cerber | 82358cfce8922a6d09b9c3ccb7867ce65556040592f238fd2939ba9507156d7b

Analysis

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Size

208KB
MD5

9d8c90e3c00d723f8167d9e579b2eff1
SHA1

86f82bb7da52240469a520a1c4f166aa7beef579
SHA256

82358cfce8922a6d09b9c3ccb7867ce65556040592f238fd2939ba9507156d7b
SHA512

3bfedc755703b626c47a549ffe955433bc30ad10cdea7f0feb2d848e6a2d720f5cf973115b6d454549a86a83557dafdda67fec65a938353d1e12de947d5348e7
SSDEEP

6144:awHysFR5ERM05WQ8qpo0Qcs7ukLptsa6y/xG:RFR5KM63i0Y1d6OG

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community #Cerber+Rans0mware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0 | | 2. http://52uo5k3t73ypjije.vrid8l.top/16B6-410E-9F57-006D-F8B0 | | 3. http://52uo5k3t73ypjije.thyx30.top/16B6-410E-9F57-006D-F8B0 | | 4. http://52uo5k3t73ypjije.o08a6d.top/16B6-410E-9F57-006D-F8B0 | | 5. http://52uo5k3t73ypjije.onion.to/16B6-410E-9F57-006D-F8B0 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/16B6-410E-9F57-006D-F8B0 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0

http://52uo5k3t73ypjije.vrid8l.top/16B6-410E-9F57-006D-F8B0

http://52uo5k3t73ypjije.thyx30.top/16B6-410E-9F57-006D-F8B0

http://52uo5k3t73ypjije.o08a6d.top/16B6-410E-9F57-006D-F8B0

http://52uo5k3t73ypjije.onion.to/16B6-410E-9F57-006D-F8B0

http://52uo5k3t73ypjije.onion/16B6-410E-9F57-006D-F8B0

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0</a></li> <li><a href="http://52uo5k3t73ypjije.vrid8l.top/16B6-410E-9F57-006D-F8B0" target="_blank">http://52uo5k3t73ypjije.vrid8l.top/16B6-410E-9F57-006D-F8B0</a></li> <li><a href="http://52uo5k3t73ypjije.thyx30.top/16B6-410E-9F57-006D-F8B0" target="_blank">http://52uo5k3t73ypjije.thyx30.top/16B6-410E-9F57-006D-F8B0</a></li> <li><a href="http://52uo5k3t73ypjije.o08a6d.top/16B6-410E-9F57-006D-F8B0" target="_blank">http://52uo5k3t73ypjije.o08a6d.top/16B6-410E-9F57-006D-F8B0</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/16B6-410E-9F57-006D-F8B0" target="_blank">http://52uo5k3t73ypjije.onion.to/16B6-410E-9F57-006D-F8B0</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/16B6-410E-9F57-006D-F8B0</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://52uo5k3t73ypjije.onion/16B6-410E-9F57-006D-F8B0 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\cmdkey.exe\""	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\cmdkey.exe\""	cmdkey.exe

Contacts a large (517) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cmdkey.lnk	cmdkey.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cmdkey.lnk	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
2476	cmdkey.exe
1208	cmdkey.exe
1760	cmdkey.exe
2400	cmdkey.exe

Loads dropped DLL 7 IoCs

pid	Process
1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
2476	cmdkey.exe
2476	cmdkey.exe
1760	cmdkey.exe
1760	cmdkey.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdkey = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\cmdkey.exe\""	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmdkey = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\cmdkey.exe\""	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdkey = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\cmdkey.exe\""	cmdkey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmdkey = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\cmdkey.exe\""	cmdkey.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmdkey.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp452B.bmp"	cmdkey.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 2476 set thread context of 1208	2476	cmdkey.exe	35
PID 1760 set thread context of 2400	1760	cmdkey.exe	51

