quantum | 10d72db6bc2e2f94c7ac2a6a4a791948c37c0d256eea920e4f0615bb55cdde62

Analysis

max time kernel
32s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/02/2023, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10d72db6bc2e2f94c7ac2a6a4a791948c37c0d256eea920e4f0615bb55cdde62.dll
Size

76KB
MD5

87940b01f02d85d033dae35f8d01348f
SHA1

152dd7098b2b7409669b1a5ba1e997ddeb622734
SHA256

10d72db6bc2e2f94c7ac2a6a4a791948c37c0d256eea920e4f0615bb55cdde62
SHA512

1f57d21ec355f13e59184bf58b1231efd5448f9e935711236885d47f4387fc1d9216dc61613dbc403312136026103c064b07779f2d9d909991a2bd2dca7c5e5c
SSDEEP

1536:PaX1IbkVQJih8Ls2WZYbz+n26HNmAC6UsO:0KntKmzK2736Us

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <pre> 7da6ecd9fd391e42701bcb976c4d742963d3b963c0b40cc0dd41b4edde43b760 </pre> <hr/> This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. <a href="http://kcbyz2zmg3kmtmoyrleznkcypippxn2pvknunqdytr5wi6io7pzwleid.onion/?cid=7da6ecd9fd391e42701bcb976c4d742963d3b963c0b40cc0dd41b4edde43b760">http://kcbyz2zmg3kmtmoyrleznkcypippxn2pvknunqdytr5wi6io7pzwleid.onion/?cid=7da6ecd9fd391e42701bcb976c4d742963d3b963c0b40cc0dd41b4edde43b760</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

Your ID: This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://kcbyz2zmg3kmtmoyrleznkcypippxn2pvknunqdytr5wi6io7pzwleid.onion/?cid=7da6ecd9fd391e42701bcb976c4d742963d3b963c0b40cc0dd41b4edde43b760 Password field should be blank for the first login. Note that this server is available via Tor browser only. P.S. How to get TOR browser - see at https://www.torproject.org

URLs

http://kcbyz2zmg3kmtmoyrleznkcypippxn2pvknunqdytr5wi6io7pzwleid.onion/?cid=7da6ecd9fd391e42701bcb976c4d742963d3b963c0b40cc0dd41b4edde43b760

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertNew.crw => \??\c:\Users\Admin\Pictures\ConvertNew.crw.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ConvertRegister.crw => \??\c:\Users\Admin\Pictures\ConvertRegister.crw.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\PublishStop.crw => \??\c:\Users\Admin\Pictures\PublishStop.crw.quantum	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SetSend.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\SetSend.tiff => \??\c:\Users\Admin\Pictures\SetSend.tiff.quantum	rundll32.exe

Deletes itself 1 IoCs

pid	Process
1496	cmd.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{107DB571-B26E-11ED-B88A-7AA90D5E5B0D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1344	rundll32.exe
1344	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1344	rundll32.exe
Token: SeDebugPrivilege	1344	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1684	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1684	iexplore.exe
1684	iexplore.exe
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1496	1344	rundll32.exe	28
PID 1344 wrote to memory of 1496	1344	rundll32.exe	28
PID 1344 wrote to memory of 1496	1344	rundll32.exe	28
PID 1496 wrote to memory of 936	1496	cmd.exe	30
PID 1496 wrote to memory of 936	1496	cmd.exe	30
PID 1496 wrote to memory of 936	1496	cmd.exe	30
PID 1684 wrote to memory of 772	1684	iexplore.exe	33
PID 1684 wrote to memory of 772	1684	iexplore.exe	33
PID 1684 wrote to memory of 772	1684	iexplore.exe	33
PID 1684 wrote to memory of 772	1684	iexplore.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
936	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10d72db6bc2e2f94c7ac2a6a4a791948c37c0d256eea920e4f0615bb55cdde62.dll,#1
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C3DDC.bat" "C:\Users\Admin\AppData\Local\Temp\10d72db6bc2e2f94c7ac2a6a4a791948c37c0d256eea920e4f0615bb55cdde62.dll""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\10d72db6bc2e2f94c7ac2a6a4a791948c37c0d256eea920e4f0615bb55cdde62.dll"
    3⤵
    - Views/modifies file attributes
    PID:936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9acfe8dc588fb071326bc208a26fd8dc

SHA1
38bda1a2be79d479963b363f283ca065711112d9

SHA256
95d763fd5bd7624a6ebb774214c921ea29f6da6bf52fbe5f3e6152232c63ec42

SHA512
c24afb96f22bad0b1ea5f25324afd2eae799580695f6c846d2e1fd80db9a9e83e233e4f6661bfe77fbb480e4cf3cf1272f75d61d0e10ad0f3b1116b7d2663914

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78de5f17d34c7baa494ed00604ce45ed

