cerber | f1790d16765d15529243d326719330b7d0ad989f6fa452108e11646cc9328873

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Size

211KB
MD5

445ccd39adf264dd422cd181f7bfa915
SHA1

85f9e892fd3a6b396868d2f06f33fcd7ffbe9eab
SHA256

f1790d16765d15529243d326719330b7d0ad989f6fa452108e11646cc9328873
SHA512

9ce007c002a25dd6b0261cf2def6c3b1c486c72324d952c74754c2785d7273d23bc5ae8cb1097a482b2d4496e0ce97f7c2df03b4691a7cda04899a1e093069de
SSDEEP

3072:uyAaQqe90u5DdXJP45JxrpjTo2/G08XcK+fQM8X7Y79eUHnXALNODNvOz55E:uyAge9RNOxrF/GBXcKUQYMUHXLD52E

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA | | 2. http://cerberhhyed5frqa.gkfit9.win/4CB7-24E1-F495-0063-7AFA | | 3. http://cerberhhyed5frqa.305iot.win/4CB7-24E1-F495-0063-7AFA | | 4. http://cerberhhyed5frqa.dkrti5.win/4CB7-24E1-F495-0063-7AFA | | 5. http://cerberhhyed5frqa.vmfu48.win/4CB7-24E1-F495-0063-7AFA |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/4CB7-24E1-F495-0063-7AFA | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA

http://cerberhhyed5frqa.gkfit9.win/4CB7-24E1-F495-0063-7AFA

http://cerberhhyed5frqa.305iot.win/4CB7-24E1-F495-0063-7AFA

http://cerberhhyed5frqa.dkrti5.win/4CB7-24E1-F495-0063-7AFA

http://cerberhhyed5frqa.vmfu48.win/4CB7-24E1-F495-0063-7AFA

http://cerberhhyed5frqa.onion/4CB7-24E1-F495-0063-7AFA

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA" target="_blank">http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/4CB7-24E1-F495-0063-7AFA" target="_blank">http://cerberhhyed5frqa.gkfit9.win/4CB7-24E1-F495-0063-7AFA</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/4CB7-24E1-F495-0063-7AFA" target="_blank">http://cerberhhyed5frqa.305iot.win/4CB7-24E1-F495-0063-7AFA</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/4CB7-24E1-F495-0063-7AFA" target="_blank">http://cerberhhyed5frqa.dkrti5.win/4CB7-24E1-F495-0063-7AFA</a></li> <li><a href="http://cerberhhyed5frqa.vmfu48.win/4CB7-24E1-F495-0063-7AFA" target="_blank">http://cerberhhyed5frqa.vmfu48.win/4CB7-24E1-F495-0063-7AFA</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA" target="_blank">http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA" target="_blank">http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA" target="_blank">http://cerberhhyed5frqa.xmfir0.win/4CB7-24E1-F495-0063-7AFA</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/4CB7-24E1-F495-0063-7AFA in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2428	bcdedit.exe
988	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\\netbtugc.exe\""	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\\netbtugc.exe\""	netbtugc.exe

Deletes itself 1 IoCs

pid	Process
1968	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk	netbtugc.exe

Executes dropped EXE 2 IoCs

pid	Process
1896	netbtugc.exe
1876	netbtugc.exe

Loads dropped DLL 6 IoCs

pid	Process
2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
1896	netbtugc.exe
1896	netbtugc.exe
1876	netbtugc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\\netbtugc.exe\""	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\\netbtugc.exe\""	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\\netbtugc.exe\""	netbtugc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\\netbtugc.exe\""	netbtugc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	netbtugc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE466.bmp"	netbtugc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 1896 set thread context of 1876	1896	netbtugc.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netbtugc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netbtugc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3016	cmd.exe
784	PING.EXE
1968	cmd.exe
3008	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000196ed-70.dat	nsis_installer_1
behavioral1/files/0x00050000000196ed-70.dat	nsis_installer_2

