210223de4b6b3fb33d879ffb7df1e6b6cc7223f24603b2296852066ee3db3f43

Analysis

max time kernel
130s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
Size

616KB
MD5

56574c4691f454ea2c19454b7fc40905
SHA1

cbbfd3d72456c071ceef8ff4bf84106ca1062c6f
SHA256

210223de4b6b3fb33d879ffb7df1e6b6cc7223f24603b2296852066ee3db3f43
SHA512

81f0de49b8e96d6422fb0f92f0799cac469d840b35e5f1ff48f9b2ae56104983ab4a17633def840868cd3c5db7b729d2f72d9f65590dfa0efcc95ba0b8980cdb
SSDEEP

12288:5v/fMH3Mu7vOlM7CjCkczgmziP+1RTwu7vOlM7CjCkczg:5v/fMfvQjCM+3vQj

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ctkhx.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://p57gest54celltraf743knjf.mottesapo.com/BFA31C3555DE9BA 2. http://k4restportgonst34d23r.oftpony.at/BFA31C3555DE9BA 3. http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/BFA31C3555DE9BA If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/BFA31C3555DE9BA 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *** Your personal pages: http://p57gest54celltraf743knjf.mottesapo.com/BFA31C3555DE9BA http://k4restportgonst34d23r.oftpony.at/BFA31C3555DE9BA http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/BFA31C3555DE9BA *** Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/BFA31C3555DE9BA *** Your personal identification ID: BFA31C3555DE9BA

URLs

http://p57gest54celltraf743knjf.mottesapo.com/BFA31C3555DE9BA

http://k4restportgonst34d23r.oftpony.at/BFA31C3555DE9BA

http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/BFA31C3555DE9BA

http://fwgrhsao3aoml7ej.onion/BFA31C3555DE9BA

http://fwgrhsao3aoml7ej.ONION/BFA31C3555DE9BA

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (418) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2544 cmd.exe

pid	process
2544	cmd.exe

Drops startup file 3 IoCs

Processes:

gvveqmkcobvk.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ctkhx.html	gvveqmkcobvk.exe

Executes dropped EXE 4 IoCs

Processes:

gvveqmkcobvk.exegvveqmkcobvk.exehslds.exeuqdum.exe

pid process

2804 gvveqmkcobvk.exe
2892 gvveqmkcobvk.exe
352 hslds.exe
2352 uqdum.exe
Loads dropped DLL 2 IoCs

Processes:

gvveqmkcobvk.exe

pid process

2892 gvveqmkcobvk.exe
2892 gvveqmkcobvk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2804	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
352	hslds.exe
2352	uqdum.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gvveqmkcobvk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\12_23-dst = "C:\\Windows\\gvveqmkcobvk.exe"	gvveqmkcobvk.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exegvveqmkcobvk.exe

description	pid	process	target process
PID 2984 set thread context of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2804 set thread context of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe

Drops file in Program Files directory 64 IoCs

Processes:

gvveqmkcobvk.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Google\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\currency.css	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Uninstall Information\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\clock.js	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Recovery+ctkhx.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\Recovery+ctkhx.txt	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\Recovery+ctkhx.html	gvveqmkcobvk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak	gvveqmkcobvk.exe

Drops file in Windows directory 2 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\gvveqmkcobvk.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
File opened for modification	C:\Windows\gvveqmkcobvk.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1952 vssadmin.exe
2360 vssadmin.exe

pid	process
1952	vssadmin.exe
2360	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 804474b856a9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000008d523d879c03b67a9843124fd74425afed501311316fdeeee8277d3741177537000000000e8000000002000020000000d5523cc6ba268ff3b12f8cad4b16a868c05496737d3a0fa7583b1a48c4dc482090000000427a4f764450ec20369ed47295362e4c35db7a7fa7482a9a6b3ef48ae18cc5a7079bab2f149a2035a5c386af0fba2648ad48f6ed164a3c9be2aea1ce2b8e3df5855119c6c0d2aba3241f77c0de93a9472c03b724916bc6da17a57bd172ad0c638b14d2cc6e58e2770e3613e828e28e5e7592571592a06c94be0323500697645a2bbc28b483958b5b14c7bfafa0104536400000001db8ca285414d111258b634e30161bbe7de70f5c064f056f7563bf400c88ffae1214f23b7c054c997b9ab26c2d1fd151eae7fb6e24ed34dc5dfcdcacec289be1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000004c4485a0bbf4364c472b35750a0c76c90d1f0ef5f9f41d5bab81a998fec67323000000000e800000000200002000000056934d723cd7e3763bc8a08833e74b22435131a81b6992d65dab2214ab0b1fd42000000012be4bdd3bb9e5faa491013798cf1bf293b737301778790cecbbe92ef62acfb7400000001838a706c1235b183eb154dec8c9136c7b9cd87a63d48c787da00baf053a8f32150f9e91c4e77648c85bb7b511ad22fe355f8afc8357cf7f4f8fd244d243c41d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3F80971-1549-11EF-B8F6-D6B84878A518} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1100 NOTEPAD.EXE

pid	process
1100	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gvveqmkcobvk.exe

pid	process
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe
2892	gvveqmkcobvk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exegvveqmkcobvk.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	gvveqmkcobvk.exe
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

928 iexplore.exe
1492 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exegvveqmkcobvk.exeiexplore.exeIEXPLORE.EXE

pid process

2984 56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
2804 gvveqmkcobvk.exe
928 iexplore.exe
928 iexplore.exe
688 IEXPLORE.EXE
688 IEXPLORE.EXE

pid	process
928	iexplore.exe
1492	DllHost.exe

pid	process
2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
2804	gvveqmkcobvk.exe
928	iexplore.exe
928	iexplore.exe
688	IEXPLORE.EXE
688	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exegvveqmkcobvk.exegvveqmkcobvk.exehslds.exeiexplore.exeuqdum.exe

description	pid	process	target process
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2984 wrote to memory of 2652	2984	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 2652 wrote to memory of 2804	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	gvveqmkcobvk.exe
PID 2652 wrote to memory of 2804	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	gvveqmkcobvk.exe
PID 2652 wrote to memory of 2804	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	gvveqmkcobvk.exe
PID 2652 wrote to memory of 2804	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	gvveqmkcobvk.exe
PID 2652 wrote to memory of 2544	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	cmd.exe
PID 2652 wrote to memory of 2544	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	cmd.exe
PID 2652 wrote to memory of 2544	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	cmd.exe
PID 2652 wrote to memory of 2544	2652	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	cmd.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2804 wrote to memory of 2892	2804	gvveqmkcobvk.exe	gvveqmkcobvk.exe
PID 2892 wrote to memory of 352	2892	gvveqmkcobvk.exe	hslds.exe
PID 2892 wrote to memory of 352	2892	gvveqmkcobvk.exe	hslds.exe
PID 2892 wrote to memory of 352	2892	gvveqmkcobvk.exe	hslds.exe
PID 2892 wrote to memory of 352	2892	gvveqmkcobvk.exe	hslds.exe
PID 352 wrote to memory of 1952	352	hslds.exe	vssadmin.exe
PID 352 wrote to memory of 1952	352	hslds.exe	vssadmin.exe
PID 352 wrote to memory of 1952	352	hslds.exe	vssadmin.exe
PID 352 wrote to memory of 1952	352	hslds.exe	vssadmin.exe
PID 2892 wrote to memory of 1100	2892	gvveqmkcobvk.exe	NOTEPAD.EXE
PID 2892 wrote to memory of 1100	2892	gvveqmkcobvk.exe	NOTEPAD.EXE
PID 2892 wrote to memory of 1100	2892	gvveqmkcobvk.exe	NOTEPAD.EXE
PID 2892 wrote to memory of 1100	2892	gvveqmkcobvk.exe	NOTEPAD.EXE
PID 2892 wrote to memory of 928	2892	gvveqmkcobvk.exe	iexplore.exe
PID 2892 wrote to memory of 928	2892	gvveqmkcobvk.exe	iexplore.exe
PID 2892 wrote to memory of 928	2892	gvveqmkcobvk.exe	iexplore.exe
PID 2892 wrote to memory of 928	2892	gvveqmkcobvk.exe	iexplore.exe
PID 928 wrote to memory of 688	928	iexplore.exe	IEXPLORE.EXE
PID 928 wrote to memory of 688	928	iexplore.exe	IEXPLORE.EXE
PID 928 wrote to memory of 688	928	iexplore.exe	IEXPLORE.EXE
PID 928 wrote to memory of 688	928	iexplore.exe	IEXPLORE.EXE
PID 2892 wrote to memory of 2352	2892	gvveqmkcobvk.exe	uqdum.exe
PID 2892 wrote to memory of 2352	2892	gvveqmkcobvk.exe	uqdum.exe
PID 2892 wrote to memory of 2352	2892	gvveqmkcobvk.exe	uqdum.exe
PID 2892 wrote to memory of 2352	2892	gvveqmkcobvk.exe	uqdum.exe
PID 2352 wrote to memory of 2360	2352	uqdum.exe	vssadmin.exe
PID 2352 wrote to memory of 2360	2352	uqdum.exe	vssadmin.exe
PID 2352 wrote to memory of 2360	2352	uqdum.exe	vssadmin.exe
PID 2352 wrote to memory of 2360	2352	uqdum.exe	vssadmin.exe
PID 2892 wrote to memory of 1056	2892	gvveqmkcobvk.exe	cmd.exe
PID 2892 wrote to memory of 1056	2892	gvveqmkcobvk.exe	cmd.exe
PID 2892 wrote to memory of 1056	2892	gvveqmkcobvk.exe	cmd.exe
PID 2892 wrote to memory of 1056	2892	gvveqmkcobvk.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gvveqmkcobvk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gvveqmkcobvk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gvveqmkcobvk.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\gvveqmkcobvk.exe
    C:\Windows\gvveqmkcobvk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\gvveqmkcobvk.exe
      C:\Windows\gvveqmkcobvk.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2892
    - - C:\Users\Admin\Documents\hslds.exe
        