SHA1
cfae44e1121b399774409f3fdd8f2f788b6bf96b

SHA256
bf653092ffe097109fd7a23d920ea928010ec7596ccee92461bf18cbb913b68b

SHA512
2e9a521e5950505054ce6041d4b6a14db6815792a17adddf6c803f42488c11ac81d3296b9368a1b7d710b6d9f6c7139f614b2ec79422c352bda109e9f442d1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
528ffa1b7ca7b97ec614f175d6b7e811

SHA1
f5c8d17e31569cf8be31fe46faf08a08922b6130

SHA256
fd4ec311b5ae83da0cd6dbefd03e8fa31692ae671598df72c4d74bfdb96cb905

SHA512
75f488cb871729db7516a3f06724c45bb4f6c768a3039c98efece4c10714a0c2be225f429e47c6076e5d4a42269bc200acb652bab02f8d244f4547f863c8bf6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8dec88f137e487dd86491d0fc0295c6

SHA1
570ef652741606e9c4c3f1a3acd8bc6b103a3cf9

SHA256
1c3907c4e96691666bbb838b7f723bc178e7a5234cfa9691fe32d4d5a1f836eb

SHA512
58214a4e1d0a44bef8a5455dc590b1d90a1333afa0f3c7a7ac143e2fe88f0fa0820d4c87eff53860809f1d65fd26dd4d6b5de5fcd3b7db801996308b4276f43c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60571757d07570bfdb5a19bfc4b633b6

SHA1
7ff61195fc916fbc37baefec8eb6456c0cc3d99d

SHA256
a48b8ffe03d907596080f76e1639353f54c473fe8779c6d0c97742c2c0829776

SHA512
3c0346cd9dd4343cff86662f5d68582a5288d756c2bd8ddb1c6d9f75c005bec3af5bc31f8914c36213639340fb469d9e75553564b266bab2adf07e1418d43002

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4fbd6770ec977e89be43dc878b61455

SHA1
ad95567e84cda77e2fba72bbd63dfbd155ad434b

SHA256
497663b643ad71fe08c2dbb1ee5711e484ee0391ccda68ce517950c7ffced7ef

SHA512
1eb9e1e789f0144bebc870bf4613deb5ebee3c3a7a9f204db422992c8f71d1d96d03e235a94cc569879bd1e8fa108dc6e268767c8673c485720da160990082f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f5915f21ff94c024526fb778693f29c

SHA1
db68bcce0a768fb734556f08f3ad1997829f073c

SHA256
56e4ac41ec1f5ec54b92794061c3f78fc0542c6397e435ce504b06cc05f2e1ab

SHA512
b6cc880acd46cbcc5b4617ab374767c2ba183a3c4336f71083d07fbb16cffaa25a1b463221c764e089cc9b11c16e9701889a7fbe8bb16f8b08f0c437249d1965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbab69352e3a9e7b51e4f7dde6cd48cf

SHA1
eb1ab60311882c0d36554e8d39c2082ff941d911

SHA256
a0f77e25c387ad2a72161cd2dcbe1cc8aacb079c33ab42b19e3164633bddf7da

SHA512
04ac9c727cbe3ca907f0ff2ef54ea1ee6d827e50209eccfe40d70f5bc672f923b623ed6c2a7a23d46416ee572997576bbd81d088cca7f75c17a0df5ae04b810b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
967e47643546d2357bedab7d864dbd1b

SHA1
f68265f7df37d220ecb20fc9019558e1c5ba9777

SHA256
c9c7873fdca017663eba6c01c19a2788195b2af46718ee2f90dc98b5072939bc

SHA512
4a83fbd36ccba13c7b5449027ec563ccc30b5c29a73ef309faed404aa3d8bf12860bf597d7eda45ab0d6146c510d804aa507f398222890d11e3354676daf5f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C3DDC.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C3DDC.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab86EF.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar877F.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
2KB

MD5
c1866c333eea072e81a986ca86b2c722

SHA1
b6e5057c99f22fee5eb4ff4ea5feeaadce6b9834

SHA256
6d00325e3bcac5473d6e726dc28e63477edc73a158b4722c0ca2e1d6e387d96f

SHA512
265c33426ca348ee0ad9e4c2fc9e5b2397c7a12b5b6b2fb901cf6fbf2b5e7532861ec9266f39c54141836c2da2b7aeb4e18ae0641632e609f9be410017fcacf4

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
2KB

MD5
c1866c333eea072e81a986ca86b2c722

SHA1
b6e5057c99f22fee5eb4ff4ea5feeaadce6b9834

SHA256
6d00325e3bcac5473d6e726dc28e63477edc73a158b4722c0ca2e1d6e387d96f

SHA512
265c33426ca348ee0ad9e4c2fc9e5b2397c7a12b5b6b2fb901cf6fbf2b5e7532861ec9266f39c54141836c2da2b7aeb4e18ae0641632e609f9be410017fcacf4

Download Submit
memory/772-322-0x0000000002FB0000-0x0000000002FB2000-memory.dmp

Filesize
8KB

Download
memory/1684-321-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download