8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
Size

327KB
MD5

09e28e9a94fee8af07007497677976fc
SHA1

383a448b39b3eb8917cf36661996ca2c933ae53e
SHA256

8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e
SHA512

a7a705bfa8cec58de945e86e82f2dcdb658b8f0b1d8aa606caf35e1d6860e2d3ea890c6d974dd8c692ae260d1d342f2ff875880a04f247290089c477cc9d4c02
SSDEEP

6144:UpLp0syTnvooi3umGCJ1aynXgtGF0bo8ZZma/PC4yUYS5xCKszrQZ9:UpLesyNiVRJ1a6Xgtf3ZFPRY1zrU

Score

10^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jefsj.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled , or start obtaining BITCOIN NOW !!!!! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files , except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below * http://t54ndnku456ngkwsudqer.wallymac.com/494B6C35229EE09B * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/494B6C35229EE09B * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/494B6C35229EE09B If for some reasons the addresses are not available, follow these steps * Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en * After a successful installation, run the browser * Type in the address bar: xlowfznrg4wf7dli.onion/494B6C35229EE09B * Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/494B6C35229EE09B http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/494B6C35229EE09B http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/494B6C35229EE09B

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/494B6C35229EE09B

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/494B6C35229EE09B

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/494B6C35229EE09B

http://xlowfznrg4wf7dli.onion/494B6C35229EE09B

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

316 cmd.exe

pid	process
316	cmd.exe

Drops startup file 3 IoCs

Processes:

uwpbifuwmovi.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe

Executes dropped EXE 1 IoCs

Processes:

uwpbifuwmovi.exe

pid process

1224 uwpbifuwmovi.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uwpbifuwmovi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aroinics_svc = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\uwpbifuwmovi.exe"	uwpbifuwmovi.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

uwpbifuwmovi.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jre7\README.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Common Files\System\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_ReCoVeRy_+jefsj.txt	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\GetRevoke.ods	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\_ReCoVeRy_+jefsj.html	uwpbifuwmovi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_ReCoVeRy_+jefsj.png	uwpbifuwmovi.exe

Drops file in Windows directory 2 IoCs

Processes:

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\uwpbifuwmovi.exe	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
File opened for modification	C:\Windows\uwpbifuwmovi.exe	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeNOTEPAD.EXEDllHost.exeIEXPLORE.EXE09e28e9a94fee8af07007497677976fc_JaffaCakes118.exeuwpbifuwmovi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uwpbifuwmovi.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434021348"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50141942a914db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000013b1c6a5cf6ee253c5a749c4b0a2a6aeb282fc843863b61adfcc05d987e9554c000000000e8000000002000020000000994e1d3470b62bd5eac15b3bdb861cba917eb1b31b9a8c15521d5b10227cc2ea900000004fd3b694a27a7530a8172ca80b48fe84087a19b93fd5366c913adf8439d49d9eef7900b1d7e0013e3f0f46fce9f277ca4927c466be85ea06f0ac5e4c32e77bb8b3403483b1ae0d60bdc1e63a9e0663b51fba1e12429d6edf19d68e54ed4d2957ebbe877a425565260773be68d1b0d41551276451fb924c5a07ba142c4e0cc22c4eea0bf6604b91ac19e44093c48199ae40000000a5f77634f8fef7946ef3ed23cae5a8d945535d4719ce1126ea0f1a3b1129720df80c2968fac9577d3d4cc62567a1e22cfce82c05778e2ffe17101adfecda8350	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000e4beaecc9fbc697fac3277f6a1472cc00a06099d0eccc29c386f8a4391b39866000000000e8000000002000020000000859c295427707801e8596ae27586135e50502c175c0f208f0e1df2cf72f06920200000005a68bc1cd3360306d22a42c731782d20b1f64f354692f19c2951122d2741ca7940000000222bde3739de7817604304d04ddcc8edb30ffceb8bf9231f2e9a148f5878efa1dd86b2ab587d57e86386154dcb6eb5ddd4673cc0caa442fefd5cd4d37ee2cda7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D9353C1-809C-11EF-A3C4-46BBF83CD43C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

