Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-11-2024 13:46

General

  • Target

    a81ffcb94c5726d6ffe4deb5fe4e3710_JaffaCakes118.exe

  • Size

    204KB

  • MD5

    a81ffcb94c5726d6ffe4deb5fe4e3710

  • SHA1

    1a591e00a93298be98678d32b69ca99f14e03e9e

  • SHA256

    557890aa4632ea29e35e2ca9eb41bd1136913c167c9e4f3d17483f1431563b14

  • SHA512

    81ed860e7e1548336ce41a098a3713a388e1885ab3a0e740e8074b802b00d520c836adf39ec7a97dd36076f9b9d41bd286a5bcd481e207435a3d434830d1e87b

  • SSDEEP

    6144:0W+7+eMgWNsT9UpVlNca430rIYqc1jqP+JZm0q:0RXWmT9UVN83fc1GmJZU

Malware Config

Extracted

Path

C:\Users\Admin\Music\@[email protected]

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E
#########################################################################
Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware".
#########################################################################
!!! If you are reading this message it means the software "Cerber" has
!!! been removed from your computer.
!!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a
!!! working domain of your personal page!
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to return your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
1. http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0
2. http://52uo5k3t73ypjije.zk95b8.bid/6CBE-95FA-BFC2-0446-82E0
3. http://52uo5k3t73ypjije.zp9i1l.bid/6CBE-95FA-BFC2-0446-82E0
4. http://52uo5k3t73ypjije.4c71wg.bid/6CBE-95FA-BFC2-0446-82E0
5. http://52uo5k3t73ypjije.onion.to/6CBE-95FA-BFC2-0446-82E0
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://52uo5k3t73ypjije.onion/6CBE-95FA-BFC2-0446-82E0 in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0

http://52uo5k3t73ypjije.zk95b8.bid/6CBE-95FA-BFC2-0446-82E0

http://52uo5k3t73ypjije.zp9i1l.bid/6CBE-95FA-BFC2-0446-82E0

http://52uo5k3t73ypjije.4c71wg.bid/6CBE-95FA-BFC2-0446-82E0

http://52uo5k3t73ypjije.onion.to/6CBE-95FA-BFC2-0446-82E0

http://52uo5k3t73ypjije.onion/6CBE-95FA-BFC2-0446-82E0

Extracted

Path

C:\Users\Admin\Music\@[email protected]

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0" id="url_1" target="_blank">http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.zk95b8.bid/6CBE-95FA-BFC2-0446-82E0" target="_blank">http://52uo5k3t73ypjije.zk95b8.bid/6CBE-95FA-BFC2-0446-82E0</a></li> <li><a href="http://52uo5k3t73ypjije.zp9i1l.bid/6CBE-95FA-BFC2-0446-82E0" target="_blank">http://52uo5k3t73ypjije.zp9i1l.bid/6CBE-95FA-BFC2-0446-82E0</a></li> <li><a href="http://52uo5k3t73ypjije.4c71wg.bid/6CBE-95FA-BFC2-0446-82E0" target="_blank">http://52uo5k3t73ypjije.4c71wg.bid/6CBE-95FA-BFC2-0446-82E0</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/6CBE-95FA-BFC2-0446-82E0" target="_blank">http://52uo5k3t73ypjije.onion.to/6CBE-95FA-BFC2-0446-82E0</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0" id="url_2" target="_blank">http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0" id="url_3" target="_blank">http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0" id="url_4" target="_blank">http://52uo5k3t73ypjije.wf9li1.bid/6CBE-95FA-BFC2-0446-82E0</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/6CBE-95FA-BFC2-0446-82E0</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Contacts a large (523) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a81ffcb94c5726d6ffe4deb5fe4e3710_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a81ffcb94c5726d6ffe4deb5fe4e3710_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\a81ffcb94c5726d6ffe4deb5fe4e3710_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a81ffcb94c5726d6ffe4deb5fe4e3710_JaffaCakes118.exe"
      2⤵
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic.exe shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2528
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\@[email protected]
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2520
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:537601 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:200
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\@[email protected]
        3⤵
        PID:1700
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im "a81ffcb94c5726d6ffe4deb5fe4e3710_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1808
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2308
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1728
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2772
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2532

    MITRE ATT&CK Enterprise v15

    Downloads