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\indults	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
File opened for modification	C:\Windows\	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
File opened for modification	C:\Windows\indults	cmdkey.exe
File opened for modification	C:\Windows\	cmdkey.exe
File opened for modification	C:\Windows\indults	cmdkey.exe
File opened for modification	C:\Windows\	cmdkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019270-65.dat	nsis_installer_1
behavioral1/files/0x0005000000019270-65.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
2500	taskkill.exe
2940	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\cmdkey.exe\""	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop	cmdkey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\cmdkey.exe\""	cmdkey.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{20104EB1-27CC-11EF-825B-FA5112F1BCBF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029f1e38aa7aa5b4f95d585ccc535f4ca00000000020000000000106600000001000020000000669e0ac244db0412bd505dcd756c56a7c7307b8bdb7e17866d27c4cc721bc2d1000000000e800000000200002000000093247be09e56c49589da8e203615394ae6ff13816e985b2c397ebc0bb4a3771a200000007e1f851cf6a24cd255e5fda6f5b5d286d2f78fa553d2a69075aa412601fe5812400000008a602cb0ea08eb079a7bc3fcf3374f0ac496b02a99e88bbe232374c7297b97c0e479485072e85a44d3d5a0f4f6f3044378145a62f2eaf9db4e579df9e2b43b12	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ee59e4d8bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424256182"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2076A9D1-27CC-11EF-825B-FA5112F1BCBF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029f1e38aa7aa5b4f95d585ccc535f4ca00000000020000000000106600000001000020000000f99e2dca594165967ec4f454cd8f19b9c00819abcc7f6424c9d20ae65b18bf5f000000000e800000000200002000000088ea28506d1aa135d32d9e8ddbfd8a4cc0c5863f59a6f31ae027ee3ac35409f19000000010f5f565f292d2cf434ab8bfe7b07241dbca090ccdfe1fef1f5be04cdd58c874f45e70af412d900f4e68cfd064629c790b601b554b091ce247ffc4098a895c0e652f29b6ad36447b230818e5d902ce0cb86303f431eb77bb6dcc053d4f955b9633d8adcffa35662779cdbc6e747946bb2d0fbe08008d5527e3efbd07cfbba3ba1f1edeb49635ba6f1e442f497eb2bafd40000000c34dcb90770f4ae48570e1773cb025d38e0a0f3b99d62860ea2f8065ad68025986da16bc23ec39fdb8724ddcb4c39e214069150567aa84f852f8fbfbc88800ba	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2860	PING.EXE
2980	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe
1208	cmdkey.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	1208	cmdkey.exe
Token: SeDebugPrivilege	2940	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
868	iexplore.exe
868	iexplore.exe
536	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
868	iexplore.exe
868	iexplore.exe
868	iexplore.exe
868	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
536	iexplore.exe
536	iexplore.exe
612	IEXPLORE.EXE
612	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2712	1928	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	28
PID 2712 wrote to memory of 2476	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2476	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2476	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2476	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	29
PID 2712 wrote to memory of 1720	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	30
PID 2712 wrote to memory of 1720	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	30
PID 2712 wrote to memory of 1720	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	30
PID 2712 wrote to memory of 1720	2712	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	30
PID 1720 wrote to memory of 2500	1720	cmd.exe	32
PID 1720 wrote to memory of 2500	1720	cmd.exe	32
PID 1720 wrote to memory of 2500	1720	cmd.exe	32
PID 1720 wrote to memory of 2500	1720	cmd.exe	32
PID 1720 wrote to memory of 2980	1720	cmd.exe	34
PID 1720 wrote to memory of 2980	1720	cmd.exe	34
PID 1720 wrote to memory of 2980	1720	cmd.exe	34
PID 1720 wrote to memory of 2980	1720	cmd.exe	34
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 2476 wrote to memory of 1208	2476	cmdkey.exe	35
PID 1288 wrote to memory of 1760	1288	taskeng.exe	41
PID 1288 wrote to memory of 1760	1288	taskeng.exe	41
PID 1288 wrote to memory of 1760	1288	taskeng.exe	41
PID 1288 wrote to memory of 1760	1288	taskeng.exe	41
PID 1208 wrote to memory of 868	1208	cmdkey.exe	42
PID 1208 wrote to memory of 868	1208	cmdkey.exe	42
PID 1208 wrote to memory of 868	1208	cmdkey.exe	42
PID 1208 wrote to memory of 868	1208	cmdkey.exe	42
PID 1208 wrote to memory of 696	1208	cmdkey.exe	43
PID 1208 wrote to memory of 696	1208	cmdkey.exe	43
PID 1208 wrote to memory of 696	1208	cmdkey.exe	43
PID 1208 wrote to memory of 696	1208	cmdkey.exe	43
PID 868 wrote to memory of 2616	868	iexplore.exe	44
PID 868 wrote to memory of 2616	868	iexplore.exe	44
PID 868 wrote to memory of 2616	868	iexplore.exe	44
PID 868 wrote to memory of 2616	868	iexplore.exe	44
PID 868 wrote to memory of 2068	868	iexplore.exe	47
PID 868 wrote to memory of 2068	868	iexplore.exe	47
PID 868 wrote to memory of 2068	868	iexplore.exe	47
PID 868 wrote to memory of 2068	868	iexplore.exe	47
PID 536 wrote to memory of 612	536	iexplore.exe	48
PID 536 wrote to memory of 612	536	iexplore.exe	48
PID 536 wrote to memory of 612	536	iexplore.exe	48
PID 536 wrote to memory of 612	536	iexplore.exe	48
PID 1208 wrote to memory of 1328	1208	cmdkey.exe	49
PID 1208 wrote to memory of 1328	1208	cmdkey.exe	49
PID 1208 wrote to memory of 1328	1208	cmdkey.exe	49
PID 1208 wrote to memory of 1328	1208	cmdkey.exe	49

C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe
    "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe
      "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2616
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:537601 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2068
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:696
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:1328
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "cmdkey.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe" > NUL
        5⤵
        
        PID:2936
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "cmdkey.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2980

C:\Windows\system32\taskeng.exe
taskeng.exe {A683EEF5-8F83-4A6E-B33D-E4929F857DD4} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe
  C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID:1760
- - C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe
    C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe
    3⤵
    - Executes dropped EXE
    PID:2400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:612

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
eb984a3a932f079134889569f53207a2

SHA1
a198f09cec6b32635d72153f4a61f70143311d62

SHA256
b5646be0b2d2fc39b011361a8fbfc2de3f6a1d98ae89773c1b2c169d0e82c130

SHA512
b43216f6f37981c089d7279353892773c00dce0c2d3e3b5eeaef485a11231dfeb380871bbd780aef78154f3fa0b65a9f463b6a6ffb9917110204acadecb83f65

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
a626cb253e101352f427010b7a036eea

SHA1
bcef1b9417b7a2b81d30fae2515e967e37f252a1

SHA256
3dfdbf8174b3024741c690e9e42c0e1ac7eff32cd48b7ac5dd4f7c17648ca413

SHA512
e0de8e697c0a9813e9fab95b063be84e7b42496718f4f11cb50e17b150c2c349f8745d36a3c668617ebae7b7e3c3b374971010c85ba8e9c96ea901e6be922eeb

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
90B

MD5
03474cb64e06e012132ceffe1e7eb8dd

SHA1
95e9247b815bc6ffa2d018006e6477e6240dbf67

SHA256
233be286a3e92bc4c75fe78e12dd2898fccda4faa5f66e01b47c6733fc9f949f

SHA512
a8701c4b248f518ba31de569b149821dc4dbfb03b9e53294369ad435f36f77a6b35824b2b2d50f62113a80c135f5b0e5bfdcb4354f4857f6bbdc25c859d8a1ce

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
234B

MD5
6f84dbf74ef41dc3d861f5fb3e0f45ff

SHA1
3e5f17e9b9589f33ce6add7f2518a666ff2253a4

SHA256
df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8

SHA512
9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d268e226a26316f304a570af3f0b9bba

SHA1
4e5a4c66bf8a61310677f32d6ae7fc9c4968f9af

SHA256
a6a376c9de43016be714b0cf11bbe39085677ee754a8d293572c640526af52be

SHA512
085ba5cf02ab3788dc9e8e7059f207f28490861f72e56c5589b741f669deeb360fa0ceabee4188df6d31aacc07335a48352751bf266eeedc79debeff46cc5b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
469324a6d6f442632a481319859e75da

SHA1
9b189c09a4e45765c07ae8f7dc161c6b27d35c52

SHA256
45389062d9a9e7388f8418a7bdb2425f6196d9c33adb86b18f5678f11914bfd3

SHA512
3293ac78e4be21e1ec7d7eb9c0a0a2ac4e49ddb6438a1031dcd574b0ab02f5be6cfcee126d221a80d8660dd0cf9f9d822ecf8ce62bf41089c8e9e8a181825307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
929c08c747dc274268d2d4b78de037d1

SHA1
b50b3fe33df7bada0a0ecc04fd7a53e542cd1e72

SHA256
5fce9081a41a25391c014eb6e338c69cc7b67044069a00b562be7bbb39cedefe

SHA512
df09f0a423dbcbb4c330994257be5eff792f305149d407051b1e70c2df7ee8ec199c8d81cd0ef4175fd4fb12a19a787310a2b956901ebb0bdb234e6dc5561759

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ce14157767a9bd2277b4d2053f8d917

SHA1
9cf43b2b7eaf171d8c203361134a9824f2d693a2

SHA256
2b353bf5180306703112cff4b0709b01f6b3bc7d8d2c138a199524ddccea7a54

SHA512
2fb08290b65e82cee034e2f21e91736ec1429cf20a961e7b1bb91f1edac553e6d3e6368a1ba347c5726b2511a20e91cb9aed48617ad8d0026a72b5475b61b649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3587a049dca961e4dba5728a62a9ab6f

SHA1
7bfe9c5f21fb1a0d32e9cc7a7c13a9e885c9c085

SHA256
711df4545c1dc8226311046dae9448d1ac7eee7e899883e5491d4278fa962aa6

SHA512
67669c8e7fc943a891075f309a2464c16ed2d3810e31579053e71204ae0f8b5dc3a20795c27bb8e59f9dc53757ede2dcd373afec579e1683ecd525443ca1fee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f0684b21caa925e148f6bff8ef50ca9

SHA1
6eeb2151bee94b7f5bf3e12c07fbe605aa78adb5

SHA256
de5a6f8635ee6364eb60d72095ae768eeb9d7a685bafa27cb499123b95a8daa7

SHA512
b746d343d55f3cfce4ab68df7a884d96817c701a14450c2703dc865e730bc6054fb7b7df8b136a2694c2b063629b377df260ca47a1cfddf7291a19e69fd7b537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a60b4c7809e2f9d8c0202ce46a40990f

SHA1
0d9977f48ab21d5a29515c68d45f02f6fcdc6a60

SHA256
50bbbd9e453a7f5766a80eb158dd2380697e024774d0c76b4366c60242c42117

SHA512
7d1d7f5770e8d198c566b6c2e0b449386d6a35dd644741cbde73a088bd68822c9ee434b5fec6399d7335b12301b2999e4b9b7e30a87f6454cf8c4a168758c4dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
975963a97580842beb1555a7e7c34768

SHA1
ae3f5f06097c1108b420af83c9ed875f88141412

SHA256
0a3cee60f5ce91ada3f6dbf0e28cb8261a0d07fcfc98c707634bc885147b99d4

SHA512
656d8a88e2f33bcf098da255565d2a3022b0b4f024f2571305a26f3ab52e2b80bc2cb212273a5374caa87899750032dde0e8ff3c56a4677c2194ba4a1a2fde56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f1356bbba24b01603e8604663dad81c

SHA1
ca66b13301dddd01bb4f848866da55234664e493

SHA256
515ecc73673cac7f4a19661180fd05d6fed1e4fb879044f899f5fa45d3166c07

SHA512
5823a83343dffbea0c46572d73c916a97c5aefdddf4536408b4193fb32aaf452db46a7654b6ef363599bbff40e0803584543083db5a5e3b4967222a315830b9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c3f7bbecad3d38ffa1aa2a8820d73df

SHA1
15eef0035b6e047de76e7b61ca2f605894c32156

SHA256
1fa14dd2a776cfde2ce2485dacc63930cfc5e733e2415f222d8a4d7d6d9dd888

SHA512
19c238760a643e5035ad6dfbceb64a501bdd7fe66a835874abb1bfe0fdea70f0fcc06390ca1b23253cfc01a3ba6abf8829ce6b1416eef9e60a4004eb008c3057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ee74c9b1c6965fa618664ba6b9c5805

SHA1
aa0c9db9d4ee6fc833651a72c15035ab9d3220af

SHA256
69a3b1bafc3dc5cc8285f3e61741d4b726399c05db94747aa78150377db58005

SHA512
73ef4e012948c1b277b059e533fddd4a89e2ffc1876a1927c1d60113c0ebc74e5e80a29c6017244b5958e641f3bca7efccf12bc3c2a63b64df1d79e04432b5a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b07653cd374c9e1b17a83f9af06ddb58

SHA1
4b39f9baa140cbeeaf428d84f7f7208d0491cf61

SHA256
99bed8862f422b1e1a23033370dd10270863c5cfd51662dc3350c7653e539032

SHA512
db43446adba761b76a0eccc37092ca681f332f39c2b3945a46dc99e9810082350b833664864fdb77b3820bdbec2bdac685802de4bd6af9f9c5374e45f0721b1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eb05978be6e302afc93ce1f412411c1

SHA1
95b635f2c244b9348653e688af6b5a3124629daf

SHA256
a30aab262d935b2e9e23c25d98068d7032f8b9a53fe57133d0e31d166c4b6f87

SHA512
8c9c04ced13cd12dc69350ccd737ce20f62c17f6b1425ca5e46a8897d5af38e5071baaa1ee6b2db3b6551b280e8576c84c51458927f4e61ad486d05ea6ba8f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2572b2202d4d20384ab1d6bcd0f32f48