uwpbifuwmovi.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	uwpbifuwmovi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	uwpbifuwmovi.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2196 NOTEPAD.EXE

pid	process
2196	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

uwpbifuwmovi.exe

pid	process
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe
1224	uwpbifuwmovi.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exeuwpbifuwmovi.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
Token: SeDebugPrivilege	1224	uwpbifuwmovi.exe
Token: SeIncreaseQuotaPrivilege	3028	WMIC.exe
Token: SeSecurityPrivilege	3028	WMIC.exe
Token: SeTakeOwnershipPrivilege	3028	WMIC.exe
Token: SeLoadDriverPrivilege	3028	WMIC.exe
Token: SeSystemProfilePrivilege	3028	WMIC.exe
Token: SeSystemtimePrivilege	3028	WMIC.exe
Token: SeProfSingleProcessPrivilege	3028	WMIC.exe
Token: SeIncBasePriorityPrivilege	3028	WMIC.exe
Token: SeCreatePagefilePrivilege	3028	WMIC.exe
Token: SeBackupPrivilege	3028	WMIC.exe
Token: SeRestorePrivilege	3028	WMIC.exe
Token: SeShutdownPrivilege	3028	WMIC.exe
Token: SeDebugPrivilege	3028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3028	WMIC.exe
Token: SeRemoteShutdownPrivilege	3028	WMIC.exe
Token: SeUndockPrivilege	3028	WMIC.exe
Token: SeManageVolumePrivilege	3028	WMIC.exe
Token: 33	3028	WMIC.exe
Token: 34	3028	WMIC.exe
Token: 35	3028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3028	WMIC.exe
Token: SeSecurityPrivilege	3028	WMIC.exe
Token: SeTakeOwnershipPrivilege	3028	WMIC.exe
Token: SeLoadDriverPrivilege	3028	WMIC.exe
Token: SeSystemProfilePrivilege	3028	WMIC.exe
Token: SeSystemtimePrivilege	3028	WMIC.exe
Token: SeProfSingleProcessPrivilege	3028	WMIC.exe
Token: SeIncBasePriorityPrivilege	3028	WMIC.exe
Token: SeCreatePagefilePrivilege	3028	WMIC.exe
Token: SeBackupPrivilege	3028	WMIC.exe
Token: SeRestorePrivilege	3028	WMIC.exe
Token: SeShutdownPrivilege	3028	WMIC.exe
Token: SeDebugPrivilege	3028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3028	WMIC.exe
Token: SeRemoteShutdownPrivilege	3028	WMIC.exe
Token: SeUndockPrivilege	3028	WMIC.exe
Token: SeManageVolumePrivilege	3028	WMIC.exe
Token: 33	3028	WMIC.exe
Token: 34	3028	WMIC.exe
Token: 35	3028	WMIC.exe
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1244 iexplore.exe
204 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

1244 iexplore.exe
1244 iexplore.exe
3044 IEXPLORE.EXE
3044 IEXPLORE.EXE
204 DllHost.exe
204 DllHost.exe

pid	process
1244	iexplore.exe
204	DllHost.exe

pid	process
1244	iexplore.exe
1244	iexplore.exe
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
204	DllHost.exe
204	DllHost.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exeuwpbifuwmovi.exeiexplore.exe

description	pid	process	target process
PID 1016 wrote to memory of 1224	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	uwpbifuwmovi.exe
PID 1016 wrote to memory of 1224	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	uwpbifuwmovi.exe
PID 1016 wrote to memory of 1224	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	uwpbifuwmovi.exe
PID 1016 wrote to memory of 1224	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	uwpbifuwmovi.exe
PID 1016 wrote to memory of 316	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	cmd.exe
PID 1016 wrote to memory of 316	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	cmd.exe
PID 1016 wrote to memory of 316	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	cmd.exe
PID 1016 wrote to memory of 316	1016	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	cmd.exe
PID 1224 wrote to memory of 3028	1224	uwpbifuwmovi.exe	WMIC.exe
PID 1224 wrote to memory of 3028	1224	uwpbifuwmovi.exe	WMIC.exe
PID 1224 wrote to memory of 3028	1224	uwpbifuwmovi.exe	WMIC.exe
PID 1224 wrote to memory of 3028	1224	uwpbifuwmovi.exe	WMIC.exe
PID 1224 wrote to memory of 2196	1224	uwpbifuwmovi.exe	NOTEPAD.EXE
PID 1224 wrote to memory of 2196	1224	uwpbifuwmovi.exe	NOTEPAD.EXE
PID 1224 wrote to memory of 2196	1224	uwpbifuwmovi.exe	NOTEPAD.EXE
PID 1224 wrote to memory of 2196	1224	uwpbifuwmovi.exe	NOTEPAD.EXE
PID 1224 wrote to memory of 1244	1224	uwpbifuwmovi.exe	iexplore.exe
PID 1224 wrote to memory of 1244	1224	uwpbifuwmovi.exe	iexplore.exe
PID 1224 wrote to memory of 1244	1224	uwpbifuwmovi.exe	iexplore.exe
PID 1224 wrote to memory of 1244	1224	uwpbifuwmovi.exe	iexplore.exe
PID 1244 wrote to memory of 3044	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 3044	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 3044	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 3044	1244	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 2756	1224	uwpbifuwmovi.exe	WMIC.exe
PID 1224 wrote to memory of 2756	1224	uwpbifuwmovi.exe	WMIC.exe
PID 1224 wrote to memory of 2756	1224	uwpbifuwmovi.exe	WMIC.exe
PID 1224 wrote to memory of 2756	1224	uwpbifuwmovi.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

uwpbifuwmovi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uwpbifuwmovi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	uwpbifuwmovi.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\uwpbifuwmovi.exe
  C:\Windows\uwpbifuwmovi.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1224
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2196
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3044
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\09E28E~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jefsj.html

Filesize
11KB

MD5
d26aa13777022720060f2f0c00b493ad

SHA1
026ae34a035e5f9d01bb9b26ea7dadd880f558c2

SHA256
482eaf50cea13d123e8e68223cd817db450c93e8f4b34e861b08d6d4407b7216

SHA512
d83a1896aed9d32c1a71bf18e552a4db9c27adbdc7247c43e7b440d320842a740e6a5da403b4dd4fd960e673a5e91fba78a81570505f2481fd4ac8aeb8148a0c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jefsj.png

Filesize
61KB

MD5
cdda61a22e55f60b618745112a169210

SHA1
1a0767c246a185dadd2661708c7a205433365803

SHA256
c3f332e52e86fc6e3e637f8fd189e393224195de38b2e71ccdccb3ce4519f4a0

SHA512
d926db52e35a73a5024fa1567c913b87747ca6ca38e6b4b34a9c5f8c90c6a4fefcee830f04c40cf615630a0a95b2c7db1f96547d316a2708fb8812f530ffb72f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jefsj.txt

Filesize
1KB

MD5
53b10b785e7a046cc5abc2f8ca45d17c

SHA1
5865b3438b227a1a150e84e9b6cd8a805e90a5a0

SHA256
da764873007f8d6cd1afef6509ad1973a9b203b6b317955717029ea3753e8bf3

SHA512
611ed3d14478e7e79c5aa77b466adf3c6e7a91dc2f3961316ecfc7d34a88fadfe58e310769d8cc4029f8b5aecdec31c689eab1238ec800f0da29951baf97265d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
7dd97e1c32b4fd1c346f85e1fc87438d

SHA1
86e65d30886708e88336024e09ca58a6702f2f26

SHA256
fd6e92431d96dac6826861a1595fef115538bfd1705dacc0dcd64c1e955236e0

SHA512
ab6a3a14a63f2e2c6fa34e164352065112708493a6a840b832ab085f51a22a8b87bb62a2acaa6e2873c78f2866c688c269105ea6b7f3b6512c0a1bf63dd577ec

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
075ca973d6feeeb25bb16ea1e15d4337

SHA1
37e26e1e4129f203f521a6f61c0adac98c3bf0ff

SHA256
fe87d9a363f6c6c21130baa5a7c46c189148aa4d3d2d3fbd686184c09318e170

SHA512
b3166701e34a5a9cd077805fc186f80790901cdfd5a5177fa880200cd79e1cafed51d12c6a312d435b60daec7d463f5f82a0b710f7927539caae8928ff36c360

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
f2d8d4cfce16ec2d27db4713a4b4b819

SHA1
426f40050b8901a997daa394573af30fdd18f4f8

SHA256
f5cc03cf75d29377fb3e005a8d236580e640dc9d0d8b0789b8060e41a5f3002d

SHA512
be65f85bd8acf43e849706c00e73d910a455838d2f1f98c480172db6a350740ee60ed2f34c771b3532adeafe02f4118c487d79e0c8cfce3acf0b57cd06952a99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
bcac397b9693e8965d82c29181ba2ce6

SHA1
7f0e29f1ca6cee5d11c80267bae145db4c57df92

SHA256
a414331ec994307e3ecf7ca4517b4f041201dd07c5402f8e4275b5ddbdd3a77d

SHA512
0767a0cb4c7c11190676dd2bdf1782b08f1cbe340192085f8cc05830b91cbfcb71d2dbe6058c7640e7aad54a08a54f261aa8d42e56452fc25ca238ef3a1aaa03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
729e77c01f32eba3f780e567d8aa1a90

SHA1
eb5947a3a174d4b5322c6f14bd8f65cf960de859

SHA256
0a32cc3957ab258fdb959f68b6d5e3be9e72bd6d2c60ca586d906e3ac17f455f

SHA512
e864d1ebb3ecdb516235eedcf2310c7b9a482cf628769a58ecf4a2559ed0f86202b581fdb4f97d603ae06b84ef1f5ed086a9973427448e5d524dfac08134ca6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d696588a4f4b96166fae7617590f1a89

SHA1
a9bc00bd1a2d0862c030719ebb12416dcf52b26f

SHA256
d4889b8df97b852a12429f8c1c7672d198d4d10de432380b8e5a52d2ba8d8066

SHA512
91f4d53cf2a8811b45d0194ad9b9274629ea3375baabc5859f2165fdf1ac13a264906a898d4e9a2dca0d3de3825c7a0d4eb629a2b043443cd53630a7dfdbc522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fe3b8d7a2fac1a430c23acc3839d3aa

SHA1
e9fd1b4aee3d52d4e68d0d30bb6e773f681aaec2

SHA256
fa63012b0be0188e4543226ef7329d8ba9d185270bfd36da2f9b1c2575db99d0

SHA512
5aea72ca2b0c21e8244ae8e3884a6385e4b7ad912183c1c30b9f9121babda41424a39274e78dd4e79135d3432be44f93001a50d9b57c6b2801613e38da4a1dad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3f21dfb9d636fe3db8156620ce258e7

SHA1
a2c1675c45e9fbf76832ca50ffd23af07bc5d755

SHA256
77b38afffdc392d6f06d012a5212268f53e34b6af437de8e8339846788b93cda

SHA512
f99c776a0a8e839552a9a96f94c86fcaef4b75859a2ce6646240388101cd4c16cd020d6197f40ed80e5ec8540c23b80240dbfc08e877c4c0c4df5952918d0244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bc277021b03ba8535f1198af35668cc

SHA1
94cc81b64af28835a01ba0c54ffe77013ad24997

SHA256
f122c961097316bd99a728a3db76a17330319ec8f6c444d9d0aea05155fba3a1

SHA512
046e7958e03fc8ab37f3250a0d977983ce1d5bbaafd9d3e677735d2f0b30a16757f7192a0ea3a00720e9558cba2f064b2ab3c044080560dd3bbf8668ce9fdc31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6feec13bc39f4a9c0047e225817ec9c2

SHA1
23cff1baa13a32d6e6096abb4bac17a8c709e49c

SHA256
b6e7facf9d6343c67db40d205e2e650916ad26301d6272c2c5bf8e93fb82046c

SHA512
73bc672d05fe9bae0033b060e14d0e95a4b8118e2e74e5ab7ee0cede1b9c3426a580072d280e243b7988ba3a4eddb6f6bd9888915df883a95b5d0e36291a33c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b77ecd0bdbae9dfd18e1cde5047dbfc

