Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
31-05-2024 15:51
Static task
static1
Behavioral task
behavioral1
Sample
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
-
Size
261KB
-
MD5
878a47f7dd1e1a6409debe922daaca1a
-
SHA1
87d2a81c575dc2494fe26e5d883f66155ff4a847
-
SHA256
e6455cb52653e906492659ee0624ac089690ea3ad2e91a761746eb9baab47489
-
SHA512
692c790e0487f2af5cf020f03656939a1a3a8b2257b1f0e6ffd8260139a88e5348ccaa11c1d24664480f644d1e412102aadf73614d5bf239ca128a09c1636b4a
-
SSDEEP
6144:fwHysdQpdJ3hP3GmPDI8GciVatKlzxSWjrXQdUqZ+iuBK:EdQp4mPDSU8II8EiuBK
Malware Config
Extracted
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
cerber
http://52uo5k3t73ypjije.vrid8l.top/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.hlu8yz.top/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.xmfru5.top/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.5b1s82.top/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.onion.to/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.onion/6894-3DB4-F2B0-006D-FE93
Extracted
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
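As an added example (not part of the sandbox report), a small parser that pulls the payment URLs out of a ransom note like the one extracted above and turns them into indicators. The sample note is constructed from the six URLs listed above plus the "?auto" variant the sample later opens in Edge. The host regexes are assumptions about the layout seen in this report (a 16-character onion label fronted by a throwaway clearnet domain, a Tor2web-style "*.onion.<tld>" gateway, or the bare .onion); the victim ID in the path is per infection, so it is kept for logging rather than blocking. Function names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the six URLs listed under "Extracted" on this page,
# wrapped in filler text so the parser has to locate them inside a note body,
# plus the "?auto" form the sample handed to the browser.
SAMPLE_NOTE = """(constructed filler) your files have been encrypted, open one of the links below:
http://52uo5k3t73ypjije.vrid8l.top/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.hlu8yz.top/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.xmfru5.top/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.5b1s82.top/6894-3DB4-F2B0-006D-FE93
(constructed filler) or use Tor:
http://52uo5k3t73ypjije.onion.to/6894-3DB4-F2B0-006D-FE93
http://52uo5k3t73ypjije.onion/6894-3DB4-F2B0-006D-FE93
(constructed filler) the link the sample itself opened in Edge, query string included:
http://52uo5k3t73ypjije.vrid8l.top/6894-3DB4-F2B0-006D-FE93?auto
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Victim ID as it appears in this report: five dash-separated hex groups at the start of the path.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})\b")
LABEL = r"[a-z2-7]{16}"  # v2 onion address label: 16 base32 characters
ONION_RE = re.compile(rf"^({LABEL})\.onion$")
TOR2WEB_RE = re.compile(rf"^({LABEL})\.onion\.[a-z]+$")        # assumption: any *.onion.<tld> gateway
CLEARNET_RE = re.compile(rf"^({LABEL})\.[a-z0-9-]+\.[a-z]+$")  # label fronted by a throwaway domain


def parse_cerber_note(text):
    """Pull the payment URLs out of a note and split them by the kind of host used."""
    parsed = {"victim_ids": set(), "labels": set(), "onion": None,
              "tor2web_hosts": [], "clearnet_hosts": []}
    for url in URL_RE.findall(text):
        parts = urlsplit(url)            # drops the "?auto" query for us
        host = (parts.hostname or "").lower()
        vid = VICTIM_ID_RE.match(parts.path)
        if vid:
            parsed["victim_ids"].add(vid.group(1))
        # Order matters: CLEARNET_RE would also match "<label>.onion.to".
        for kind, pat in (("onion", ONION_RE), ("tor2web", TOR2WEB_RE), ("clearnet", CLEARNET_RE)):
            m = pat.match(host)
            if not m:
                continue
            parsed["labels"].add(m.group(1))
            if kind == "onion":
                parsed["onion"] = host
            else:
                parsed[f"{kind}_hosts"].append(host)
            break
    return parsed


def build_iocs(parsed):
    """Turn the parse into indicators, refusing to guess if the note is inconsistent."""
    if len(parsed["labels"]) != 1 or len(parsed["victim_ids"]) != 1:
        raise ValueError("note mixes onion labels or victim IDs; inspect it by hand")
    (label,) = parsed["labels"]
    (victim_id,) = parsed["victim_ids"]
    return {
        "host_pattern": f"{label}.*",  # the stable piece: the onion label, whatever domain fronts it
        "dns_blocklist": sorted(set(parsed["clearnet_hosts"]) | set(parsed["tor2web_hosts"])),
        "onion": parsed["onion"],
        "victim_id": victim_id,        # per infection: log it, do not block on it
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(parse_cerber_note(SAMPLE_NOTE)), indent=2))
```

The duplicate vrid8l entry (with and without "?auto") collapses in the blocklist, and a note whose URLs carry two different labels or IDs raises instead of producing a half-right indicator set.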
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, OposHost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\"" | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\"" | OposHost.exe
-
Contacts a large (528) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. For Cerber the usual cause is its post-encryption UDP statistics beacon, sent to every address in one or more /24 ranges, rather than a service scan.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
OposHost.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | OposHost.exe
-
Drops startup file 2 IoCs
Processes:
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, OposHost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\OposHost.lnk | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\OposHost.lnk | OposHost.exe
-
Executes dropped EXE 4 IoCs
Processes:
OposHost.exe, OposHost.exe, OposHost.exe, OposHost.exe
pid | process
2160 | OposHost.exe
736 | OposHost.exe
3932 | OposHost.exe
1440 | OposHost.exe
-
Loads dropped DLL 9 IoCs
Processes:
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, OposHost.exe, OposHost.exe
pid | process (repeated events collapsed, count in brackets)
316 | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe [3]
2160 | OposHost.exe [3]
3932 | OposHost.exe [3]
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, OposHost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OposHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\"" | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OposHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\"" | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OposHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\"" | OposHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OposHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\"" | OposHost.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
35 | ipinfo.io
-
Drops file in System32 directory 1 IoCs
Processes:
OposHost.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\barrow | OposHost.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
OposHost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpAC39.bmp" | OposHost.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, OposHost.exe, OposHost.exe
description | pid | process | target process
PID 316 set thread context of 2448 | 316 | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
PID 2160 set thread context of 736 | 2160 | OposHost.exe | OposHost.exe
PID 3932 set thread context of 1440 | 3932 | OposHost.exe | OposHost.exe
-
Drops file in Windows directory 6 IoCs
Processes:
OposHost.exe, OposHost.exe, 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\reassurers | OposHost.exe
File opened for modification | C:\Windows\piscators | OposHost.exe
File opened for modification | C:\Windows\reassurers | OposHost.exe
File opened for modification | C:\Windows\piscators | OposHost.exe
File opened for modification | C:\Windows\reassurers | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
File opened for modification | C:\Windows\piscators | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe | nsis_installer_2
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Kills process with taskkill 2 IoCs
Processes:
taskkill.exe, taskkill.exe
pid | process
1860 | taskkill.exe
3412 | taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes:
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, OposHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\"" | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop | OposHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\"" | OposHost.exe
-
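An added example, not part of the report: the registry signatures above form one compact persistence set (a policy Run key, Run and RunOnce values, a Startup folder .lnk, and SCRNSAVE.EXE pointed at the dropped executable so the screensaver timeout relaunches it). The detector below parses "Set value" lines in the sandbox's own wording, undoes the C-style escaping the report applies to values, and flags autostart entries whose target lives in a GUID-named folder under AppData\Roaming, or a screensaver value that is not a .scr. The event list is constructed from the tables on this page plus constructed benign lines; rule names and the line format are the example's assumptions.

```python
import re

# Constructed sample input: the registry events from this page's signature tables
# (hive path, logged value, writing process), plus constructed benign lines so the
# rules have something to leave alone. The sandbox prints values C-escaped
# (\" for a quote, \\ for a backslash), which is why the dropped path looks doubled.
HIVE = r"\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000"
DROPPED = r"\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\OposHost.exe\""
SAMPLE = "878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    rf'Set value (str) {HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "{DROPPED}" {SAMPLE}',
    rf'Set value (str) {HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "{DROPPED}" OposHost.exe',
    rf'Set value (str) {HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OposHost = "{DROPPED}" {SAMPLE}',
    rf'Set value (str) {HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OposHost = "{DROPPED}" {SAMPLE}',
    rf'Set value (str) {HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OposHost = "{DROPPED}" OposHost.exe',
    rf'Set value (str) {HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OposHost = "{DROPPED}" OposHost.exe',
    rf'Key created {HIVE}\Control Panel\Desktop {SAMPLE}',
    rf'Set value (str) {HIVE}\Control Panel\Desktop\SCRNSAVE.EXE = "{DROPPED}" {SAMPLE}',
    rf'Set value (str) {HIVE}\Control Panel\Desktop\SCRNSAVE.EXE = "{DROPPED}" OposHost.exe',
    rf'Set value (str) {HIVE}\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpAC39.bmp" OposHost.exe',
    # constructed benign lines (not from the report)
    rf'Set value (str) {HIVE}\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\System32\\scrnsave.scr" explorer.exe',
    rf'Set value (str) {HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" OneDriveSetup.exe',
]

EVENT_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')

# Autostart locations this sample touched (example's own rule names).
ASEP_RULES = [
    ("policy_run_key", re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run$", re.I)),
    ("run_key", re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)),
    ("runonce_key", re.compile(r"\\CurrentVersion\\RunOnce\\[^\\]+$", re.I)),
    ("screensaver_hijack", re.compile(r"\\Control Panel\\Desktop\\SCRNSAVE\.EXE$", re.I)),
]
# Per-user drop directory named by a GUID under Roaming: the layout this sample uses.
APPDATA_GUID_RE = re.compile(r"\\AppData\\Roaming\\\{[0-9A-F-]{36}\}\\", re.I)


def unescape(value):
    """Undo the sandbox's C-style escaping of a logged registry string."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_event(line):
    """Return (kind, key, target, process) for a 'Set value' line, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    kind, key, raw, process = m.groups()
    return kind, key, unescape(raw).strip('"'), process


def scan(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, key, target, process = ev
        for rule, pat in ASEP_RULES:
            if not pat.search(key):
                continue
            reasons = []
            if APPDATA_GUID_RE.search(target):
                reasons.append("autostart target lives under AppData\\Roaming\\{GUID}\\")
            if rule == "screensaver_hijack" and not target.lower().endswith(".scr"):
                reasons.append("SCRNSAVE.EXE points at a non-.scr binary")
            if reasons:   # an autostart write alone (OneDrive, a real .scr) is not a finding
                findings.append({"rule": rule, "key": key, "target": target,
                                 "process": process, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["rule"], f["process"], "->", f["target"], "|", "; ".join(f["reasons"]))
```

Both the original sample and the dropped copy write the same eight values, so a host-side check of the same four locations (HKCU Run, RunOnce, Policies\Explorer\Run and SCRNSAVE.EXE) with the same two discriminators is enough to confirm or clear a machine after the fact.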
Modifies registry class 1 IoCs
Processes:
OposHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | OposHost.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
OposHost.exe
pid | process (repeated events collapsed, count in brackets)
736 | OposHost.exe [64]
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exe
pid | process (repeated events collapsed, count in brackets)
4820 | msedge.exe [10]
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, taskkill.exe, OposHost.exe, OposHost.exe, AUDIODG.EXE, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 2448 | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
Token: SeDebugPrivilege | 3412 | taskkill.exe
Token: SeDebugPrivilege | 736 | OposHost.exe
Token: SeDebugPrivilege | 1440 | OposHost.exe
Token: 33 | 4184 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4184 | AUDIODG.EXE
Token: SeDebugPrivilege | 1860 | taskkill.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exe
pid | process (repeated events collapsed, count in brackets)
4820 | msedge.exe [25]
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exe
pid | process (repeated events collapsed, count in brackets)
4820 | msedge.exe [24]
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe, cmd.exe, OposHost.exe, OposHost.exe, OposHost.exe, msedge.exe
description | pid | process | target process (repeated events collapsed, count in brackets)
PID 316 wrote to memory of 2448 | 316 | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe [10]
PID 2448 wrote to memory of 2160 | 2448 | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe | OposHost.exe [3]
PID 2448 wrote to memory of 3892 | 2448 | 878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe | cmd.exe [3]
PID 3892 wrote to memory of 3412 | 3892 | cmd.exe | taskkill.exe [3]
PID 3892 wrote to memory of 3972 | 3892 | cmd.exe | PING.EXE [3]
PID 2160 wrote to memory of 736 | 2160 | OposHost.exe | OposHost.exe [10]
PID 3932 wrote to memory of 1440 | 3932 | OposHost.exe | OposHost.exe [10]
PID 736 wrote to memory of 4820 | 736 | OposHost.exe | msedge.exe [2]
PID 4820 wrote to memory of 4568 | 4820 | msedge.exe | msedge.exe [2]
PID 736 wrote to memory of 4300 | 736 | OposHost.exe | NOTEPAD.EXE [2]
PID 736 wrote to memory of 5116 | 736 | OposHost.exe | msedge.exe [2]
PID 4820 wrote to memory of 4524 | 4820 | msedge.exe | msedge.exe [14]
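An added example, not the sandbox's own logic: read together, the SetThreadContext and WriteProcessMemory tables above show each parent (316, 2160, 3932) writing into a freshly started copy of its own image and then resetting that child's thread context, which is the RunPE / process-hollowing sequence; the report only labels the API use as suspicious. The two cmd.exe command lines in the process tree are the usual taskkill / ping / del self-removal of the original binary and of the dropped copy. The code below reconstructs both from one-line events in the report's wording (constructed sample with the repeated writes collapsed, plus a benign msedge write and a benign cmd line that must not fire); function names and the single-line event format are the example's assumptions.

```python
import re
import ntpath  # Windows path handling that works on any host

SAMPLE = "878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe"

# Constructed sample input: one line per distinct event from this page's
# SetThreadContext and WriteProcessMemory tables (the report repeats each write
# many times; one copy is enough for the rule), plus the msedge write, a normal
# parent-to-child write that must not fire.
EVENTS = [
    f"PID 316 wrote to memory of 2448 316 {SAMPLE} {SAMPLE}",
    f"PID 316 set thread context of 2448 316 {SAMPLE} {SAMPLE}",
    f"PID 2448 wrote to memory of 2160 2448 {SAMPLE} OposHost.exe",
    f"PID 2448 wrote to memory of 3892 2448 {SAMPLE} cmd.exe",
    "PID 2160 wrote to memory of 736 2160 OposHost.exe OposHost.exe",
    "PID 2160 set thread context of 736 2160 OposHost.exe OposHost.exe",
    "PID 3932 wrote to memory of 1440 3932 OposHost.exe OposHost.exe",
    "PID 3932 set thread context of 1440 3932 OposHost.exe OposHost.exe",
    "PID 4820 wrote to memory of 4524 4820 msedge.exe msedge.exe",
]

# The two cmd.exe command lines from the process tree on this page, and one
# constructed benign line where the killed image and the deleted file differ.
SELF_DELETE_CMDS = [
    r'/d /c taskkill /t /f /im "OposHost.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe" > NUL',
    '/d /c taskkill /t /f /im "' + SAMPLE + '" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '" > NUL',
]
BENIGN_CMD = r'/d /c taskkill /f /im "notepad.exe" & del "C:\Users\Admin\Desktop\scratch.txt"'

# "PID <src> <action> <dst> <src> <src image> <dst image>", as printed in the tables.
EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)$")


def parse_events(lines):
    writes, contexts = set(), {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        pair = (int(src), int(dst))
        if action.startswith("wrote"):
            writes.add(pair)
        else:
            contexts[pair] = (src_img, dst_img)
    return writes, contexts


def detect_hollowing(lines):
    """A parent that writes into a child and then resets the child's thread context
    is the RunPE / process-hollowing sequence; writes alone (msedge) are normal."""
    writes, contexts = parse_events(lines)
    return [
        {"parent": src, "child": dst, "image": dst_img, "same_image": src_img == dst_img}
        for (src, dst), (src_img, dst_img) in sorted(contexts.items())
        if (src, dst) in writes
    ]


TASKKILL_RE = re.compile(r'taskkill\b[^&]*?/im\s+"?([^"\s&]+)"?', re.I)
DEL_RE = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:>|&|$)', re.I)
PING_RE = re.compile(r"\bping\s+-n\s+\d+\s+127\.0\.0\.1", re.I)


def detect_self_delete(cmdline):
    """taskkill <image> ... del <path> where the deleted file is that image: a binary
    removing itself. The ping to localhost is a sleep so the kill lands first."""
    kill, dele = TASKKILL_RE.search(cmdline), DEL_RE.search(cmdline)
    if not (kill and dele):
        return None
    image, path = kill.group(1), dele.group(1).strip()
    if ntpath.basename(path).lower() != image.lower():
        return None
    return {"image": image, "deleted_path": path,
            "ping_delay": PING_RE.search(cmdline) is not None}


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print("hollowing:", f)
    for c in SELF_DELETE_CMDS + [BENIGN_CMD]:
        print("self-delete:", detect_self_delete(c))
```

The same-image check is what separates this sample's behaviour from a loader that hollows a system binary: here every hollowed child is the parent's own file, so the on-disk image and the code that actually ran differ, and memory rather than the dropped NSIS wrapper is what to dump.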
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe"
      - Adds policy Run key to start application
      - Drops startup file
      - Adds Run key to start application
      - Modifies Control Panel
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe
        command line: "C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe
          command line: "C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe"
          - Adds policy Run key to start application
          - Checks computer location settings
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Sets desktop wallpaper using registry
          - Modifies Control Panel
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            - Enumerates system info in registry
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8daf946f8,0x7ff8daf94708,0x7ff8daf94718
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15859502368022059768,14421174850556369028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
        [5] C:\Windows\system32\NOTEPAD.EXE
            command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.vrid8l.top/6894-3DB4-F2B0-006D-FE93?auto
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8daf946f8,0x7ff8daf94708,0x7ff8daf94718
        [5] C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        [5] C:\Windows\system32\cmd.exe
            command line: /d /c taskkill /t /f /im "OposHost.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe" > NUL
          [6] C:\Windows\system32\taskkill.exe
              command line: taskkill /t /f /im "OposHost.exe"
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\PING.EXE
              command line: ping -n 1 127.0.0.1
              - Runs ping.exe
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /d /c taskkill /t /f /im "878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe" > NUL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /t /f /im "878a47f7dd1e1a6409debe922daaca1a_JaffaCakes118.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping -n 1 127.0.0.1
          - Runs ping.exe
[1] C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe
    command line: C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe
      command line: C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x518 0x50c
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 f53207a5ca2ef5c7e976cbb3cb26d870
SHA1 49a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA256 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512 be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1 a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA256 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512 e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 58f32141492b1d2d34679dab83dde383
SHA1 8695e9cac3a6931ed3788717a6436e5ea19249df
SHA256 2220f6c97eaa03e837a1b4ccd8e695d0f6abb97a84fc8c9da9f8781f7b5a609d
SHA512 7dcfb044ac751e48281ea8c5c6aa403096aac442976ac6191f1d5ea39893d85e59397588a3bfd8adde14e2be249f479e4bda855e498e77d486c11d62af1fa042
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 ea993d66838a4cef957dee174d9bacba
SHA1 f5f9e1642efb190c577c0a8bbc5a019ad23ba0cc
SHA256 33c688567319f52b91b79cf0a68405cf10e3665d39d561e16a27ff59d79ab346
SHA512 594dbf30749e29b4f6f019fb264b97fd59d4fca02ee138f314f6b12b178b026f01ea9a3b2cdf5e3202689a75529eda4beb10af0f36e05f099f535667cd437c24
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 10KB
MD5 dcd42118b1ab5ac3d3c1b31000a44727
SHA1 c8acca2076503ac109e53b0bb4b6c9a9e0bdd357
SHA256 c290b832e361199c52078672494304651d9c531fcd1d1a71184b922262c0e4a7
SHA512 de6742694d22a48480fc097db66c022a95609a2222cdc74107161d64c61fb44b7eddcf1955c4aa3ce0cd6dec73b73f1a4aa5bc7c1b4744d70776ea60dac7fcbd
-
C:\Users\Admin\AppData\Local\Temp\nsj5092.tmp\System.dll
Filesize 11KB
MD5 a436db0c473a087eb61ff5c53c34ba27
SHA1 65ea67e424e75f5065132b539c8b2eda88aa0506
SHA256 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
Filesize 12KB
MD5 240aa86751e9aa34374f99231a4a5f4d
SHA1 327d4a26225a2a9de42dd081003f241b2c007012
SHA256 f2ca1c224c8601d26682d7ed2e6a940d4f29fee9e35a4868c69d58034955514e
SHA512 e5067811bf6a6f9d1d8ddc55f3d42a86bc2ad3c2edd523181054a4653ced1ef435aef8220c114fe597539442c516e4c0ca7c5dba010a8e4d165d166b3d290dc4
-
C:\Users\Admin\AppData\Roaming\20-fix-globaladvance.confFilesize
912B
MD5fbad2da072b8609477d89a59a167705a
SHA16abf7a770a5a46e0e4a463e03b6477a2aedd2df9
SHA2565930f65c5864754bdeea36362beb91f2756b46504508f1d381cb49784f52880f
SHA5122bda5a262a2832a17ba9d4ffc4aa4e8c4e45d46a877d2cb8702224f9d8904a1916fc2dea4a45e7ebec86d2adfc09609cc1860df5bcbf9680b19f78026b421e5b
-
C:\Users\Admin\AppData\Roaming\401-5.htmFilesize
1KB
MD5431b67e464486add8912ba19ba8dba03
SHA11e19d1844548c0aed8d9723dca02de0e500e7f4c
SHA256a8b19979f9011710e1a839690d109188eba8d4ba9890efcb1333b056bf0f831f
SHA512b2fc415ad7255f24a06c1f345edff3bb2059b4328f2a7f5cf78e6592baa59aaa88af7b0da533e0a59b4b58761b5bba07d7c0ee9cdec31af0df20e1fb28e3d9ff
-
C:\Users\Admin\AppData\Roaming\BCY green 3.ADOFilesize
524B
MD59a26cb6467c4c9ebb9113925df963ccd
SHA1ac5b505c30092191be86b79c5a09d87cdc6a9ca7
SHA256c9024465c4c4131a62e0c557453f9bd55ac79afc96e0ee8cf1138cbb0113056e
SHA512b248ddd375838ef0e4e07864d0f39a66c48e814bd54ec350664d0da84edee9e5e00b97b03769f36bd75659f53e4991aa42b73c479c328d1624b7d548db3b1a09
-
C:\Users\Admin\AppData\Roaming\BanjulFilesize
77B
MD5d8bf90c6c458e81d3fb17371cc1ab80e
SHA139843cd866b512e8dd4764c299068f025d2b96ff
SHA25618eba9d5e645204556fd02348e43728a82ab429ee4580fea323475d4ed021b19
SHA5121d688c68157b370ebdc3dfbdec6a11e38084b2df2f27fd706053a35ce466d841d7091ba7fe3d6cdedcf6222105ebfda225ac216d056e35086af173a1531f848d
-
C:\Users\Admin\AppData\Roaming\Bl normal CG9 CG2.ADOFilesize
524B
MD578a7847d2199fe20f20b9f74bc0da3e6
SHA122b536f65a15481f41a2a4da715e608f7d6adb2a
SHA256137e25e3018879d470db96c595164e5c8e0833b68a0a3e81042a3fd95da4ae71
SHA512c886d510c6452204e610b22acc98fe618e2cd1357f3a942cb8a1a818bb3374cfb43808831c97152be038bcb6dbbb0bfaa45a96ebc2f3230b3d2c78eee1854dc2
-
C:\Users\Admin\AppData\Roaming\ExampleXML2FO.javaFilesize
3KB
MD57cd4291588c932a60b8db4ca8d336b9c
SHA1f5716cbcae64d72dcc622418587b125b832e943d
SHA2569e51838001368de751bd0ab37da350d5d0d6f50016f6271807c0ee9be55ddf21
SHA512d4bdb75c0dfdee9d39eecbce8a7f43895fb2031fa49c16567977821065fc7d5edf737c0dc8f3a91ee4a3d22b89ae7bb6b38c15f6b0238b956e5aa95098d0d290
-
C:\Users\Admin\AppData\Roaming\GBK-EUC-VFilesize
3KB
MD5f7d4e3604733bccfc64a2cc3dfd4366b
SHA16d5d2e02a35238637cebc8854046859e9e3e3f3a
SHA256852f2d823b856778c7386b884d467e8e19bfe8d677c042c54a078221ab5bf50c
SHA5121d6d2dda9255fee9f338b31976b3b84976e713c2bd6b779e9f725d12d82d1068585b066d448c727cb95e72949f51577a76e623878dcf07f763f1ddb50d2c26ce
-
C:\Users\Admin\AppData\Roaming\GMT-4Filesize
27B
MD54bc6b6291a5e77acb663283b05cdbb02
SHA16ebebc4883fd74246e5f39d211a51d6ffe21e7b4
SHA256bd6b0557cdab100425a5d39783174e7ae4134cc59ebe6dd3ee837944eb76381e
SHA512ed98d7547a5aa0506253fd7f37c39ad323a57b8ff184ee7a88fd0031dcc210c91bb5c1c0266b5b528568425206dfd49faadd693ff8c61cd84023a18766fba335
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\OposHost.lnkFilesize
1KB
MD55747852cb3689a6061693776d7ed6657
SHA10b0d35d132c98db199ea369261433efc9785ca56
SHA2569a183cf2baa0a3453a0ff73a659768aa127dcafdf8fe24ce4720cd78d900a840
SHA512448c54788cd99627b6937bd46e4906c5ad685d122307687a4aa15b44baa8f9360074e9f73fb3c900e3c15f9987f70ebd214e54c58974662cbe3f9b4e6bde8301
-
C:\Users\Admin\AppData\Roaming\ProxySettings.dllFilesize
241KB
MD5ed431cc4cd9381bb561bcfde8d3fbc20
SHA194393c56423fc53430e8a759eef80034b6dd93de
SHA256810c908192654c74ee3816170fad05c8e61a3a31a0bb67ae7835de621d7951ba
SHA5125f3060c26a097bf82378e9ed8c61bf9e26733fc6611c444728df1e6a5b9e7088cc840fb94daf90f2cc79c4a8be18975fa0e85591ec9602bec7a6cbf388354174
-
C:\Users\Admin\AppData\Roaming\Secondo.HS8Filesize
128KB
MD593d90330e7eae33291fe3a1f0a0acbf6
SHA16650c43e8584eeec15fdc3d683dbe1b0a85d6718
SHA256caf1bd22f50cd080edce1fc6e56b115242a0fed02defe89070cb89f85526573e
SHA5120e9b41234e44976fec2c10c10b2bc03d5d20f52a549be6c9b446da9b3864aa4641ad0cfcb3ff89497a441974a4e56f3fe137de0ffc8784d36f6dfc40292224c4
-
C:\Users\Admin\AppData\Roaming\VerbidCollimator.yFilesize
5KB
MD5ef1f8418db7f8f4a081c2296c8ffa749
SHA122e98eb6b2a434479757e15c458c0a640ef12865
SHA2563dedfa73ae9aa3c9514d47f1521fe122a1132ed471de12abeba2b7077c506571
SHA512e46ac922d61e5f8f162a6567c7ef3c9b5b655de147be5848bf576d406edfd7bb1ea97a5bfae4e8ef423b67d97d99b847b98dcc078055a3f9a0debfd693339ef1
-
C:\Users\Admin\AppData\Roaming\add_licenses.pngFilesize
1KB
MD5e8a2b07854032ed884e15558d45cf227
SHA1733914f98c81adb9ca0e0c5e90a264e446c7308a
SHA256441d8eac3139cc3d28d7f3ca5f8412a99f0ef37466d1d578abfdc315b4840d7e
SHA512d13ea83232a9d76049e9b79ba70bea422e51fd113505082da81044d6ebfa10c1b4510507b960f2b6d4c66f82a819c586416645e5fc4171ae2d08b24a7bff3391
-
C:\Users\Admin\AppData\Roaming\additional_tools_drivers_downloads_icon.pngFilesize
3KB
MD5fcf5ffa7dc5b1c6a15080c471b0af12c
SHA11ffbbf1cb9f7693c8885bb3c49c131b2f28fafd6
SHA256b38509363359adc76bfa7ec26d925da303afd53bda018550d1f73694a76dd4f1
SHA512bcf14e77543d05de9635ea8a53b029df4dc504770ea79bcab535e19df14416699721e16f30a62312f34929ca75a06e8838b6e7516e087b7db6da48e898860983
-
C:\Users\Admin\AppData\Roaming\additional_tools_drivers_downloads_icon.pngMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\annot-open.pngFilesize
837B
MD58961808067af5253f333cdf0c8139004
SHA129adf64660e293b41583decab8a05df8edc93740
SHA25696108677136e482951437c3b41e0f6aec42526cb065b8654ef5b81343f788be9
SHA512ef88d7aa922ff6ce6b75f87c4b380a861db60dce94c4b0b958f5fdcd6685739a3a49ba5ff574a6df9e1f6673cd1d4b615a6327834dd53e25658e1c1e76be9c92
-
C:\Users\Admin\AppData\Roaming\archive_inactive_unhovered.pngFilesize
2KB
MD52706a9691f646f678220600f5a3da66d
SHA118aca6b122fb4eeb132ff80378a3ebc5c7e76acb
SHA2565709aef07360ffe1cc827e1f77d0c23d5eb97d5f328ac8293911aa888dcf4ba0
SHA5128263f29d2dc33e2060c8c4b5ca34abff26a3c79c08e019f9b3eb3d8cc6504f26786a65ea20ae968ae5f42dda9c6a446a4394ca0886003c50bfc068b9009609b6
-
C:\Users\Admin\AppData\Roaming\arrow_right.pngFilesize
4KB
MD5173e366fffd028392021ec476d4f9698
SHA1997275beeaca6e1faad125a7ec1b966d23cf8d3c
SHA25696c6c0233623cdf2993bfec1641e2374d5d83af2090fda8c20e41af7b94cec45
SHA512d06ac9de5b67395c6eb10b9d498d526e4c5d7a031dfce2a2c1b203fb73d750e1b4fb55c556af391810c0c996fa1e8a44029fea0e6f5396b2b9249a667c6c4aca
-
C:\Users\Admin\AppData\Roaming\brt.fcaFilesize
4KB
MD50ed71cc470bac3c2175010c85ce17f01
SHA1e3596b38a653f92d3a83e6398575d72df8e6ab55
SHA256b571de53b04684fdb90a3686ffaac3b301e58c5070467da60de59e14820579bd
SHA5121f6f0d351e27426759e97b4335d5b0064f3e4d1148cb3e2cef40dec81050fe7ce81ae1b5afe7ef9db09b084a4166905fb8f48da95150e0139333358e01f1f632
-
C:\Users\Admin\AppData\Roaming\buckoes.qfvFilesize
64KB
MD5b2b80f40e73df9d5f7400e6b0820dc46
SHA1dd5695e83a88c7a02c023a96f06102052e0e6f18
SHA256d5304a90b2058ce143957c8d1a9ebcb7e3638d2da35a5e8a87a0d0d5105cf795
SHA512eda9a817bc75c90137c6b8d4f4dea58f9973ec80a16ca2510628441eceabdc4d70daaef0a260346899866c6061b4702e6cc017ad720aa7dc048c00d12359f1c6
-
C:\Users\Admin\AppData\Roaming\chunk.toc.xmlFilesize
1017B
MD5d676d37a6291b4f2c52a9c009646b249
SHA1e9cc72d677d255c9a931704ceac14f06dae9c670
SHA2568c2b119b31c6ab582ef93f9f3788f149fdb59a56ba428bbaec05f9640de5b43c
SHA5120fd48ecf86eece84371a6aaeaa4f7a30e7cb5c2e17a182b802ec59c24f46da8309584b8c69a118ebf91be50f6dccbbc393c0ccbda9a16ecce6482cdc9d94c019
-
C:\Users\Admin\AppData\Roaming\citerefentry.link.xmlFilesize
1KB
MD5f5318e3b3e9ea56e31cbb672cfa327d8
SHA1bcd6758368b4583bf80066bc1284f5a96e558efe
SHA256e0f55229bebe71a2b94cdfb33060a28347ca69ee7480fb42bec2f2edfa464e1f
SHA5120735d6e8fe1f0aa1e8504a5ecf86c7f576f5a3c47388f895fbd82ada7d9a5b3abbed748f33f29aa6583ddde52a9f80465a12e1586a29a94205b4475ce476873e
-
C:\Users\Admin\AppData\Roaming\component.xmlFilesize
691B
MD5137d64c837e42916568685e05be6ca27
SHA13cc124359aa623bc4ca2511805e8f8e1f9fe5ff5
SHA256f9aa7c2759c4fc6b67add7710d6fa40750c2cf131fb576bad7c8f7fb008fa78a
SHA5128a8144c82b27163e3aba9fa5400f7eb7a4088c3822aa010bc6a8869ab1daf9a98d2ad483ff0f32727d8251ee23bd062a56f616b1f7cac98f79c0190b6abfdfa6
-
C:\Users\Admin\AppData\Roaming\computer_diagnostics.pngFilesize
3KB
MD5bd8078dcc074aaebdc63ba53082e75c2
SHA1a3887f75154e5de9921871a82fe3d6e33b7b5ba7
SHA2569e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e
SHA5129a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66
-
C:\Users\Admin\AppData\Roaming\error_1.pngFilesize
3KB
MD56f42ca6b4105204fcd946cc2ae17d9a1
SHA17d4a234e40ef4564943ece66d46d9e1417586887
SHA2567d4b3a73836005095e230d6d34297baa68f816b71cc6b78ced7a6f60b46c829c
SHA512724726aa1b898646522140872210fb4766d5c9998eed3192f112313081377e68077536f6589d98f3300909592584bf3b65820da253feea8eeb558153900cf97a
-
C:\Users\Admin\AppData\Roaming\f22.pngFilesize
1KB
MD5d8abf78e144e7521df20ceac8ee7810c
SHA1764b28f968978640ca24049a8a0eb322f3dcb734
SHA256be6934004ed9c71b7bda54bc4eed7f98bef46a7bcbe8463d03a7730116cfcd4e
SHA512c997a3ba1442200fef03a31435f2250d72e188c09e9497ed67adbb327c73ea6046be6a8197d798a958fbfbc793f554c31307859d64fa22a917f605309ddc56e0
-
C:\Users\Admin\AppData\Roaming\getLayerShape.jsxFilesize
521B
MD58d660544f0aa8fb4fcd9ff5e16eeae21
SHA182fc69814d602299c43f7fd18c5b9813cebd94aa
SHA2563ea5850570ea785ced2ad11acdb81ee69c875d355a3411c15ea1276b611c18a3
SHA512d314d3522f009d5f088a9c61e3515aa274d5ffa4a2a82c02484bfb8f4d5f862cf98e20f76b72c50e5e857957e05521ef458442c4437b2eefd4d895e5f3a97d1a
-
C:\Users\Admin\AppData\Roaming\slurs.bkaFilesize
63KB
MD589efba3dd01b85ce66489a11ec35d3fa
SHA1a3571e5687eea33512f7bb235fbc60448ca40660
SHA256d375e6922370e33875e13ebd58cd6804a01f5a7c01618096007e8ea1a3b380f5
SHA512f0684c0fc1cc40955bbca9da2297a94e950e12966be8128dcfc24aebc905f57fb19b3affadb7ac6c05449359dfac430be1f57ef790c29156c97a9ef9f26597a5
-
C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exeFilesize
261KB
MD5878a47f7dd1e1a6409debe922daaca1a
SHA187d2a81c575dc2494fe26e5d883f66155ff4a847
SHA256e6455cb52653e906492659ee0624ac089690ea3ad2e91a761746eb9baab47489
SHA512692c790e0487f2af5cf020f03656939a1a3a8b2257b1f0e6ffd8260139a88e5348ccaa11c1d24664480f644d1e412102aadf73614d5bf239ca128a09c1636b4a
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txtFilesize
10KB
MD5f6a76dd6def36b2534ad6ff5b4369bed
SHA100d3057fa04abac2dbd6c26a0f0663ceb9350e0f
SHA256625cd19f1617a5e25efb7f8aa88003fdf5135ec9a903cb26537874f6473abcae
SHA5127f45a01d10c4f3a9cc7117571f12c71d6a9ad90ae20798f13751bb2c33fd9d63c69ad4f4560cf9438795a2c57c338c7db9eec405c74d7453703f92ec7b5295f0
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.urlFilesize
90B
MD5d75a9374f7e15bd05fc3225d802496b4
SHA1d2379442f95507402af58195b02d2a923bcacf96
SHA256a7e3d29bc1e4c5145505db5eae30593b287a1d3d506b5b0699dfc73fc0aa12e4
SHA51274608b9f69a3ecb1f03cc1d89a6db2e90905520246ff56d7e026844d5ee5fe7524db3dd4a05f042b32290881b5133b1a4974d53c642fe2a3fd792c46208a56db
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.vbsFilesize
234B
MD56f84dbf74ef41dc3d861f5fb3e0f45ff
SHA13e5f17e9b9589f33ce6add7f2518a666ff2253a4
SHA256df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8
SHA5129f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a
-
memory/316-40-0x0000000002F20000-0x0000000002F68000-memory.dmpFilesize
288KB
-
memory/316-36-0x0000000002F20000-0x0000000002F68000-memory.dmpFilesize
288KB
-
memory/736-208-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-535-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-182-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-516-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-519-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-197-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-521-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-523-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-205-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-207-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-131-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-129-0x0000000003780000-0x0000000003781000-memory.dmpFilesize
4KB
-
memory/736-126-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-127-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-527-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-525-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-534-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-540-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-537-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-530-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-546-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-549-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/736-543-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1440-201-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1440-200-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2160-123-0x0000000003040000-0x0000000003088000-memory.dmpFilesize
288KB
-
memory/2160-119-0x0000000003040000-0x0000000003088000-memory.dmpFilesize
288KB
-
memory/2448-54-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2448-46-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2448-44-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2448-45-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2448-43-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2448-39-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3932-196-0x0000000002F10000-0x0000000002F58000-memory.dmpFilesize
288KB
-
memory/3932-193-0x0000000002F10000-0x0000000002F58000-memory.dmpFilesize
288KB
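The dropped-file listing above is only useful to a responder once it is structured, and as exported it arrives with each label fused onto the preceding value ("...PreferencesFilesize", "MD5<hex>"). The script below is an added example, not part of the sandbox report or of the Cerber sample: it parses that flattened shape into records, checks each digest has the right length for its algorithm, and then pulls out the entries an analyst would triage first: the persisted copy whose digests equal the submitted sample's (OposHost.exe), any entry whose digests are those of the empty input (the second additional_tools_drivers_downloads_icon.png record, which therefore was zero bytes when hashed), the "# DECRYPT MY FILES #" notes, and the shortcut written to the Startup folder. The embedded listing is an abbreviated excerpt of the entries above, so the script runs offline; SAMPLE_SHA256 is the SHA256 the OposHost.exe entry carries.

```python
"""Parse a flattened sandbox 'dropped files' listing and derive indicators.

Added example, not code from the report. Handles the extraction shape seen
above: a path with a label fused on its end (value on the next line), lines
of the form 'MD5<hex>' / 'SHA256<hex>', and bare '-' separators."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")

# SHA256 of the empty input: an entry carrying it was zero bytes long when
# the sandbox hashed it (a file truncated before being rewritten).
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# SHA256 the OposHost.exe entry carries, i.e. the submitted sample's digest.
SAMPLE_SHA256 = "e6455cb52653e906492659ee0624ac089690ea3ad2e91a761746eb9baab47489"


@dataclass
class DroppedFile:
    path: str
    size: str | None = None
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)  # malformed digests


def _store(rec: DroppedFile, label: str, value: str) -> None:
    """Attach a label/value pair to a record, checking digest length."""
    if label == "Filesize":
        rec.size = value
        return
    value = value.lower()
    if len(value) != HEX_LEN[label]:
        rec.problems.append(f"{label} has {len(value)} hex chars")
    rec.hashes[label] = value


def parse_listing(text: str) -> list[DroppedFile]:
    """Split the '-'-separated blocks of the listing into DroppedFile records."""
    records: list[DroppedFile] = []
    cur: DroppedFile | None = None
    pending: str | None = None  # label whose value is on the next line

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # block separator
            if cur is not None:
                records.append(cur)
            cur, pending = None, None
            continue
        if pending is not None and cur is not None:
            _store(cur, pending, line)
            pending = None
            continue
        m = HASH_LINE.match(line)
        if m is not None:
            if cur is None:  # digest with no path before it (orphaned block)
                cur = DroppedFile(path="")
            _store(cur, m.group(1), m.group(2))
            continue
        # Anything else is a path line; close the previous record if the
        # separator was missing, then peel the fused label off the end.
        if cur is not None:
            records.append(cur)
        cur = DroppedFile(path=line)
        for label in LABELS:
            if line.endswith(label):
                cur.path = line[: -len(label)]
                pending = label
                break
    if cur is not None:
        records.append(cur)
    return records


def find_indicators(records, sample_sha256: str = SAMPLE_SHA256):
    """Return (reason, path) pairs an analyst would want to look at first."""
    hits = []
    for r in records:
        name = r.path.rsplit("\\", 1)[-1]
        sha256 = r.hashes.get("SHA256")
        if sha256 == sample_sha256:
            hits.append(("byte-identical copy of the submitted sample", r.path))
        if sha256 == EMPTY_SHA256:
            hits.append(("zero-byte file (empty-input digest)", r.path))
        if name.startswith("# DECRYPT MY FILES #"):
            hits.append(("ransom note", r.path))
        if "\\Start Menu\\Programs\\StartUp\\" in r.path and name.lower().endswith(".lnk"):
            hits.append(("Startup-folder shortcut (persistence)", r.path))
    return hits


# Abbreviated excerpt of the listing above (some digests omitted for length).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD558f32141492b1d2d34679dab83dde383
SHA18695e9cac3a6931ed3788717a6436e5ea19249df
SHA2562220f6c97eaa03e837a1b4ccd8e695d0f6abb97a84fc8c9da9f8781f7b5a609d
-
C:\Users\Admin\AppData\Roaming\additional_tools_drivers_downloads_icon.pngFilesize
3KB
MD5fcf5ffa7dc5b1c6a15080c471b0af12c
SHA256b38509363359adc76bfa7ec26d925da303afd53bda018550d1f73694a76dd4f1
-
C:\Users\Admin\AppData\Roaming\additional_tools_drivers_downloads_icon.pngMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\OposHost.lnkFilesize
1KB
MD55747852cb3689a6061693776d7ed6657
SHA2569a183cf2baa0a3453a0ff73a659768aa127dcafdf8fe24ce4720cd78d900a840
-
C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\OposHost.exeFilesize
261KB
MD5878a47f7dd1e1a6409debe922daaca1a
SHA256e6455cb52653e906492659ee0624ac089690ea3ad2e91a761746eb9baab47489
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txtFilesize
10KB
MD5f6a76dd6def36b2534ad6ff5b4369bed
SHA256625cd19f1617a5e25efb7f8aa88003fdf5135ec9a903cb26537874f6473abcae
-
"""

if __name__ == "__main__":
    for reason, path in find_indicators(parse_listing(SAMPLE_LISTING)):
        print(f"{reason}: {path}")
```

Feed the full listing to parse_listing and the same four indicator classes fall out; the length check in _store is what catches a digest truncated by copy-and-paste before it is pushed to a blocklist, and the empty-input digest is worth keeping as a standing rule, since a zero-byte entry under a name that also appears with a real size is the trace of a file being opened for writing before its encrypted content landed.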