935a780cd6da40ea7f565208caae1957ffa1428267dc954970b78017cd46de71

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
Size

396KB
MD5

725b613fb1b3162839c7ade694ba9d76
SHA1

f7c2b1ac86b076967a5e166153ce569992a9ca4c
SHA256

935a780cd6da40ea7f565208caae1957ffa1428267dc954970b78017cd46de71
SHA512

90b4789c4039dcfd95c6254b1c12d5a3348c7a85afef04a96967bb6d685028313a2d8f58bd142dacea547b608f7e437663200985c400201e6baeb6bb0868caa9
SSDEEP

12288:Zyhk4guPKtNE2E3URVPUF8K0ea20/lXJ+YwCi4dOy:MPKtNE2EklTN20a2d

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nujer.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://p57gest54celltraf743knjf.mottesapo.com/1857996B99FD11E5 2. http://k4restportgonst34d23r.oftpony.at/1857996B99FD11E5 3. http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/1857996B99FD11E5 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/1857996B99FD11E5 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *** Your personal pages: http://p57gest54celltraf743knjf.mottesapo.com/1857996B99FD11E5 http://k4restportgonst34d23r.oftpony.at/1857996B99FD11E5 http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/1857996B99FD11E5 *** Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/1857996B99FD11E5 *** Your personal identification ID: 1857996B99FD11E5

URLs

http://p57gest54celltraf743knjf.mottesapo.com/1857996B99FD11E5

http://k4restportgonst34d23r.oftpony.at/1857996B99FD11E5

http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/1857996B99FD11E5

http://fwgrhsao3aoml7ej.onion/1857996B99FD11E5

http://fwgrhsao3aoml7ej.ONION/1857996B99FD11E5

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (408) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2728 cmd.exe

pid	process
2728	cmd.exe

Drops startup file 3 IoCs

Processes:

cfutijwkmbum.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nujer.html	cfutijwkmbum.exe

Executes dropped EXE 2 IoCs

Processes:

cfutijwkmbum.execfutijwkmbum.exe

pid process

2456 cfutijwkmbum.exe
2520 cfutijwkmbum.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2456	cfutijwkmbum.exe
2520	cfutijwkmbum.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cfutijwkmbum.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\12_23-dst = "C:\\Windows\\cfutijwkmbum.exe"	cfutijwkmbum.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.execfutijwkmbum.exe

description	pid	process	target process
PID 2364 set thread context of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2456 set thread context of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe

Drops file in Program Files directory 64 IoCs

Processes:

cfutijwkmbum.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Internet Explorer\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\Recovery+nujer.txt	cfutijwkmbum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\Recovery+nujer.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css	cfutijwkmbum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\Recovery+nujer.html	cfutijwkmbum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\Recovery+nujer.png	cfutijwkmbum.exe

Drops file in Windows directory 2 IoCs

Processes:

725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\cfutijwkmbum.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
File opened for modification	C:\Windows\cfutijwkmbum.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a03fd31eb7aeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4757c9a7b4c464db77b25195dc451590000000002000000000010660000000100002000000054e57984874c6aac42137cc31cc5a33cfc5585802e2cfbb79ccdc30f8a21fbff000000000e8000000002000020000000dbc3b151e897c84288b3d38f9e6f61397636d3b3046155412586f67eb75a96b020000000441ffcb80a9f6e7492ad171eab845845776cd3bdf05024a5cd94411f7cbb3dfe400000006c47c36b217373a49b629b32e42c9fdb0e01ef9811043354f6e97b1995c1605f2813654f7916653df345e31b8eaaaf01830b6536da862bde0f647a5f55a31e3d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A69FFF1-1AAA-11EF-9E06-5628A0CAC84B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4757c9a7b4c464db77b25195dc451590000000002000000000010660000000100002000000036d7861dc71da656fc526f7f8312c9b58c6ae82211d28177bd30b2fb4482c2ca000000000e80000000020000200000003d4763d6472c1fa307cfc4091377c732397e7d0c93d88470dc5713f7ef7419d190000000757bd374bb9552cb2aba68be9c5e6168f489c65099caf4190fad21500adb3b4410f21caa5d364f18041e2ac80aaea4462ea493a83146742c0b72c6deeebbe23e6c69f46c5fda2b1fcf781c6250aa40aa8a1f90c4530d593e8e4f8ddf97f2a949e73674fc97c82e9e21884f906c5ae3560867b6acd75a20c4b2c52e1edd7e6c833a507866751e7b7fe2d3edeb14efd8a340000000cc1ba9c92ca767dc25d68e81e7595096c5acf6e2073df339da31d40891939bf3d5004ea75e9cf5cddf938dfe1526156748ae0ee4dce36899a6d8b005ac9aedf3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1568 NOTEPAD.EXE

pid	process
1568	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cfutijwkmbum.exe

pid	process
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe
2520	cfutijwkmbum.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.execfutijwkmbum.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
Token: SeDebugPrivilege	2520	cfutijwkmbum.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe
Token: 35	2696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe
Token: 35	2696	WMIC.exe
Token: SeBackupPrivilege	2252	vssvc.exe
Token: SeRestorePrivilege	2252	vssvc.exe
Token: SeAuditPrivilege	2252	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1824 iexplore.exe
2644 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.execfutijwkmbum.exeiexplore.exeIEXPLORE.EXE

pid process

2364 725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
2456 cfutijwkmbum.exe
1824 iexplore.exe
1824 iexplore.exe
2652 IEXPLORE.EXE
2652 IEXPLORE.EXE

pid	process
1824	iexplore.exe
2644	DllHost.exe

pid	process
2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
2456	cfutijwkmbum.exe
1824	iexplore.exe
1824	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.execfutijwkmbum.execfutijwkmbum.exeiexplore.exe

description	pid	process	target process
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2364 wrote to memory of 2256	2364	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
PID 2256 wrote to memory of 2456	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	cfutijwkmbum.exe
PID 2256 wrote to memory of 2456	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	cfutijwkmbum.exe
PID 2256 wrote to memory of 2456	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	cfutijwkmbum.exe
PID 2256 wrote to memory of 2456	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	cfutijwkmbum.exe
PID 2256 wrote to memory of 2728	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	cmd.exe
PID 2256 wrote to memory of 2728	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	cmd.exe
PID 2256 wrote to memory of 2728	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	cmd.exe
PID 2256 wrote to memory of 2728	2256	725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe	cmd.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2456 wrote to memory of 2520	2456	cfutijwkmbum.exe	cfutijwkmbum.exe
PID 2520 wrote to memory of 2696	2520	cfutijwkmbum.exe	WMIC.exe
PID 2520 wrote to memory of 2696	2520	cfutijwkmbum.exe	WMIC.exe
PID 2520 wrote to memory of 2696	2520	cfutijwkmbum.exe	WMIC.exe
PID 2520 wrote to memory of 2696	2520	cfutijwkmbum.exe	WMIC.exe
PID 2520 wrote to memory of 1568	2520	cfutijwkmbum.exe	NOTEPAD.EXE
PID 2520 wrote to memory of 1568	2520	cfutijwkmbum.exe	NOTEPAD.EXE
PID 2520 wrote to memory of 1568	2520	cfutijwkmbum.exe	NOTEPAD.EXE
PID 2520 wrote to memory of 1568	2520	cfutijwkmbum.exe	NOTEPAD.EXE
PID 2520 wrote to memory of 1824	2520	cfutijwkmbum.exe	iexplore.exe
PID 2520 wrote to memory of 1824	2520	cfutijwkmbum.exe	iexplore.exe
PID 2520 wrote to memory of 1824	2520	cfutijwkmbum.exe	iexplore.exe
PID 2520 wrote to memory of 1824	2520	cfutijwkmbum.exe	iexplore.exe
PID 1824 wrote to memory of 2652	1824	iexplore.exe	IEXPLORE.EXE
PID 1824 wrote to memory of 2652	1824	iexplore.exe	IEXPLORE.EXE
PID 1824 wrote to memory of 2652	1824	iexplore.exe	IEXPLORE.EXE
PID 1824 wrote to memory of 2652	1824	iexplore.exe	IEXPLORE.EXE
PID 2520 wrote to memory of 2264	2520	cfutijwkmbum.exe	cmd.exe
PID 2520 wrote to memory of 2264	2520	cfutijwkmbum.exe	cmd.exe
PID 2520 wrote to memory of 2264	2520	cfutijwkmbum.exe	cmd.exe
PID 2520 wrote to memory of 2264	2520	cfutijwkmbum.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cfutijwkmbum.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cfutijwkmbum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cfutijwkmbum.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\725b613fb1b3162839c7ade694ba9d76_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\cfutijwkmbum.exe
    C:\Windows\cfutijwkmbum.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\cfutijwkmbum.exe
      C:\Windows\cfutijwkmbum.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2520
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1568
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CFUTIJ~1.EXE
        5⤵
        
        PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\725B61~1.EXE
    3⤵
    - Deletes itself
    PID:2728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nujer.html

Filesize
8KB

MD5
78f093c03946bfb6044db3d03c1fc092

SHA1
e41f83179ed3ed9cf4e7471c893a475b921ae101

SHA256
d7af620a9b1914e72d1ecc9de4ad4332e353459407b14f7ecaf77559654f95a8

SHA512
3a3c465d692a75b1e434475fe85583997172df7972d6e26c10fc98c6fb69724db032aefcbbb3c3fdf44ed720953b73644e73797400a9091ce0b0cf28685ac852

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nujer.png

Filesize
66KB

MD5
d0a1df8c7c3f2ccf21ca470f76c107e6

SHA1
62f83dddd3a8eabd473220ea2dd20668bdcc012b

SHA256
963fbac85342551a53162224a321f66f7d08dd8d5d53f07214b21a37ba121bea

SHA512
deae3a609878c00763eab3a2dcb2e65a5b1b99d40730f44e38b7aab49a985322a0064bf8f56543db991ebb8c330a0437014ac89d40a03a69ce2cf9e98ca89910

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nujer.txt

Filesize
2KB

MD5
9bee1ca892e76e8ce8e8239ee1debede

SHA1
fa92237e27f241cc7c3241ad3eaab1c5775524cb

SHA256
6c92c0c2c27db3f4310091b5aefa20216cf9761c051ccc2977c68585e59a8ab0

SHA512
b270e7c9bc91a4c830b77a71262bdbc40f9bb366986175a27eacb0006db4b883593d639c4a82fc235096b7c991f31fff21cbc641abc11fe2ca4b3326fc5a4e8f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
bd03ad32d74c4d0fbe54741f4a13ff04

SHA1
6834a94276919e9629869b6b5737f7471919dbda

SHA256
152c55de58d57ba234e994f2ff3cf0f3f4044df559449716d0eef407878a03de

SHA512
692a0771c50fc7b72a922709ce9c8a224aa9badcc576cc0431eb5a7c4855baba80d29eb7b81ec279860feec46d0d7dda14a16329ad40d538cc9371b2b58b4f25

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
e7f63c24d0d81715dca68eede77608f0

SHA1
d5df63f7ad56791db3faab0f88ed70c188d4a373

SHA256
f243677472304bec3ad1ddb1b37919c283b49571c2346ff2c775f3f81bf40cc4

SHA512
e0c30702df14e4da5cbc63cc12727046a17f9fc7c625ea4cb40148edb31753c107d3595cfd956785f0e371d1183564797f8837c8e0b4928d63091e85ceae8550

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
92ad320bcd9515cca925e1f96b3d357b

SHA1
addc2e4a62450a3298b3d22b592054532bd4c0ea

SHA256
4f20dafc490807b6ca45f6951b36889b1210633c981ef22e18e718df1805dc02

SHA512
252e5f8663a36df80707b2f00c8b272c29c3eaaaa562da8023d6b95993ee596ac05f34a85388849aba34274f24f27e578424538896732c6cbdf591eaaafbc692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
540d6c7124ed0db8f09eb30c69d8e395

SHA1
0acdf8bc1202d0382ca18bf63b2234b7fc3bff80

SHA256
87b99260b6d8bf2ef7dc4c7f6ff3b5346a60976ad94ae7375cc16fa130962e55

SHA512
b256321b83bf5b66cd6502ffdfbbedc632376855bd8a826a26cac2a517b0b9feb532313e270133811332b103ac4dcdc21b3252d0326f7ba970405346ed1b77ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c9f34bcefa0852b8d778d4c369457d8

SHA1
03004120f289f39947557f0a2b4291f1c4b3ed47

SHA256
0d60f98bbe27101064b25c3f55dd32dd60288a756c2dfcc14e989808fe5b1018

SHA512
befd9a5a7ebff82ad30ce612b1277dcc07c85e13e212447cb05f4e43b64da58e8e8cbdcb5572a8aaccf5a6e612fd7bf0c894c59f0036dcbaeac195746640ea6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30fbd7e5e3eb12111381ae522623b1dc

SHA1
f758971356f659c51e36f4f5ff58746b57643ae2

SHA256
b2ab3daf8bca25590781f68f77bb249dd7d20d29d2cbb69405416c50b867632e

SHA512
a569b102dddcb0f27d819c02da21a683298ffdc9697a6af60be5716efcbe09abbdc315985f95754c2e43985065a1285208d58dc97c04c17ef9371e20faed1eee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3afa246f7ad474b07e58d03e07e4905a

SHA1
817436b92372fe564328d8eace18b1e78f59ad5f

SHA256
ddd267951dd964047ddbe7cf7778a5c8b0edc38f22913753b6fe38d97bf26267

SHA512
9c53cab3001fd4308de6a03fc8bb7f72d5886882694593819b584e4b6aeae6f5cd53ad794fb869d9c2a2cb2707d554a481314eb24c3d0429ed719446a320a4ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7376caad024d64e42d1f2ddefcead02d

SHA1
c5a5e1bb5964813bb7c1a2f69e8fefa9cd819c5a

SHA256
b93418320b0517943d6fac7a02275fee881fdcfa229695c23299e7e3a4e4815d

SHA512
aede783cb9bcdca9b92e147b7435ebff4cc6457aa5b321c88b8675da0b34dff96d1676d0a55067b720497f2d25e242e40ea05852a6634a5d4961dadb95b96802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f39c440eef53c244f3da626c1256a260

SHA1
6903bc28e394c62b73167eec863559544e141358

SHA256
102df2abad46f84dd84fbcf1cf3367316398924f53d4edbb050686e1eb065632

SHA512
b7633002f6eeaad5464fe3d4e1a1742a9aeeb2d702f24c2597dc26314b1f52ba60a69652bc610813cdad5bb3eacef31e9dd2fc34ac206367bc94a0e1fbe5a42a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5e037f49a0f47ac16f306fd6e734ad7

SHA1
604d279f5f4840f2d02bfd1c68ae28d2e0d46a56

SHA256
567a4dbfa005ad4823268b179febec8f94cbdfd70174e2e1617ff3f726b89239

SHA512
7c7f7d74424e1110b197d3a6d7f6010622d8d8a431a300878ea95cedb94cbf25d7c3efd980d24c7f4a00b4e46d28847a938eb44638bb1565ca1a27ec551df2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00967433e5d6cacae3b5e2424f91e2a5

SHA1
6175e0f018cc57409fc6c0bcc3bca828649e6406

SHA256
faac5b8f14c6395167a2d35ca81e8c5bfdd02fe0445fa2053bc3e11ddb40f308

SHA512
c7465b9df652e835ca849d5ca190fef9e3bcf1392ce4522da23ae2de00a51729f27280e06d33481b9551780cf8b036730b2fca4a3e92d15bba368425b63d3d17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c4f0806fc1931a59b4ea5b56b529287

SHA1
af0de9350fbbf94c77636706890821bc2a8d1379

SHA256
0aed3e7a792f4178beb732badf27c9606280e3b19710684d298f648af1f690da

SHA512
401cb3644b37f472cf843a34b5dbbc5f13d45aed4966748585fa76a4af73b1faab4e921b3df278873dee2b280daddcabdb291abbeb43c95db2eb2a78d427e292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b3d8ee5fddbc4366c7dee6d65eb6ef1

SHA1
3ea3f4af5d23a6beb79c8a9dc34baeb898fb8d6e

SHA256
cc6493b4d65a789dfc88d864bb2386cc1d2f9d567fe308fce560c7f2b6080f9e

SHA512
121397072910decae93c5ea668b2193a8434b4a5041ae060b49e69f67f0c03dae63d83a0d3e828a2281c0cb636393f23d33931a63412d470cc8baceb56641164

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
611859aea4003c866f70d376965d6411

SHA1
00cbcc5fbfc2304b4b4b003f503520611c793f34

SHA256
ea16f90a7dda9c31b1d44ce9150f73c35725636119b43070ce754c29a5b9633e

SHA512
b72f47c51afb4fd9d297ea1070892165bf8088d5954c62aa2f7885b44cbc5f5b4f0b1d1fc9c1101b4a19dcaf0180b53c96043e789b153e894e8534a763da6469

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7225.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7371.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\cfutijwkmbum.exe

Filesize
396KB

MD5
725b613fb1b3162839c7ade694ba9d76

SHA1
f7c2b1ac86b076967a5e166153ce569992a9ca4c

SHA256
935a780cd6da40ea7f565208caae1957ffa1428267dc954970b78017cd46de71

SHA512
90b4789c4039dcfd95c6254b1c12d5a3348c7a85afef04a96967bb6d685028313a2d8f58bd142dacea547b608f7e437663200985c400201e6baeb6bb0868caa9

Download Submit
memory/2256-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2256-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2364-1-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2364-18-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2364-0-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2456-51-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/2456-31-0x0000000000400000-0x0000000000765000-memory.dmp

Filesize
3.4MB

Download
memory/2520-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-2539-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-5961-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-5959-0x0000000002F20000-0x0000000002F22000-memory.dmp

Filesize
8KB

Download
memory/2520-5953-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-5591-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-5973-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-1813-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-58-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-6395-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2520-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2644-5960-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download