SHA1
6610ad3579edebf3ffa646bd3eba8ae45bb623cd

SHA256
9c1842ea6e0698b7c988c416c244594588d653195f59faf6195d07ab7e5ace30

SHA512
8b5dad00ad1ebe9a9794b39664fb6634d2578e73b1b5b188e590ba78ef63268e2aa8db4503bcbf68d6b0b977fbdb22e990029023d5f72ef84cd55f0501c8e7fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10cb63a571701ada47bfd3916309b631

SHA1
e7e01eaddb102f2c642baf24cbe8d4f92a61740a

SHA256
c2d81987638d7427f456faace95b4134af92d7a04519fa2111e74d8362124d18

SHA512
1f647fbff9a1778b565ce3523e64c7613279636d376a3bb52441e0951022c3786ea45be8c7ddd493641bf2fe104694067784b2fda3c7e451c24606d7434d3626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ba261694d54fa8799017a855ef62f2c

SHA1
1b29d410d8c8df9ac5d3537a73f166873bfce60e

SHA256
a32aa615c5c7133bafb4b241bcaeee1acce6d25fcb655fd5de288c50c920cf8a

SHA512
67038a4765840cb976af3b389c550bc9e8b7bca82c4a68ada950818aa3524912acee148a19adb58ce60f51b0ec39b99d63379629d4d661a38d35f12056971466

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b9d73316a97b1413fd8d765fbf608e9

SHA1
9b12178fe6bd2401495f2867aa9188a46b7f87cd

SHA256
eeabf44501f7cb7315f080683eef97f520eb8510c7dc4ce51e1b94408d7f287a

SHA512
2ced03e2debdc5fca47303a3f8f6ef68e97c06eb0d9b82cf735bffe5be9c362f06985606be7754948a249259faaef90b71121bde37229c6bc370611e525b18b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13a6559a530d4598efb41b22a5ee5a25

SHA1
674c7621ce9939979e4b968d8b091402cb032145

SHA256
04e7f7df746f07a7c84f998c32a24919479af064803bb2467a8bc4a315c9796c

SHA512
d09ef559a015898c81876e91e34c4e2445070bad91c68f17991f67eab89aaa4c39f6c482e38e3a67a0f188f106861473d9882a0247dd18a79a6a0ba23849dfec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81472b0b262602a64538b6f27f32d87a

SHA1
04875171dcfd0d7d97d96f0627883f6a6f59d679

SHA256
d79c707ba680d8f973cb6d996d2821fe14cdb531049f7a6241c005f2561007de

SHA512
24c64be2ced4d3c477c69b3a54133baf5c99674327c41729ccfaf7577ff6507e9a837649c6b6a2d0e2fcb8aa6aff2ebb5c3821e07a4e136cd2b7a7ef1c780b29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5665802b43fafa9a4245535f494ba9b4

SHA1
e267126599fe7bda7fe950e23326537a50090dd5

SHA256
e0874e8999dea5c19df06a9f1c065a463ef186439471e1e7e7c029384fd656e5

SHA512
1f900f20ca22c24055d5b6cba06a62b1588787ef10f814ffdcc97ec524efe499a06e644074ee67573c6afb322d643b2468a66905ae7ee0ad0884e8cbb7df3edf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c08ad60ef2cd2d0e79fb37cfde0d7bb2

SHA1
93579a5997ec98f78c55c154bb3552a032edb044

SHA256
5cf13dcdb4a290c6bd323d006a3c11de2375b5ad677be5052475e74928ecde63

SHA512
5e8b6a20bc04b78c9dd6360f7548252930182c20d93f6cef31a2de19028ddca5bb8ba92e2f3b9125afec9e3766ff8dd52bde87475d95a8da20c7982b933d251c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfeb5822cbb8bc7507fdfcd3412d0c68

SHA1
0633d658472beaa763404e49309702f1cb467ce8

SHA256
c556a47bc4bac4bfcf077f789aa245f5999aee8acd0fc2218b1e25d1c5f68830

SHA512
075a79ec7f23f63175e2998c0caff0546c170d9c02664af7b83174e2cd912d30a87283ebb6540095cb41fceaf2c1018daf85ee5b9ec887473a8ef2c4f065ee97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34d02b48b898bdca523a84a9e75d3534

SHA1
b1635685f4ea4db8106e5c97b779169651a79608

SHA256
22d2eb189f0858afdfd3d44088481f8dcbc4d30c9640a1955d2aed9c6b0b69dd

SHA512
681a2afbe12c324301a46bb7a2e48615f175bebc75487a4813b87af0de5c8809e5a93b10a5ccfd486df5921dec6dcccdbeff81e543388ef32fcecf48689ef50c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c8b63b021e05229d68a872764b89464

SHA1
16dda503b01efda1bf55799096ab82376a98b6ca

SHA256
b593e6075b24de5b744ac6a1c7535372e24b964affe16bd4b40011d0f324fa30

SHA512
ba5c6ae4856ff7047893c0f40595cce0d226bf111d1113bfda02446cc7a16a7c430a959b51ce13e081c6d50842751e8128cd7141f954e724d39e6257953233a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
885858130d0f61bd79992c91aa814efd

SHA1
1ea232e61cd6c28f21bf500a2a4e110df689966c

SHA256
1b88ce52ca7d8db7bf53200c4f26ebcb4ad11ce58eb72c6fe23928ef11d0bead

SHA512
da684eeca394aed84d2fe80c035eab0ee4cc4789339cadd5ecd8eba9f69e3f7b28880f3306088b32eca3a21b4ef36964c5a24397025b8f1dc21452cbb220e89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90bcbeb58ed86704ed741f047f84d6fe

SHA1
d01b95e464b4ec3a1caca8a400baf57ae08ca54b

SHA256
ab75cb90e752552add26b060d7381abd5d4e6cd5d431d5f249d41b185b0d064d

SHA512
7beae601e9748ba93731c99a509875aeb7f8c2689a8123c290ad0ca646e8c1cc7bfb978094765b0173403f4dfcd95955155442d4e286e70b4da08dc7be2814cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d1be5485fe31152926cc66a954499f7

SHA1
518f7a62d413c750ee317b64310da739b096a3db

SHA256
ec9ed6fa60e154a4e29a9ac488e68e345ff59b831a66255d68017aecdf567c6f

SHA512
a4efb412626b1ca1286c900f7c25f527583ffdd049f42010cdeaf55cc7e9d1dc96f0379d501b9e380e62c50904af1afdcd78035e1638bc242736a74ad6f288d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f550fc8fcd2762c49bb6526dbd4a77d9

SHA1
ef598ba0b81a6d02902aa930c9b9b5ef3bec6871

SHA256
3d9d97e764ed3b8cc0cd7f62a10852a325d56ba135e135c46f6e30a40a69d4df

SHA512
5ecd22f46f286d5983006226183a593c561236db82de3e98418e90b0aa09bc8a1b897ab81cb4e4d192e97934f924c9a151683baf09a35238dbd2d7fcd74f02ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA2A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFA9A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\uwpbifuwmovi.exe

Filesize
327KB

MD5
09e28e9a94fee8af07007497677976fc

SHA1
383a448b39b3eb8917cf36661996ca2c933ae53e

SHA256
8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e

SHA512
a7a705bfa8cec58de945e86e82f2dcdb658b8f0b1d8aa606caf35e1d6860e2d3ea890c6d974dd8c692ae260d1d342f2ff875880a04f247290089c477cc9d4c02

Download Submit
memory/204-6057-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1016-0-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1016-3-0x0000000000580000-0x0000000000606000-memory.dmp

Filesize
536KB

Download
memory/1016-9-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1224-6056-0x0000000004270000-0x0000000004272000-memory.dmp

Filesize
8KB

Download
memory/1224-6497-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1224-2213-0x0000000000280000-0x0000000000306000-memory.dmp

Filesize
536KB

Download
memory/1224-5749-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1224-10-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1224-2212-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1224-13-0x0000000000280000-0x0000000000306000-memory.dmp

Filesize
536KB

Download