Analysis

  • max time kernel
    121s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-10-2024 02:12

General

  • Target

    5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe

  • Size

    326KB

  • MD5

    5fddd166f5b5931b2ab328cfd40e420a

  • SHA1

    fa92f4074a2ee7166b9dc9081707ba7a4e8956c4

  • SHA256

    4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910

  • SHA512

    57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c

  • SSDEEP

    6144:kt8UOo3u1PmgxfxNJpXSDV76nu9Ni/n5s5ojFHf9BW:kt8Po3utmgxf3JRSDJ6u6SWlo

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_xcafi.txt

Ransom Note
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://nasdki39dawk.oj998fh4txkjh.com/60B995ED1F28B6F0
2. http://awoeinf832as.wo49i277rnw.com/60B995ED1F28B6F0
3. https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: zpr5huq4bgmutfnf.onion/60B995ED1F28B6F0
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal pages:
http://nasdki39dawk.oj998fh4txkjh.com/60B995ED1F28B6F0
http://awoeinf832as.wo49i277rnw.com/60B995ED1F28B6F0
https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0
Your personal page (using TOR): zpr5huq4bgmutfnf.onion/60B995ED1F28B6F0
Your personal identification number (if you open the site (or TOR 's) directly): 60B995ED1F28B6F0
URLs

http://nasdki39dawk.oj998fh4txkjh.com/60B995ED1F28B6F0

http://awoeinf832as.wo49i277rnw.com/60B995ED1F28B6F0

https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0

http://zpr5huq4bgmutfnf.onion/60B995ED1F28B6F0

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_xcafi.html

Ransom Note
<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <b><font class="ttl">What happened <!------sfg2gdfstw5ey3345 --> to your files?</b></font><br> <font style="font-size:13px;">All of your files were<!------sfg2gdfstw5ey3345 --> protected by a strong<!------sfg2gdfstw5ey3345 --> encryption with<!------sfg2gdfstw5ey3345 --> RSA-2048 <br> More information about the <!------sfg2gdfstw5ey3345 -->encryption RSA-2048 can be<!------sfg2gdfstw5ey3345 --> found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font> <br><b><font class="ttl">What <!------sfg2gdfstw5ey3345 --> does this mean?</b></font><br><font style="font-size:13px;"> This<!------sfg2gdfstw5ey3345 --> means that the <!------sfg2gdfstw5ey3345 --> structure and data within your files have been irrevocably <!------sfg2gdfstw5ey3345 -->changed, you will not be able to work<br> with them, read<!------sfg2gdfstw5ey3345 --> them or see them, it is the same thing <!------sfg2gdfstw5ey3345 -->as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. 
<br>All your <!------sdkfg3265436456hdfskjghfdg --> files were encrypted with the public key, <!------sdkfghd456334565436fskjghfdg --> which has been <!------sdkfghd45363456fskjghfdg --> transferred to <!------sdkfghdfskjghfdg -->your computer via <!------sdkfghd4356345643564356fskjghfdg -->the Internet.<br> <!------sdkfghd34563456fskjghfdg --> Decrypting of <!------sdkf45363456ghdfskjghfdg -->YOUR FILES is <!------sdkfghdfs4563456kjghfdg -->only possible <!------sdkfgh45364356dfskjghfdg -->with the help of the <!------sdkfghd4563456fskjghfdg -->private key and <!------sdkfghd43563456fskjghfdg -->decrypt program, <!------sdkfghdf43564356tyretyskjghfdg -->which is on our <!------sdkfgh34565346dfskjghfdg -->SECRET SERVER!!!. </font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br> <!------23452345dgtwertwre --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> <!------sadfs32452345gfdsgsdfgdfsafasdfasdfsadf --><b>1.<a href="http://nasdki39dawk.oj998fh4txkjh.com/60B995ED1F28B6F0" target="_blank">http://nasdki39dawk.oj998fh4txkjh.com/60B995ED1F28B6F0</a></b><br> <!------ds234523452345fgwert --><b>2.<a href="http://awoeinf832as.wo49i277rnw.com/60B995ED1F28B6F0" target="_blank">http://awoeinf832as.wo49i277rnw.com/60B995ED1F28B6F0</a></b><br> <!------wer234524353245terwtewrt --><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0" target="_blank">https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0</a></b><br> <!------sfg2gdfstw5ey3345 --></div><br><div class="tb" 
style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address bar: <font style="font-weight:bold; color:#009977;">zpr5huq4bgmutfnf.onion/60B995ED1F28B6F0</font><br>4. Follow the instructions on the site.</div><br><br><b>IMPORTANT INFORMATION:</b><br><div class="tb" style="width:790px;"> Your Personal PAGES: <b><br> <a href="http://nasdki39dawk.oj998fh4txkjh.com/60B995ED1F28B6F0" target="_blank">http://nasdki39dawk.oj998fh4txkjh.com/60B995ED1F28B6F0</a> <br> <a href="http://awoeinf832as.wo49i277rnw.com/60B995ED1F28B6F0" target="_blank">http://awoeinf832as.wo49i277rnw.com/60B995ED1F28B6F0</a> <br> <a href="https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0" target="_blank"> https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0</a> </b> <br> Your Personal PAGE (using TOR): <font style="font-weight:bold; color:#009977;">zpr5huq4bgmutfnf.onion/60B995ED1F28B6F0</font><br> Your personal code (if you open the site (or TOR 's) directly): <font style="font-weight:bold; color:#770000;">60B995ED1F28B6F0</font><br> </div></div></center></body></html>
URLs