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1908	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2404	taskkill.exe
1036	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\\netbtugc.exe\""	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop	netbtugc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\\netbtugc.exe\""	netbtugc.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA5AFBE1-8A76-11EF-AB0A-FE373C151053} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000003d7e9bca6a3ed9b9c3596440ea6ba96aeb800baa7ba546e5475684740bc8d0c3000000000e80000000020000200000008e95a2fd530050b1b6c8ef748a20ff44b5dc878269852e0e3908246e4bce96f420000000a9e912a76e16c17ed24da10d70aa2133698ef59ef30d128ebcc59322b602ffaf4000000013e4725eb83212838fa520d5bcdef35b9e1289960d0e01e7a4bf7a94bff69fbd4068296c0e068a898ce5ef7e928f0e531e9808bdfc640ad7cbfa5f1a9b0a7ae4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA6E06E1-8A76-11EF-AB0A-FE373C151053} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09052ad831edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b960000000002000000000010660000000100002000000091d07f93e3dc2015f2f15026a04a58c9840f0aeda27a44270c2658e7a1fa049b000000000e8000000002000020000000377ae12b5a4145f9353565b59add54d16149c4c7d5a577d77045e91cd797b6d790000000a0d61bc3c812bd0901347e3b900990b3e43b52a9baad9f330898d9c17274b6d84e77dff2e9c5eb4afe1fff0a332cccaf4f3d7cdb188945137115d9cc2d569c92310aac3cde6c7624b10a4efd2150f8ea5535cdf1e6ff134d9bd16b9433e0cce2058f9f65597303f37d81a7330ab7f418e535375d41ddbbffada792f7cf85c404054e794c2e05b74940a2a060ca10ba254000000042c31694604e4eeb880fa1e0023ad9eae0d0e3f025adca352a24182ca9f24c8261027b9ea4b84f7b00d141696cd9bf39b1d1037586d44fa7c0ae801149eb6484	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3008	PING.EXE
784	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe
1876	netbtugc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	1876	netbtugc.exe
Token: SeBackupPrivilege	1452	vssvc.exe
Token: SeRestorePrivilege	1452	vssvc.exe
Token: SeAuditPrivilege	1452	vssvc.exe
Token: SeIncreaseQuotaPrivilege	864	wmic.exe
Token: SeSecurityPrivilege	864	wmic.exe
Token: SeTakeOwnershipPrivilege	864	wmic.exe
Token: SeLoadDriverPrivilege	864	wmic.exe
Token: SeSystemProfilePrivilege	864	wmic.exe
Token: SeSystemtimePrivilege	864	wmic.exe
Token: SeProfSingleProcessPrivilege	864	wmic.exe
Token: SeIncBasePriorityPrivilege	864	wmic.exe
Token: SeCreatePagefilePrivilege	864	wmic.exe
Token: SeBackupPrivilege	864	wmic.exe
Token: SeRestorePrivilege	864	wmic.exe
Token: SeShutdownPrivilege	864	wmic.exe
Token: SeDebugPrivilege	864	wmic.exe
Token: SeSystemEnvironmentPrivilege	864	wmic.exe
Token: SeRemoteShutdownPrivilege	864	wmic.exe
Token: SeUndockPrivilege	864	wmic.exe
Token: SeManageVolumePrivilege	864	wmic.exe
Token: 33	864	wmic.exe
Token: 34	864	wmic.exe
Token: 35	864	wmic.exe
Token: SeIncreaseQuotaPrivilege	864	wmic.exe
Token: SeSecurityPrivilege	864	wmic.exe
Token: SeTakeOwnershipPrivilege	864	wmic.exe
Token: SeLoadDriverPrivilege	864	wmic.exe
Token: SeSystemProfilePrivilege	864	wmic.exe
Token: SeSystemtimePrivilege	864	wmic.exe
Token: SeProfSingleProcessPrivilege	864	wmic.exe
Token: SeIncBasePriorityPrivilege	864	wmic.exe
Token: SeCreatePagefilePrivilege	864	wmic.exe
Token: SeBackupPrivilege	864	wmic.exe
Token: SeRestorePrivilege	864	wmic.exe
Token: SeShutdownPrivilege	864	wmic.exe
Token: SeDebugPrivilege	864	wmic.exe
Token: SeSystemEnvironmentPrivilege	864	wmic.exe
Token: SeRemoteShutdownPrivilege	864	wmic.exe
Token: SeUndockPrivilege	864	wmic.exe
Token: SeManageVolumePrivilege	864	wmic.exe
Token: 33	864	wmic.exe
Token: 34	864	wmic.exe
Token: 35	864	wmic.exe
Token: 33	2416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2416	AUDIODG.EXE
Token: 33	2416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2416	AUDIODG.EXE
Token: SeDebugPrivilege	1036	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
232	iexplore.exe
232	iexplore.exe
1952	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
232	iexplore.exe
232	iexplore.exe
232	iexplore.exe
232	iexplore.exe
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
1952	iexplore.exe
1952	iexplore.exe
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1252	2488	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	30
PID 1252 wrote to memory of 1896	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	31
PID 1252 wrote to memory of 1896	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	31
PID 1252 wrote to memory of 1896	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	31
PID 1252 wrote to memory of 1896	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	31
PID 1252 wrote to memory of 1968	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	32
PID 1252 wrote to memory of 1968	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	32
PID 1252 wrote to memory of 1968	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	32
PID 1252 wrote to memory of 1968	1252	445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe	32
PID 1968 wrote to memory of 2404	1968	cmd.exe	34
PID 1968 wrote to memory of 2404	1968	cmd.exe	34
PID 1968 wrote to memory of 2404	1968	cmd.exe	34
PID 1968 wrote to memory of 2404	1968	cmd.exe	34
PID 1968 wrote to memory of 3008	1968	cmd.exe	36
PID 1968 wrote to memory of 3008	1968	cmd.exe	36
PID 1968 wrote to memory of 3008	1968	cmd.exe	36
PID 1968 wrote to memory of 3008	1968	cmd.exe	36
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1896 wrote to memory of 1876	1896	netbtugc.exe	37
PID 1876 wrote to memory of 1908	1876	netbtugc.exe	39
PID 1876 wrote to memory of 1908	1876	netbtugc.exe	39
PID 1876 wrote to memory of 1908	1876	netbtugc.exe	39
PID 1876 wrote to memory of 1908	1876	netbtugc.exe	39
PID 1876 wrote to memory of 864	1876	netbtugc.exe	43
PID 1876 wrote to memory of 864	1876	netbtugc.exe	43
PID 1876 wrote to memory of 864	1876	netbtugc.exe	43
PID 1876 wrote to memory of 864	1876	netbtugc.exe	43
PID 1876 wrote to memory of 2428	1876	netbtugc.exe	45
PID 1876 wrote to memory of 2428	1876	netbtugc.exe	45
PID 1876 wrote to memory of 2428	1876	netbtugc.exe	45
PID 1876 wrote to memory of 2428	1876	netbtugc.exe	45
PID 1876 wrote to memory of 988	1876	netbtugc.exe	47
PID 1876 wrote to memory of 988	1876	netbtugc.exe	47
PID 1876 wrote to memory of 988	1876	netbtugc.exe	47
PID 1876 wrote to memory of 988	1876	netbtugc.exe	47
PID 1876 wrote to memory of 232	1876	netbtugc.exe	50
PID 1876 wrote to memory of 232	1876	netbtugc.exe	50
PID 1876 wrote to memory of 232	1876	netbtugc.exe	50
PID 1876 wrote to memory of 232	1876	netbtugc.exe	50
PID 1876 wrote to memory of 1812	1876	netbtugc.exe	51
PID 1876 wrote to memory of 1812	1876	netbtugc.exe	51
PID 1876 wrote to memory of 1812	1876	netbtugc.exe	51
PID 1876 wrote to memory of 1812	1876	netbtugc.exe	51
PID 232 wrote to memory of 2776	232	iexplore.exe	52
PID 232 wrote to memory of 2776	232	iexplore.exe	52
PID 232 wrote to memory of 2776	232	iexplore.exe	52
PID 232 wrote to memory of 2776	232	iexplore.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\netbtugc.exe
    "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\netbtugc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\netbtugc.exe
      "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\netbtugc.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\system32\vssadmin.exe
        
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1908
    - - C:\Windows\system32\wbem\wmic.exe
        
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2428
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:988
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:232 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2776
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:232 CREDAT:406530 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2180
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:1812
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:2892
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "netbtugc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\netbtugc.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3016
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "netbtugc.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:784
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "445ccd39adf264dd422cd181f7bfa915_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2404
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1952
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2576

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
b0f8daafb1b970e71273d8c1ec0e624f