        C:\Users\Admin\Documents\hslds.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:352
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:1952
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1100
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:688
    - - C:\Users\Admin\Documents\uqdum.exe
        
        C:\Users\Admin\Documents\uqdum.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GVVEQM~1.EXE
        5⤵
        
        PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\56574C~1.EXE
    3⤵
    - Deletes itself
    PID:2544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ctkhx.html

Filesize
8KB

MD5
bd3b795080af465826165dfa5a7b9ab9

SHA1
9d5a30dea4f4e8fc7b01c3d6ec5b21ba22c2533e

SHA256
244b7d5c8a24d744dd0123961c65f3ecd3e2d23a8de5afc7eba77cffc3c78658

SHA512
106dfc1a5a8c205202b5aee1ff6bec2488ae6b1cfbb46c05793defdd92c812b0a8c18658db4db70930d7fea7ee8f2a35ba2084b0199fbf588b4da38c6792728a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ctkhx.png

Filesize
66KB

MD5
9645626b4900caa2c55c998271c7c016

SHA1
7fc78d2887da62af6ea2172e13b7b00372e41de9

SHA256
0229f90adb47b045d9a9192e698f03e658449c07e7addf9379ac69542a7570af

SHA512
43afdbf0848e868f958cd51147c7e3fa7f64a92541e87985c46314e744fcf88ead04068cd23b4091f203404fc89aaf8f9a119cba93c1ba40da45f60937ae9df3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ctkhx.txt

Filesize
2KB

MD5
d65ef751c6095862f7a333a65e207edb

SHA1
b526315912cd5d4707bedc449b3c2e18d612b5df

SHA256
0cd64d4f6ea5f07c406b93e023af7a36521a553d02e9ff7ba7c1586761e9b02a

SHA512
6dabf3dbddf21eaab531e63250b30d0b0d8b20f4cac99b42cb13330f727a648d71f01bcd9d8ee8eda3bbecd6b109204a2b0cec9723179121394525c1388f5a2c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
2baa66372572a838342caea518d5607d

SHA1
9203b171091eb7871fc5b3b36a202d4a03dd7541

SHA256
51de1e923158ee39ed0dc2acf2cbcbd4e4e1bb2ebcd972076fb3487091fd8e78

SHA512
4e0e63703dce62382d827e3b17376a75a9f129a2c69e592208d8fa7461bbbdb39c545afc84a68b0d4e07d9d55a22527d8a6d8d56945af0ffa193c910221a9821

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
f95396257c11fe9aae8dde8e7d20c616

SHA1
f5742133a8266ce7fb2da44e596aa5ad2a88116d

SHA256
51b70422609d74fb8bc9f6a7e8aa7bcbe321b003c36cf7efe41659b7408b0e31

SHA512
508da0d68e9165b6ab4e85df1a6240af29e0f0e47310e27e6ca97add725b74de8dd3b5c0e28992eb2e38dfb2f065864b7ff9c6a4d23b7aba6ac7b3031648f3d7

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
66263c72542df9a9ebfaab7100659706

SHA1
14af22afc33a1062e88876d91e7f2cbaa4c7d21f

SHA256
c6fe42046cbaaf25a7f864abe368285b0c06e5917686dfcfc3ad06c4e3d9c14d

SHA512
db32bda73cceb2e39d40cc84d45c00e65f04d4882d42cbfcb2e6d3eed83cc0e3b7076afc1cef83582304b5f89c1d7bdc325835e875ceb7c8530ac2c654ac91dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
caf65b529625d5864037803c04c7059a

SHA1
deec237a344841708ee6d44b1f708274906ca66c

SHA256
d08e1ad1308fcb744d2a1803edf1d4f4fc3fe734ff45a304dd75168c4673335a

SHA512
f360b565e7fca05706ecabdec16a77c72cae82ab665be8e0a7117b844526e71ffd52b03106f4cae1541eb3ac97a8134ad9417677f541f1f38230906e8a511204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e404b052d48bda5fcca3eb43a69a703

SHA1
0966237ac8d2c7c5a326cc7e08e167c48fd59d39

SHA256
df2c43c68d0a534e7ccd02f0405b690ebb05eeecb2564a663a5547d73fa082a8

SHA512
008e1df55d779dc50b90cec39cbe36d2319baab6665281b6e5972d2cf150c30028962f7a70099861bdbedc28de34b434a3042d26a0665929f6b8c5361a788cf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57c8340e33e2751096c56ae4329b5712

SHA1
cac0ab93bcd4538c19679eccc14cbf6c2f7df2ec

SHA256
f13c680ad46d7654a466419912b0602ede24b02a48686155c150aa3fdcb210f9

SHA512
8efa9b8e90828784aac8301761cd01d8b68d0a913b9f7c89fd968a29b27a0d487fb7b8e87860ed66d664be9ab1d2eff3dcd4a3f971ac387a74c7aabfbf721d56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2468bc745f5ab7e60ec8525ff23c516

SHA1
960740e5ea2652f157ed8f0130ab1ca6731b32fe

SHA256
414f1b2bd73dab926b49a661502f6b6af2774184257e474f41232e54a98b3c9a

SHA512
245654eafecdd30f64654c8e37e4375457d555d05acedf0ffe156ae3114c501cc4afc8723f3d1a76b90d714e725f79b83b8664170590eb320c3247690a06970a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
424d5e31d6412fc3868b5853bb3808e3

SHA1
71975c18fce10d2b7d7cddc5a87657c3ec556512

SHA256
ee5dc76cd41bb870b78c60938b702e6fff2df5286543f3fb7d8fc344e86023a0

SHA512
c4c8debffbff405d8848c0580688af7122a726dc752548c6ef513e8318550660a1c3181adc5c1c788e971eb0fb0d1e439514b62c538b0702755459fc5904891a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15434672416aaa7ebbe18659b0e5f219

SHA1
bcbac933358dbec4fea27c90a98d8678e3ee8dc4

SHA256
4bbbd1941e9bfb5f27cb0778acdfd7e21e5be3571af8943181f552a214cc429a

SHA512
e62a0e8078402f6b0ac4806fe362619c268b5435719b194a82cfd58c4c43d1bf933f3e4c250da7bf178fc7d336f5227e7d61b9e0432dc7c8c4d0c5df43f63813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3355e4460d9a1f2b988a1b699c9ab4f1

SHA1
b12b5537efde3d81ddaf3d6cfd6ac411e4d477b2

SHA256
c910d27cabf5741c24bfcac4332234b9cb03c637e2af69d684c368546b90d5be

SHA512
64519b711c65193fe8c0df405e66fed9cd5a159097630686db494553a60e931655dd71ff663e1f098f40f1403bce4faffd4abb889489a09d1b8de240868ae4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9CFE.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D10.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\gvveqmkcobvk.exe

Filesize
616KB

MD5
56574c4691f454ea2c19454b7fc40905

SHA1
cbbfd3d72456c071ceef8ff4bf84106ca1062c6f

SHA256
210223de4b6b3fb33d879ffb7df1e6b6cc7223f24603b2296852066ee3db3f43

SHA512
81f0de49b8e96d6422fb0f92f0799cac469d840b35e5f1ff48f9b2ae56104983ab4a17633def840868cd3c5db7b729d2f72d9f65590dfa0efcc95ba0b8980cdb

Download Submit
\Users\Admin\Documents\hslds.exe

Filesize
5KB

MD5
34d3f2e3fd92cd38a103d415dbb22936

SHA1
abdcf16a82cf8d3109ec39203181d839f2154a68

SHA256
5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25

SHA512
bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92

Download Submit
memory/1492-6068-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2652-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-2-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-6-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-8-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-31-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-20-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-10-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2652-4-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2804-28-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/2804-51-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/2892-1107-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-59-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-6067-0x0000000003A50000-0x0000000003A52000-memory.dmp

Filesize
8KB

Download
memory/2892-6077-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-6078-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-4532-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-1791-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-6061-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-50-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-52-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-6519-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2892-61-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2984-0-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2984-1-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2984-17-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download