https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (420) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Roaming\vcwtij.exe
      C:\Users\Admin\AppData\Roaming\vcwtij.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1824
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2148
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:1588
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:1728
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwtij.exe >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5FDDD1~1.EXE >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2300
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2720
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2336

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_xcafi.html

    Filesize

    4KB

    MD5

    dfc1f99caeda9f1caed116c2cc0c0a6b

    SHA1

    3b20f1f199d99e56f3e2368a7db540f9a82d66a8

    SHA256

    e7780198231855b5c208850b68b1d60076e3fd8fda2526546c1bfdc9c27544d5

    SHA512

    b7bd69667448355bab83d7857e8bccef90fb257cf81fbe3ba57c33125745349537b15da3f3e2319329fcb83d3eca312bc0960446900475874eb8eb3e72fb0ce2

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_xcafi.txt

    Filesize

    2KB

    MD5

    daedfb359adbb7a56d7f476e83305399

    SHA1

    9a66b26bc81ef21590a7db9aae18c31dbddc70b4

    SHA256

    2c5a0fe75edbb387fad51dc0735af49a25013870e0febeb2a57d05b4fdfcae5e

    SHA512

    a4279552e7596c465304d60851ce250408778cd8df1c0e150b7a2bc3ffa288e7b7bbf0d97cbd7abed5b07392631d3d0f3ab90357bea7aea7d309712b3946ca64

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    4cbe7c052971d018aaa583cc7065a6a3

    SHA1

    34d8bd86314b0bb4aaf46ac3592c836dd9a323a7

    SHA256

    a978d768a88cfbcab1549286b23223673c1391f7965a3444553dec561ba20f96

    SHA512

    069615a6927279256ca200c48283dbd0e7e942f79da1f38ea99a56ed5a92baa20f3210742f45f598278db4a5a5dd191a04fb7a27acead7d343f00972beebc72e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8624a484206006183aa06e5de9f29bf8

    SHA1

    21d0b56ba396f345ab6079a2cfaed37cc92453bf

    SHA256

    cd5af388df20d81efc2f3b2408ff28347290e022debdc5fea9b119d896aa7361

    SHA512

    a33c41a65b9dd3d11e65ef374329b28e2484dc6633cfeb541273fd629d5b74a9edcc626a73e49489e8f1b75a39e870a8a8c8d4ed2729328d8506d643c460882d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a77de13b4c8e16d3ec7f81e5f5f9a988

    SHA1

    3d7ccc370a47bf6911276eb466df39510740b19c

    SHA256

    dc2717c2aa3ea7dae0545cc485586869b48b73b92cdb5c173ad2121a85f7801c

    SHA512

    26bda65a745fd95404ba145416687474ef2c72c480289100afba13a6ff6ca3baf091859e2c39dde88107e94081ef9fdde20605469cb9c60686d4c01e2ec29553

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a8107179bd45b46fef5ff89583f7640e

    SHA1

    1ab6eebca3e72ae33efdfcfc915ed400102c9cd2

    SHA256

    3c59a424c91a5ecce77d22365c3c2f80e05d3bde519c127f160e509b8510b24f

    SHA512

    56564b8ebc343dd3c79adce6bd01c40319081ba82bb14e552ca56627bb6c9197add6a7224a34c6d005304b916f31dfd9eea020b4d29e377f3489b682d6050373

