quantum | 8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede

Analysis

max time kernel
47s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-03-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Size

75KB
MD5

e6069bc78167d8da9639314064898331
SHA1

1bb64d0a37b671c39fff479939bf4f8f0fe0f8d2
SHA256

8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede
SHA512

7fdb2e0f4e89ad1ba09c4b08888cb1244a947916759929a730794b5b944d757eaf6880ef6b3553be7d35da0b360ae3819e8792a0db8c9594d6b156224ca0e2f7
SSDEEP

1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGtGB9NK/A:OfJGLs6BwNxnfTKsGtG9K/

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Ransom Note

ALL YOUR DATA IS ENCRYPTED by QUANTUM What happened? All your files are encrypted on all devices across the network Huge volume of your data including financial, customer, partner and employees data was downloaded to our internal servers What's next? If you don't get in touch with us next 48 hours, we'll start publishing your data to the Data Leaks Portal How do I recover? There is no way to decrypt your files manually unless we provide a special decryption tool Please download TOR browser and CONTACT US for further instructions Hours Minutes Seconds

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\JoinUninstall.png => \??\c:\Users\Admin\Pictures\JoinUninstall.png.quantum	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File renamed	C:\Users\Admin\Pictures\LockCompress.raw => \??\c:\Users\Admin\Pictures\LockCompress.raw.quantum	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File renamed	C:\Users\Admin\Pictures\ReadConnect.tif => \??\c:\Users\Admin\Pictures\ReadConnect.tif.quantum	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File renamed	C:\Users\Admin\Pictures\SuspendMerge.png => \??\c:\Users\Admin\Pictures\SuspendMerge.png.quantum	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Deletes itself 1 IoCs

pid	Process
1732	cmd.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF6E1391-B844-11ED-A0BE-C29C0423A1DF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a077eca5514cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc458990000000002000000000010660000000100002000000011571c686e5edbefdd17787711d9904120b842c9113dfaad154475453e07c076000000000e8000000002000020000000ab2651c41240d50c22bf1f1b7d4bfe73885ac8f77f738dd5407ff05c1ff46c9120000000a1c4f093f96fd1880cd9edda5e5c472aada2f2f33ba7be24d22024f98a94e60a40000000b899424bee17e447a1cf15bec8ba039f4f788f0b942bed2db4328d5f40ebe106bedc3b3900c8ccb2b868baf840b497280f2fc5b5f9853c434059c2d2a38c61a3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc45899000000000200000000001066000000010000200000000d1edac89f8c947c5773905b3e785586bb5fff7969de44f75a6b5489bff5241f000000000e800000000200002000000089fcafe2c380eddfa77a2a7c9758301052dabae193be548180c8dfffc430874a90000000da155b5d14a579e3b624040ff263e1b68738f677f5020cfa7124d17407ca8487014bcbab0164241e3459b9486e9d25fd1b18869886121894b534add982e8e70eb4801361f239f8779a6a3b9a4173256effc2195e63b8c9c01f73261efd767c7036dc8873d93b0cb0bca24fa3950b86417ff1023fc9b9eb3096fc652357c352d158b9b39a3f648c157b2d5a7f0f068c52400000000447a0ad66aa580adbfce57f2f44014d81a86f30a1b9858065d7b49e0dadaeb42b37a88c1b17852c7a12489712d2fdbdad7a6531f576686b0a8c158513729dd5	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1060	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
1060	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1060	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Token: SeDebugPrivilege	1060	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1376	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1376	iexplore.exe
1376	iexplore.exe
572	IEXPLORE.EXE
572	IEXPLORE.EXE
572	IEXPLORE.EXE
572	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1732	1060	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe	30
PID 1060 wrote to memory of 1732	1060	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe	30
PID 1060 wrote to memory of 1732	1060	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe	30
PID 1732 wrote to memory of 1448	1732	cmd.exe	32
PID 1732 wrote to memory of 1448	1732	cmd.exe	32
PID 1732 wrote to memory of 1448	1732	cmd.exe	32
PID 1376 wrote to memory of 572	1376	iexplore.exe	34
PID 1376 wrote to memory of 572	1376	iexplore.exe	34
PID 1376 wrote to memory of 572	1376	iexplore.exe	34
PID 1376 wrote to memory of 572	1376	iexplore.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1448	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
"C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C3026.bat" "C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"
    3⤵
    - Views/modifies file attributes
    PID:1448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a664e185661e0f76f8fa3c11a3c3c8f2