SHA1
f5a8f50b018aee4ebc6b816393b937b61e970e9f

SHA256
f3fe91c7f21768b0ebf0ddb374f4e81b234440251250274b5f1859aa4edb3e53

SHA512
b804235e1f2aa3960044b7cf27c3f53ea7e7107d53670da5ba4dab250845b7a4fb46737214cd2fc9c0d45fb821d6ce0f694ec1d98cfe3ef229ce762f7c1f8f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
caed4faab48c068a2f3addf292fd083b

SHA1
64e26c67ba93850ba5a9c7ace676e78991e664e1

SHA256
0fd3a91a1e335ca848c2d4a2a6db140795f4b2fc8445595bfbd17fc286a4044b

SHA512
19e2291db529b0181fa17d4d3d4451d73e4d33db18b0b14d21d5a02ddfe3abc107076b6fba3bb86e704386b5a659874f0dc2e25aabeb19c4ce4374eb60bf81dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33dde448ed2718e59c7171aaa43737e8

SHA1
5bc00dee30b4cdb93f366a89e66eca114c8b2580

SHA256
dee81dad811734952f423df3bd76d6504e3004eb1b4ddc89da7b40234cea7e53

SHA512
5cd9c04506aea24c1f7a491b24b5d2b2700c878c16392a6599a8528491daa68905c46c3bb4179361045bfa643c3b607e3c561dc4f6d6c02bfec473b42bca13b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
727de28f519016c2caf3eca9b944d359

SHA1
489a8ef7f34dce8ec1d9fd559f19af2e8ad9b10f

SHA256
ce6102c326ad513c73b17d76accedb4cb003cc3ddec432baa9d8d03e1b3a71d0

SHA512
4c4d3e579ff920acc57cfc10c42898d1a50524a0461f9f0a0eafaf19e2bd926b8260f80b680f46789d2c39e308c320549d6273b9c9c9ab27ed2530910fef369c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a13a02e5f16f6b51a14352448820be4e

SHA1
0fe52bdf13f716edf2c055ba01ef1e360f03fef6

SHA256
2316bb5dedcbdae52239748a5f900e99a5210115465ba8b357fefce3349be67e

SHA512
9f31250324df4b976ec4fbd86bc9bdadbf882d3a1169f10b228ea0f057cc6a47a9f53669ce41a7cfba1c03fb6d96b4263117448cfd322b4b8b98cd17bff7857a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2297d3baed66ae3355db35bcccdbfc3

SHA1
9a9bd08d8d7e0d364c06c97ac4d892eaa0596acb

SHA256
6c01f5660e07a92221bdd84855b52b47229c81bab0c4c42c9ae973b5f2ffa350

SHA512
625f4aa494b785dfb34f1017fca8219a7b378b6f871d4195873acbf559ab793b89562ac38cf1a826415b21fd70913d3c87628f9a3ea59db144676639505128b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{20104EB1-27CC-11EF-825B-FA5112F1BCBF}.dat

Filesize
6KB

MD5
20c3fdc6a7823c48e8a7b10a2a627438

SHA1
38086bd2ede5d789fdc75411fd4ea6d7da780a00

SHA256
09120fdb2da61bccb3094804b4a5ea2393060aba2e17dc6acf0a4a12b60bb9c7

SHA512
818d2795369cc2e5ab4a47cf49ff9f9f786387745cb1af7d42dc223ba884fc2571d7be59ebdabcf5ffe8539870472832a3dcff9f2e3807aa9b51993ce4c0490f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab647E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6552.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\.gitignore

Filesize
44B

MD5
095927e02e3f4d31c7a0d402d954eeb0

SHA1
803e7a7f8eb4eb6220e9edc57743ade2ecd8f38b

SHA256
f0cd807dcd8825ce23b4897a3f3a436c1174c8a4e7431a6547bb3399699f429d

SHA512
7eed3a7147f13e6a46ea8abaa0eed8a985fbd42f83f11da14fffd38c850fe52202cd00b23d3b0f063255cbcc5896266b02f892ec49e3990b7d7c332f08536f77

Download Submit
C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05152015040014.xml

Filesize
952B

MD5
b5784e05bafd21abd018929e5bfb891e

SHA1
3fb217a06e436f653da850cbf7589576b1f563fb

SHA256
b55c74b57d468f8412136ef4767e65785292749c1b962700db21e67941910c9c

SHA512
b8daf31ea15897b67bc44b3d06e3454926256c4916252a1b4bd46e363365331a57f93278f60dc8d80d8af5dfd6cec5369fe52a9b6e819502e122ab43bfefdd35

Download Submit
C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05152015040014.xml

Filesize
514B

MD5
da7cbdc5f6821b87749e272c18f8f493

SHA1
ef8d741c8aa6226af657a35a53d45207c6ab5397

SHA256
3ae026844a141af506a4d96b8886a54a82954e331739630cd64ed2cd390f1c89

SHA512
c904a57ad128bb7efbdc2c773c130b42545daa6be2acf78be7df43761d80f3220b25146026a56f6d28d5dfca8aee071815077424c5a1b608c361c587d03d80c6

Download Submit
C:\Users\Admin\AppData\Roaming\403.htm

Filesize
1KB

MD5
394a5c0cee0392d04fad577c6766f06b

SHA1
16197acb33ddc2e8c5d1f7fc04aaa0cf1f26b95f

SHA256
ed1e1c39e647d0aa8b950c98ff6ba2e7d551927263e45d4ba86b8747ce5149ee

SHA512
9027e504499d057097c2b149ae3743519178cb570c48d4f0dd5cc735554199ad2525915af3b8e4ff1bafc471ebe3cefcd4760fc6c2c5a9e8f7bfde5805a89397

Download Submit
C:\Users\Admin\AppData\Roaming\AsteroidVertexInput.hlsli

Filesize
182B

MD5
b5b01ac30aabb5394aef7a5990ca6970

SHA1
bcf8aa98d01da8815b4c0326ea8b821fd9581135

SHA256
527beb88aae27bf244bcec8d7312a3a1da9d7ff3e64581919eb4563023c38b6e

SHA512
df2f5f55eb2f8409c975a09c72a48e353f1127432d2af5f4c4e917e317e0a748759e1dd75460b765d9edd8cb7d5df012db34fa2d3a4c7da2e1c644bf9777330a

Download Submit
C:\Users\Admin\AppData\Roaming\Bangui

Filesize
65B

MD5
6dfc97c20597bdd8f62955bf1ed3a6ed

SHA1
137177304be17a23b467db93935347a0b9996ab8

SHA256
885dec56791f6ddd711930b61b2ed390066ea3b676e26a7f42681cf52277660d

SHA512
8c82f0bd3a69a80131f5ab0cd4b6a7d2a3698687f1d34a04ad7615be8ec990911b23749d54c039d4dfebeb2880c05f1122e6fb43adcf33d9955926c23b58560a

Download Submit
C:\Users\Admin\AppData\Roaming\Barbados

Filesize
137B

MD5
363e53a22cdb004b03995cf78e815a8f

SHA1
d208a235652a1ef85b4a93b24e39fb149a85dc1a

SHA256
d49bcf72f9babb8d1ab2777a178befcdf98bd2f8deaccdbfac38142d6c66403b

SHA512
d727d389eac6d86dbb6423b299830ef1c090fa556cb42fb1605539165cd719b63cecb309182bef140c9b9f1974b729b18b60d3114feb344e3555f09c533efba4

Download Submit
C:\Users\Admin\AppData\Roaming\Bronze - Polished.3PP

Filesize
1KB

MD5
000f1aa3dde140d63ffb7c3a0bb9c3fa

SHA1
8897e631ed08248fbde270c7ce87cc2d2d078766

SHA256
27a661ab3534b748e9725a567628e8341c26f8fa1eb157eb9027c68a40c3146c

SHA512
a7bf610832e4412e65116eeebf279008834add76df92491c7aaed63669a465421e26d36febc3f3b846cd047b125550b3e70c5e6a9737a2eaa0e0347a1dd9ac62

Download Submit
C:\Users\Admin\AppData\Roaming\Burlington.ksd

Filesize
62KB

MD5
cfcc7cbe898a4dd7253abc4cc006a758

SHA1
7c4cd864fe923dd2e183b2a1703ca189b735dafb

SHA256
c940e7b49156e6ec0b9a9b02684676ac1c30691c2c229cb7e814904079ca5266

SHA512
1118e10e5dcb833e232e401bfd946416b5be251519291d392e12227228d79600f61ff742badc398b09ca8ec07f2b8bcaee3cff225396234bf9b974485de5af20

Download Submit
C:\Users\Admin\AppData\Roaming\Burlington.rmw

Filesize
63KB

MD5
d78e31e10c0b0c68765773608df893a0

SHA1
a67b4d1190699ec20106d91a3abaa02658740aa0

SHA256
2a2f12ddb70f5e4cf39e67163892820bc2f6297bfc5c4f17ca634fd287d87dc6

SHA512
385e9d2f7ad4066c2de373597c7ef914eada5f94bb340b1c112fe0c5f27ddade166d2a9ff52171bf30fe1ee1937a81b26a0d06962627179c7819644be3157624

Download Submit
C:\Users\Admin\AppData\Roaming\CHANGELOG.md

Filesize
4KB

MD5
54386edb860d145a3103714aad336359

SHA1
727ae39864f1122f221d40396f16468272bc09ab

SHA256
d49850a0b720d1b027090d2de3b7c426bc38a9c82eccc73e99c65efad53bafb5

SHA512
c0fc5003363802798ca2443e8a80cf279e6e7c2b63d9e880eb625908efe0d7a728b96c1d90e5dd0ea2883dc4a39e5c55669a2b926ca801a5e266239f3a3383ba

Download Submit
C:\Users\Admin\AppData\Roaming\CHANGELOG.md

Filesize
4KB

MD5
e6f2520cedb0df21cc115a52eb3f7758

SHA1
27d37567e0739177af8915ebfd1d3f17fe53d52d

SHA256
daf6ffb3678d5e74a87aa550af9bd34c6e049562a771b38fcc39d5f8ec1df45a

SHA512
ea91d35f654f1275dfd437ffd44ebe8b2ec5690f32ee78c2507ebb807570306f20b18b22085a4592c215458885fb9dfbff5919f93ca19fe8e0be94cd425d8060

Download Submit
C:\Users\Admin\AppData\Roaming\Cocos

Filesize
27B

MD5
1938fcd1b8813ea5f8fe611478d4c1b5

SHA1
d87706b8193657bce53322e59b3c206533017d83

SHA256
461a256119989ebfb392a6a6afa560213254420b1d4f89d97fa3690fc5c0fc4e

SHA512
def3e9c92266a3af6be1753872286aa8dd624c4a76b8f3f180596a748f5bf6d7bdd965dd43b13120a4ed784f4628b5a1e6d7e9e12da15179d2b47e72994c323e

Download Submit
C:\Users\Admin\AppData\Roaming\CurveFitting.vbw

Filesize
181B

MD5
19e3e555a0bf6693f27ade2fcfa43102

SHA1
6828a357dad7c26383ece0bdbb515e5c4fecd684

SHA256
02bbe02800132003ce473ffbe9e602034651d4edf71df3dd3a11014c1edc9ec0

SHA512
a55f49380db70d26db07e54ed05597b060ffbcddf33f2e49c6479e27981df301460ab1ead6d895df5241593eb13d4b7379ce20acc07e5e9ccdc617ea3409d1aa

Download Submit
C:\Users\Admin\AppData\Roaming\Eirunepe

Filesize
321B

MD5
f3b291c8ac4ce814ff455a1dedb752e6

SHA1
3699971fcdad24b65695219e582b97de04bd06a5

SHA256
0b9971842c858a61f0749a18a06a795139ee9f55038d23b9826f6b579d560dc3

SHA512
8cece8f0b1ad2a6c93f17334fc130f913e6f3c0877d93d00e706ae2d9d9ce4077101522c1b540b4bc05924c0c5e0438e67ffea9647964cd73d193ae0f8c2b056

Download Submit
C:\Users\Admin\AppData\Roaming\ExampleAWTViewer.java

Filesize
4KB

MD5
88de7cdc32f29668b4d614c4df95459b

SHA1
478f8073d79a3fd6dff64d10074b1ef1b7f41ef4

SHA256
a399df5b24529f65783e4e4f477d1087582a9caea6ce373409c75ad05caef1c3

SHA512
66add86aa2847d8e4208a905309363d61ed61b287ebb57839b7121b327143cc68aa7389c177faf86e4b06a8395c326711e90920b94f957a25126d57c5258ae17

Download Submit
C:\Users\Admin\AppData\Roaming\ExampleAWTViewer.java

Filesize
3KB

MD5
c8534d0727f789f79ee8ed9a53f50eba

SHA1
9ab9d675826468231141ffa9a59d7d3d869aebad

SHA256
01fd53799d28cb81f81efc1330d268957e14d5eaf75f5dcf8c0136c573635901

SHA512
72a2837254562ec278bc147103809c572f0d9757ab98d86cd444d571764aa3ef2655f24a138512faee488583319455698887affda4cc40b3a4a1ca62864b78c7

Download Submit
C:\Users\Admin\AppData\Roaming\Frosted Detail Plastic - Frosted Detail.3PP

Filesize
1KB

MD5
8ec4b2cbba583fad1c9dbab95eadecdd

SHA1
5a9cc205daae7774b6b45cdcd984e056eb798e4a

SHA256
540c5bdb0518da9c9aa8ca10e3c90e1ed5c7f84183a681b412b6455fa7369333

SHA512
09d8babc7b08e4a884d44811372edc1a986b7aadad9584041ef07e8dd1c0e33ab38921b368b9b9a00de9dbdb3c8d9a3abfa263f2ccf0c58258399f7c0d856311

Download Submit
C:\Users\Admin\AppData\Roaming\Gonophore.V

Filesize
3KB

MD5
20d29eb0b3b8a16b89fb56f6630b8ce8

SHA1
0e18841b5b89ac09516d51fae248f9310bc62471

SHA256
629b46aa2ea449a091e38e0636b8e7904fa98a6ce79af2834509354f1b10f959

SHA512
703bb92267913b49ba3aaf1e629ecd4ba3ec5d85b525c4acceae1abebf7438e8dac5e769f1f545228c878507e011e1ae7dfd89667e5d04deb9dc541773257eb4

Download Submit
C:\Users\Admin\AppData\Roaming\Hawsehole.NPy

Filesize
126KB

MD5
e8eb25e0d58d365613e5118107f7eb32

SHA1
f252611d8da0c8c2f2eefc00a1990fe734e1c138

SHA256
dd4372b30ff4f96b2012f97fd58fc0252ea280dba543a39e764edc02c03af3cb

SHA512
249946e79033e0f7ad7efc1a95ed259653e1f4cd0dba441388c0ed99667f29aa07121752ef593b0b92ca848ed04d5e4e661d033834150d0ad83d695bd8ed56a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cmdkey.lnk

Filesize
1KB

MD5
8c470b8df19ba5baacde9264d066a036

SHA1
269cfa076d2e2f4ba53fd58ba125f8273dba49bc

SHA256
a7f3aa4eb439ecad66dc8939c1a56889451d51fbbe3e933684dffdc94e0da5c3

SHA512
6f1cffd71754fcbc3c41f5eac736481ee47cb720911588820e98e82f0848cc320c93ab4df5db43a247f64e81cfd9b468406043baa7d6f7b57f5a716c6b76128c

Download Submit
C:\Users\Admin\AppData\Roaming\accelerometer.png

Filesize
3KB

MD5
6ad73c43d180cd1d26875a21debe18e7

SHA1
9e5f80f3c7aed51540753f562885e196cc0096d5

SHA256
d0eb2e5899b2252bbb32d63debfcbe20f97fd5a539fcda1c3fa3bd957dcba0c3

SHA512
12aab9c47daec342ce7e0c5e4a48519718c0ff2b31caaea4a588d9c696f5b8b63d6126e6211194ff58e35f39cf8c930abbbf1ad8048f2a8defc4eb76f931a3b8

Download Submit
C:\Users\Admin\AppData\Roaming\accelerometer.png

Filesize
3KB

MD5
ee605850778b585f63c6382ab05e8112

SHA1
4463ca8edb3c221fd0bec825822d0f77b71d2e10

SHA256
583e9114740dd5e71aec0a4bab86d644c1856a3008d248f41502fc4368b62398

SHA512
ab521ba8d4b06b0d440d80a50b2439ec983a26df943021c82a9cabf931c352e11e6f8e12c5b97ffaed30ea60bf989c04fe5e96237cab6dc06241c19a4464e50b

Download Submit
C:\Users\Admin\AppData\Roaming\archive_inactive_unhovered.png

Filesize
2KB

MD5
2706a9691f646f678220600f5a3da66d

SHA1
18aca6b122fb4eeb132ff80378a3ebc5c7e76acb

SHA256
5709aef07360ffe1cc827e1f77d0c23d5eb97d5f328ac8293911aa888dcf4ba0

SHA512
8263f29d2dc33e2060c8c4b5ca34abff26a3c79c08e019f9b3eb3d8cc6504f26786a65ea20ae968ae5f42dda9c6a446a4394ca0886003c50bfc068b9009609b6

Download Submit
C:\Users\Admin\AppData\Roaming\archive_inactive_unhovered.png

Filesize
3KB

MD5
c9edd0f3c30eff25865557e96c485224

SHA1
12b375b4dbd9dc6943914f199a5319776879426b

SHA256
c053e43b553c912cc54200addfd200e9f9d2e365e8d8c1d823b3506273dd5d5c

SHA512
37d78ab744e5d3e6b270ecfb1ecdd4344d7c66145c2c655fb4f969cf653160063fddef8c8ef74d967efda2d4ed5bdc64a5f2825943613be7de7bb5e632ebd260

Download Submit
C:\Users\Admin\AppData\Roaming\bn_IN.aff

Filesize
197B

MD5
6c0fb6fd9810560e7b438cdf662c2734

SHA1
26304263ffc6724e5bd5a0dc440d74f233bc2fa2

SHA256
bff0a0f00c9adb0ac7bcc8421882b4bcd0fb5b47d278ed64cd661ec7dce51cde

SHA512
d85b9b780ef0ecac44e9af6ca0c766c04dcbc22cf3bf65efd23395806042d8cdadebbe088d21a0be75b37b2c6ddeb7aa726483c9b139d4284ef6b51101ca8c8b

Download Submit
C:\Users\Admin\AppData\Roaming\build.xml

Filesize
4KB

MD5
0675ddae39995e21081a699d62da24d5

SHA1
369166f6793892f2e6690e95dd68da65015ef07c

SHA256
40f8f3a3ae7dab8b8b00147ae9b4dbb0611cd15636a15dced3b90d21c14edf1f

SHA512
900015de142233f3bbe870a6c697d18d2f587a5c6d1e965daa0807d6a5cd311d2eb605ca3aa89f9e650913d476a18cf8b4a74afa84acda4cd63c4939ea284d94

Download Submit
C:\Users\Admin\AppData\Roaming\build.xml

Filesize
4KB

MD5
d71c20fbe6e7fe88c453c4de4158569b

SHA1
e9536ce1d847fe621dcb35ab2a88fa031a97e1d5

SHA256
80051670a85b20d61a0e8828f6e36aece06403720eca2b01da965a81683dfd63

SHA512
5b686b414c470ab67743fe35a4a055a8538c53e52db49024d860d836b8991ce17cad69a258a3558be76a8c7d132095b8038cc0ad43574c8a19d3e50a0839abd0

Download Submit
C:\Users\Admin\AppData\Roaming\chunker.output.indent.xml

Filesize
1KB

MD5
52c969a3814d887034bbd308839b39e6

SHA1
76990e9aba806f033c75af3e61c54f5aff35bba0

SHA256
de01f6b82723db2b995bd31ce510d27f55c699404330989b923662281e726e9e

SHA512
0f6fd0891432ab71a0f7358bd6cecd41d37ccf1450e0c56bb48ec058cb74e10cc680341b2ccd653449c83969873c5f217fc16d4831e3bf7123177e0584932309

Download Submit
C:\Users\Admin\AppData\Roaming\clock.png

Filesize
2KB

MD5
4cb40bdad1a43c4fb89f7b4400076efc

SHA1
ab2a3689957a412dbd3cd7f83e5aa35d44055941

SHA256
1bb2e1d63f0787ad9a0e0ad8b3987c42f74d873211f440e6338f78bfa62d4ee0

SHA512
0e444c130721fa155e28af88b21c0badced98ea2f1fd0df915cf07e4cf4b6d364e24a5babff81ad3246c5839595df520dc3e4d9a13635903f0e5ab4dc795a840

Download Submit
C:\Users\Admin\AppData\Roaming\clock.png

Filesize
3KB

MD5
8eeb5b020079d6fd4508591df893c5d0

SHA1
0ce3fe52689f4927b62e6c4994bae9e45fe0a777

SHA256
e9beb5eeb2bb75edcf2b5b008bfaac5182d920970b269128e3967e3b691ca0e6

SHA512
f17c47aff2c57bdb0924c745308cc2c5580101754d36a229f7ea62559ead0d6e1e4836a2526a6a4f826eb1de256e8ed1e4d1f950ef2ddfc6eb40453d797ba96a

Download Submit
C:\Users\Admin\AppData\Roaming\compact.list.item.spacing.xml

Filesize
1KB

MD5
223909ceffcf7dd92a90656a0a1eb1af

SHA1
72557996dce6cabab827b4e7d1bafc94574beafa

SHA256
c49d10ccada76693da2aeadadfff385359732ff5ef4f01bc662150564c892ff3

SHA512
2d5ed9519276d244b7e8c98c11a1e9c572a6d76a9caa4c71e8dac2a87ae1d338490682a7cf27f44965f26dda96b0fb033555328b1ab0394817074c2e12b21a83

Download Submit
C:\Users\Admin\AppData\Roaming\compact.list.item.spacing.xml

Filesize
1KB

MD5
efed3b24063421e8ce83e40abbc5860c

SHA1
a87cf2f5ee1784013e05bd102aa088b839df413a

SHA256
2ba360926547784df359d9a77e4d29a0ae46f36f6e987a924286be933e1e251b

SHA512
53748bacb36b4f806530fbb14794ec28489bf94fd50f359d104ca843fab4f0ee2f138324d1a28f637a64fccc84894523b48c7b480ef7264228f81dd77bd5836a

Download Submit
C:\Users\Admin\AppData\Roaming\cp_network.png

Filesize
2KB

MD5
5a7fb700d24dc20ca7e86ac88c7898ac

SHA1
50edfb37e364b1b1d22a3fc51d317d7ace27ccec

SHA256
42a28dd4821b43368002876179a593aee7a2eb4912074d84ac6d3f3dab4b7211

SHA512
144fda85daed37c7f43847abab93273d1b3114784def313c81ef165ed4ec85ff72c504c14005afb89e40ca863dbaa04dfe6fc74021d1592786415606122867df

Download Submit
C:\Users\Admin\AppData\Roaming\cpu_core.png

Filesize
3KB

MD5
823c348a508c32bc7d16d568126c34fb

SHA1
2b2f4bf49a7d8454474bf185e26b2c48cf43e461

SHA256
4f84fda6a4dc46d8577474025df6fead475e5ce750de8177ce51031b82b7221a

SHA512
c80ad925af22645a6ee1766036ff1841350387683db6210fff36c6f5fe321855e77aa50c765a3be4319b8a66032a14bb98655c31184ccc2dcf217a4e12df2842

Download Submit
C:\Users\Admin\AppData\Roaming\cpu_core.png

Filesize
4KB

MD5
bfac47ca0b15e5b35b06840d8c144cf2

SHA1
e0b104dfee01ab3788a187570d787360383785f9

SHA256
27fd3880249094ca5730a8b85d97e082eeb82e4593951c2386eeed9b46315442

SHA512
340a8cfb9d6dfca81b3fc31b27091357ab4629d28c626d409692d9e501681bdded03c5a383370526957e189cbb4d6f8fd29be2c8fcaa785c65867a34d112dae1

Download Submit
C:\Users\Admin\AppData\Roaming\download_11.ico

Filesize
2KB

MD5
5b6d410767b3f51805b65bd53047ddff

SHA1
7eae072adbc3b102a3e06873f643e5e11674d936

SHA256
c665dbded35fd10240134d7199cba83e69eedeb893fdffa73235e5f3ceaacaa3

SHA512
45a409739c6f7ef6444d0fd80134941a20806b7248336b5bc76f757107fd0637f292b2827c0b90c26c1bc5ee4fb6658a1a1d6c2a23b55b8b8bd550a2671c04f4

Download Submit
C:\Users\Admin\AppData\Roaming\dut.fca

Filesize
1KB

MD5
61bb87909569420e9d889bd076a11aef

SHA1
668909823ee96cd46b76ffb4aba97e2335dd65da

SHA256
386b26bffa39406bea409f57f8d332a590856554373b073b7b5b340d5e68eaca

SHA512
fc873eb58c1a25f830ff3571b863c0da371f751d75052d3e77d1b94bb5ccead606ca19aaa73621467bbbc86aef817cfb9c9150f04af18f1c87846fc31f81f03d

Download Submit
C:\Users\Admin\AppData\Roaming\f33.png

Filesize
1KB

MD5
0b0bd10b948251c2186bdca7dda03f1e

SHA1
fcf63a2d74423831658b0a8e796d5e4d68c9d75a

SHA256
be9f43ec0941da133967b83723d01290d74b08003d78126326d44198e7ab3682

SHA512
b9fa0e443ba306903650554c3851460d2622404b8053dda7244bbb56453d96e467bc50d3ba9988e18150d13deee13eb3d2bb06eea1cb0f25db2d1ca1b0a115c6

Download Submit
C:\Users\Admin\AppData\Roaming\f33.png

Filesize
1KB

MD5
2be2fa3d1cd7438ceac3bb0fabff57f0

SHA1
06566068deddd781890d3ecb5a9e9fe087f763c5

SHA256
3b0ff6b401c23a915b4dc05a8cf26f0825a93aa1f569da6bbc1a6195d4904ef5

SHA512
cc95871dddc3a7c241f1a919787035f32bd644e9a369a8af43673b9822ad7d9722888dde35a4eb725e152e0f351c1f639b6d0a867534673b93340bf37fb62668

Download Submit
C:\Users\Admin\AppData\Roaming\feed-icon-14x14.png

Filesize
689B

MD5
2168a573d0d45bd2f9a89b8236453d61

SHA1
30733f525b9d191ac4720041a49fc2d17f4c99a1

SHA256
8ee173565b2e771fecf3b471a79bdf072aaa1bd9dc27582cfda2b2a322beeba8

SHA512
1263589e12f587143ec1dd8ac87293a041f7d77439fcf91503e62be02e36d13e28560342deed86cf800c7bc01cd31837004d1ebe7ae53c670340040c68eb0e22

Download Submit
C:\Users\Admin\AppData\Roaming\function.parens.xml

Filesize
1KB

MD5
8373fc996674d9f880a4dc6d71bcbae0

SHA1
6febd5861bc5df650ae868873673d922705c3995

SHA256
6434ef6fb82aa4876627c76fbe8c145210a7529f5dedc36c4415861d5b32d12a

SHA512
b672e5087dea3b3a0ca22129196e89525f364825f85a081109c453834d14b37d871a79cfac06903d565006703c848444fdac51a3bce455125a8cf664febc7eb7

Download Submit
C:\Users\Admin\AppData\Roaming\function.parens.xml

Filesize
922B

MD5
054b78215f249c0bdb4a66dc5194ff6b

SHA1
b7375a86ea0bc22a5a2033ea92eb0435e5a6c0d4

SHA256
4acce89219d39f8e1f024bd6e90f93936afc4899821cf0674548f96a80815fb9

SHA512
e59c92ff9198afa690a61d789379e6cc448156c20a673e948066dbf97446bf2f11533516d92deba0b865b8b6460b785646cab9970234aada7fda02fdac15fca8

Download Submit
C:\Users\Admin\AppData\Roaming\g3_5 x 7 in 300 dpi.IMZ

Filesize
46B

MD5
4d86c60fba2c17060dc3ea905619a4f9

SHA1
1d7c6fb8779b9a6e18036d3fc20be4311be1e54a

SHA256
486162bd4d51d4ad263da28d8ffd288e75d5228e015f041702c9c295179689ba

SHA512
6af5f1f4a26f8eda819acf1af36758b83ed5fee5e58c67e4fb7cb4253b75c74aea36169231662f1aa746d85cd91e66951134958bed5e4812caa5aa4a397a39da

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3A53.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Roaming\Registry.dll

Filesize
28KB

MD5
1e9011ed3232d3a7142d8896606f524e

SHA1
56370a185a5de3d9019a39d3f97226cb5fe1352f

SHA256
e9581869c22c1fdbf547b4356c1f399283d7c9d3244ca32862373b8b0f11e6c5

SHA512
39b13c932344d70cc54a6ee3843936a25373d77c2335e8f5e3d7d11f5a0b3b6d14989e13c0fc3809148cf4c8d0d91666130abfc1d3507e3c7c03c6e545a9cc5b

Download Submit
\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\cmdkey.exe

Filesize
208KB

MD5
9d8c90e3c00d723f8167d9e579b2eff1

SHA1
86f82bb7da52240469a520a1c4f166aa7beef579

SHA256
82358cfce8922a6d09b9c3ccb7867ce65556040592f238fd2939ba9507156d7b

SHA512
3bfedc755703b626c47a549ffe955433bc30ad10cdea7f0feb2d848e6a2d720f5cf973115b6d454549a86a83557dafdda67fec65a938353d1e12de947d5348e7

Download Submit
memory/1208-165-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-173-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-665-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-661-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-659-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-175-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-174-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-663-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-170-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-169-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-167-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1208-164-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1928-55-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2476-161-0x0000000000680000-0x000000000068F000-memory.dmp

Filesize
60KB

Download
memory/2712-71-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download