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3d3b70913d4f0c06245f6ff2fad9a45d

    SHA1

    f69026057cce773f147709f7ea08459a6bf7479f

    SHA256

    2d52ccef2877e5207bef8747861c45581e4e1f1dca909f212dd9b54c4bb3404c

    SHA512

    7fd546e35824dbe6f008dfa0a98d3fbdb44f28e5b56751d83430cf58690b369b1882312f607ef6933fa83e7ed24816cc39d8881480e651c63bd2b2a052e8d0e7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    423ba3d7188b7e45b73db8aa9598087f

    SHA1

    4868a3e33a5ea296b9b101ba829de390eeb121d3

    SHA256

    2eb6daa94224fcea30bf4607678e260edde219db74c62bac807586a356f14dc6

    SHA512

    1282b4a1db7ac08a7e884fc02915e6cbb02f37e72bea6088f5078898dd26535bfc2ed82a3468f9240cf80ea56e6b76d07194a11de31b8a23575cfa65f2d1d357

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4400e9092d10cfafc68195f0db73c398

    SHA1

    bbd39dbf69462abe43f7d68b34c94914b3444a6d

    SHA256

    f52db401574e91cfd93fb0ae2c23063bf5c4ed756c06fd015a3ae8e1126f2592

    SHA512

    f34a8980f452374c537bb9d1f5496fa302f6cf737162d1be169604157164e3f5daa4758ec9aee427c09cb631d85e223aeb88975b8eb507b00a3840c03db167bc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e5fe829b76d39bb70c7bca573790f52a

    SHA1

    3b347e79b1b15ba560191b0b3923e11bb6eb3e7b

    SHA256

    72f03ecdb474e7c40ccde5e95bc339484a7e9cf3168bc34997d38a4ce4f2d886

    SHA512

    884be5a08b8280798f3194794269407e6be4592d9b148bdc772142a5133df6d95da973adce5d6d3c3e29d02ad4c0d852e87b40385152bd7639ec745328f4d64c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b74168ec93132896e3705b206bcc0b00

    SHA1

    edca686bc7c19fa3fbde5c10dd0a4af0a554a0a3

    SHA256

    5ebd696c59cd86ed775830c4b3226a9732a64bb07dee85021399fdd4564701d2

    SHA512

    0a0f21d9e1f4c9ba817601e177a2d010792a4a481a4df50adc78b8ce566500257271b55e7b92780a4b2a3c3186ea82a66060c7684b1167a5f2b973ba99b863a1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fa642a92ac80704afe123f935c357551

    SHA1

    e042de8c4bb533c116e9de704ab94a79bb26e8f2

    SHA256

    8c5c1b9eede70fff653431b81d0eb41d55b760eab12400a38fa8ad054d3a9fa1

    SHA512

    35696ec74b61ab4bc1ce36e2213ffce1382d88581c91b5966abf9432d60f5d2173ab468f4f80a7d9dd9791f366f54ae509057479b37b3978ad50240ecb1a0c17

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f28482fc857d07fc81d5f86cc78f507e

    SHA1

    f78cf3c7dbf8a0b1e896f6930bb53b0b2a9b2d33

    SHA256

    10de88dab129d024bb364f882a5c87e8be4105b0794551aedfdb80c1b6db4063

    SHA512

    3da0e0d6de00fbfa3ccc7ef4bee430637a39e6e62a8cebf7863fc202a154117ef0604a69abe55821b131cd939e11af24a5cfa13afc17f25c6502715e537c624a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e69011b70e7fcfdaa5e63fd9a74197b8

    SHA1

    0c9a1be230244d3c5a435646ccaf4554e7d1e07d

    SHA256

    337a80989da6508d7766b072c30fb883c396c130ea0e82a0722016d8d81fbf1c

    SHA512

    71185e76f52643253c1aec939a488a6c6b9870eefc232dadc114148395ff658320f9136d2059464cd0cde9a2206f24837b0d789e47c4c0f78e453f2683d89b09

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f73fdc65607f5ffe0093b404013b607d