SHA1
167e01fff6097b5b52f8c10450ed822194fb49b1

SHA256
542268efcdd81712487f1d2b687ed287e4f53db4f07bbc365ea2b62245129fcd

SHA512
6ff884b9cc1d08c954c0f8d521d290574b4a698383e854e4514b518822f1d262cc8c24a1e8e2063d49027bf71037610130c9007a88f8577f6a6f65bde69c92ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36af67076ba22c42ce205ce54be372f7

SHA1
5af4e6881e5654b29e4dcc00f5488c6598f31c40

SHA256
450afba24e22679b220254dd3d8759e2e785884b1b12614bc1133cc09e4a5961

SHA512
a1e70f81525081ac157dcce0f8836c4063ef775d2d85b080af7e7fecfc670ee7d81c2bf804201417aad41eb7a59a45efe94812d3c86fb295dd09efa308f981e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1442f9a34c432399831b35918863cf91

SHA1
a4227c9ede8bc10b278b441b88a6c22bafc210db

SHA256
28d1eba81fec81566b6b3f9672b23857a67dc9135ec754a0bfc043731192515b

SHA512
9573d700f0f82b4b5ea50ca3b970f41d61f2597d9ebde9f11118e99e24dcaafa31215ae63a8d7c0cfb508dbcd951cfb4247f57c2accad306e2a77db671520bff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2e54c8b6fb4424c8c29f6a96683bc24

SHA1
f7cad2fed67826c9d54140812fd6b87fe5a8b8f8

SHA256
daa1c009c15da89a5191c4cfea9f503824f24d1d6c1b79f010c4dc4a46423cf5

SHA512
66afbb7e83bae04a55ffe82e87e6197492100660f6d3c31ba72322887054c2a612577e82376696f54fc772c06511cb30139df6a6405f2c638fa17ac9d1ad64dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bedfc1f58ae37da9426e0557e69d7fa4

SHA1
9d0d526a9fc71768eb4263e9f05c607aae08457b

SHA256
5ea81687bf37c135f30def207927f2b9d5ce40daac9491fed029e0d1c4e7b0a4

SHA512
804d44e3db3496e4dfe5951045dc5eb514de7f7c89c0e17db71400f6bfabc3ec4a9f002b7014a80c899d197c8fb5556879b458da3b125411184b91f852fb71f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fc33f4fe652481d4e22419fe78c0126

SHA1
374c30066328ec845fce3bb87eb83f7f47c3a1e5

SHA256
115aa60bfeda2a0c78a15bb38719abcbdc255568037fd1ff8e62c3dd13bc19fe

SHA512
0898e3bfac08345c8a8ac97870bd103f69975e9896003a3079a475fda26f619926b8d3bed8073b664c732af691ba8f06f9ccf10f6220c4cb755d0c1cc9da5bfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10e656ad11b7de16bc6b2c77ac7198d7

SHA1
285f61e415420a3cd842cb6b1ae926f9dc932a1f

SHA256
a4ec5ad6d46f5b677942827f8c53e69bcea13e1f58b2832e9159d6f4baaecc1d

SHA512
ce209aee27c8501ce7579ed1e1b60c645196409302673c18b4157050f662b91c9643186f3db4ff4cf390d9ff05b846daad7a0ab36f4b0df470de9f25091d885d

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C3026.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C3026.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7534.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar75D3.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7655.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
7KB

MD5
f3dcfa4efb22e2572ba043df7f8b324e

SHA1
6e8a0d7cb7bcfed4252dc19f0940b297038f8feb

SHA256
37eed59e2b19bb813a295ceaf81f44d2d163c9a43846c87d632fa4743ea42d9c

SHA512
be46ee20f2935264fbfed07bb68dca3ac6c39a01c560357297d658f9b1d95f84d0164a0a16514b83a84b2b727dcbbc4bed6563548dc36165fdcc0477c6f7999c

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
7KB

MD5
f3dcfa4efb22e2572ba043df7f8b324e

SHA1
6e8a0d7cb7bcfed4252dc19f0940b297038f8feb

SHA256
37eed59e2b19bb813a295ceaf81f44d2d163c9a43846c87d632fa4743ea42d9c

SHA512
be46ee20f2935264fbfed07bb68dca3ac6c39a01c560357297d658f9b1d95f84d0164a0a16514b83a84b2b727dcbbc4bed6563548dc36165fdcc0477c6f7999c

Download Submit
memory/572-305-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

Filesize
8KB

Download
memory/1376-304-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download