SHA1
c140784c64e6528997f427efd075c0cf2a1912e7

SHA256
9dce7a8ec70915e8d2ca12ad5507f5f222289add65bd09b9ee0c7b4aa223c7de

SHA512
c61b4a387d1f9446e79bc288f9547c615054c3938e55f78dc694074abf1f2e0d4d30243abe76dd624bf20a2c828cb9d0c425a850e5377bef0c594cb6eab2a280

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
826482523002d63a7f7389bc9b807f98

SHA1
9ebfe3233c878b960c0d8eb977b1bed877abce61

SHA256
af6fca9ff3595b986330a34f542b235141d66283997c4ca9563c5d4fefe57522

SHA512
03d4ffccc3e80e5da0958320c6c93dda1098bafa709d5096a5842f6fd11767535c00b1c91b2433b64e86a54e0c5795ca501a009ceabe55a586a1a855f4060511

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
7b4c696d2474f2e6fe98c9f92a98f596

SHA1
a6ac066ab3500b3c979a931697f61cebfcfd4d58

SHA256
96c7f21850f08ada7ffbd1c7b087c2613e7fdf0521545bbc4dcb6510e6ee4396

SHA512
b9c7d3fe05ae945b20f0d25b74b84f5ee4ca23f4d4b04984d127bd118b9cac4008e1539fcb2c1426fe8dd4465989952f54be0f03c9f5304b2e77024a8c1d9194

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9248e07671d4920142b80e5888d1b3d2

SHA1
f791d3e0dd463b5c531b275d1139d6e35ad51a25

SHA256
a87378bc30e65a4834a1b3bb1c115fef2812f0f823cd7e35be4174e604398923

SHA512
67848ba0cb87a40dc721c95ff0af12db2bfa900e14520be3ba0978da75e12a16314eeca727ca7e926be40ff190e24424d5056ff449cddc8eb3fb856aa1e0b49e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35ef0ce0a11fe075e86faac1b7514b9e

SHA1
55a98ad949f89680780cfafe16e9c2fa70bcda08

SHA256
5f6de6570d674541a807bee4503b3179208074dd5d5a5caa9a914ac2e20844d8

SHA512
58caec8c63bc531f21ea9a18acc1a2313892a063be50f8df3c91457bdb1021ce241300af7cd2ca290dc7af8cc8644ef4f7056b908f65ca11411ae1620c144a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2de6dbaac0a83a8697314dd728d64095

SHA1
e331e31ee9d7eaea7c97aee89ee37f18fdecff80

SHA256
5fb31f912554d6f73c1e70678f65310c89d847ad5d51786c0cd54da5cba9003b

SHA512
aa8a99cbdf672ff0ffc0b03ad342588ad1fca5b182267a2934b3abd0eba322ed7d59afdc748207bcff5ec4ff9c687fa866bb2dff008c48276760ceb90ab42694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea8d241f6982daf9ac26997302f993d3

SHA1
a6503f2b2db706890b9b6ee6098cd0e8b58c302f

SHA256
408ce00693a5b8ec7fa0172ff6ffe27850591d00fd6909d13d11dedb9f619289

SHA512
3ea45e235327a3abfd4abab89397519a96a2550d2ca99bf9323defd70bd54844328b3ecbfcf356c31acb8082b1af5d36454d268ca2518a9cc32a08a70ffec52f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a197b309fb8a8bc8b15b1ea5c403b2fe

SHA1
24622eda717c97e2d23039ab4a74ff19a33a9ddc

SHA256
1a65e87430998caeef4cecf2be551f994204476368cb12dbfdf3bc82ffd36ad8

SHA512
0b97ba4408d5dd2b15167e22432dae428f9936620e788278dd982e125ba8bd93dc422822bc3634838b6a65901ea0831459a8cdc23a3683049072e8179d4eae23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2ab6235017473df6982520de6bfb7f2

SHA1
45ece28b4347d2e556ab411c313f91ebb86eb70f

SHA256
fd931ced534026534f786dcae81e8f954418588bd83cb7a3393e664e31bdf77e

SHA512
0e5c4d290b8140dbda551a837432a2ec4240b57d6b2c0df82fced5e80978d122b44f7daaf819453d08c48007b33f72f9d3155aeae114b1dc5da8eb141e4d6b44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cb8573e68856c2983bb33e1329896b2

SHA1
ea93dd56c4a167966a1e3f84b177d03b90053984

SHA256
93dfec86d2a37d1844a284139d01fa51600911f00dcc41102e6600e2914980b8

SHA512
6f1d8dabf5cd07a033dae27a810caf248645c584c3725041ac7885003fb35f13543df6e65b01ff1a08b48423f0296c6cf5741d30a172c1063b9565b568df5a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b3377d7f5555ff5f609bd4348296da7

SHA1
79bf6b86cc7cb5d998a5e0a2e17dbf08293976db

SHA256
b554fa7ffac397f05957876e7ba2d242dd0664a27672a6084ba6d4745d99a4c7

SHA512
5621fa4d41b9ac6cf5874c29dc8be795c51b86baf3dd9eaaf74f5de357682b07996c536c4c4c42a0ee03d9024f340e79bc85c284488c1d3cdc588b6043d81634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae5ed6196acb6d499299aa540b1cd007

SHA1
ed7f16f636793328c9a0aaeec98d9a7d5ba0b5e1

SHA256
ca0050e87892362ef174e2b6880e5e252baf60e1c2bf8594270612e713afb36c

SHA512
8d6c5bab7c50083b3374f68b42db928ae20e6324489c7d766dbc14913d448293c58762354ff1eb3845da12273e5ddcb25d91cb4f66162a49787897238aab7141

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFBAE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFC8E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\403-6.htm

Filesize
1KB

MD5
0867f716af23d31be71dfae15132e9f7

SHA1
5c6bcc7c2ec90563aecab3d5ae9be796ec711667

SHA256
fd3a370b8f2b85902afed937a0e5b562c0aa978850cf21fa1269279162721859

SHA512
419f771cdc80f86a1682c14ed60ed5c22a31b141e88f456b74b52f830642e4ed220c0c59d725dc1d9e69f8f68831d441c802a47b180bd5404768c2d9eb80aa4d

Download Submit
C:\Users\Admin\AppData\Roaming\404-14.htm

Filesize
1KB

MD5
6d07737bfe629f02f13c37ddeeb4773a

SHA1
4ac6fcf803cfe6d07fc1f709e73783674a87091e

SHA256
eeb7eabec03ac23cf799cd60514ec95b4f853cef2a260e9873c4f597b5733f66

SHA512
6bdbd84daa09f9c919437ea4aee239652af230ec6b07b16b6e3f901313d59278d2bb0eeeb5c1ecbc18d529dfe71f63f875c95246e9c441b0b891fad86950bc53

Download Submit
C:\Users\Admin\AppData\Roaming\7.png

Filesize
344B

MD5
0def94f52c5e45256232320aaffeb1ce

SHA1
81508ec66d4305d2f291c666943fa19629fa67f3

SHA256
959986b33f56465e2acfe85004c168e0c0988b69ec726bf7f18f0936dacefa1f

SHA512
3400a02c438896d2a76b8e4c42e875b93d5806f9d8ebab0d9650359e89db8a891b873ec988031a08eadc3e686251cb5bfae5b59aff4e5105bb8a53e888b97f09

Download Submit
C:\Users\Admin\AppData\Roaming\7.png

Filesize
716B

MD5
70b4fc41cbd24ff88f2ec8444b18e7be

SHA1
4497553729db79d05f18298429a485d824bdb20e

SHA256
3ae6c3d7e3b6325e3fa25ee4b94ff6e69c883688e70735dce8c4d0435d2f223c

SHA512
722fe69c91d4675ce7a0fb80769dd3030e63167cefb9040c6d8c942d8449bcf0ef71e0bbc1c3721ae591edc6983ea5139ddb6f991428841d1c28a1a8ea63ed67

Download Submit
C:\Users\Admin\AppData\Roaming\Almaty

Filesize
453B

MD5
6ee80d47909884474a149de238fd366f

SHA1
76880a7d4afb20d51b0eead05ef5d1a16b86d615

SHA256
fed08d02e1f70abeb3e85207c8aca77404c3d4a5e067782a92fcf84763b5cfb1

SHA512
d1a2adb50239615616a76ed75f7607cff723e8d6979aa67244ee17031e2bb73629a44d10228e215d9beeee4e0d628b20978bdd5b025a69a20d80a4205e7afc7b

Download Submit
C:\Users\Admin\AppData\Roaming\Attributions.txt

Filesize
3KB

MD5
19ad62300dd66d6f479b13c40bae58e4

SHA1
c2393e348c48f9f3e6644f08473dfe22f889f9b2

SHA256
6505cb7369eb363a6dca90fd9dccfcb98bfd9eb9a1aaf586652f6e2950ff719d

SHA512
2bca333525c9892bd0cf13ec58d1786b67b1c63f1e7cfe688383fdba366ae8dede26f4bcaebce2b5c393987a9a2fef6c9cabf150ac0d0bc3f7d332c09aa3029d

Download Submit
C:\Users\Admin\AppData\Roaming\Attributions.txt

Filesize
3KB

MD5
0b5b07fd526fbdfa00e5880a08f9de48

SHA1
8b273965e4f5aa3430853773d2fe222b339646a2

SHA256
fa4eb36f8d166be52ee4b53540bd675d37c6cea8c703691a4cb8448901ece7f3

SHA512
4d1e6f454d6830b263bee6962f43beb26b361df329bf603ac8fa65696b8f49234562b98c30e76ae3884099190d2f0a42391e2eaf0c3498cb082c7fcb5c71404b

Download Submit
C:\Users\Admin\AppData\Roaming\BMC blue 3.ADO

Filesize
524B

MD5
b69b3adad4d6eb984ab4b597486038ee

SHA1
024a44587667fa1419d3f3aa8ce6b6111169e09b

SHA256
16b36fc550ca223fe6f35dadbdcd9746e84ad32b1880b9bf80ddbdabef7db156

SHA512
1b534f8675d75bc5aad72135c82ab107a1f59a755d86b32e0d5b4d7498ce0ee72394bbb872930f5841d6d70879d903e7bb861261b52937f3b036afd8cc804058

Download Submit
C:\Users\Admin\AppData\Roaming\BMY brown 2.ADO

Filesize
524B

MD5
8d63f0f3af0cd205c4051221f3fbbe3e

SHA1
e214a245412a2db759ce11457de927a81252463c

SHA256
3b5723d413242c064941312f3e94c1910d1f7bacd8ebf9fe79350312b26869db

SHA512
1deda57d4cb87a8893bd7604847b4cf9be2f17facab5e906f29d1764afa0b51469d5859bd11c1ec498fd578c8a6b8104721bf07d148f12b80cf709581e24d3a4

Download Submit
C:\Users\Admin\AppData\Roaming\Bl WmG9 CG6 CG3.ADO

Filesize
524B

MD5
01530c78ad082b812f0666d1be154bb7

SHA1
a1004c03b9f0428ea8ad12ee56563b601469eadf

SHA256
d380af43b5904bde5c53957f51627472f4186086b3124015b9854e91324244e5

SHA512
18655104239779a14ba03fa98ad02ed9f9750f954f7d1258b2bc4fa367d8291a13d0567dc075a5032f5fd4fdec615cf7e79e8714818b68f420688eab4e89e467

Download Submit
C:\Users\Admin\AppData\Roaming\BlackRectangle.bmp

Filesize
4KB

MD5
a59552f1c776a3745ca8391aff8bcca6

SHA1
be8e062d1fec7eed2ab33177019069798fde07ff

SHA256
4adb9b44ae64eee08d87750ba2cd2ddb1e88da5ff7e90c63d813755d73a92005

SHA512
1ee933756e08f71219753f5921ccbc8c307541ce4bfc15a654cbea075d7c28071b627779cec9d2146d8263e37dc8005bd333275058dc0de9a62c74391bd24595

Download Submit
C:\Users\Admin\AppData\Roaming\Ceuta

Filesize
1KB

MD5
ffcdcb20bd0798d3a424d11cb66cb889

SHA1
dc6a7ab6705b3dc39ac17f789b618fcf778fc33e

SHA256
d46d741412eedb69a13f292affbfb9b6cd1c5d18cee9bae789f5198cc766800b

SHA512
89d18ed4f271db9d9e42c7138e668fbca50f98b9b83865a5293882195f2289aeadd4c09dc64b01f1d794aa25a27d46674e6d349df4aabdfe264e982346425e59

Download Submit
C:\Users\Admin\AppData\Roaming\City Twilight.hdt

Filesize
127B

MD5
28d9887b962ab59d294eae376d61e315

SHA1
b93371861f6ee888be1fb2b26a6a0bca7214d9c9

SHA256
4c152354148193159c8e7de1f7d0a6ce921ef4c2b82c519e9a213aceb09b068c

SHA512
010d32d5d3bdeae824e9d797e669d3752a1b24d33d68d9b119ad1457b527d05e4f17b2b41c92ea35fd7d82929ae1ffefac253d6be5d38186c360f509676dbd2e

Download Submit
C:\Users\Admin\AppData\Roaming\Earth.F

Filesize
123KB

MD5
45f0acce40593a69a9a9938278aa3ebb

SHA1
b1527ff839fe5f8f60f9f0873134bdde96e0185f

SHA256
84ea3b5bc418eedf2088b0e1ce2ff4e943694df0f366c323daa541e041a3d1db

SHA512
63bb4b010b2dbb175e00001eed512500d978a5511bb1790dd251b8ba8f1f835ed591b37963488c554e7161eb12430ef1713008f46febd5048dc466d75c753b8d

Download Submit
C:\Users\Admin\AppData\Roaming\GMT-14

Filesize
27B

MD5
50acae087c7cadcbea89084d596e0ce1

SHA1
5d3b809185cbb2f7bcb9eaf019c28e9f60ff7672

SHA256
473ce905ead8fdc35cd9a60dec506b6ed2462dd176d44a7e412601d1e8a725b3

SHA512
4af6081e8a4b19b0fb9f82f67182f0c9d9b4c03d54df38a92e90e01a911189bd90171d5b5675dd450f6de478c137eb04852e13e87716bd19faf4150ab1747971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk

Filesize
1KB

MD5
d1db1c4037713203b4e17f06023ba47c

SHA1
f802317918f0c30462a8991c59dcb098063a4aa1

SHA256
d144ad62b35430ab8a50e560d0a7a8229192b509a727be42cf411add902b9182

SHA512
8e5ef01ec5e26cf27d32857eaf765a256280dacbdb65e9188c18e0ec9f54b166c683fda24c3f0fb9abd8e352f5b5e926a790db78a9446e82c205e51e19f966f3

Download Submit
C:\Users\Admin\AppData\Roaming\Parenchyma.z

Filesize
1KB

MD5
857267961ea1d474c6f4eafa8a963ad1

SHA1
c2c219e79844ef2444a03d8ed443fa17d8784593

SHA256
de26a311ddbb8e30acec416ba66b71c0bdf6dc3369b9b51e2d2947c643c442f3

SHA512
5f426015386785dd21e3a4f1c675c3b4eb10523c6cbe2228908ce244e0776d208d756464c86cfd4701585b1ba137d7726eaf6c8c159661c294ea78ec3204e71f

Download Submit
C:\Users\Admin\AppData\Roaming\admonition.title.properties.xml

Filesize
1KB

MD5
66c966605830cb94d10fc95415ca9cec

SHA1
0f0bf09b6c04039cfd3c7e837ef073b48dd50f69

SHA256
f6940a3a972c99fa34d755fd91e3f733e192d591851b76a56fbc181fa0262245

SHA512
a04554662680e5cd6b5d748266e528b5fec7fb16b998c077e4f1bc06b85749716110840e01e5702dfd0fab5018d58999bb4eb02756a77bd18c1e4237544f0ae8

Download Submit
C:\Users\Admin\AppData\Roaming\admonition.title.properties.xml

Filesize
1KB

MD5
a8b832d290f0a63b74a177fcdfde4ca4

SHA1
e5d0baa6f7d9a14c27cc9c482159a25448356b5a

SHA256
ce16ac3542ef37a99beca7e950e860c8da2793af3bf3a7b9d36a5ef89fba0903

SHA512
ab5a6e8cf65de2d5009314a7a4069af6d3db1cab4349ed6443a96c1eebd786691647ec4ed921458adb34e2b67a9811722b0910f14a7f8ce4720eeab80af0c061

Download Submit
C:\Users\Admin\AppData\Roaming\aepath.txt

Filesize
53B

MD5
1f4b75f76c2f4f47cc4d09ad69c9ddb9

SHA1
ad667b272ad8c36f21f330c3fc5cdf463f27ab24

SHA256
cabdd5f56d8321156f29249d4e10c450670728495975b553eeba49031c8e47ee

SHA512
b7a5c6e0e14271897d49003037b8d105525ce11b2765c8f295acc38c1b5031fcc549a2dca3484528dfbd4df8ece203e617e2b8d7f226f5b623f571c30e4fa709

Download Submit
C:\Users\Admin\AppData\Roaming\aepath.txt

Filesize
435B

MD5
7538c20683fa77bf37a3258d2792f5a4

SHA1
43ae01dd372f4b87f5504785605a2a4b84a21862

SHA256
387ac40bdee4d1c51fdb9ac719d8267bf6af15b699147c8f9ef7d5c17b62260f

SHA512
a42028e7b171563ece72825360105f5e7a7f72982e27262347452704d64e1be5ca7408fa433178c0e36d30c828a3a55255c321c157e2d562f9d121caf8b80712

Download Submit
C:\Users\Admin\AppData\Roaming\alignment.xml

Filesize
1KB

MD5
370c70320cdcba10bcfb8afd5267888c

SHA1
fe7d143794554dad4776c43066581d4fe094e6c8

SHA256
b0ec9d1769d4dd4aba3ab79593972e1326e8008798d39fcff8857283efca836d

SHA512
f5e44b869969619f0aac46054d10d1b75c915b4363cdb74ce3616867f48644e3f5508520b412b43e31a82767dcb925598a4653f7cfb3cf0e11f18ec6ed9ce39a

Download Submit
C:\Users\Admin\AppData\Roaming\alignment.xml

Filesize
1KB

MD5
7222a0fd1093861818fdf323d0f9ec55

SHA1
0a23d68bff6cdb68219e43bb8aeadab2afab3bbe

SHA256
1c69682aa4ca68696025074c8962388beee59a31a743154c97a7a2c15efafc44

SHA512
654def72d80aad919e7f682f2162a6fae6c1b20100a2af667a0704b3a709a7cadce85bc63077d2dbd0b36a8bd0e0f3324f3d6432e9c7d56dde4c4fe6bd94c626

Download Submit
C:\Users\Admin\AppData\Roaming\annot-open.png

Filesize
837B

MD5
8961808067af5253f333cdf0c8139004

SHA1
29adf64660e293b41583decab8a05df8edc93740

SHA256
96108677136e482951437c3b41e0f6aec42526cb065b8654ef5b81343f788be9

SHA512
ef88d7aa922ff6ce6b75f87c4b380a861db60dce94c4b0b958f5fdcd6685739a3a49ba5ff574a6df9e1f6673cd1d4b615a6327834dd53e25658e1c1e76be9c92

Download Submit
C:\Users\Admin\AppData\Roaming\annot-open.png

Filesize
1KB

MD5
ea01ce0e8f9a72a75f76eb3d9200689b

SHA1
06434d52fe82edcf8e4e3c03ec270a3248faa06e

SHA256
8e09f37ebc8d58a6324d3bee7863a9290bdf5681657c5ad6ad20fcef5fa499fe

SHA512
7cdea40b592436b641e6305ccb892337459e27a6822bb10167941351ef737b00cbe292f1745dafe05f7a49112552444acb1d059d4a1937c9f76cc34060d91fa4

Download Submit
C:\Users\Admin\AppData\Roaming\antenna_diversity.png

Filesize
5KB

MD5
89f4a76cb592beb8b6a780013ac7e474

SHA1
7e3b5c594fd34ca3855f19d65f0f53adb6fe1672

SHA256
47d5eff7fc996e01b3e34656092ed7cffebf09f78f715ed46c944c9586c2d8bc

SHA512
21df796b7bc0903158b04466e63c1c81dc4883b405f3894f80f9ef6453ea480928b4df2e9f952d7ab7ee02fc61d8689cd4a31b684b63c272bc35f551e26813cb

Download Submit
C:\Users\Admin\AppData\Roaming\antenna_diversity.png

Filesize
4KB

MD5
38acb815e1753df1c9ca12d791792f7f

SHA1
29e9de3f8a01893d85e712066dd6cb2df11d489f

SHA256
bf929fa402c7b68b3de876ad186fa7d5be524b83bf47d0ac8b2daf949f086ae8

SHA512
126178f9391171d19ac951a7ef3e54cd4391ed3214bb65ceee821a658b00eb369dc54578f339738dca9a5e907f3d66d1e5d62e7d15bac69f6ce29a9c42116fd9

Download Submit
C:\Users\Admin\AppData\Roaming\author.othername.in.middle.xml

Filesize
1KB

MD5
3f1d6a0faa879df8fa3202e131687ee1

SHA1
339812d5fad87c162d14e6aaf9c5a313382bf3d5

SHA256
b2dfd9fbddc8c041ff3243770174620c3c4716e2993f7ac4d2ca84474933b848

SHA512
1433abc7596037061c1128dc1ae3baae698ddd00dabcf41efd7e6ab0a22200ffb3d8a9ff8b8fc7639eeb9f2035b300e2c99bea2e3faef337d58fece719f29359

Download Submit
C:\Users\Admin\AppData\Roaming\author.othername.in.middle.xml

Filesize
1KB

MD5
a970285e140230df40613d1914098831

SHA1
2eedff4c44a591aa02bb6b867bdd6e0c4d594aef

SHA256
902b38363a9f7851efd2d21e323091b7501cd30106d784d913f812a1badf2f4e

SHA512
4661f888f2f09339da30eae2c41a952c898ea4065be1fc3ef1db928de327aac934e9961d86ca33156b0b6b0b1630a73994267a42b2b37e2f1d15a947fb2b0593

Download Submit
C:\Users\Admin\AppData\Roaming\bar.conf.xml

Filesize
2KB

MD5
178e152ee2e209d26786a745433ad712

SHA1
a4bbd2efef3aa9dc09a2d393f3cdcb23ffa467c3

SHA256
b5036788bb1d86da7263410892e70822e370302394a6c320124b973027d8b0ee

SHA512
1f1eda2806b08a1252a865089ec3746fe61e434194634cb75025739e2cd3aec5bb8c0ad7602df19b02140aca3dc620d8fee35d85f40e2d119dbc9ea692fe251c

Download Submit
C:\Users\Admin\AppData\Roaming\bar.conf.xml

Filesize
3KB

MD5
668370e9fe3ed5413428f1959b3a6c35

SHA1
d667aa8608b5f5a7efcba590cf49ec52bbd61684

SHA256
be59f4288521cef11da2285e036037a001e60969ae833b956eab6079fdcd2404

SHA512
7ec1fd89c9eeee45cffe9715a4fd22b7d1becb7ffcec03f87df4b88ac45f54a0a5da06f22f31eee74c07edf9fe98e33740e695e8f091693571b093e4c568a5f2

Download Submit
C:\Users\Admin\AppData\Roaming\baynote80.js

Filesize
775B

MD5
40c50b766e20fbf2fc6deab710f5aeb3

SHA1
bb83416bb7191a49d0bcd37a57e28b719afe354e

SHA256
f9d753b34a1bb5f1b8265c97c1b25d02269cd855ec9fc92e75bb690b44aebb75

SHA512
aeddb6f4db0e5910df75e3e18d97d4e72350c7e9c07597d6d83ebd7c332deaaf74c82dd96619727cca44b3b764ace57f89b83f040496a86f1827bde25d664d25

Download Submit
C:\Users\Admin\AppData\Roaming\baynote80.js

Filesize
1KB

MD5
1c33b9d8e53fbf92b0cca28ef5a32394

SHA1
e30b133e543115e3566cc689e7bf8e93d4582dca

SHA256
4d623183aaf56b4b464c4843caa1dbb0b91af7026fcbdc3da703981cca68a25d

SHA512
c68b6aefec3fa82dcdcf31b040b5c60f07d6e0dc2a8d563a2cdf428630515fef5ce7f555bbf5b003bc3a650146125a5c9a06a02efd250a41f119d24b07bc07d7

Download Submit
C:\Users\Admin\AppData\Roaming\benchmark.png

Filesize
4KB

MD5
66774a13c8f3917bd188d164749e9637

SHA1
505452afdc8c064bd36d520e38f98a6c2b854348

SHA256
27fd5c0dff36fdceb96f8dceab5230010c86e94e295625e46f6ab12ba4b7e69f

SHA512
fc43cd5f3aaacdf5ee9749f467b9a86fb661340d3e4a47b8b5096b3dd0a69a4f43a7ccd751f451491b66b29bdf787578f6d29bc5a06aaaeff5a4cf862feede9b

Download Submit
C:\Users\Admin\AppData\Roaming\benchmark.png

Filesize
4KB

MD5
2cd1e8f2f127d7655f3328bfe464e2e6

SHA1
1a91d76ee8122ca815de280df87ca4c515d89d84

SHA256
bf7bddd85b3a492dc447d7af8eea9f8ecf6408a5f2a1a2828a96e8ce4ba0368a

SHA512
1b586a1598503cd8300149a79d3f4c2a5b7da6718869272f5969bbebe3f81a55b352b675600ca9610cf70ffbd16875fec2f730f2a71bb6ff61d35e8ea80fd269

Download Submit
C:\Users\Admin\AppData\Roaming\calendar2.png

Filesize
1KB

MD5
970d4ba9d2ff6fa6bb0be1185309d0ac

SHA1
7d0b05bbd14fbec1f83d466d1a57e019b300373f

SHA256
fa9aed53f4fb59fd5a16f49e3700d1feb50b351c904cd817f1cdf0f2e1cf0a3a

SHA512
6e174e75057e9edff5b1f78b19e3b9ca67edf54a8552b6f015e86f230add70f869fa4d15a72fa75e16b94b85f6d252f8063b6904a0ca235ff4388fb7cc19fd87

Download Submit
C:\Users\Admin\AppData\Roaming\callout.list.table.xml

Filesize
1KB

MD5
ba13484b2294780e6fb964b8dce37525

SHA1
bad6a9dabfc3a36e7a9eb87d35bb39a67ea67f8c

SHA256
85c350f206f60a4995621208b8b82c271deeb0f7a58f3366b62d010e1886bcad

SHA512
a5e3e1dcb28e2297b3bb37b92448f80d88cc2b263c3d07ec419326048c1a33980f0dcbeaaf037a5ba8400b7103f88738729216076f10fe54475351487801f29e

Download Submit
C:\Users\Admin\AppData\Roaming\chmod.js

Filesize
1KB

MD5
86b436eac80e09ab73167e1c19482f3f

SHA1
df618eaecc275ad751f3e45b71618655572e072f

SHA256
f317efe6072c7e4bab43485d3b2dcb2262323159d4a4fb4a41e3561f7d3c57c3

SHA512
7e5341acc76fdc0800c18b3879f9cf23e84c8291a15fbac53995cbcb353797dee26725633a45621c48c5303cb7174c92ca1ac9ec7f4067c22aa88a6d16f2a9d9

Download Submit
C:\Users\Admin\AppData\Roaming\chunk.sections.xml

Filesize
960B

MD5
fbaa353fc2559f142aea6250a505292b

SHA1
6b0712045722a8ac05d09d062266ac16e31bb3bf

SHA256
1271cb8f19f8d7c04937271a2037db928de5f4eb2ffa4067ae96816ba4c75a09

SHA512
e049808e913dea4f7f98d362c28a38894d6523add4bee31a73f3203b3a3a1cf6e7b8efea477c71507b1e823f1f780b61495cbd26264d068035fb908a5482bb8e

Download Submit
C:\Users\Admin\AppData\Roaming\circle_blue.png

Filesize
4KB

MD5
16bbbec98772193c3b712afa603265f2

SHA1
52c8f2fa55eaf32711b7b8b1721de603d9b45a99

SHA256
a527ce92781e80d9db05a09f3dc2339fc5d10942a7da5c08559b38e15e91ff85

SHA512
98e41474ef721545ce4e2fae14468be4d14953d5ef5bf708b8216dcb79df8e941e41c7a453409fca8f8f89350ffcfc6d17bb9175d12d106fed74f6cee8428f0f

Download Submit
C:\Users\Admin\AppData\Roaming\circle_orange.png

Filesize
3KB

MD5
559051954c06cda77ce071b4f054aa48

SHA1
ff8efb4e4e9709119dce2a551e71857cbe7edfc9

SHA256
a1158994e013285a15cd5bb648f21216c3fb6025b6f6e59c47e03e705f3662c6

SHA512
e952db9634a218affb422095645dd11c99079057be3129a56ec93896bbeeea245a0a940d78c61fdcdef4136caf5d4601d9ca06217f2c1bc872e028816225650b

Download Submit
C:\Users\Admin\AppData\Roaming\computer_diagnostics.png

Filesize
3KB

MD5
bd8078dcc074aaebdc63ba53082e75c2

SHA1
a3887f75154e5de9921871a82fe3d6e33b7b5ba7

SHA256
9e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e

SHA512
9a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66

Download Submit
C:\Users\Admin\AppData\Roaming\crop.mark.bleed.xml

Filesize
946B

MD5
698edf38b621162b47ecec4210df45ed

SHA1
d8765a302abe40e55ba29bd26497651a46756f62

SHA256
f5907f5e0a5ba15fa9a0878143f71ef4962f0a3a20eea324a526b0cac31b2b01

SHA512
08179156c0466572e497aeae7f464cfb34bb7172a6429de7d6e47c3dbb89e0b92a8e5448d5d95ae02ab76615e576218525b8004b63abc03877919accfee67de0

Download Submit
C:\Users\Admin\AppData\Roaming\css.stylesheet.dir.xml

Filesize
1KB

MD5
c29954f6f6a53c37aeb7ad23e37ff73b

SHA1
068a87dbd5d5277f0508845838644bd5cb933e9b

SHA256
045323cff6bd1afd75cd8fdb8c7f65569370fcbf6dcbbbc0e24f4c6d5754c45b

SHA512
1760bf9610ae6433b395f2345cf56a06617c64002e3883531e6854b468b2026982883a1a89b33907be3befbb8353aca650a6fbfb42bb543d0c24f2a9416bce35

Download Submit
C:\Users\Admin\AppData\Roaming\data_transfer.png

Filesize
1KB

MD5
6dcfd632eb0a8124ea05a92209e73bab

SHA1
094612b281c4d378ec3def211d60a259bcb41fca

SHA256
0b7e998b98af82bbf0e9f8916aa5e1614a3e42d7a79cd2877c7c72690a42272e

SHA512
581f7f73592c3cf0999a76a2400e0d385330d0594f12c1fe7e37cdef492fd2eafafaec2b6310000efac34c507a1bc660a7e9d38158c888e3869d19ca3f74acab

Download Submit
C:\Users\Admin\AppData\Roaming\diagnostics_na.png

Filesize
410B

MD5
1b509acbb124eda9d7a1f722941096cc

SHA1
9ed8ce338f74a57365546c4e112cc25564b7c971

SHA256
b6eaa77c7f3cc6efa96fc6f7f555477d7ba9226206cc954212d52d2e2dd90ebc

SHA512
61ec6ef8e4697456261b9d49b883f40a75f50f5c4c6bcdd4a88809724608fa6645803ec30b687b7d8a07eb6ff088e3eeb5bd46b55e0d916ad4a2fcaeec173d2f

Download Submit
C:\Users\Admin\AppData\Roaming\diagnostics_queued.png

Filesize
250B

MD5
42d41cbebc9df064e55e06bf3bcc5a2c

SHA1
b037f0eef44b874aad0091b2c5e3b6bd12f219b1

SHA256
b8a3ce2bc7d65d8f2c18b570f14ba03a8729b460e2e6e9a7364308199efbdb40

SHA512
fff2355aa493f321eeba30417aa223fae2a57403b26bdc65ef67bdd5a943a32f62bf92c48f1db8fd2fca1f7efa0f8109ba89ee2d14215c663f758e7bed22e989

Download Submit
C:\Users\Admin\AppData\Roaming\eamonm.inf

Filesize
2KB

MD5
e8d4282400a1c4709ecb37b933269a98

SHA1
dc9febbb99924c761c77bf69286241efaa803f38

SHA256
cb1765e39a9bfde57e60683657257cdae7c84c88d55be43524168a4010be701e

SHA512
f51e18f1705fa4bcb5bd7f072095ee4f9c37ed1503b038854a4a147344f08deda036e000ac4bcfbbe4d688bc238434d18dea75db645c7648ca63e8c00a6b11ec

Download Submit
C:\Users\Admin\AppData\Roaming\embedding.xml

Filesize
4KB

MD5
7246ded2719a2ed3a5d325dbe15e4226

SHA1
d6f781dd2f3d9e3c4388ec7a07b20c9c490f9cef

SHA256
44db2977e5bb2422e73c63d4bd1a727779313c1acfe124b205325db391076f3c

SHA512
76855b922d4ecfd2caf708dd94a424853f03470f1d13a4ebccb3e56e8068dd36855ae529381f80817be576bd6d43f55e64ce8c1bec12e525a2ea16c090fe97ec

Download Submit
C:\Users\Admin\AppData\Roaming\f16.png

Filesize
1KB

MD5
04e342c4c897da1280973c56fdfa4017

SHA1
b035ecefbb20dbf906fe3dcee8bc39e8341f8346

SHA256
14130d579b728d41dddeead049bd96a1fa1b41a93bf0de5776164ce467e47790

SHA512
aaaaa5f84671de83a894bd5531a0f8dc842763023352db3a74dba9629beaa0020a1bcfd0d6a83752338a13b862cdb69dcf26c6ee4df0c26db0a99a61bf77ab39

Download Submit
C:\Users\Admin\AppData\Roaming\f8.png

Filesize
1KB

MD5
d9235deeacc7d331ccdc9d5bde06f32e

SHA1
b72d0fafe7d59f98ac26f03f2aba7c260be0ecf5

SHA256
63abc4a1a89822a59fd6ff22047a5020f37acbc8e35acb2a0dec5061807db943

SHA512
2d5006f2fd85ed1d7c8d759f4b562290d4971e690d4e896a13691e85d1ab53aa24c49a21351c69755e6d954ac9f99ab5df97667f128dd3aec87df099ed9f4918

Download Submit
C:\Users\Admin\AppData\Roaming\fi.pak

Filesize
4KB

MD5
ad8bd1d148df05a5e4466ad1aa235238

SHA1
a10d10f66ae7b761d52892bcae70ac24be183dd1

SHA256
0f8b07de44956f6187754946f127e23f64c646493721db6459367d61eeec9190

SHA512
ba291b0d95dc16e089de45f7e5966ccb465a45060f08c9a89403bd948b9f9c8a99d3320f83bbb49adc10ea80f3aa3835d6f541bdde8d9a680f6edd6e3d8b426f

Download Submit
C:\Users\Admin\AppData\Roaming\function.parens.xml

Filesize
922B

MD5
054b78215f249c0bdb4a66dc5194ff6b

SHA1
b7375a86ea0bc22a5a2033ea92eb0435e5a6c0d4

SHA256
4acce89219d39f8e1f024bd6e90f93936afc4899821cf0674548f96a80815fb9

SHA512
e59c92ff9198afa690a61d789379e6cc448156c20a673e948066dbf97446bf2f11533516d92deba0b865b8b6460b785646cab9970234aada7fda02fdac15fca8

Download Submit
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_en.csv

Filesize
510B

MD5
72846352548853b375cd1966c5b25a3a

SHA1
c51c6d5641dfcabdb6569e071c502deacda8d2d1

SHA256
97f1d4f62e381f8f65d3e7d3da9f3c5d8194c73a2d30a2d08057d0d5ce30e130

SHA512
b4c5a4be9a676323e3f1df1eed60761def150a91e237d830c96413770397df3138176ffb1374580b10abb1466bebc8f8aef99d0a44be0fa29ac5edce3cf9874e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7D0E.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\Dialogs.dll

Filesize
40KB

MD5
52ae8f7762522c2c6bad92bb437aac2e

SHA1
323ab7cc3fdc285d9b19bcf3b1000227a0cf8f58

SHA256
6bfa771b9bdb75e44601044b4bbaec87583caca07839814c7afb241f783282b0

SHA512
a3cd9752e4576ed19fd57f24d562582ea1cd8ed775d96182b2fbc5de40d44f4e8a6b4ff1cda712748d2c98236a03b39d4b3d3fda69eca9fb4e59853b841fa398

Download Submit
\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\netbtugc.exe

Filesize
211KB

MD5
445ccd39adf264dd422cd181f7bfa915

SHA1
85f9e892fd3a6b396868d2f06f33fcd7ffbe9eab

SHA256
f1790d16765d15529243d326719330b7d0ad989f6fa452108e11646cc9328873

SHA512
9ce007c002a25dd6b0261cf2def6c3b1c486c72324d952c74754c2785d7273d23bc5ae8cb1097a482b2d4496e0ce97f7c2df03b4691a7cda04899a1e093069de

Download Submit
memory/1252-62-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-84-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1876-195-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-711-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-709-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-707-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-705-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-703-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-701-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-212-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-225-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-229-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-240-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-201-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-200-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-198-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-197-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-193-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-188-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-186-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download