
Resubmissions

18/04/2024, 11:18   240418-ned1xsbd66   score 10/10
18/04/2024, 11:18   240418-nea92abd64   score 10/10
18/04/2024, 11:18   240418-neay9scf7z   score 10/10
18/04/2024, 11:18   240418-neacqscf7y   score 7/10
18/04/2024, 11:18   240418-nd92zacf7x   score 7/10
18/04/2024, 09:59   240418-lz5chaba8t   score 7/10

Analysis

  • max time kernel
    595s
  • max time network
    602s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/04/2024, 11:18

General

  • Target

    0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe

  • Size

    371KB

  • MD5

    eafe645b56c3f5cb746fb5f8504f6035

  • SHA1

    f539987de9fe59bff20483ac7a124afafc27036b

  • SHA256

    0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94

  • SHA512

    61af2cfa960a72b66d54d0ee121acb5c54d455b05eb85fb2d7df2958d3134d348c87a5aef2aa46319532407f7ebf01eaedfb8dd889bb0f67ce5edc067445e806

  • SSDEEP

    6144:hnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLv3RXdYX9ji+uhi2PsrhY:dzQnkM1oSiBGI8bxn5W6i+uo20tY

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae54cee-4e53-4f2c-ba02-98fdc815aead}\_DECRYPT_INFO_hpfqkh.html

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'> <!-- saved from url=(0014)about:internet --> <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' /> <title>hpfqkh decrypt</title> <style type='text/css'> <!-- html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;} a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;} td { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f0f0f0; font-size: 14px; } .style1 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 48px; } .style3 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 60px; } .style4 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #28caf9; font-size: 14px; } .style5 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 14px; } .style6 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 14px; } .style7 { width:685px; height:120px; background-color:#393838; border:1px solid #565656; font-family: Courier New; font-weight: bold; color: #f0f0f0; font-size: 13px; } .styled-select select { background-color:#393838; font-weight: bold; color: #f0f0f0; width: 178px; padding: 5px; font-size: 16px; line-height: 1; border: 0; border-radius: 0; height: 34px; -webkit-appearance: none; } --> </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; var language = window.navigator.userLanguage || window.navigator.language; if (language.indexOf('-') !== -1) language = language.split('-')[0]; if (language.indexOf('_') !== -1) language = language.split('_')[0]; 
change_lang(language); var ua = window.navigator.userAgent; var msie = ua.indexOf('MSIE '); xtime = Math.floor( (1713440139+(12*60*60)) - (Date.now()/1000)); if (msie == 0) window.setTimeout('update_timestamp('+xtime+')',1000); else update_timestamp(xtime); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } function change_lang(lang) { if (lang == "de") show_de(); else if (lang == "es") show_es(); else if (lang == "fr") show_fr(); else if (lang == "it") show_it(); else if (lang == "nl") show_nl(); else show_en(); } function show_en() { document.getElementById('text_01').innerHTML = 'WARNING!'; document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.'; document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.'; document.getElementById('text_09').innerHTML = 'Download TOR Browser from'; document.getElementById('text_10').innerHTML = 'In the Tor Browser open the'; document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. 
Retry in 1 hour if site is not reachable).'; document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:'; } function show_de() { document.getElementById('text_01').innerHTML = 'WARNUNG!'; document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!'; document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.'; document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von'; document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie'; document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).'; document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:'; } function show_es() { document.getElementById('text_01').innerHTML = '¡PELIGRO!'; document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!'; document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. 
El servidor eliminará la clave luego del tiempo especificado en esta ventana.'; document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde'; document.getElementById('text_10').innerHTML = 'En el navegador TOR abre'; document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).'; document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:'; } function show_fr() { document.getElementById('text_01').innerHTML = 'ATTENTION!'; document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !'; document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.'; document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de'; document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez '; document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. 
Réessayez dans 1 heure si le site n’est pas accessible).'; document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :'; } function show_it() { document.getElementById('text_01').innerHTML = 'ATTENZIONE!'; document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!'; document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.'; document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da'; document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link'; document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).'; document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:'; } function show_nl() { document.getElementById('text_01').innerHTML = 'WAARSCHUWING!'; document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!'; document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. 
De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.'; document.getElementById('text_09').innerHTML = 'Download de TOR Browser van'; document.getElementById('text_10').innerHTML = 'In de Tor Browser, open'; document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).'; document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:'; } //var language = window.navigator.userLanguage || window.navigator.language; //alert(language); </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/hpfqkh.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br /> <div align='center' id='text_02'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p> <div class="styled-select" align='center'> <select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);"> <option selected disabled value="" style="display:none;">Select language</option> <option value='en'>&nbsp;&nbsp;&nbsp;ENGLISH</option> <option value='de'>&nbsp;&nbsp;&nbsp;GERMAN</option> <option value='es'>&nbsp;&nbsp;&nbsp;SPANISH</option> <option value='fr'>&nbsp;&nbsp;&nbsp;FRENCH</option> <option value='it'>&nbsp;&nbsp;&nbsp;ITALIAN</option> <option value='nl'>&nbsp;&nbsp;&nbsp;DUTCH</option> </select> </div> </td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> <div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest 
encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br /> <br /> </td> </tr> <tr> <td colspan='2' align='left'> 1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubmvgn22y2ns.onion</span><br /><br /> <span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br /> <br /> <span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br /> <div align='center'><textarea class='style7'> 1E0JE-FNF8Y-8MHZE-6ZBFC-GUHRR-DSUGN-3P1QA-ZT4KN-Z2XTH-457ND-D2VXF-1UCKS-8FHX8-MXZTX KUSQ3-THAN1-3WKD7-PTMY0-ZWJ6G-3K1TJ-VE062-7TAA4-KU8HJ-NJYF5-Q6GXZ-2CVSG-1HPAQ-WPJEJ KV100-UEXZ2-PS31Q-746HH-VFK8K-K66WH-TBETC-PCZX8-HE23W-6XXAM-6DXM3-1HMK7-BE30J-KXWB3 E32MC-E1HQJ-5JMBU-KYYTH-75MG7-45F88-BYQZF-BVNJV-QS6RS-PW542-KMR2V-H273X-VUNBU-1VBYK 440HC-TR8UE-FMAYS-213FB-7DFQF-YVBYQ-R0EGE-HYVQ2-AQDV1-QCZKG-DASPC-M5AMV-7HNXA-PK4G8 4B7T0-7SJPW-8RGGM-CF13B-V45M2-EGFZT-XHK4C-72CDJ-4HQPP-AFM6Y-W3XJ0-EDYVB </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>
URLs

http://torproject.org

http://maktubmvgn22y2ns.onion

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
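Two things in the note above are worth pulling out programmatically rather than by eye: the countdown is pure client-side JavaScript that subtracts the current time from a hard-coded generation epoch plus 12 hours (so the "deadline" is cosmetic and the epoch tells you when the note was written), and the only material that identifies the victim is the Tor address plus the key blob in the textarea. The script below is an added example written for this report, not tria.ge code and not part of the sample. It parses Maktub-style _DECRYPT_INFO_<suffix>.html notes with regexes derived from the note shown here, converts the epoch into generation and deadline times in UTC, and hunts a directory tree for dropped notes, grouping them by suffix, onion address and key fingerprint so that the per-directory copies (which differ only by a few seconds in the epoch) collapse into one entry. The note text and the temporary directory tree are constructed for the demo from the fragments on this page; the grouping scheme and field names are my own.

```python
"""Pull indicators out of Maktub-style _DECRYPT_INFO_<suffix>.html ransom
notes and hunt for them across a directory tree.

Added example for this report; it is not tria.ge code and not part of the
sample. The regexes follow the note shown in the report (onion address in a
<span>, deadline computed in init() as "<epoch>+(12*60*60)", victim key blob
in a <textarea>). The note text and directory tree below are constructed
for the demo from the fragments on the page."""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed, abbreviated note carrying the report's real indicators.
SAMPLE_NOTE = """<html><head><title>hpfqkh decrypt</title>
<script type='text/javascript'> function init() { var xtime;
xtime = Math.floor( (__EPOCH__+(12*60*60)) - (Date.now()/1000)); }
</script></head><body>
<img src='file:///C:/Users/Admin/AppData/Local/Temp/hpfqkh.gif' />
1) <a href='http://torproject.org' class='style4'>http://torproject.org</a>
2) <span class='style6'>http://maktubmvgn22y2ns.onion</span>
<textarea class='style7'> 1E0JE-FNF8Y-8MHZE-6ZBFC-GUHRR-DSUGN-3P1QA-ZT4KN-Z2XTH-457ND-D2VXF-1UCKS-8FHX8-MXZTX
KUSQ3-THAN1-3WKD7-PTMY0-ZWJ6G-3K1TJ-VE062-7TAA4-KU8HJ-NJYF5-Q6GXZ-2CVSG-1HPAQ-WPJEJ
KV100-UEXZ2-PS31Q-746HH-VFK8K-K66WH-TBETC-PCZX8-HE23W-6XXAM-6DXM3-1HMK7-BE30J-KXWB3
E32MC-E1HQJ-5JMBU-KYYTH-75MG7-45F88-BYQZF-BVNJV-QS6RS-PW542-KMR2V-H273X-VUNBU-1VBYK
440HC-TR8UE-FMAYS-213FB-7DFQF-YVBYQ-R0EGE-HYVQ2-AQDV1-QCZKG-DASPC-M5AMV-7HNXA-PK4G8
4B7T0-7SJPW-8RGGM-CF13B-V45M2-EGFZT-XHK4C-72CDJ-4HQPP-AFM6Y-W3XJ0-EDYVB </textarea>
</body></html>"""

def note_for(epoch):
    """Render the constructed note with a given countdown epoch."""
    return SAMPLE_NOTE.replace("__EPOCH__", str(epoch))

NOTE_NAME = re.compile(r"^_DECRYPT_INFO_([a-z0-9]+)\.html$", re.IGNORECASE)
ONION = re.compile(r"https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)
# The note's init() hard-codes the generation time and adds 12 h to it.
EPOCH = re.compile(r"\(\s*(\d{9,10})\s*\+\s*\(\s*12\s*\*\s*60\s*\*\s*60\s*\)\s*\)")
KEYBLOB = re.compile(r"<textarea[^>]*>(.*?)</textarea>", re.DOTALL | re.IGNORECASE)
KEYGROUP = re.compile(r"\b[A-Z0-9]{5}\b")

def utc(epoch):
    """Format a Unix epoch as a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def parse_note(text):
    """Return the indicators in one note, or None if it is not a Maktub-style note."""
    onion = ONION.search(text)
    epoch = EPOCH.search(text)
    if not onion or not epoch:
        return None
    generated = int(epoch.group(1))
    blob = KEYBLOB.search(text)
    groups = KEYGROUP.findall(blob.group(1)) if blob else []
    return {
        "onion": onion.group(0).lower(),
        "generated_utc": utc(generated),
        "deadline_utc": utc(generated + 12 * 60 * 60),
        "key_groups": len(groups),
        # Two groups are enough to tell victims apart without copying the blob around.
        "key_fingerprint": "-".join(groups[:2]),
    }

def hunt_notes(root):
    """Walk root, parse every ransom note, and group them by (suffix, onion, victim key).
    Each group lists the directories the note was dropped in and every deadline seen;
    deadlines differ by seconds because the sample regenerates the note per directory."""
    root = Path(root)
    groups = {}
    for path in root.rglob("_DECRYPT_INFO_*.html"):
        m = NOTE_NAME.match(path.name)
        if not m:
            continue
        info = parse_note(path.read_text(encoding="utf-8", errors="replace"))
        if info is None:
            continue
        key = (m.group(1).lower(), info["onion"], info["key_fingerprint"])
        entry = groups.setdefault(key, {"suffix": key[0], "onion": key[1],
                                        "key_groups": info["key_groups"],
                                        "directories": [], "deadlines": set()})
        entry["directories"].append(str(path.parent.relative_to(root)))
        entry["deadlines"].add(info["deadline_utc"])
    return list(groups.values())

def demo():
    """Constructed tree: three copies of the note, epochs a few seconds apart as in the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub, epoch in (("", 1713440139),
                           ("ProgramData/Package Cache/pkg", 1713440140),
                           ("Users/Admin/AppData/Local/Temp", 1713440149)):
            (root / sub).mkdir(parents=True, exist_ok=True)
            (root / sub / "_DECRYPT_INFO_hpfqkh.html").write_text(note_for(epoch), encoding="utf-8")
        return hunt_notes(root)

if __name__ == "__main__":
    for e in demo():
        print(e["suffix"], e["onion"], "earliest deadline", min(e["deadlines"]),
              e["key_groups"], "key groups, dropped in", sorted(e["directories"]))
```

For the epoch in the note above, 1713440139, this gives a generation time of 2024-04-18 11:35:39 UTC and a displayed deadline of 23:35:39 UTC the same day; the three copies extracted by the sandbox land within ten seconds of each other and share the onion address and key blob, so they collapse to one victim entry. Point hunt_notes() at a mounted image or a collected file-system tree to get the same summary for a real incident.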

Extracted

Path

C:\_DECRYPT_INFO_hpfqkh.html

Ransom Note
Identical to the first note above (same title, Tor address http://maktubmvgn22y2ns.onion, suffix hpfqkh and victim key blob) except for the countdown epoch in init(), which is 1713440140, one second later.

URLs

http://torproject.org

http://maktubmvgn22y2ns.onion

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd

Extracted

Path

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\_DECRYPT_INFO_hpfqkh.html

Ransom Note
Identical to the first note above (same title, Tor address http://maktubmvgn22y2ns.onion, suffix hpfqkh and victim key blob) except for the countdown epoch in init(), which is 1713440149, ten seconds later.
De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.'; document.getElementById('text_09').innerHTML = 'Download de TOR Browser van'; document.getElementById('text_10').innerHTML = 'In de Tor Browser, open'; document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).'; document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:'; } //var language = window.navigator.userLanguage || window.navigator.language; //alert(language); </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/hpfqkh.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br /> <div align='center' id='text_02'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p> <div class="styled-select" align='center'> <select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);"> <option selected disabled value="" style="display:none;">Select language</option> <option value='en'>&nbsp;&nbsp;&nbsp;ENGLISH</option> <option value='de'>&nbsp;&nbsp;&nbsp;GERMAN</option> <option value='es'>&nbsp;&nbsp;&nbsp;SPANISH</option> <option value='fr'>&nbsp;&nbsp;&nbsp;FRENCH</option> <option value='it'>&nbsp;&nbsp;&nbsp;ITALIAN</option> <option value='nl'>&nbsp;&nbsp;&nbsp;DUTCH</option> </select> </div> </td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> <div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest 
encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br /> <br /> </td> </tr> <tr> <td colspan='2' align='left'> 1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubmvgn22y2ns.onion</span><br /><br /> <span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br /> <br /> <span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br /> <div align='center'><textarea class='style7'> 1E0JE-FNF8Y-8MHZE-6ZBFC-GUHRR-DSUGN-3P1QA-ZT4KN-Z2XTH-457ND-D2VXF-1UCKS-8FHX8-MXZTX KUSQ3-THAN1-3WKD7-PTMY0-ZWJ6G-3K1TJ-VE062-7TAA4-KU8HJ-NJYF5-Q6GXZ-2CVSG-1HPAQ-WPJEJ KV100-UEXZ2-PS31Q-746HH-VFK8K-K66WH-TBETC-PCZX8-HE23W-6XXAM-6DXM3-1HMK7-BE30J-KXWB3 E32MC-E1HQJ-5JMBU-KYYTH-75MG7-45F88-BYQZF-BVNJV-QS6RS-PW542-KMR2V-H273X-VUNBU-1VBYK 440HC-TR8UE-FMAYS-213FB-7DFQF-YVBYQ-R0EGE-HYVQ2-AQDV1-QCZKG-DASPC-M5AMV-7HNXA-PK4G8 4B7T0-7SJPW-8RGGM-CF13B-V45M2-EGFZT-XHK4C-72CDJ-4HQPP-AFM6Y-W3XJ0-EDYVB </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>
URLs

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd

http-equiv='Content-Type

Signatures

  • Maktub Locker

    Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (272) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
    "C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1356
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:5084
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4748
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1384
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\_DECRYPT_INFO_hpfqkh.html
    Filesize: 12KB
    MD5: 22a4a216df4133e20dc08f2d3ea4502a
    SHA1: 2740d03ea4de64d0852bcff9642fd3bfa14a7fe1
    SHA256: 788738a0476c256f99a3bc341d79ce5a23b10959f066b39f1cdec7715ed8bb42
    SHA512: 4f04c11c21cd8cb9811ea04344decf115a6cfe51a37ab6e1ad3ca04feabf5347d6510d3b13b53f435c497d207d1daaebaa118f8c468a76411dd88327846b5a32

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{13e2622c-ee51-431b-b9da-2b7a5448ade0}\0.1.filtertrie.intermediate.txt.hpfqkh
    Filesize: 48B
    MD5: b44a451048f514c889686321941785de
    SHA1: 6fc6756921d91682319e938e5948aeed77fc8b9b
    SHA256: 8f655a639555dc5b80e883ae5b078eb71c0e392847780715df64218edd4b68ed
    SHA512: ca50cb9c82d9f049f07e1fc324cfd7926225aadca7d6f1a1e3fdd38e84bb02d00b8775c062497bfd350f59001d40e342c4bc0f6ac92ca158407991cb1a30d5d5

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae54cee-4e53-4f2c-ba02-98fdc815aead}\_DECRYPT_INFO_hpfqkh.html
    Filesize: 12KB
    MD5: b86f43b2df9646e99f7075e97f5d9288
    SHA1: 852a39df1e0cab1dbfcf1563c101b576cb00c7db
    SHA256: 4c8e37a22750c0695a1c77d01ab4214c115ba3d4061b05601b14cc6547b22680
    SHA512: 9a8eba7d36d255a7fef8174a9f957da9bad77cc93445007e4b7e6033665af5ec6e18ffef71573cc7e005ac500eaac9407969c19140880c623e640caf56e67dc2

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fe1f2851-ffca-4750-ab86-7885527899b0}\0.2.filtertrie.intermediate.txt.hpfqkh
    Filesize: 48B
    MD5: 5fa58c41f4908f44397b28efd566e442
    SHA1: a5227be37c47a58eee0a958947f43ed61392df72
    SHA256: ad0537689da56d6fa71a34c198cc2a04163ba5dc7d85d8940bc272d9844c892b
    SHA512: 5e302ef46c5d3e4b64b5361874a7812ba995a5c89174631690eff20b92be8e4b9131c2d74121187d208a5c41e977a10b0d430801f51c45a8c76965fec3aa719c

  • C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf
    Filesize: 4KB
    MD5: 2d5020c82de674b48cfd17cc20fcbba2
    SHA1: 4e317eaeebd839ee5f6eb3925a9fbee819c5349c
    SHA256: 120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a
    SHA512: ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d

  • C:\_DECRYPT_INFO_hpfqkh.html
    Filesize: 12KB
    MD5: 3024997a92f4fc1adfd58fe2ce534b1b
    SHA1: b28de2095cdca4340947696df81928e0f1c9820f
    SHA256: 30083ff1dc868e3ac67610ce9d3ec4d53f9da61005c5a7d616cee9f1f8358701
    SHA512: 1cc39d250a9fdbeb43a93fb129235b6bf96d143652e017fc365812da441ecaf746ce89120f15df2e14541a040a589e67aa0526d0fd1d336a0221f7aaf1b58ebe

  • memory/1356-76-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-63-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-14-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-15-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-17-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-16-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-18-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-19-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-20-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-21-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-22-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-23-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-24-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-25-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-116-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-115-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-26-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-29-0x00007FF9B35C0000-0x00007FF9B35D0000-memory.dmp
    Filesize: 64KB
  • memory/1356-30-0x00007FF9B35C0000-0x00007FF9B35D0000-memory.dmp
    Filesize: 64KB
  • memory/1356-114-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-112-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-113-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-110-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-111-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-81-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-79-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-80-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-78-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-77-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-75-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-13-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
    Filesize: 64KB
  • memory/1356-74-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-28-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-73-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-72-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-66-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-67-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-68-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-69-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-70-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/1356-71-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
    Filesize: 2.0MB
  • memory/3076-51-0x0000000003A60000-0x0000000003A68000-memory.dmp
    Filesize: 32KB
  • memory/3076-50-0x0000000003A60000-0x0000000003A68000-memory.dmp
    Filesize: 32KB
  • memory/3076-55-0x0000000003A70000-0x0000000003A98000-memory.dmp
    Filesize: 160KB
  • memory/3076-56-0x0000000003A70000-0x0000000003A98000-memory.dmp
    Filesize: 160KB
  • memory/3076-0-0x0000000002D10000-0x0000000002D68000-memory.dmp
    Filesize: 352KB
  • memory/3076-52-0x0000000003A70000-0x0000000003A98000-memory.dmp
    Filesize: 160KB
  • memory/3076-45-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB
  • memory/3076-44-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB
  • memory/3076-47-0x0000000003A60000-0x0000000003A68000-memory.dmp
    Filesize: 32KB
  • memory/3076-41-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB
  • memory/3076-62-0x0000000000400000-0x0000000000461000-memory.dmp
    Filesize: 388KB
  • memory/3076-46-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB
  • memory/3076-57-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB
  • memory/3076-40-0x0000000000400000-0x0000000000461000-memory.dmp
    Filesize: 388KB
  • memory/3076-7-0x0000000000400000-0x0000000000461000-memory.dmp
    Filesize: 388KB
  • memory/3076-58-0x0000000003A70000-0x0000000003A98000-memory.dmp
    Filesize: 160KB
  • memory/3076-27-0x0000000002FE0000-0x0000000002FE1000-memory.dmp
    Filesize: 4KB
  • memory/3076-5-0x0000000000400000-0x0000000000461000-memory.dmp
    Filesize: 388KB
  • memory/3076-4-0x0000000002D10000-0x0000000002D68000-memory.dmp
    Filesize: 352KB
  • memory/3076-3-0x0000000002D10000-0x0000000002D68000-memory.dmp
    Filesize: 352KB
  • memory/3076-2-0x0000000002FE0000-0x0000000002FE1000-memory.dmp
    Filesize: 4KB
  • memory/3076-1-0x0000000002D10000-0x0000000002D68000-memory.dmp
    Filesize: 352KB