    SHA1

    cb567032545ae3de466f681da86604b4fa0f067c

    SHA256

    46ad4a1c5cc477be05b7495a09d9eb92e905c9fd88fb4fe43ed56b3cfc98a5f7

    SHA512

    fc6a276c8c56cd821dec845600293e403ab8f2d35fc4b1445553f249cfb583beb4c9f08acf7d4fd1c3e024df35871b68f1af5e081c96c09d975800859934428a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9074e302b6fbe941c0d3c8cd089b4439

    SHA1

    5cfe47de4f804b8adc272ca40ca2a9b305e51ecc

    SHA256

    f9f6c30234ef7c01e072909c6b1041fba477806fedccdf205e2415f7d4ce6092

    SHA512

    3fa398fef18a18c7b7dbd53de01cece0ab8ff8c04bf5e9aab2369f1fde4c673822b051b9ea685ff07de05f7d8c0e343fc3952603c4e7435b64c2087c5f047f65

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6712c299c84481174451f1a7293fa0ea

    SHA1

    0cf944a03774bb74410c252f04c397c9d34996c7

    SHA256

    8508b3a8046d77b9bdf38a668ae0230ca7201a85bfb890dc962da187fa1f9570

    SHA512

    64a31944c72d9c81b9c1a44c49c66089d5172c605b623cea621108cf6554ae3fbe8e8ddc2279156e97b304d261b6f2d0a62a3033a0f2dbaf1924f8aee226c3b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f3a0c73962909e9e353e8967850b75af

    SHA1

    13f765c818c7ef670e8c88e22b4d660ec19e2f9f

    SHA256

    71cd31172037209ba79738e141fc72e44b2247f80a470ae9336dd6ccc4f30428

    SHA512

    aa29b06703c7f393c3994152b9de6f91ce556ad5ac13591c3f42def92da35951b33a519702eb1b7ba470bcfdd10def353c4eb69931e48176de9827d4941531cf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    bf65e5f27e0c8de177d6a140c477cad3

    SHA1

    e9e876d5398d9be83a4aa92902f912e834ad5e6f

    SHA256

    ebac88ec42fa42b92355a616036db55d4541deaeab8733c8713067607181190c

    SHA512

    6e24a87376bcb9579b680c3c1e4c8cc7b987b103ef886d35c76c0cfc28e212504071f615e3771bbcd58f14a462dfb31cdb4bec8370718067e112ddad841b11b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    63d698c6ed3ada0fb04bdecc16b27810

    SHA1

    199f28eaf1a90967486a68a72d442a475d31813b

    SHA256

    5d6295f1e3d0b8fe61a8b8bd7d50ad890a0e6b54d0869702a387f0ee7fa82c2a

    SHA512

    dddfa233b78eb553afdf776cf018c1b1670a6b0531f360781817aa84f14e50e50e0edc9b12d90201ec7228ef67cb2cbc310cfe7a163d83ead258b0cd77a847c7

  • C:\Users\Admin\AppData\Local\Temp\CabD636.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarD6F4.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\Desktop\RESTORE_FILES.BMP

    Filesize

    2.3MB

    MD5

    83f953ede5aa47a9e3dcff1a69b55179

    SHA1

    d6ca8a94b5da3e5550d4d450019f06184bfc1a07

    SHA256

    714a8c262f2fc43ed8b56ebc0f107deedf3e86019815ae3774c09d5756f3f972

    SHA512

    d77110cb2fb958e36555e5ff2742a786f3c77a8b71833e58c5255a574f1cb21b6945be1dcb4257fb7aa8f01f1a38c8dfd93857065f057e2a0c062a470a918f0a

  • \Users\Admin\AppData\Roaming\vcwtij.exe

    Filesize

    326KB

    MD5

    5fddd166f5b5931b2ab328cfd40e420a

    SHA1

    fa92f4074a2ee7166b9dc9081707ba7a4e8956c4

    SHA256

    4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910

    SHA512

    57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c

  • memory/1824-2827-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/1824-4810-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/1824-13-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/1824-17-0x0000000000300000-0x0000000000304000-memory.dmp

    Filesize

    16KB

  • memory/1824-4348-0x00000000034A0000-0x00000000034A2000-memory.dmp

    Filesize

    8KB

  • memory/1824-4351-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/1824-5356-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/2168-0-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2168-11-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/2168-5-0x0000000000270000-0x0000000000274000-memory.dmp

    Filesize

    16KB

  • memory/2168-1-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/2336-4349-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB