Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-08-2024 23:52

General

  • Target

    c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    c7df36eb377bc1d7965c5168b261ec5d

  • SHA1

    5f046f37524868a8213d9b86f83ee57ed5140598

  • SHA256

    0771142a235814ff46baa6de400da78a31a7fb77fd3919e1978fad59edf03c20

  • SHA512

    f3f7ea21fff12888f9451185039052f330a724707688ac8e3791f28eddf4a8b00ee5a8c0bb30c8d96749c9e9e643bff51b6ee335f8f36915722e7ba9f3540b6e

  • SSDEEP

    3072:MyAaQqe90u5DdXJ745v+fxqGM1CKnXWE2J/ENGNTHO8TsgqVLZERioMCxrPY3KFC:MyAge9RVwAa0KXWlENkDTyV1ERioM0bq

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4 | | 2. http://cerberhhyed5frqa.adevf4.win/83F5-2203-2253-0042-F7C4 | | 3. http://cerberhhyed5frqa.fkri48.win/83F5-2203-2253-0042-F7C4 | | 4. 
http://cerberhhyed5frqa.xtrvb4.win/83F5-2203-2253-0042-F7C4 | | 5. http://cerberhhyed5frqa.cmfhty.win/83F5-2203-2253-0042-F7C4 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/83F5-2203-2253-0042-F7C4 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4

http://cerberhhyed5frqa.adevf4.win/83F5-2203-2253-0042-F7C4

http://cerberhhyed5frqa.fkri48.win/83F5-2203-2253-0042-F7C4

http://cerberhhyed5frqa.xtrvb4.win/83F5-2203-2253-0042-F7C4

http://cerberhhyed5frqa.cmfhty.win/83F5-2203-2253-0042-F7C4

http://cerberhhyed5frqa.onion/83F5-2203-2253-0042-F7C4

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4" target="_blank">http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4</a></li> <li><a href="http://cerberhhyed5frqa.adevf4.win/83F5-2203-2253-0042-F7C4" target="_blank">http://cerberhhyed5frqa.adevf4.win/83F5-2203-2253-0042-F7C4</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/83F5-2203-2253-0042-F7C4" target="_blank">http://cerberhhyed5frqa.fkri48.win/83F5-2203-2253-0042-F7C4</a></li> <li><a href="http://cerberhhyed5frqa.xtrvb4.win/83F5-2203-2253-0042-F7C4" target="_blank">http://cerberhhyed5frqa.xtrvb4.win/83F5-2203-2253-0042-F7C4</a></li> <li><a href="http://cerberhhyed5frqa.cmfhty.win/83F5-2203-2253-0042-F7C4" target="_blank">http://cerberhhyed5frqa.cmfhty.win/83F5-2203-2253-0042-F7C4</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4" target="_blank">http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4" target="_blank">http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4" target="_blank">http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/83F5-2203-2253-0042-F7C4</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>
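The TXT and HTML notes above carry the same five clearnet gateways and one .onion fallback, all keyed by the victim ID 83F5-2203-2253-0042-F7C4. For triage that ID and those hosts are the useful output of a note: the ID lets you match notes across hosts to one infection, the hosts go into proxy-log hunts and blocklists. The following is an added example, not code from the sandbox or from the sample; it parses constructed excerpts of both note formats (URLs taken from this report), handles the HTML entity that disguises the family name in the HTML note, and checks that every URL in a note agrees on the ID and onion label.

```python
"""Pull the victim ID and payment-gateway hosts out of a Cerber ransom note.

Added example for this report; it is not code from the sandbox or from the
sample. NOTE_TXT and NOTE_HTML are constructed excerpts mirroring the
"# DECRYPT MY FILES #" notes extracted above (the URLs are the ones in the
report). The regex assumes the URL shape seen in that note:
http://<16-char onion label>.<short label>.win/<XXXX-XXXX-XXXX-XXXX-XXXX>
with an .onion fallback carrying the same victim ID.
"""
from __future__ import annotations

import html
import re
from dataclasses import dataclass

# Constructed TXT excerpt: the address list and the Tor fallback from the note.
NOTE_TXT = """C E R B E R   R A N S O M W A R E
There is a list of temporary addresses to go on your personal page below:
| 1. http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4 |
| 2. http://cerberhhyed5frqa.adevf4.win/83F5-2203-2253-0042-F7C4 |
| 3. http://cerberhhyed5frqa.fkri48.win/83F5-2203-2253-0042-F7C4 |
| 4. http://cerberhhyed5frqa.xtrvb4.win/83F5-2203-2253-0042-F7C4 |
| 5. http://cerberhhyed5frqa.cmfhty.win/83F5-2203-2253-0042-F7C4 |
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en
8. type or copy the address | http://cerberhhyed5frqa.onion/83F5-2203-2253-0042-F7C4 |
"""

# Constructed HTML excerpt. The &#067; entity in the title hides the word
# "Cerber" from a naive substring search on the raw file.
NOTE_HTML = """<!DOCTYPE html><html lang="en"><head><title>&#067;erber Ransomware</title></head>
<body><h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3><ol>
<li><a href="http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4">http://cerberhhyed5frqa.sims6n.win/83F5-2203-2253-0042-F7C4</a></li>
<li><a href="http://cerberhhyed5frqa.adevf4.win/83F5-2203-2253-0042-F7C4">http://cerberhhyed5frqa.adevf4.win/83F5-2203-2253-0042-F7C4</a></li>
<li><a href="http://cerberhhyed5frqa.fkri48.win/83F5-2203-2253-0042-F7C4">http://cerberhhyed5frqa.fkri48.win/83F5-2203-2253-0042-F7C4</a></li>
<li><a href="http://cerberhhyed5frqa.xtrvb4.win/83F5-2203-2253-0042-F7C4">http://cerberhhyed5frqa.xtrvb4.win/83F5-2203-2253-0042-F7C4</a></li>
<li><a href="http://cerberhhyed5frqa.cmfhty.win/83F5-2203-2253-0042-F7C4">http://cerberhhyed5frqa.cmfhty.win/83F5-2203-2253-0042-F7C4</a></li>
</ol><p>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/83F5-2203-2253-0042-F7C4</span></p>
</body></html>"""

GATEWAY_RE = re.compile(
    r"https?://(?P<host>(?P<label>[a-z0-9]{16})\.(?:[a-z0-9]+\.win|onion))"
    r"/(?P<vid>[0-9A-F]{4}(?:-[0-9A-F]{4}){4})\b"
)


@dataclass(frozen=True)
class NoteIndicators:
    victim_id: str
    onion_label: str
    clearnet_gateways: tuple  # .win hosts in note order, de-duplicated
    onion_gateways: tuple


def _to_text(note: str) -> str:
    """Drop tags and decode entities so HTML and TXT notes yield the same strings."""
    if "<html" in note[:200].lower():
        note = re.sub(r"<[^>]+>", " ", note)
    return html.unescape(note)


def is_cerber_note(note: str) -> bool:
    """Cheap triage check: the family marker (even spaced out) plus a gateway URL."""
    text = _to_text(note)
    return "cerber" in re.sub(r"\s+", "", text).lower() and GATEWAY_RE.search(text) is not None


def extract_indicators(note: str) -> NoteIndicators:
    text = _to_text(note)
    hits = list(GATEWAY_RE.finditer(text))
    if not hits:
        raise ValueError("no Cerber-style gateway URL found")
    vids = {m["vid"] for m in hits}
    labels = {m["label"] for m in hits}
    # Every URL in one note carries the same victim ID and onion label; a mismatch
    # means two notes were concatenated or the text was edited.
    if len(vids) != 1 or len(labels) != 1:
        raise ValueError(f"inconsistent note: ids={sorted(vids)} labels={sorted(labels)}")
    hosts: list[str] = []
    for m in hits:
        if m["host"] not in hosts:
            hosts.append(m["host"])
    return NoteIndicators(
        victim_id=vids.pop(),
        onion_label=labels.pop(),
        clearnet_gateways=tuple(h for h in hosts if h.endswith(".win")),
        onion_gateways=tuple(h for h in hosts if h.endswith(".onion")),
    )


def blocklist(ind: NoteIndicators) -> list[str]:
    """Hosts worth blocking plus their throwaway .win parent domains (e.g. sims6n.win)."""
    out = set(ind.clearnet_gateways)
    out.update(h.split(".", 1)[1] for h in ind.clearnet_gateways)
    return sorted(out)


if __name__ == "__main__":
    for note in (NOTE_TXT, NOTE_HTML):
        ind = extract_indicators(note)
        print(ind.victim_id, ind.onion_label, len(ind.clearnet_gateways), "clearnet gateways")
    print("\n".join(blocklist(extract_indicators(NOTE_TXT))))
```

The consistency check matters in practice: the same note template is dropped into every folder, so a disagreement between URLs is the only cheap sign that you are looking at a tampered or spliced note rather than the original. The .onion label stays constant across the five clearnet mirrors, which makes it a more durable pivot than any single .win domain.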

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

  • Contacts a large number (16389) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. Cerber is known to send one-way UDP check-ins to whole netblocks, so a count of this size is consistent with that behaviour rather than with a service scan.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Cerber uses this check to refuse to run on machines whose locale belongs to CIS countries.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems. In this run the only pings are "ping -n 1 127.0.0.1", issued from the two cleanup cmd.exe chains as a short delay before the del, not as a connectivity check.

  • NSIS installer 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Local\Temp\c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe
        "C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe
          "C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:632
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:537601 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1520
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:2428
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:2308
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "raserver.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe" > NUL
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:956
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "raserver.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2264
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:588
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe" > NUL
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2612
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2596
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BCCC3EFD-D5B3-48C4-875F-02B1F3885055} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe
      C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe
        C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1736
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:964
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1260
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3068
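Three things in the tree above are what a detection engineer would encode: the two cleanup chains (cmd.exe running taskkill, then ping -n 1 127.0.0.1 as a delay, then del of the executable), the dropped copy running from a GUID-named folder under %AppData%\Roaming, and taskeng.exe relaunching that copy, which shows the scheduled-task persistence firing. The following is an added example, not code from the sandbox or from the sample; the records are constructed from this tree (images, command lines and PIDs copied from it, parent PIDs inferred from the nesting, 0 where the report shows no parent), and the (pid, ppid, image, cmdline) layout is an assumption modelled on a Sysmon process-creation export.

```python
"""Flag the process-tree behaviours that mark this Cerber run as malicious.

Added example for this report, not code from the sandbox or from the sample.
PROCS is constructed from the process tree above: images, command lines and
PIDs are copied from it, parent PIDs follow the tree's nesting and 0 stands in
for parents the report does not show. The record layout is an assumption
(what a Sysmon event 1 export gives you).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe"

PROCS = [
    Proc(2376, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(1028, 2376, SAMPLE, f'"{SAMPLE}"'),
    Proc(2920, 1028, DROPPED, f'"{DROPPED}"'),
    Proc(2936, 2920, DROPPED, f'"{DROPPED}"'),
    Proc(2412, 2936, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html'),
    Proc(956, 2936, r"C:\Windows\system32\cmd.exe",
         f'/d /c taskkill /t /f /im "raserver.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "{DROPPED}" > NUL'),
    Proc(2696, 1028, r"C:\Windows\SysWOW64\cmd.exe",
         f'/d /c taskkill /t /f /im "c7df36eb377bc1d7965c5168b261ec5d_JaffaCakes118.exe" > NUL '
         f'& ping -n 1 127.0.0.1 > NUL & del "{SAMPLE}" > NUL'),
    Proc(1556, 0, r"C:\Windows\system32\taskeng.exe",
         r"taskeng.exe {BCCC3EFD-D5B3-48C4-875F-02B1F3885055} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]"),
    Proc(1336, 1556, DROPPED, DROPPED),
    Proc(1736, 1336, DROPPED, DROPPED),
]

# taskkill ... & ping -n N 127.0.0.1 & del "<path>": the loopback ping is only a
# delay so the image's file handle is gone before del runs.
SELF_DELETE_RE = re.compile(
    r'taskkill\s+/t\s+/f\s+/im\s+"(?P<image>[^"]+)".*?'
    r'ping\s+-n\s+\d+\s+127\.0\.0\.1.*?'
    r'del\s+"(?P<path>[^"]+)"',
    re.IGNORECASE,
)
# %AppData%\Roaming\{GUID}\<name>.exe: the drop location this sample uses.
GUID_DROP_RE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs: list[Proc]) -> list[Finding]:
    by_pid = {p.pid: p for p in procs}
    findings: list[Finding] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        m = SELF_DELETE_RE.search(p.cmdline)
        # Fire only when the killed image and the deleted file are the same name;
        # otherwise it is an ordinary uninstall script, not self-removal.
        if m and _basename(p.image) == "cmd.exe" and _basename(m["path"]) == m["image"].lower():
            findings.append(Finding(p.pid, "self-delete", m["path"]))
        if GUID_DROP_RE.search(p.image):
            if parent and _basename(parent.image) == "taskeng.exe":
                findings.append(Finding(p.pid, "task-relaunch", p.image))
            else:
                findings.append(Finding(p.pid, "guid-drop-exec", p.image))
        # A process re-executing its own image; in this report every such parent
        # also shows SetThreadContext and WriteProcessMemory, the hollowing pairing.
        if parent and parent.image.lower() == p.image.lower():
            findings.append(Finding(p.pid, "self-spawn", parent.image))
    return findings


def pids(findings: list[Finding], rule: str) -> list[int]:
    return sorted(f.pid for f in findings if f.rule == rule)


if __name__ == "__main__":
    for f in detect(PROCS):
        print(f"{f.pid:>5} {f.rule:<15} {f.detail}")
```

On this tree the rules fire on PIDs 956 and 2696 (self-delete), 1336 (relaunch from taskeng.exe), 2920, 2936 and 1736 (execution from the GUID folder) and 1028, 2936 and 1736 (self-spawn), while iexplore.exe and the notes themselves stay clean. The name check in the self-delete rule is what keeps legitimate "kill then remove" uninstall scripts out of the alert queue.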

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html

        Filesize

        12KB

        MD5

        bb2c0d5cfdd620b7018afa185b5f7432

        SHA1

        3a2138722e18d4c529e4a6ebdb9784348a776bd6

        SHA256

        e255aa43302ea6a07e4044439ad7b891654c63dfe593d9091117bd73631a2ef6

        SHA512

        5f2cb107bd191b048c6358ff12da6a92204c2af29e113b7d229e31c2eddcc1bf803d55db7dbcbc5282d5307bef69802e09c5507d8c1e66b36392eb7f99d3ca85

      • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt

        Filesize

        10KB

        MD5

        1d3f9429c3b6c5f0ba9581f1a10c5ba0

        SHA1

        3b96960e639c474402c160620d44bb845b78ef80

        SHA256

        2a34a6f830b8a98c9c241851bf146a8ba4245f90adbdab5323fe9036100de640

        SHA512

        ad119ae49a923714e1c699083d3cdd61f3dd5992bd2adcb388d7d4715e45af7be8641e3e0a7add1c65abcfa193426cf297e7c433a522cc50e2b97b82a2eb904b

      • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.url

        Filesize

        85B

        MD5

        b650670a23a808a909fe5f42b6c24537

        SHA1

        4afce8a8f02590efe40b43214f76a31af0856d51

        SHA256

        5e079afb25f97861c13fcc78eb218da76316c2cdf501d5535f28ac142d6b1b2a

        SHA512

        3e0981aca7440aa93d75515f136d63d85f1c949067d4e4e0c919a9137e4dc2653d8de0af499527240622433cc67f58a41a9abb2fa7ca6ba39c8c16917a06e357

      • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.vbs

        Filesize

        225B

        MD5

        f6d629f2a4c0815f005230185bd892fe

        SHA1

        1572070cf8773883a6fd5f5d1eb51ec724bbf708

        SHA256

        ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

        SHA512

        b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        d3c4098d7ab9df9df1174ffce1145ba9

        SHA1

        53457079316964aba5dfdfd8d304b18f1821793f

        SHA256

        d3ec2084fbbffaf34dda9c155ae330d99044a05712745245ad0fa62f2ebfbd2e

        SHA512

        53c7762ce159f14eb2164723a0d2c68bd97d4295eb7a1bef5c906fc4fb7e1ed1041a873a27145827dd73e0483806ab681af132e21bf2f7f9177f998d037b3d2a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        3c81ca5cd2fd0be188a53b21429314bb

        SHA1

        f5b0bbe35510ae43f3c89aa7859ce5c0d720d3da

        SHA256

        83e63e986473882cba8115481fb563628e4abb1941c088a6d91428700a4f3280

        SHA512

        ce38a22af7d8111f3c1510416114a1e3f17ddb10dff98869612f5dc6c31ca5bee4a99d54c3c9ecfee3b68f4cdb4624d9ea62a184514087f25b42ea43286b617f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        c664e777a584d0c2020b5a8b155dad4c

        SHA1

        41cb3130475af9eed30b4b730159eb47545e9e46

        SHA256

        e6e54c96da576c0c63321cb5c390ca4f8dea1082cd389aa8f43475d618042b5f

        SHA512

        76bd309e963067c044b9983f1605ad3ed59cd1e936e9450c956ab0bcf4b2519fb8e00f01ecee83dc534aa7b4a0d6bd2b173e2c7387953b795f791e3660797292

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        86123b5875f0c8f4d27aeac386197d1e

        SHA1

        5f6340e4786c62ad948d841bbab5397a1dcbaf24

        SHA256

        1bc7c7422aab885570170197632834cc50bca1306cd67227caf754430ed4f6d6

        SHA512

        1a4f44afa7110274e1c60e409775daaf1b7df391ee0b36ffe47b8237b0506ecb52b99b6c08dfdda8acb600a350e0412acb1fe14d64e1cc541b8c6a6a5ba16366

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        69318ac01051f01541a5bff6ebefa00e

        SHA1

        3cfa155aaa21051e3c89af041a99c077e3ee590e

        SHA256

        aa6cace6a5b5d263db88401725614d12258bcee0f28e45d73b375a2ecac3bd3c

        SHA512

        8b21cb23f184cfd3674346d7596ae9e7e704c76acdf963ba13872639eb045d8cfa1a5336d66b928ac03fac20e8a3e73466913c6a60b9f2b45152120344c1d47b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        60b113d42bee89a77c7af26b97f2bd42

        SHA1

        1300b2cc3a5c7ba94a7ebb6c5f8edaef09081acb

        SHA256

        d034734c02a03d72b8d07045510c8cb7a5669a17dec9f5c60a3f8ec506530509

        SHA512

        c6b62e5fef281057b389b16ff40baf5082b8b53c7a4da888560cc2517f0c39794519cce28d7624bea32386ce732593890d3ffce0d2239d9ba21d1f3bb1e8f28f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        c1c6a722c2b2de1f78d74b9286a18f4c

        SHA1

        6dc17e48a27fee1430910f8df62343f381f0c92d

        SHA256

        abf2d02674844c694c4405f76f42bd9f7b2264f9b470bf3c92588ae455e9a207

        SHA512

        d41fe6da071863001840b2734b97a3215483481a45879b6ffa4afeee3cc16050dc0b78318a70b3f7b0051314d8be7706892d315b69ce203112f3a1db6fee61d0

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        a5816fa04edd28521f25035270833fea

        SHA1

        9a0e94bdd59e6b3bca6e0306cc8053592d4963f0

        SHA256

        adf4fd3c9e0a27f9c363cea10a435f5e5c6aef65ebc259ba952af4fa7b3a347d

        SHA512

        8554089cfdb5c985402e073665fa7480cdb67d8e2c4be5b39af5f9ec4cc4e125a9cd3530f02f7938a71d820c9b5884963fb8462f397bb3127c22d097639a06c7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        304B

        MD5

        1f596926a5c01ac02b96361f9be4ab33

        SHA1

        52a796bc11bc5f416259f1d6ffb35fbb0a81aa42

        SHA256

        6cbcf912fffd2eea52dbfe3dfd426f549efbe67a1952dbfa66d64da409ab20f8

        SHA512

        23a0f3045ddd8b8784f31e29a98fb27c64b92068231e43bca2fd0b75a749b4dc2f2f6ee21c570ba1245a52086af2d7e7874aa1aa612aac52ea304e2771d49167

      • C:\Users\Admin\AppData\Local\Temp\Cab4221.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\Tar42C1.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Roaming\10.svg

        Filesize

        1KB

        MD5

        6d5f1f192e1e5dcb3feb43b9991f60ea

        SHA1

        0e65b9f9351483ddeb91f7a7b13584558df96616

        SHA256

        48dc83d59cc2968c4c80f453d6931a2ac36e7365003cfe6f07d86c211b973bd9

        SHA512

        87ed46419fc99f0299ac64adfa5abab5ef5a649a41249e1888b8311904b762895d50de52d65a6184c8608451a54de4b0b18552b39ab5826eba51836cd5002eec

      • C:\Users\Admin\AppData\Roaming\15.png

        Filesize

        640B

        MD5

        c98123e95a83670c84ba0e3975ea7adf

        SHA1

        eead94e70f84f44b479f48e7bca718da105b9d22

        SHA256

        55a55277a99de117c73ce703de8b00da09bee122498a2b83776192b723a9cb1e

        SHA512

        b25f4089fb985e2f830ef9ebf59e8eb298cfccb6b3fb27328f9a915be52c19277b264a17254efe771db73e795d279c82fcff7ce87c5c423fdf81adc606317868

      • C:\Users\Admin\AppData\Roaming\404-15.htm

        Filesize

        1KB

        MD5

        7682d2239c18a25040d9e78b0e139743

        SHA1

        f63cfad85a557169207b85aa644101c89f60f299

        SHA256

        eaf892b9c065b602c5d7e5a92349c756e2513838a51c1056f7267db428a3a0ef

        SHA512

        9149070ccffbeb37dd54d78eabdebc54dbbcbfc047f1617ab51ef5a5e62fdff1f92fd425e264543feec079bdfe9279b1f462f8d8d6904c0676263fb6d8ec366c

      • C:\Users\Admin\AppData\Roaming\404-5.htm

        Filesize

        1KB

        MD5

        b32ee0da29e26569bd038838f1928528

        SHA1

        8d50ef0a8ed90ea61ff3393009e795b3cea4b590

        SHA256

        b560e11a6bb6d7585b216bf2139ab01f36636f9054d26a4179a5b6ca8080ccfc

        SHA512

        f1ef5377936a193465117ccce25e6c4b90628a32eeca1f2a40ae5ebe170389bd41462bca9684916d8809e74da3c208a5a5902e2908982fc52bdbca6618ac6679

      • C:\Users\Admin\AppData\Roaming\Anadyr

        Filesize

        585B

        MD5

        0b49103fe701234d0b1ea1ff208171c3

        SHA1

        ab271e83639fb2f9d35358ff0338d1790dd76fc1

        SHA256

        2998ad144e0794a54caeded2fd839d792bf311923a4f513124cee0f8bc6aed4e

        SHA512

        1b31edaeb6cd7ca6803376271d00d99080412bee18764ab28004a0d3dcccdef5b9cfefbaba59e3bb9bea9bfd448b3ac0ba143bd495ab5b164b1b644338e3fa9d

      • C:\Users\Admin\AppData\Roaming\BMY red 3.ADO

        Filesize

        524B

        MD5

        f603a2c217b5b63995d8c39730d35491

        SHA1

        bb25bbde47ecb5f2c40db35c9bd4f6621a403337

        SHA256

        bcda37996eadb7820490356c0f70c4f47811bea513b48de5e1566c6f365945e5

        SHA512

        c2ff6fe9761eaaf520678989d516819349aa585d872dce806aca137ae23e934fee8a1462eed68cfd4cca15db40ddd02e9d32f9c4f9b69f46c267162cfa2ceb8e

      • C:\Users\Admin\AppData\Roaming\Bamako

        Filesize

        85B

        MD5

        313a92eb9dc6f52cf9368d7bdb49f636

        SHA1

        119974836f996a58a14584497d853e3f24b68057

        SHA256

        cde9b6a758da6349dc02027cc178ff4dd2b51676844935d134456bc814b74bdc

        SHA512

        15a851200cea62c693f3ceb03d56e77147aaea7d1019da66ea8cafca627a1316115a523c8f4f2aba9f4869d7e2cceb1e72bd328b7cdb7a11aa3f3f9a7b336d21

      • C:\Users\Admin\AppData\Roaming\Bishkek

        Filesize

        485B

        MD5

        ad8baefe636e08b8d937ee4303d37231

        SHA1

        0f58d13ae045ea62f4f64dedd7de4bdfef7e985c

        SHA256

        b510a9f128b96f387a21d7b719fdc1d7ae81480a94620d11456699fd76271442

        SHA512

        31b60710c0c59c882d21dd9d4eb5449c62e4f1bb75366d2b006b68f28e49f7cf63058272c0e2f8621d4bc80ccde0cc1e4cfdb503f3a513f0e2123c97524cc485

      • C:\Users\Admin\AppData\Roaming\Default Menus.mnu

        Filesize

        39B

        MD5

        31296c038e3154364571e61b99f8579e

        SHA1

        3e1433612c2e7f61a1310ee47d6f4ce27a2e694e

        SHA256

        4443ae9d463bf4bdde7812237ab097327ec1d23a3f4e12b319899f2cf7a0dbb0

        SHA512

        42ae2ae55d5dbc85521cf5c4df9d510b610a62038ca6800682aa95e406b3ec9316f4c74782657f7a99e125b1a908b6ada7bb32b81a46a425f6a5de5bb88d33dc

      • C:\Users\Admin\AppData\Roaming\ExampleXML2FO.java

        Filesize

        3KB

        MD5

        7cd4291588c932a60b8db4ca8d336b9c

        SHA1

        f5716cbcae64d72dcc622418587b125b832e943d

        SHA256

        9e51838001368de751bd0ab37da350d5d0d6f50016f6271807c0ee9be55ddf21

        SHA512

        d4bdb75c0dfdee9d39eecbce8a7f43895fb2031fa49c16567977821065fc7d5edf737c0dc8f3a91ee4a3d22b89ae7bb6b38c15f6b0238b956e5aa95098d0d290

      • C:\Users\Admin\AppData\Roaming\GB-EUC-H

        Filesize

        4KB

        MD5

        15b9f0e2441fd17618d7a7fc6e9311d2

        SHA1

        446e32280d884e0fb9c8e804d8818636b0cf2cba

        SHA256

        7516789b109fc823443cb40dde8c6d5a4d81e7598123bea4c767de1eb7d1243d

        SHA512

        6ac1bd67b7cad14383c823680798f8cb36327a324bb99e8aa90598e1add9acab45ff371833bcca245a31018d941d059816de372966ee4312c5e875e0367c157f

      • C:\Users\Admin\AppData\Roaming\GIF 64 Dithered.irs

        Filesize

        1KB

        MD5

        ef627124721490d26fecd2a106eb6862

        SHA1

        3b65c37c5942591609a816424bddbe91ccccfa73

        SHA256

        aa345a078107a81e8c52607fcdd938f944a6838d80c93a42183c4da08dc2e6c4

        SHA512

        fe1b70078d01737ffbab3d000bf81ee5cc5fe718c5a477c888714ada6638224f538eba7ecb542d1ebab5c39b2b9a8630875e14e540af96ab5b1369124103e9d9

      • C:\Users\Admin\AppData\Roaming\GMT+7

        Filesize

        27B

        MD5

        11f8e73ad57571383afa5eaf6bc0456a

        SHA1

        65a736dddd8e9a3f1dd6fbe999b188910b5f7931

        SHA256

        0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

        SHA512

        578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

      • C:\Users\Admin\AppData\Roaming\GMT-8

        Filesize

        27B

        MD5

        a5c7fa421ee9dc0d1d98f366aa9b4497

        SHA1

        ced1602fad5f086ab6a35b64c08816879790162a

        SHA256

        cd05c73a160de891afc73c2f6b313ac10551eb6d3a0b750b650367ad26b81884

        SHA512

        9277c33f587b47482b3855bbfd3a943d890eae9b85ab6be54339fde3201154e8e45b2725d633ac1ad41ae3be3239a769f19b3474c3b21cabe2531d12a03ab968

      • C:\Users\Admin\AppData\Roaming\Gaborone

        Filesize

        77B

        MD5

        c5212e7e40cfb0cd10d4cfc7012a22d1

        SHA1

        26b1ae1d8c1c75ead9d379ce76c37d33d367ab1b

        SHA256

        ac112db94e34658ccb71484b86b88904dc8687e2a09f7fd11debf436db89ed3b

        SHA512

        188a4a28e2defd7982233e39dd98b6954a37b0def69b6b99f1333f675654de1853eb51ad719330c669bc7a9a13c475a8b0394e4ab7dcb8d6b33c5e03f323c8a3

      • C:\Users\Admin\AppData\Roaming\Kolinsky.CYR

        Filesize

        125KB

        MD5

        0b298daf02c3cbad292d54184a9a76d0

        SHA1

        4cf348ddf9f67c7854202c60eed2d5ec1852dd53

        SHA256

        edaa99dc77883779efafe28b50364e6bbf8aeae95b71aadfe1f2503de413c1cd

        SHA512

        76423b8f0318740790f8bdff23b6678d6b5af8549b6c055aced53f76e73f38bc1b71dd1f3463369ba2f680acc8724d3e8e23ad2b22683e95d84b001482e37a47

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\raserver.lnk

        Filesize

        1KB

        MD5

        a4abe2800a7bb6adbb29d67e2421cf62

        SHA1

        b6a9d8371e9c5dec128a4eb33aaf31c5c3be839d

        SHA256

        6c4cf184443929b1766a84a0b6ec7b441227702c4ca5fa16dcd7b9c79e28e2ca

        SHA512

        e1c4e1e1810eedb6337f9e047357d9759ba887c6815e2b4c4e612f2122be9eb406270ee8471a34fe67e2abbb21d4ebd2903f6b9d93b11200adfb01c5bbed122a

      • C:\Users\Admin\AppData\Roaming\TipAppendectomy.f

        Filesize

        1KB

        MD5

        ca41559acc4b1b1f63bd262a588a31b7

        SHA1

        99946001f1fde3363384a77b04fd249ff99afdcc

        SHA256

        9f5bbe934510b03198858861e7f35085808a1c0a89ae7f9da8e3b9e9155cdb78

        SHA512

        9a2cc46381124b848e618f29192fe28d1792ff6b2054e7a9fcd9bf1bf8482b960a04fc5d4b2098499292ebf950d1d472aaadbfbff6919db066c292780c32c92d

      • C:\Users\Admin\AppData\Roaming\alert.png

        Filesize

        4KB

        MD5

        dd3b3d2e4b33573dc9314c195ec16ad2

        SHA1

        cff1a2cf0288e3941d47e3847daf3acd2ccab328

        SHA256

        d3866fb4241b3069a7d7bca80dcf0a4266c6bf08b1142df51c5b993abeacd0ce

        SHA512

        f5eed963ee7fb793d2f4944878a0cffd2d88de498a7a3cf58ddcf03daf7f2cc9a634f43124812a9e994411fb5bbaa8954b5d03b6ef3bd3dfac67c2706627bacb

      • C:\Users\Admin\AppData\Roaming\atstamp.xsl

        Filesize

        2KB

        MD5

        ee1ea399056a74f3e90996b198b23533

        SHA1

        1bf06bc18cd19e769a23fb1c7dde3ac82d1dc05e

        SHA256

        0d5620c426c14276135373978f381b53dc5d0fd0b9c3ec0d07e597eb53f8c3ae

        SHA512

        497222110bb4698ef6034b166577c53c9c06b48c26bcbe2dfcb97299fee0aed7268e3733c171a019ddafe92cbea10795cf3ae2995bfed94e2127a9e83c09a0e4

      • C:\Users\Admin\AppData\Roaming\chrome.manifest

        Filesize

        108B

        MD5

        7b43d30d4ae41144de0bdf0dec1ca287

        SHA1

        b22140ddf86afd5ec099098b5f4282c62a14246c

        SHA256

        cde318a46a1b354eca6a1f02e7f0d8c1118abe4c032330d04f25d057d99281b4

        SHA512

        5d8b58167c8019c0e93a8eab5a48f9a04f5ec0b9d71c87931ce7c2280c8e58d3338a2698d4519ed0c5fb60a4287c6105965a3ebcf23d527d8c78eb78d1ebf0f5

      • C:\Users\Admin\AppData\Roaming\cloud_Thumbnail.bmp

        Filesize

        4KB

        MD5

        7ef5e8f497d92a03e960c8c43cfb805c

        SHA1

        3ee56f16fafb757da51306c5a4710f096ca4cc32

        SHA256

        5d3e3207a2a1375c110ecd8296ed77972ab5a5d517ebad6c0533a11cbb646812

        SHA512

        83b329aeb3e893eaf422994495594aba0134044de39ae98f8966d20a50c28e100daad5e5f7bbb0dedd8983a1a9f62564cee4aa0822d684e38978db104a43b166

      • C:\Users\Admin\AppData\Roaming\connection.png

        Filesize

        287B

        MD5

        c6ff2cbe837f7bb191a3dd17f855c7d4

        SHA1

        d8a837f474a2c432d60e02d8117ea1cb2a5a873b

        SHA256

        bc16225b3aab11c8f32020b76a330fc37eb0acff6ad21fe2f5d94fd4459288b1

        SHA512

        0f8b53824bc8447695d72ea948e6c404fef9e3950304b8ac8da2bb39d9d6073f951e4c587fefa4cc246599c259e04ecfc5370de13623eac008e66c3cfeb58263

      • C:\Users\Admin\AppData\Roaming\cpu_cache.png

        Filesize

        3KB

        MD5

        d5ac73cc778c7f4047eac63c162a1996

        SHA1

        af275b4f656a5beda641c4fa5cbd5c9cc2622c5b

        SHA256

        0c63d814477288aed4e20c2b898cdc8e343d1b9d4b8991f4191e998a1652940d

        SHA512

        e2151b6c32e0d9d2ea9e64cfb74709271b4494867b029f6d7af7fb297d84a2204f66bf724785b667b5db237a6dd128af0842419c6da259bf2f90a890a431bcf5

      • C:\Users\Admin\AppData\Roaming\dsfroot.inf

        Filesize

        1KB

        MD5

        a9525c72b61ca351d7adc155866f3331

        SHA1

        1acd90bbb46c2d8ede1018bb62e8fbf4b788326f

        SHA256

        44f7115e9c4a02f1a1d712ba719094c5e68f7850bd9247dc14d381ac53ad1c19

        SHA512

        15d2512ab113662728af610d2c9c2583043bf20b53433a2e1aa11590a3c61da6a48c0ba8bd7268abb7ca4e5bea9f54cb95bc397a004490b4efe134b2355d431a

      • C:\Users\Admin\AppData\Roaming\ehdrv.inf

        Filesize

        1KB

        MD5

        f7680db2f3ca203a38412d3fbd5a7df4

        SHA1

        f3789f83109ea8277428c5e5bbc624ba6b610ac4

        SHA256

        65fc65d02fc9a1ce34795bc08937f592df73602e8e19376c89d689a92fe002cb

        SHA512

        8489955f064421a07b20eb8d5a9da743aa5d860b6e475614b7523ac060e461a87320b4f49f166feebc85b03ed9fe9e330e5a3df2c5497d47134f3d396b84ef58

      • C:\Users\Admin\AppData\Roaming\f11.png

        Filesize

        1KB

        MD5

        df3ab2210fccd0c5d8b4279fd4391417

        SHA1

        7dac476b07ed01ba6a971a6eaf764924cebcf339

        SHA256

        4c4cbcb81ee87fb708e52a0f22e85b2ba8331db31f5f853387c149c975c1fa8f

        SHA512

        04c07790f3b9d80da43b61ccc1186480b22b90f69e958a22afaffcdf2f2d2c55426cc64ec0efc3e7966cf05e2468c725e98df1b4590d1e88f541af74df3e8cb1

      • C:\Users\Admin\AppData\Roaming\f26.png

        Filesize

        1KB

        MD5

        31a4f57993e8039d7bc4dbd31184c397

        SHA1

        cec7bb8a22245eb3c0277c50fcacd27d10ebe722

        SHA256

        8af5c3a634d4ec1ca556d442ca1fe3cbc41401a4739758adf6af0a8743d0e0dd

        SHA512

        aa09075a0b7f8717976450c11ac17cab24dcc1cc118b4521c53bdecc1ccf66f1febcae92e6b55936a60e278274f4b57408a15f090e460acf74769159aefd1822

      • C:\Users\Admin\AppData\Roaming\fix.jpg

        Filesize

        932B

        MD5

        97ff50949348e378d3f177af3ddd68c4

        SHA1

        650b87565a7e1806eeabdddacf49840d72736791

        SHA256

        a23a733e4d6b2bd48d9b80d60c13f34f0ba8b0bc1d00d0cf33497e0d3f47a632

        SHA512

        25485dd166febeec416f6080daedba400f1738813269d94477e7d5630e2d3591842ec095f6561b3ba615a231d68c68b2b1bf1c1c8dee34a45a7eb991ea06d8db

      • C:\Users\Admin\AppData\Roaming\globe.png

        Filesize

        2KB

        MD5

        eed8f97cfcee662001cc34f0ca382db1

        SHA1

        631106c6b1d5b6e70e670b2f4eee3757c072f13a

        SHA256

        8d330af6424df369cf4e383ff5dd374742cabce0fdc8473bb9e12ccb5ad7649f

        SHA512

        b5215164ef4a5169c6e1888031f98a0048ec9b00ffb85dfdfb572190e70afb4e080c94c7a514ed8beab2e2551ace99ab9f4b3deb556d011af2982fbb4d630fc6

      • \Users\Admin\AppData\Local\Temp\nstC87F.tmp\System.dll

        Filesize

        11KB

        MD5

        6f5257c0b8c0ef4d440f4f4fce85fb1b

        SHA1

        b6ac111dfb0d1fc75ad09c56bde7830232395785

        SHA256

        b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

        SHA512

        a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

      • \Users\Admin\AppData\Roaming\Perl.dll

        Filesize

        28KB

        MD5

        6a4ed02f66d624facceac22f19a3266a

        SHA1

        b1a7ccf40b3433bc0ea5ac4dc38f0afcff9da81a

        SHA256

        981c41a566327583e4335ce439004c9728e2a810a95735b990e97afd37d617c5

        SHA512

        bf722437bee1bc0a267d3fce0fb600ca2f2e9f1d4fc2c2a4f9c9b31d865c4ba1430e12f8cfa8db187035e583404021fcab214efa67b089648564d9504b30aff8

      • \Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe

        Filesize

        191KB

        MD5

        c7df36eb377bc1d7965c5168b261ec5d

        SHA1

        5f046f37524868a8213d9b86f83ee57ed5140598

        SHA256

        0771142a235814ff46baa6de400da78a31a7fb77fd3919e1978fad59edf03c20

        SHA512

        f3f7ea21fff12888f9451185039052f330a724707688ac8e3791f28eddf4a8b00ee5a8c0bb30c8d96749c9e9e643bff51b6ee335f8f36915722e7ba9f3540b6e
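The dropped `raserver.exe` above has the same size and hashes as the submitted sample, so it is a self-copy into a GUID-named directory under AppData\Roaming, relaunched at logon by the `raserver.lnk` in the Startup folder, while the ransom notes are written next to the encrypted files. The following triage script is an added example and not part of the sandbox's output: it runs the matching logic a responder would apply to a list of collected artefacts (path plus SHA-256) and flags those four behaviours. The hashes are the ones on this page; the path patterns are assumptions about what the indicators look like in general, and the artefact records are constructed for the example.

```python
"""Triage of dropped-file artefacts against the indicators visible in this report.

Added example, not the sandbox's own code. It flags Cerber ransom notes, an
executable self-copied into a GUID-named directory under AppData\\Roaming,
a Startup-folder .lnk, and exact SHA-256 matches against hashes on this page.
"""
import re
from dataclasses import dataclass

# SHA-256 values taken from this report.  The submitted sample and the dropped
# raserver.exe are byte-identical (same size and hashes), i.e. a self-copy.
SAMPLE_SHA256 = "0771142a235814ff46baa6de400da78a31a7fb77fd3919e1978fad59edf03c20"
KNOWN_SHA256 = {
    SAMPLE_SHA256: "cerber sample / raserver.exe self-copy",
    "2a34a6f830b8a98c9c241851bf146a8ba4245f90adbdab5323fe9036100de640": "ransom note (.txt)",
    "e255aa43302ea6a07e4044439ad7b891654c63dfe593d9091117bd73631a2ef6": "ransom note (.html)",
    "6c4cf184443929b1766a84a0b6ec7b441227702c4ca5fa16dcd7b9c79e28e2ca": "Startup raserver.lnk",
}

# Path patterns (assumed generalisations of the paths seen in this report).
RANSOM_NOTE_RE = re.compile(r"# DECRYPT MY FILES #\.(txt|html|url|vbs)$", re.IGNORECASE)
GUID_DIR_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\[^\\]+\.exe$",
    re.IGNORECASE,
)
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.IGNORECASE
)


@dataclass
class Artifact:
    path: str
    sha256: str


def triage(artifacts):
    """Map each flagged path to the list of indicators it matched (unflagged paths are omitted)."""
    findings = {}
    for a in artifacts:
        hits = []
        if RANSOM_NOTE_RE.search(a.path):
            hits.append("ransom-note")
        if GUID_DIR_EXE_RE.search(a.path):
            hits.append("guid-dir-dropped-exe")
        if STARTUP_LNK_RE.search(a.path):
            hits.append("startup-lnk")
        label = KNOWN_SHA256.get(a.sha256.lower())
        if label:
            hits.append(f"known-hash:{label}")
        if hits:
            findings[a.path] = hits
    return findings


def is_self_copy(dropped_sha256, sample_sha256=SAMPLE_SHA256):
    """True when a dropped executable is byte-identical to the submitted sample."""
    return dropped_sha256.lower() == sample_sha256.lower()


# Constructed records: three malicious paths from this report plus two benign
# entries (a decoy image and a CAB temp file) that must not be flagged.
SAMPLE_ARTIFACTS = [
    Artifact(r"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt",
             "2a34a6f830b8a98c9c241851bf146a8ba4245f90adbdab5323fe9036100de640"),
    Artifact(r"C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\raserver.exe",
             SAMPLE_SHA256),
    Artifact(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\raserver.lnk",
             "6c4cf184443929b1766a84a0b6ec7b441227702c4ca5fa16dcd7b9c79e28e2ca"),
    Artifact(r"C:\Users\Admin\AppData\Roaming\globe.png",
             "8d330af6424df369cf4e383ff5dd374742cabce0fdc8473bb9e12ccb5ad7649f"),
    Artifact(r"C:\Users\Admin\AppData\Local\Temp\Cab4221.tmp",
             "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f"),
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_ARTIFACTS).items():
        print(path, "->", ", ".join(hits))
```

The path patterns catch the behaviour even when the binary is rebuilt and its hashes change; the hash table catches this exact build regardless of where it lands. Feed `triage` the output of a file-system walk (path and SHA-256 per file) to apply the same check on a live host.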

      • memory/1028-46-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-52-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-48-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-55-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-44-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/1028-54-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-56-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-40-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-72-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-42-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1028-57-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1736-241-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1736-240-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-245-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-244-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-168-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-161-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-160-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-159-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-155-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-154-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/2936-153-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB