Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2024, 22:40

General

  • Target

    764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe

  • Size

    317KB

  • MD5

    764dde3f1fd9259e60c40b148db70637

  • SHA1

    0594e04536101063361d903e7db109a6dfaef85f

  • SHA256

    403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a

  • SHA512

    cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a

  • SSDEEP

    6144:J6tiiYyUYE+I6TdpIg+aLUvPOfE2sg4qJLfG7zWBMvKvGB77Z:J60iYyo+JT/+f282sGtw/77Z

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_wgjny.txt

Ransom Note
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://nasdki39dawk.oj998fh4txkjh.com/257D37F36DFFE8 2. http://awoeinf832as.wo49i277rnw.com/257D37F36DFFE8 3. https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: zpr5huq4bgmutfnf.onion/257D37F36DFFE8 4. Follow the instructions on the site. 
IMPORTANT INFORMATION: Your personal pages: http://nasdki39dawk.oj998fh4txkjh.com/257D37F36DFFE8 http://awoeinf832as.wo49i277rnw.com/257D37F36DFFE8 https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8 Your personal page (using TOR): zpr5huq4bgmutfnf.onion/257D37F36DFFE8 Your personal identification number (if you open the site (or TOR 's) directly): 257D37F36DFFE8
URLs

http://nasdki39dawk.oj998fh4txkjh.com/257D37F36DFFE8

http://awoeinf832as.wo49i277rnw.com/257D37F36DFFE8

https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8

http://zpr5huq4bgmutfnf.onion/257D37F36DFFE8

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_wgjny.html

Ransom Note
<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <b><font class="ttl">What happened <!------sfg2gdfstw5ey3345 --> to your files?</b></font><br> <font style="font-size:13px;">All of your files were<!------sfg2gdfstw5ey3345 --> protected by a strong<!------sfg2gdfstw5ey3345 --> encryption with<!------sfg2gdfstw5ey3345 --> RSA-2048 <br> More information about the <!------sfg2gdfstw5ey3345 -->encryption RSA-2048 can be<!------sfg2gdfstw5ey3345 --> found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font> <br><b><font class="ttl">What <!------sfg2gdfstw5ey3345 --> does this mean?</b></font><br><font style="font-size:13px;"> This<!------sfg2gdfstw5ey3345 --> means that the <!------sfg2gdfstw5ey3345 --> structure and data within your files have been irrevocably <!------sfg2gdfstw5ey3345 -->changed, you will not be able to work<br> with them, read<!------sfg2gdfstw5ey3345 --> them or see them, it is the same thing <!------sfg2gdfstw5ey3345 -->as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. 
<br>All your <!------sdkfg3265436456hdfskjghfdg --> files were encrypted with the public key, <!------sdkfghd456334565436fskjghfdg --> which has been <!------sdkfghd45363456fskjghfdg --> transferred to <!------sdkfghdfskjghfdg -->your computer via <!------sdkfghd4356345643564356fskjghfdg -->the Internet.<br> <!------sdkfghd34563456fskjghfdg --> Decrypting of <!------sdkf45363456ghdfskjghfdg -->YOUR FILES is <!------sdkfghdfs4563456kjghfdg -->only possible <!------sdkfgh45364356dfskjghfdg -->with the help of the <!------sdkfghd4563456fskjghfdg -->private key and <!------sdkfghd43563456fskjghfdg -->decrypt program, <!------sdkfghdf43564356tyretyskjghfdg -->which is on our <!------sdkfgh34565346dfskjghfdg -->SECRET SERVER!!!. </font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br> <!------23452345dgtwertwre --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> <!------sadfs32452345gfdsgsdfgdfsafasdfasdfsadf --><b>1.<a href="http://nasdki39dawk.oj998fh4txkjh.com/257D37F36DFFE8" target="_blank">http://nasdki39dawk.oj998fh4txkjh.com/257D37F36DFFE8</a></b><br> <!------ds234523452345fgwert --><b>2.<a href="http://awoeinf832as.wo49i277rnw.com/257D37F36DFFE8" target="_blank">http://awoeinf832as.wo49i277rnw.com/257D37F36DFFE8</a></b><br> <!------wer234524353245terwtewrt --><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8" target="_blank">https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8</a></b><br> <!------sfg2gdfstw5ey3345 --></div><br><div class="tb" style="font-size:13px; 
border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address bar: <font style="font-weight:bold; color:#009977;">zpr5huq4bgmutfnf.onion/257D37F36DFFE8</font><br>4. Follow the instructions on the site.</div><br><br><b>IMPORTANT INFORMATION:</b><br><div class="tb" style="width:790px;"> Your Personal PAGES: <b><br> <a href="http://nasdki39dawk.oj998fh4txkjh.com/257D37F36DFFE8" target="_blank">http://nasdki39dawk.oj998fh4txkjh.com/257D37F36DFFE8</a> <br> <a href="http://awoeinf832as.wo49i277rnw.com/257D37F36DFFE8" target="_blank">http://awoeinf832as.wo49i277rnw.com/257D37F36DFFE8</a> <br> <a href="https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8" target="_blank"> https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8</a> </b> <br> Your Personal PAGE (using TOR): <font style="font-weight:bold; color:#009977;">zpr5huq4bgmutfnf.onion/257D37F36DFFE8</font><br> Your personal code (if you open the site (or TOR 's) directly): <font style="font-weight:bold; color:#770000;">257D37F36DFFE8</font><br> </div></div></center></body></html>
URLs

https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (374) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Roaming\vcwgel.exe
      C:\Users\Admin\AppData\Roaming\vcwgel.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:856
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2728
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:1748
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:880
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1600
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwgel.exe >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\764DDE~1.EXE >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2476
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2616
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_wgjny.html

    Filesize

    4KB

    MD5

    ec8d28083308e33e7f725a85db34af22

    SHA1

    0b8f542c9e6282c4918eb9470768d6a491254d5b

    SHA256

    cbe1751f442cf202680c8bb6d9d69799fe1a8d34efc55a2de44355c2e9379cd8

    SHA512

    7f1f9c2f5984d97e272761ab8f432531f86bacdf71074e39e8cc89caa4d8cee9e94301e67ec7bf36ffc626a0c3557436fd142ca260528414ae319d57ba72eb11

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_wgjny.txt

    Filesize

    2KB

    MD5

    d32ef9d9b1b541f8d72b0af47e8f13ff

    SHA1

    c01748cd525a22ead396b1a619b98da3ee9368f8

    SHA256

    3178ae48133fc4ced39f84912bcfa719e1cde87c8c00e2e1cc528efc2435d67a

    SHA512

    f7aea41e1bf671cdde6077f2a657c21c8ba8311c1a5b5ba4b02aead9a2e2cc081e5eceba3daa1a5657e993d448ffc7bafc7f87be39a577b418eb984c01c22fd6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8b5af1e0cd4924093c67b4ee7623d375

    SHA1

    e8abf0b1488e96918ab89e51f3cb781c4122eed9

    SHA256

    fcb07295bf3b633b95a57fdfa0490d3c8afd366e4a19a0572a1287b989a6b44d

    SHA512

    b38f32381c859683ae56e389aff4da6c5ae9ae9c820fc4a1ac1395cda2578f0c67a9852b9cf21a9cf6b8b8017e7837b8550d131e247515d1388028850e38ba23

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    838bd13eb172126734e326e6e3d30af9

    SHA1

    ea9c163a480967ab0ab773b3ddaf76fbd95781cc

    SHA256

    7da945b21b2614b9e1b54235701a4312f33a8e6263c19334cbde671b514fbef8

    SHA512

    d474a685872e749b3f4d7ea756f0daeaf059a2facb90e0bc58d1fd77b50ea009a937c4b42d32880acb988dcbb999ca917859050499fa34d5623ce59d86af7a75

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7479bbff0591f3ff210f20d774a671b8

    SHA1

    72c8c77e3f18080e78da7612b151c5a786a68773

    SHA256

    33751ebc0395b36ac15dee4f96a0b1ee07e26d942861fdc2ad55e2c3a89a8266

    SHA512

    bfb6b4eb3e66436d49f5e9cab885dd9a93b8793cc8383c0212a0a516a0a991fed268e13f2dc0ce85941b7c65c6f7772a5faa43d4c3ea9f452759bc8d22fc71d0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8e5a660fbdc84de122fa2516adac1aaf

    SHA1

    19eae5eca0c968b487ec1651838c7ef94c7009b0

    SHA256

    3e593f87374e12919264d473095942b7d4bc47f9ecc7bef1aa0aaaaf7d02374e

    SHA512

    5d170f774f566152ff8bce9638c99fce7a63b2ada5dc7194a4110dd673975c599c93a4377128f1f9cd9d74572273a38d306726e7da0776648acb9585d3356840

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5179cabde433326e734b42f32faa56b4

    SHA1

    05a3894b2d4d02a6a8c24b2b338d8f8fed751e46

    SHA256

    64885b8b41b0c1009875382f7b0d8de219df4e3eca862e09f94afaee7a276f4c

    SHA512

    b4f56f62f51cca5c4b71e04185952347fc294a68a69d594a601f8e38746cd50fdd37ee75f9f336a3d117152ba8011205a8bf65bb15fb55b4acd1345403a49e1e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bc85e1f7869383d30d6f0a2bf382d200

    SHA1

    ae24a4279427157b5e5498fc2c16f2b1156b8cf8

    SHA256

    2d72e3b9c3d9f9a7c5ec76ef0323a7cfba2105c27dbbbbe12e343e1ec9a89275

    SHA512

    bb7b7139ea2b4d39f3fe52077db965d63e17916085d64d311f7cf0d74e3828f054321d9f0947350d106c0a3ea67dc5856c871d336bc2130a55d2aa8af4c409f6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    023ec209280fcf5dbc2410b491848261

    SHA1

    43014e9f2135ba5fc90db266821821f453b60b7e

    SHA256

    576fd10ae2f9351211919db4407a07a099fdb891ce5bd4193b24729bc00cb4cf

    SHA512

    84c8b0fae30243fab40c211c3ba23909a4c52cd0b3771fa732ceb3f6bd8aab06450fe5b6d48b6a481ee258814a307f7c66ac1855e9eaf987f8613d726cc56b89

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8f843d3062a8bb4ef2bb2c589f9dfc22

    SHA1

    49bf6bd4f9fedc387d7132c96c8b8bd24a329d18

    SHA256

    d5d5725885c390125ed2047671869a6398c2d5aad79d0a7cf9834b4c450d38f2

    SHA512

    520f92519a0f6bb37490ac568a298a3c62646cd2c9ab4410608b0736ac3aacf9d965fe1af0a3316145827ea97b675c56c44ad00f20d057dd7b3292bfd4be4416

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    081eb611b3c92ff08ac54fe4c08e785b

    SHA1

    74b96e24744e419c9705e04c9298c80519fdeae5

    SHA256

    8918bd36f9fc097fffbc65c9392851eb45482dfb0478a552055fa89b5e8915b3

    SHA512

    8d75eedcce53f769c2463d78f883dbf32dfb3c9193b35c6b210fd7c21a1b8cc0684cd3f9eb928e9d39292b1e28d97f3da0a02f1fc757db00449212cc7d8b3d01

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bcb80063717cb14b6670fb17f26f82b8

    SHA1

    c94f298ae51189e3c0c27cd23861e06be5db91f3

    SHA256

    8b6e1ca28a49b071265803dccda8e8b63509e6ceca970aa36cbe4942c3b42253

    SHA512

    a4a6dbb9ca2d142a882bc5fe81231219fe4fcc52a1408378bd67b5330165deed257b0e10d808b4523bc200a2bad69111ad0881bde8fad3c223ba84e9fce396ca

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b9a32d585b25ede72fa465701aa5508e

    SHA1

    959581e79262a60604c9f5b47c6f2ab5cff46d59

    SHA256

    34319fa018d872cbcc2d02cf44f55f50bb60cd679ee8d96deb4ad76e530c4e80

    SHA512

    a46cdfce4b13c52685e28077a3bee729ca740b2ac4078447a94a8b39a94bfa428720940745a05fbc99e7510d3a1a8f23c7b4228fc899e86cc33a3954091e8c75

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6201ff5378953383e5c92e688ea9b688

    SHA1

    7dabc651b858a275142bb34d32bd6cc0406b8ee9

    SHA256

    e0e85452f745cbb925f35c3c2863642c08940a79dad41f2bb73d923044949667

    SHA512

    2415ab528945f31252148d5305c14d217e731201a0d04dc841658bf99e71169513b010eda501779d77f0e5030460dd1fadd5cce9670622e7f8bb5c1a593be77d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7cdb242026a768495ac0e251bf00ddc6

    SHA1

    55c197f07a971999ebad6a836715a50d5732ef3a

    SHA256

    cd92c83afb17f8acf42328300651b9c929a090bed7fb1c5ce05df96c91645ccc

    SHA512

    c38886c515822e6ac20d70039a1519428e41ca45d78233b5a04ee242d6cff92fb05da73aaf6bcd4910f23a55666908a809cf54f064c8065702f3221c12c5434e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8d36736a8b3c5b888903509a59e653d4

    SHA1

    6aad1c109ef53e83e54f7e44201c0a802a1f8d63

    SHA256

    aa818e6d9608a2fd2abbf3d74a0eadefda695f08d58b635844d5d6798b1fc21b

    SHA512

    6169c8d7d589c0ef7e975b0bc0f8e6eb69c73972942fb12657f22a44a7c036cac9ae64dcf4e0c893e8f4980b97ddd070b9f4d9bf1457d464de3d5c19b1cb9fce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a367a5e6eb1a1addfc91a6b923383433

    SHA1

    2c08c59cab903f2817c531a89f55a83075e31b71

    SHA256

    714f64b7afccc810f00b4a0e8eb951d766ef57fb3398a3614ef991369e7b2b60

    SHA512

    f7c7c6ca6831c1c1965b5199afa4569e7ffa6d5e36109d282fbcdc5e8722583b431eac09198e2bfd70a6f660afe26460351d3aee54e601ff58a970c93363ce48

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    84808b849a9a51a8197757203dc8db9d

    SHA1

    bc213de09f039d2fee1cfa1b1767b705a707477f

    SHA256

    7cd42cf3b9a15ca9432a60ccb7ced6271eb3b3dc7565df085f8421c5ebd32725

    SHA512

    c1a25412c5de7a6d08ac9d4bff9dc1609633f00820b7629ade61ee92c1124d84d6d00de13b96d40816567de08d7391231e7391038e4ffa70ddc8921a032c8ab4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    511fe68b19fd29aab0bedaddf620d645

    SHA1

    6d588a0c7fbb718f2260a58174c3276b7c12990a

    SHA256

    ac66c6dd2f33eb0da3221c1d8727ba2b668f83125ee59f804a021d6111ecc5f3

    SHA512

    200090ad054736bec2dc69776196836ea90b13bae2b8d0d8f865761a7599e1b3129bcbbf50c7546027197616b612118f9eb0908d34ec16f5103301e68dde6e86

  • C:\Users\Admin\AppData\Local\Temp\CabD971.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarD972.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\Desktop\RESTORE_FILES.BMP

    Filesize

    2.3MB

    MD5

    a787aaa6b67e4b5f9ee3d74af06d4d63

    SHA1

    3e4fe77c59ef60cc3a7abce20017bbe4cb3cff11

    SHA256

    a9804ac914b54558a1ffb386b5197d5040569c9713311f4bc95558cf120aecf0

    SHA512

    830850a677cec710df2dc32a1156d0e8491c62a5744df915f6e110b0ebea00387dc0f2afcb60479552fa2ac0bac3c9880412f3d6955f77cc789c5bcb560c6e21

  • \Users\Admin\AppData\Roaming\vcwgel.exe

    Filesize

    317KB

    MD5

    764dde3f1fd9259e60c40b148db70637

    SHA1

    0594e04536101063361d903e7db109a6dfaef85f

    SHA256

    403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a

    SHA512

    cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a

  • memory/856-374-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/856-2485-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/856-4206-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

    Filesize

    8KB

  • memory/856-4646-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/856-4654-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/856-14-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/856-3648-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/856-4210-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/856-1161-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/856-17-0x00000000002F0000-0x00000000002F4000-memory.dmp

    Filesize

    16KB

  • memory/1104-4207-0x0000000000220000-0x0000000000222000-memory.dmp

    Filesize

    8KB

  • memory/2332-0-0x0000000000230000-0x0000000000233000-memory.dmp

    Filesize

    12KB

  • memory/2332-11-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/2332-2-0x0000000000400000-0x000000000076F000-memory.dmp

    Filesize

    3.4MB

  • memory/2332-5-0x00000000003C0000-0x00000000003C4000-memory.dmp

    Filesize

    16KB