93b91360c51ab11e9ba349cfa48fdf44a356c2c28bd9d988a500c98e29dd0b40

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Size

384KB
MD5

2714dcb562108786d363129ba91aaeb2
SHA1

fbe0353bc336d0e6645ea543113dc626c6d69818
SHA256

93b91360c51ab11e9ba349cfa48fdf44a356c2c28bd9d988a500c98e29dd0b40
SHA512

ad2bdbd6ff19388ec2f8c9e233948b8f71998a6f1cd82d3cf79fef011dee3c97c7789db27aed93b3f20d7703d9eb94900a04727be2ac8922aee37b0c4b0041db
SSDEEP

6144:CGJQSv0GhSHcF8BYmZROmg2WoitHdy+n0wCdSz/lhUl2YLNSxEVXq3tu0bpO9w4Y:Ci0GhgcF8B5ZROthZ/EJaCX90lOi4zUH

Score

10^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ihbiq.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/57EEDFF8C1A4554B 2. http://b4youfred5485jgsa3453f.italazudda.com/57EEDFF8C1A4554B 3. http://5rport45vcdef345adfkksawe.bematvocal.at/57EEDFF8C1A4554B If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/57EEDFF8C1A4554B 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/57EEDFF8C1A4554B http://b4youfred5485jgsa3453f.italazudda.com/57EEDFF8C1A4554B http://5rport45vcdef345adfkksawe.bematvocal.at/57EEDFF8C1A4554B *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/57EEDFF8C1A4554B *-*-* Your personal identification ID: 57EEDFF8C1A4554B

URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/57EEDFF8C1A4554B

http://b4youfred5485jgsa3453f.italazudda.com/57EEDFF8C1A4554B

http://5rport45vcdef345adfkksawe.bematvocal.at/57EEDFF8C1A4554B

http://fwgrhsao3aoml7ej.onion/57EEDFF8C1A4554B

http://fwgrhsao3aoml7ej.ONION/57EEDFF8C1A4554B

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ihbiq.html	bolojlmiduoy.exe

Executes dropped EXE 2 IoCs

pid	Process
2692	bolojlmiduoy.exe
2512	bolojlmiduoy.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\neberndkbqdh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\bolojlmiduoy.exe\""	bolojlmiduoy.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2692 set thread context of 2512	2692	bolojlmiduoy.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\it-IT\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Google\Chrome\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\es-ES\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\Recovery+ihbiq.txt	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\Recovery+ihbiq.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\Recovery+ihbiq.html	bolojlmiduoy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	bolojlmiduoy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	bolojlmiduoy.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\bolojlmiduoy.exe	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
File opened for modification	C:\Windows\bolojlmiduoy.exe	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bolojlmiduoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bolojlmiduoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6239B1C1-8607-11EF-8B05-6E295C7D81A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000081702458293800b83f33f26cf367f08de680c7870349cc15baf681a43027bc57000000000e8000000002000020000000616bb73aa7711804e23914e20bb4d4ff29da33fcb09daec0bc3c11dd3fa9b9499000000075f1281124894e3de0979ea1c1154162eece211c9310bfed7bbb973b0b67a176f5a2ff713454b4142e2f89a05cb03c6e8fdaaa59a68bf37c6e95c250b5580ec0d8e032b9ccd094322fba925b774c2511c58f5e18cae52c2cf22a575bf7e25e5486d8e2a6961145db3cbf7ac9349ba3ca1ca997ef323d15a660f3e27cc58507ed3c93c7b305a45f88e4b98b6b4550baf34000000015f333f06fd1dd7e11f03a3e4205e37fd0f4d0f110d9d03fb12a3d56d42a9ed9d65f73a91cb0bdb45e50d0f6c41aa5de643932fa2cd52191c60ff9c49eb3b7bf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b4a736141adb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000008b4c7b792a4a72f07a2a80b5b7b047ad74ebe95ace37db56495c25b26b198813000000000e8000000002000020000000884f18615f23eeecf1ff505d4ebaa146975be11ce50ef56ff120a83aeaac004d20000000db2106341ed4f0e615ef3354b307b8bb22ac64893903020b5c1e3315485a1129400000005ca7e9d4cbd1afe9419fc8d83fcf1842b2324ed5a5bc279911b14af4a15712869bba1daa49a0a28fe4ab5d1eae0e9bdf6d1cc21935630ae7cae41f7e68598e5e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1556	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe
2512	bolojlmiduoy.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Token: SeDebugPrivilege	2512	bolojlmiduoy.exe
Token: SeIncreaseQuotaPrivilege	664	WMIC.exe
Token: SeSecurityPrivilege	664	WMIC.exe
Token: SeTakeOwnershipPrivilege	664	WMIC.exe
Token: SeLoadDriverPrivilege	664	WMIC.exe
Token: SeSystemProfilePrivilege	664	WMIC.exe
Token: SeSystemtimePrivilege	664	WMIC.exe
Token: SeProfSingleProcessPrivilege	664	WMIC.exe
Token: SeIncBasePriorityPrivilege	664	WMIC.exe
Token: SeCreatePagefilePrivilege	664	WMIC.exe
Token: SeBackupPrivilege	664	WMIC.exe
Token: SeRestorePrivilege	664	WMIC.exe
Token: SeShutdownPrivilege	664	WMIC.exe
Token: SeDebugPrivilege	664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	664	WMIC.exe
Token: SeRemoteShutdownPrivilege	664	WMIC.exe
Token: SeUndockPrivilege	664	WMIC.exe
Token: SeManageVolumePrivilege	664	WMIC.exe
Token: 33	664	WMIC.exe
Token: 34	664	WMIC.exe
Token: 35	664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	664	WMIC.exe
Token: SeSecurityPrivilege	664	WMIC.exe
Token: SeTakeOwnershipPrivilege	664	WMIC.exe
Token: SeLoadDriverPrivilege	664	WMIC.exe
Token: SeSystemProfilePrivilege	664	WMIC.exe
Token: SeSystemtimePrivilege	664	WMIC.exe
Token: SeProfSingleProcessPrivilege	664	WMIC.exe
Token: SeIncBasePriorityPrivilege	664	WMIC.exe
Token: SeCreatePagefilePrivilege	664	WMIC.exe
Token: SeBackupPrivilege	664	WMIC.exe
Token: SeRestorePrivilege	664	WMIC.exe
Token: SeShutdownPrivilege	664	WMIC.exe
Token: SeDebugPrivilege	664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	664	WMIC.exe
Token: SeRemoteShutdownPrivilege	664	WMIC.exe
Token: SeUndockPrivilege	664	WMIC.exe
Token: SeManageVolumePrivilege	664	WMIC.exe
Token: 33	664	WMIC.exe
Token: 34	664	WMIC.exe
Token: 35	664	WMIC.exe
Token: SeBackupPrivilege	748	vssvc.exe
Token: SeRestorePrivilege	748	vssvc.exe
Token: SeAuditPrivilege	748	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1676	iexplore.exe
3024	DllHost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
2692	bolojlmiduoy.exe
1676	iexplore.exe
1676	iexplore.exe
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3024	DllHost.exe
3024	DllHost.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 2868 wrote to memory of 1756	2868	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	30
PID 1756 wrote to memory of 2692	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2692	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2692	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2692	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2648	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	32
PID 1756 wrote to memory of 2648	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	32
PID 1756 wrote to memory of 2648	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	32
PID 1756 wrote to memory of 2648	1756	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2692 wrote to memory of 2512	2692	bolojlmiduoy.exe	34
PID 2512 wrote to memory of 664	2512	bolojlmiduoy.exe	35
PID 2512 wrote to memory of 664	2512	bolojlmiduoy.exe	35
PID 2512 wrote to memory of 664	2512	bolojlmiduoy.exe	35
PID 2512 wrote to memory of 664	2512	bolojlmiduoy.exe	35
PID 2512 wrote to memory of 1556	2512	bolojlmiduoy.exe	43
PID 2512 wrote to memory of 1556	2512	bolojlmiduoy.exe	43
PID 2512 wrote to memory of 1556	2512	bolojlmiduoy.exe	43
PID 2512 wrote to memory of 1556	2512	bolojlmiduoy.exe	43
PID 2512 wrote to memory of 1676	2512	bolojlmiduoy.exe	44
PID 2512 wrote to memory of 1676	2512	bolojlmiduoy.exe	44
PID 2512 wrote to memory of 1676	2512	bolojlmiduoy.exe	44
PID 2512 wrote to memory of 1676	2512	bolojlmiduoy.exe	44
PID 1676 wrote to memory of 3052	1676	iexplore.exe	46
PID 1676 wrote to memory of 3052	1676	iexplore.exe	46
PID 1676 wrote to memory of 3052	1676	iexplore.exe	46
PID 1676 wrote to memory of 3052	1676	iexplore.exe	46
PID 2512 wrote to memory of 2556	2512	bolojlmiduoy.exe	48
PID 2512 wrote to memory of 2556	2512	bolojlmiduoy.exe	48
PID 2512 wrote to memory of 2556	2512	bolojlmiduoy.exe	48
PID 2512 wrote to memory of 2556	2512	bolojlmiduoy.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bolojlmiduoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	bolojlmiduoy.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\bolojlmiduoy.exe
    C:\Windows\bolojlmiduoy.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\bolojlmiduoy.exe
      C:\Windows\bolojlmiduoy.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2512
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1556
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BOLOJL~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2714DC~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ihbiq.html

Filesize
9KB

MD5
39f2781da371bafd390c086afb1c6307

SHA1
e0607edc4ed312421cef25e97fcc55bfe62926f6

SHA256
a44e05ef78697bbf847d79ac1239dc12479d67f1d229ce0eec1619c0c3b8417e

SHA512
9f8367189b5677a5a9932d3fe2f5a503ed16faf76cab0a617c7bfd637c34b2cdca86ae77491019e9606c43d99c4a54b3abb80b9f6cf7a8571f2c0216c575f723

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ihbiq.png

Filesize
68KB

MD5
fdaacbf912f565a096ce1c5ef94a43e3

SHA1
c1166ae3bb2421fccb5314aaab0caae297a15897

SHA256
40102dc04f3b3006499ae6a81a3e601007d3e0223ebaa4ff357226900c99bf5d

SHA512
733ecc139e812aeece0fc5448f5d828f7fefc899aee8113cee48169b9d02fd72525aab834a416484d6e867d87df66d0a4eb98f3b54ae56c4176f2f2f7760fc57

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ihbiq.txt

Filesize
2KB

MD5
5264d566d0ce7c01fb05655f5a726e38

SHA1
2b730b0fee05e1e73012d1a7a800821747b3ba2e

SHA256
c3a370878657ea620e673952422af5d97468e0f26fb5935b645d66c29599d700

SHA512
e8d573bc2fed652a3210623c1898cc87d5bdf9a7bbe1b9c4da8d408d2a3b2b010ac0a07f86ab253e82bf99f2514cbaf6699d62c5e65f4d1faa5979a2781546a4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f95362e7e9640f7b58021d89a4682fee

SHA1
99ccf6dc7d79b4ab640cf03350e35412101b2006

SHA256
200664a39a0120bea92927f11143926b4838bdd05cae26904b3677b0d529bdf7

SHA512
8ab04ffdbf08550c3a6b36b8ab0e631b1f5fdf17780a8f3189e5448a2b8eb5fa2440ad48f39ad3c53d95f4c42510e58de3983c0d8f0723fcdfc4181bb6d7164f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
86bf6c0395418e51f76cdc8eefeee432

SHA1
1124c2fe59a6398e9bfd17b85c1f798b072462b8

SHA256
6664875de614613158b8d76271309afe4f595a6542b144d57e3f04c4c47cde61

SHA512
724824685fd16bc2f0d68d3e3805e5142d228cbe5947dff8ddb717196814e5a5d98c9d8332654613f007d844f92e445788bf58659a4c22a90aba9be5847ead38

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
65c8166292e6ff5431262077172b1688

SHA1
19fd841249086e4eba748af25b6432dcfd9c18e0

SHA256
ae732b63c203de7904c1cbeb724686494c8ab44fb1f854623aa6826c0af41363

SHA512
9cb4684e958905c5b63e7cb96b594434cda38e6dd600246aaa70272e1ea39f6f92ffc36da214eab3d522bbc7b5977558d14f7e0422796b00484fa73301a29a52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75ab6c6764ede0c2eaebcc3e4e0fb24f

SHA1
c221b112c1a3cb3601c782476061842eaf89ff01

SHA256
9c7bdca39d3493f875bb561e523f1e10c95553d4b7f42e89322e551a1d1728cd

SHA512
881415bf15b4bfaef56a16f6616c020fc3ffa390edd95a0ca03f4a9381d8013228457f09411f8e19648216f6649f43fb9a1dda7e0bd00ac8227cabcb833490d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
757d24f38382ff8d0a09fb2bc8efdd22

SHA1
a557326f367b562a1b8b60204697c94cc26b858c

SHA256
d2768725a244a3b3aae6ab11b877d74682c8a5cf9c47f6a7697a770bf4b6a9c8

SHA512
6c6a2e28a0894b38a2179c74eec185c40761d3fb8d8dd12841e204f6a87d785ac443711c6794097fe886874fba2e18679b333176a3f8a856aa7c3005aae4b5d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
813c9efca155953d10b9e78fd66d27b7

SHA1
96638183177b54c3dad9fbe1a84cef96af3b3477

SHA256
330fdf63f849964db1dbd9810325a67c357e689961455acee8192bf318cba5ab

SHA512
7ff889a84449dc12986882bf705df0592695300fd5fce025c4b38d180a932bfc29a93dfb6a660e54b66fe59937007f9b91dd918aaec467e488da5f32031e0199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74929c143e69cf9ccb997122e99ba1d0

SHA1
c3f695e3c23d406eafd58a959d3ce5a4240054e8

SHA256
f1195514ef10cabd62c4ed52ed789887e829e2569bc75b01cbc467e5bf7c9ef4

SHA512
920ee2bef18ad168cc0ef3e7b9cddcff87a1dbfdffe31b0f035a939a08e764a42d6589b8f2f389f321894933991b77b53ab993a39379985bab4693d3de1c6310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e13fd7816b6964ee6ad971f347f6c7a

SHA1
29dc00b119fbf986e10eaab0edd6969afde0e047

SHA256
d3fdb42d0d2c82620123a6646a3109a1e9c0f54d0c3d3ecee22ca9ee0802d0cc

SHA512
398a70b7c7d4b13db41f0867856ce915a9500d43d3ad2dc733caa0820de4378639930b13715248cd9caab0afcb582c57cc9a6b6691d471e35230fa58120f4e84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b25ae55d583919b5db8816135478d06e

SHA1
192e65ec80b0ecd723bcee93e6f99c8204b7d8b4

SHA256
9cc6c5369facddf0b90bd18b3030b214f61d79909dbd48c732b6e302649cc758

SHA512
5745303488393ddf86b4d0c4e711baf8155a5d8326ea0ad6847fd7b7aa0188b571b5ab6ed37d6a40c2e891d6092a9a02aa9387996f92fada9dcba46729670f38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b571fc2c4e7bcd5c1713c71f74959968

SHA1
7f779f686a36c55b4be7d0057ef9fba718f85367

SHA256
9ada426fa2010e30359af0cc486fb8b87e9c369a7fa41a85873592a3d7a103b7

SHA512
7cb89b65b7c3d3d0b66b7dc96e35732a3556338db603c0b32b5514a40dfe02825cd43077dfa6b173c50a75323acfba1b70888dd19511a83d3bfe6e051fd859b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39031670ac49abdace9dc3a4bf54accb

SHA1
12c5b7b21caf35455f6382819d450ad1cc9b6387

SHA256
50d0d50e23723cb593799e150655288b2e22107b6faa444067556a5f5370f40b

SHA512
8baad7be9b61038f07de11703bd9370b48b0727dd5fe8695319f0cb3fcb60c6a7c24d0f3e9e79617f00403718e49d11fcafbebbd47451bde7aa01147d46dac0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32f9f339275d571d0e4055254c147044

SHA1
d8740e14f100e4f0e236f557d4aa06849f6bf9d4

SHA256
13bce2c9c6e187930c7f3ed4bbc1b4a6e46a7e936e640383dd9ed57e4a227630

SHA512
7cae117903d5e680ffca3072170f7bba74e2086cd671c4617127a2cf48a3187c628ec948e7cc0154ed801222042cc86633728ff9d69cafff79d023a62c378f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFDE0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFDF2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\bolojlmiduoy.exe

Filesize
384KB

MD5
2714dcb562108786d363129ba91aaeb2

SHA1
fbe0353bc336d0e6645ea543113dc626c6d69818

SHA256
93b91360c51ab11e9ba349cfa48fdf44a356c2c28bd9d988a500c98e29dd0b40

SHA512
ad2bdbd6ff19388ec2f8c9e233948b8f71998a6f1cd82d3cf79fef011dee3c97c7789db27aed93b3f20d7703d9eb94900a04727be2ac8922aee37b0c4b0041db

Download Submit
memory/1756-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1756-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-6083-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/2512-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-4730-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-6077-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-6530-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-6086-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-6088-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-1662-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-1665-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-57-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-2301-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2692-31-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2692-51-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2868-18-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/2868-0-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/2868-1-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/3024-6084-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download