bde70f54a5203823187bbfd9ce825f

SHA1
41fb4ec4fbd65de6800968ac6dbee9cebe1eb789

SHA256
d01a84df59175aa56edb97ee304fd762f21f981eb59b10acf20de1e530532317

SHA512
6be16ae224aeee38c885b94fb0c2747ff83381baaded692ef1349686a36f42dfe401fd01db1e0c693709025328fb6e4c90907a5f59371cc2292ac3e0a3f2626e

Download Submit
C:\Users\Admin\AppData\Roaming\eulaver.xml
Filesize
2KB

MD5
4b530c9021b0ae3c1c2975abc97aa875

SHA1
0d1ee4a90f846b6f31baa0edf4761ace45990ba4

SHA256
49ed20b2dcc05781152a7309f66af98c64740288b2cea607ad7a18cfcc6b7363

SHA512
5160223bb5d566c21606e5e549548d2186f28536ac32909e53dc9c44685da802c79953cae9ff9d7ffb5d7780ef540df86ae3e0c419c464c310196f83f7336323

Download Submit
C:\Users\Admin\AppData\Roaming\eulaver.xml
Filesize
2KB

MD5
b8403bed485ab2bf409901580574bae2

SHA1
f1b17751d3f08b77ed8f0b1528ebefdc72081626

SHA256
bc2165aecccaa1d0ec5cb14f147a19d265d944f10ca7c69b9c61709a63c5b866

SHA512
2a0d9054f9ed885884122042ba065c84b833b12bdf0997ea5e8f1c1b16d422de36bde24d15910eb0a54513c31995bdeb1a8ab5ebbe479efb27e1070e72168aa8

Download Submit
C:\Users\Admin\AppData\Roaming\f23.png
Filesize
1KB

MD5
0f884e9388b6fffc5de9d324b4f95617

SHA1
cec9666ef356e6f0aca6c1ede0738d0f2a03607d

SHA256
3cc0220661f961c5b4d1ec34cc7ff992dda8e2c559e29982aa062310fe6b392a

SHA512
9c16136f1e9ca2e39c6b1bccfde2062a98b0600a5d3f420c12cd1d65ebf5b613bd1e09c3936e790ca444a32a81058e7e3cf7f2f11ce7f518812ea8c725fbdac3

Download Submit
C:\Users\Admin\AppData\Roaming\f23.png
Filesize
1KB

MD5
45420f4841725eca01c0c1aa0b50d929

SHA1
96a428409083c1ff82f4e96c059d46cb04e67248

SHA256
f4b071eda7c3cb79b5c24b6e06c0c7d92837c986ec8b2f3390fc4aa106a02bcb

SHA512
283f6beea617368464ef349e0130a7f94e1cf2f7ff372562c390a3781cecdde390b7ceca4f1f7826210c33f7930d8f630dcd9514161d3f1b9612c37d44c0d2a9

Download Submit
C:\Users\Admin\AppData\Roaming\fingerprint_reader.png
Filesize
4KB

MD5
6b176653c2fdc5292b800b53f432fef4

SHA1
2ede66a55fda142028e76fb242f1fbf054cfb809

SHA256
ed39cd849e431ac5088e5a9fbe69a60431e7c3ebf29c97390841f2dccd4a5d68

SHA512
248bb2887f4b960e0e488df963664133ee6d163088fa66b5eb9d4c2c0f38f508f8fa2d4cf4bfd25fb2b1fdd439a1062daf7952d44e860467fb5daf20339f34d6

Download Submit
C:\Users\Admin\AppData\Roaming\fingerprint_reader.png
Filesize
4KB

MD5
e11e50b6b0c100c5e33de2bf7e3bc1a9

SHA1
8998b22a7a6f09af17778498fb57be954d20615b

SHA256
bd3b6b08f0ccd51399e7b1264d420f9bb8dcaec91e2015251448faca6be638f0

SHA512
dfcadd649085d3278885b27be8f3d6ad0cc75b5f3f03c90671f04f9acba3b407a43e3fcf249aa03b265cf89e7e171912f5c8c9f732e3fa29b683ad458ded9a12

Download Submit
C:\Users\Admin\AppData\Roaming\foil.subtitle.properties.xml
Filesize
1KB

MD5
995f50d723abbbeb19a6834adf3bcb6f

SHA1
d77fac32ae23fb5516d5f1cf3b985168df35e307

SHA256
b40604c8ae4926d8544cfdcf6b4e273470b19e6eb6db73bced68831fca05b947

SHA512
2c466bd25596b3bd5924aefc8988aef5cdb1fcef18102a9905fd21258c08fd00ed398162497f40327f20ab40191f3a575b7bbea69df08f973d1d0bec9b0effb4

Download Submit
C:\Users\Admin\AppData\Roaming\foil.subtitle.properties.xml
Filesize
1KB

MD5
e4816f4b84080ffb674b9815de315a41

SHA1
5a24fac8c4539f5404f29b24e8c0f8043a0c68ab

SHA256
88493583c17e7d60892dc4b9d994d0eb2db18f74c1b5a07079010032f8df356b

SHA512
f2610922662a4589663a72a4f01629e276976bff2f4954af5fb0545f3f5952b84717b8a9e6dfcf0a42a8af0f556c6025d50573d8e2d58f892c72c18b8a6fa35f

Download Submit
C:\Users\Admin\AppData\Roaming\generate.toc.xml
Filesize
3KB

MD5
5fc0c8ac6cabc21967a723737bc87c78

SHA1
6c51102214d373bd9b8de58c85c061b8d2bf2c92

SHA256
255e2052a1946fd83121d825cb918ebad2e517667deeafd9c3917249e263ea77

SHA512
0508114186ca71a574b0fec9b8c255f2e673b5c3b8552293fc109c1388940127a62b194457bb0cf4309c187c85d4336b01e00255897367f2bb440f2649411dd6

Download Submit
C:\Users\Admin\AppData\Roaming\generate.toc.xml
Filesize
3KB

MD5
3b9b2c5f6604d641bc1a33c3c497e8aa

SHA1
05504abcac5925af35bd2314a5004af867be0263

SHA256
26f3d36b98a843ebd3e9cd26dffa200dd50bbda6812bf5c38fe509f8b513fd65

SHA512
d0afec6f20b93d21bdd978119b6c7b95a0468a3357a432389e64ce10ad707938b1aff4b475f72ef95bf08308d15dc4dd6168444f97ff60adce3b5ae7ff86d275

Download Submit
C:\Users\Admin\AppData\Roaming\getOpenDocumentIDs.jsx
Filesize
175B

MD5
a6b21e84cfffda8936b29e7c9a99be33

SHA1
52c8d102768228cf95165ce94482efe077250693

SHA256
16aebcb843ceb74d45a814c633c1f2fc2577bc8ab485da16d20700efca8b80b7

SHA512
f049f65179fd715123f193f18c201ee23b05589dc16f9c08d4d04b4deabde2b01fb63cb905e09ed3bae6ce17ef290b26d19b66fb3a724399f450b0ba8d2ca4af

Download Submit
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_no.csv
Filesize
518B

MD5
e54f3471b7e6ae44caa1b0fb2a32325f

SHA1
5046d257620818cc3605ef367e40b2e001241cd0

SHA256
a30f37f7a171ed62ef468ada6402335fc68fe3595cbba75074c1abbdca150fea

SHA512
5b2b3aa8239bfb9e34e321dc77a11ab2fa99ad4c9d3ff1b74cc26c1d0daf8caf891b2e634bae936e4cefc98b9eafcc698ffefa94d4a6c90b4462ec02b1e28af3

Download Submit
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_no.csv
Filesize
930B

MD5
a4d875abcce00327c3134c40b86b5905

SHA1
06e88972b9fad42b63e3df7f6081207aebb924bb

SHA256
c266d05600fa318b76b26b8d09c895ce3f384b9aa8a27b1e651c7f658ff12826

SHA512
224b1acbc46bd070cc014e1d5fd39468a9d03a4efe3a8fcb2254524d83d0b8a931d91f05de1d82e20c4477be85429cc1e158c9c16fd0c6e3f567caba9f417cf7

Download Submit
C:\Users\Admin\AppData\Roaming\graphic.default.extension.xml
Filesize
1KB

MD5
dce19c4ad3b7842c500c027db54e3148

SHA1
23b846660e86747dc5ee4d9dbd94c660a0cc6407

SHA256
a3d8ad61f0a626d863b656593638891211e68e94eee5b606f5445f7d8673799a

SHA512
5bf54e083038c9958b7f4cf74a2e3a49eb15878601edeacb3b062ab771f9d3ae50262164e5d65c076730f63a0065059aa7932cc5ba939c9459b28038b122307b

Download Submit
C:\Users\Admin\AppData\Roaming\graphic.default.extension.xml
Filesize
1KB

MD5
e4caaba9bf53b5b491fcba85640824cd

SHA1
895ae077063cc5975404598ab2255c99d99f03b0

SHA256
7ee2e7c658521f1045f6a2a45ed7705f9531418b26b56fac0a9c29b5e48ba403

SHA512
9e28381d70c53e65349bfa045cc24e5f38d4deb6c2b3931d4d2c02d308432b82a34b4f940e26806c5cd2b1688422fd3db91cdf3714cf641fbf27b71ab4f5e82d

Download Submit
C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\takeown.exe
Filesize
193KB

MD5
692d49625c7262324ab1aa9d720c3d3b

SHA1
75de252079b1f2d09fa93b5055334d8ca7f09627

SHA256
7cb371a5b42b54e45cb52e7b45092b5f129e3e77a045bebe01b72f1a82d08af6

SHA512
e4e8919b1373abcd3e4ac826a09a9135adfe63a489cb71db7f55dd20759cfd1356f467dbac896036bf0f1a3d18a39030e10b067a081637ec1e5a0e3b78ba86f3

Download Submit
\Users\Admin\AppData\Local\Temp\nsd21C4.tmp\System.dll
Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\CDRom.dll
Filesize
56KB

MD5
92a13582da4813aec5794923570e317d

SHA1
8a95e3b7b1183791bfbbfe180503628781772a23

SHA256
d8ffe6a076b98e5fbe727629a1e0e8fb700bfb17d42fd97be93073a85758ff36

SHA512
71fa245f672f0851cabcec6f6703201fdd1c305d2c2ef85efc61cea1f39ac06934190dc0c8d6b7bdb7544e9f66e57314b2e73d1f4c51525cdffcd3d5998b6217

Download Submit
memory/1796-57-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/1796-42-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/2244-178-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-180-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-185-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-177-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-173-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-171-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-170-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-184-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-200-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-153-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/2416-167-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/2672-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download