Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/05/2024, 23:36

General

  • Target

    3722b18641aa6ede7dc102364b583f2e_JaffaCakes118.exe

  • Size

    375KB

  • MD5

    3722b18641aa6ede7dc102364b583f2e

  • SHA1

    3edcff06d8091b9dd4b3a9543f05d3158c29e97a

  • SHA256

    55912e6cc4a71d5c51b0eba1e63473f9c5653cfbca176d8cdb22165417a0f2d6

  • SHA512

    d171c394ecb45cb3ef61bc89381cb8ea2f99c006f65c2f7fb0146fea8be82e52daa15dd84e14d196948400b024bd970a837ed3a5c2dcb47165792cade7e7d31d

  • SSDEEP

    6144:2npfnTfCEkXi0AOddyd1NTGRsPs9vAYY53Su29t7jnTIVcPp/jaL:+5LC1Xi09RRJjQCu2L7jTIah4

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+wka.txt

Ransom Note
________________________1234____________________________________
- What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
________________________1234____________________________________
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
________________________1234____________________________________
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gfhshhf.home7dfg4.com/3CBB1F8BF46677CB
2. http://td63hftt.buwve5ton2.com/3CBB1F8BF46677CB
3. https://tw7kaqthui5ojcez.onion.to/3CBB1F8BF46677CB
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: tw7kaqthui5ojcez.onion/3CBB1F8BF46677CB
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal pages:
http://gfhshhf.home7dfg4.com/3CBB1F8BF46677CB
http://td63hftt.buwve5ton2.com/3CBB1F8BF46677CB
https://tw7kaqthui5ojcez.onion.to/3CBB1F8BF46677CB
Your personal page (using TOR-Browser): tw7kaqthui5ojcez.onion/3CBB1F8BF46677CB
Your personal identification number (if you open the site (or TOR-Browser's) directly): 3CBB1F8BF46677CB
URLs

http://gfhshhf.home7dfg4.com/3CBB1F8BF46677CB

http://td63hftt.buwve5ton2.com/3CBB1F8BF46677CB

https://tw7kaqthui5ojcez.onion.to/3CBB1F8BF46677CB

http://tw7kaqthui5ojcez.onion/3CBB1F8BF46677CB
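The note above is the only place this sample exposes its payment infrastructure, and the same .onion service appears three ways: behind a clearnet onion.to gateway, as a bare address for Tor Browser, and in the URL list. The following is an added example (not part of the Triage report) that pulls the indicators out of the note text, folds gateway hostnames back to the hidden service, and uses the victim ID in the URL path to separate the attacker's payment pages from the reference links to Wikipedia and torproject.org that a naive URL grep would also return. The sample text is a constructed subset of the note's own lines; the gateway suffix list and the regular expressions are assumptions, not something the report provides.

```python
import re
from urllib.parse import urlparse

# Lines of the extracted ransom note that carry indicators (constructed subset;
# the wording is the note's own).
NOTE = """\
What happened to your files ? All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gfhshhf.home7dfg4.com/3CBB1F8BF46677CB
2. http://td63hftt.buwve5ton2.com/3CBB1F8BF46677CB
3. https://tw7kaqthui5ojcez.onion.to/3CBB1F8BF46677CB
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: tw7kaqthui5ojcez.onion/3CBB1F8BF46677CB
Your personal page (using TOR-Browser): tw7kaqthui5ojcez.onion/3CBB1F8BF46677CB
Your personal identification number (if you open the site (or TOR-Browser's) directly): 3CBB1F8BF46677CB
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Scheme-less v2 (16 chars) or v3 (56 chars) onion address with optional path. The
# lookarounds stop it matching inside a full URL or a gateway name such as x.onion.to.
BARE_ONION_RE = re.compile(r"(?<![\w/.-])(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?![\w.])(?:/\S*)?")
VICTIM_ID_RE = re.compile(r"identification number[^:\n]*:\s*([0-9A-F]{8,})", re.I)

# Clearnet Tor gateways seen in ransom notes (assumed list). A host ending in one of
# these is a proxied hidden service, not separate infrastructure, so it is folded
# back to the .onion name for blocking and pivoting.
TOR_GATEWAYS = (".onion.to", ".onion.cab", ".onion.link", ".onion.ws", ".tor2web.org")


def normalize_onion(host):
    host = host.lower()
    for gw in TOR_GATEWAYS:
        if host.endswith(gw):
            return host[: -len(gw)] + ".onion"
    return host


def extract_iocs(note):
    ids = set(VICTIM_ID_RE.findall(note))
    victim_id = ids.pop().upper() if len(ids) == 1 else None

    candidates = set(URL_RE.findall(note))
    candidates.update("http://" + m.group(0) for m in BARE_ONION_RE.finditer(note))

    payment_urls, payment_hosts, onion_hosts, other_urls = set(), set(), set(), set()
    for url in candidates:
        parsed = urlparse(url)
        host = normalize_onion(parsed.hostname or "")
        if host.endswith(".onion"):
            onion_hosts.add(host)
        # The victim ID in the path is what ties a URL to this campaign's payment portal;
        # the Wikipedia and torproject links are reference material, not attacker infra.
        if victim_id and parsed.path.rstrip("/").upper().endswith(victim_id):
            payment_urls.add(url)
            payment_hosts.add(host)
        else:
            other_urls.add(url)

    return {
        "victim_id": victim_id,
        "payment_urls": sorted(payment_urls),
        "payment_hosts": sorted(payment_hosts),
        "onion_hosts": sorted(onion_hosts),
        "other_urls": sorted(other_urls),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE).items():
        print(key, value)
```

Running it against the note yields one victim ID, three payment hosts (two clearnet subdomains plus the single hidden service) and two unrelated URLs. The gateway normalization matters for blocking: a rule on `tw7kaqthui5ojcez.onion.to` alone misses the same portal reached through any other tor2web front.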

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
  • Renames multiple (375) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3722b18641aa6ede7dc102364b583f2e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3722b18641aa6ede7dc102364b583f2e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Roaming\qdwqh-a.exe
      C:\Users\Admin\AppData\Roaming\qdwqh-a.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2052
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} bootems off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2900
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} advancedoptions off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2524
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} optionsedit off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2612
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2708
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} recoveryenabled off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2876
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2404
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1676
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1580
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2400
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\qdwqh-a.exe
        3⤵
        PID:2384
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3722B1~1.EXE
      2⤵
      • Deletes itself
      PID:1972
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2452
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2028
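The process tree is the most useful detection material on this page: the dropped copy in AppData\Roaming spawns five bcdedit calls that disable recovery and the advanced boot menu, runs vssadmin twice to wipe shadow copies, opens the ransom note, and then both stages erase their own binaries through cmd /c DEL. The following is an added example (not Triage's own signature logic) that runs rule matching over process records built from that tree, the way the Signatures section above would be reproduced on Sysmon or EDR telemetry. It walks the parent chain so that a cmd /c DEL is flagged only when its target is an ancestor's image, including the 8.3 short name 3722B1~1.EXE used for the original sample, and it rolls findings up to the root process so a lone vssadmin call from an administrator does not score as ransomware. The records are constructed from the tree above; the rule names, the ATT&CK mapping and the short-name heuristic are this example's assumptions.

```python
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SYS32 = r"C:\Windows\System32"
SAMPLE = "3722b18641aa6ede7dc102364b583f2e_JaffaCakes118.exe"

def j(*parts):
    return "\\".join(parts)

# Constructed process records (pid, ppid, image, command line) mirroring the tree in the
# report; in production these come from Sysmon event 1 or EDR process telemetry.
PROCESSES = [
    (2076, 1000, j(TEMP, SAMPLE), '"' + j(TEMP, SAMPLE) + '"'),
    (2052, 2076, j(ROAM, "qdwqh-a.exe"), j(ROAM, "qdwqh-a.exe")),
    (2900, 2052, j(SYS32, "bcdedit.exe"), "bcdedit.exe /set {current} bootems off"),
    (2524, 2052, j(SYS32, "bcdedit.exe"), "bcdedit.exe /set {current} advancedoptions off"),
    (2612, 2052, j(SYS32, "bcdedit.exe"), "bcdedit.exe /set {current} optionsedit off"),
    (2708, 2052, j(SYS32, "bcdedit.exe"), "bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"),
    (2876, 2052, j(SYS32, "bcdedit.exe"), "bcdedit.exe /set {current} recoveryenabled off"),
    (2404, 2052, j(SYS32, "vssadmin.exe"), '"' + j(SYS32, "vssadmin.exe") + '" delete shadows /all /Quiet'),
    (1676, 2052, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt'),
    (2184, 2052, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html'),
    (2400, 2052, j(SYS32, "vssadmin.exe"), '"' + j(SYS32, "vssadmin.exe") + '" delete shadows /all /Quiet'),
    (2384, 2052, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c DEL ' + j(ROAM, "qdwqh-a.exe")),
    (1972, 2076, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c DEL ' + j(TEMP, "3722B1~1.EXE")),
]

# (rule, ATT&CK technique, image-basename regex, command-line regex); matched case-insensitively.
RULES = [
    ("shadow_copy_deletion", "T1490", r"^vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("recovery_disabled", "T1490", r"^bcdedit\.exe$", r"\brecoveryenabled\s+(off|no)\b"),
    ("boot_failure_ignored", "T1490", r"^bcdedit\.exe$", r"\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("boot_options_locked", "T1490", r"^bcdedit\.exe$", r"\b(advancedoptions|optionsedit)\s+off\b"),
    ("ransom_note_opened", "T1491.001", r"^(notepad|iexplore)\.exe$",
     r"(restore|recover|decrypt)[^\\\s]*\.(txt|html?)\b"),
]
DEL_RE = re.compile(r"/c\s+del\s+(.+?)\s*$", re.I)

def same_file(ref, full):
    """True when `ref` names `full`, allowing `ref` to be an 8.3 short name such as
    3722B1~1.EXE. The short-name check is a heuristic: same directory and extension,
    and the long name starts with the characters before the tilde."""
    rdir, _, rname = ref.lower().rpartition("\\")
    fdir, _, fname = full.lower().rpartition("\\")
    if rdir != fdir:
        return False
    if "~" not in rname:
        return rname == fname
    stem = rname.partition("~")[0]
    return fname.startswith(stem) and rname.rpartition(".")[2] == fname.rpartition(".")[2]

def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... while they exist in the dataset (cycle-safe)."""
    seen = {pid}
    ppid = by_pid[pid][1]
    while ppid in by_pid and ppid not in seen:
        yield by_pid[ppid]
        seen.add(ppid)
        ppid = by_pid[ppid][1]

def root_of(pid, by_pid):
    root = pid
    for anc in ancestors(pid, by_pid):
        root = anc[0]
    return root

def evaluate(processes):
    """Return (pid, rule, technique) for every process that trips a rule."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, _, image, cmdline in processes:
        base = image.rpartition("\\")[2]
        for rule, tech, img_re, cmd_re in RULES:
            if re.search(img_re, base, re.I) and re.search(cmd_re, cmdline, re.I):
                findings.append((pid, rule, tech))
        # Self-deletion: cmd /c DEL whose target is the binary of an ancestor process.
        m = DEL_RE.search(cmdline) if base.lower() == "cmd.exe" else None
        if m and any(same_file(m.group(1).strip('"'), a[2]) for a in ancestors(pid, by_pid)):
            findings.append((pid, "deletes_ancestor_binary", "T1070.004"))
    return findings

def is_ransomware_like(rules):
    # vssadmin alone is noisy (admins and backup agents run it); require it together
    # with boot-recovery tampering or self-deletion before calling the tree ransomware.
    return "shadow_copy_deletion" in rules and bool(
        rules & {"recovery_disabled", "boot_failure_ignored", "deletes_ancestor_binary"})

def summarize(processes):
    """Roll findings up to the root of each process tree: {root_pid: (rules, verdict)}."""
    by_pid = {p[0]: p for p in processes}
    per_root = defaultdict(set)
    for pid, rule, _ in evaluate(processes):
        per_root[root_of(pid, by_pid)].add(rule)
    return {root: (sorted(rules), is_ransomware_like(rules)) for root, rules in per_root.items()}
```

On these records the whole tree rolls up to PID 2076 with six distinct rules and a ransomware verdict, and both cmd.exe instances are attributed as self-deletion even though one of them names the sample by its short name. Note that the 8.3 comparison only checks the directory, extension and the six-character prefix; a directory with several long names sharing that prefix would need the real short name from the file system to disambiguate.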

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+wka.html

      Filesize

      6KB

      MD5

      4fdbaae84350b13c67e8ec55f418d7b6

      SHA1

      e7701b352cf13227e6da7407a5faf53c922d6887

      SHA256

      5e23e0967a0fbfc421e5a35e360544e34afc2ab8ca247970e74ffc068d96a0d1

      SHA512

      7d018f773769befda275afc094ac51f2a60641f044f10bb49b56c7978b59c5e3cfbb78a8fb8f539ee469531c03c0ad1a8f05d92e34f6a196f18984c1b863292e

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+wka.txt

      Filesize

      2KB

      MD5

      6d69fb8fda55d8bc8408f7c86ae61c92

      SHA1

      e2cd664a9983313a0b339bb04026acfc4bdcc903

      SHA256

      141d9c2a1c321270d27d2a749ade3af36dd37d1175f3af562d3a8ae92d2195b2

      SHA512

      f2b96fae77857e2feae1307bb53891ac30f5dc333bcfbb5747d4ad896b915f125905adf8dcd827c553c9cc6bfdc3fd9fd8b7a5fb364a29ab4f3331cb8db5a5b7

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

      Filesize

      11KB

      MD5

      b08aae79d6a49270dc094527de404493

      SHA1

      91ed8f67aaaa0647947f2d22d6977a4e2da033a9

      SHA256

      444c7b9b711ae5c99962f3a1453a3ae8b4369ebc94bda8625ee91e62b8ebc866

      SHA512

      d5ba91ed5f6fbe198f136f26764d3264acf6ecb26c7548bc9fc44928406ca9e874e626e8cbb71b391df1aad92780e1eadc55b42c0c6f9653f35a23a437c46f6f

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      109KB

      MD5

      078496533dd38d4bf13f43b88c46d6cf

      SHA1

      6a2d20a3071e8e6e53ca7528238373cc0032da8a

      SHA256

      fa35c5261af14dcc864434c79a37eff5d07077b7956ec35f5a55ad216904691a

      SHA512

      acba2452ba32f28ab5b46e207ede97578d046504ba25ac78eec8b323a63f6166bc515107bc326f2ffafd9845a3e1bde684c5dec5ae1277e245b090c7f8b6f567

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

      Filesize

      173KB

      MD5

      d4e43565cd9cd4ba6a984fa8f128fb5a

      SHA1

      0ce183d2a3066cd85de7c7b43fd4fd2db897b247

      SHA256

      f94d17941974c15db440d3180c8b1ed315de8b9587a7253bf473e61237d6d9f9

      SHA512

      7e5636a8a9f6f8a991dcc9809bc66c799be562e6d0cf54ca638cd2a27c645d5004ac15341833aaafab69b230ae758882774c1182b4f2fe31ce5bcca56e88647d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      914B

      MD5

      e4a68ac854ac5242460afd72481b2a44

      SHA1

      df3c24f9bfd666761b268073fe06d1cc8d4f82a4

      SHA256

      cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

      SHA512

      5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      252B

      MD5

      4cebc7b63c76ff626fb1702a5cee7077

      SHA1

      842558e20b0126f1950c6e1ca6474da31d56b4ab

      SHA256

      a481166761492b51e1a2bc79fe86928c0e58322ef3f3afaab575dd02e8bbbf8d

      SHA512

      a281fa7ca081b47e0c674a7c42cae13d7be815d3d2b182dc5047501ac5a3899d49d325ea4f2b042ff39d1bd39bba74e81bb24fb87f15a015c51b7a1513427c33

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      3a071f03ce00b759dd53f5508735126c

      SHA1

      a6fa93bc793ef6e29ba8ac66475ecb103738bdca

      SHA256

      364795860f4ecf27d14d97fed0416d319cf0eade2eb01aee9d662a30081ff43d

      SHA512

      0552e953207c4c93c5695deed757f3c16ec026621ce8a3d78ea3c13f79d64a39b544281334d4a940a31367ba220b34c8dc651ceb70752810e3a82a5665285d19

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      ef3ea88acd9ddc7c75274d69762cc418

      SHA1

      81521f323b5374736b3e9112fc3c618aa3285e8b

      SHA256

      c7f4f44b1843f93fc145317729f22059b09e6922dea06faf3dd234c006c323ff

      SHA512

      82ec9c0ce0529829256bc366ae87075a6fe4d87ec8236fce25f8ef820fc571bf53afdb43bdad615066972990c4ee49bcd065eeb70a1c6ef72af45a839cc69dee

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      572b7f5570af577985836cb14e960a90

      SHA1

      1f4beb364b82ff97e0f5f0cb030032969218436a

      SHA256

      aeab8da815ba508453ddba486a126bcf1b3db178466939f9cb80e7adec5aa4b2

      SHA512

      a7a872bf0aca56a2caae9aa0eb685e9393b6ff9c1fa3a99d1c4faea1def5c9451c1f51be9741da2842e74080a30ef2073790ad1e73c245bfc6348cb75617ebd1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      c1d21f0ba00e093374b5f53a96a0023a

      SHA1

      9ea669c77c52bd97a322e5e5c2461beaba82b956

      SHA256

      7d07eee83a9ccdf08ddc07a1d5c8381db647a102e5ca5ed7268f89ca00cd5914

      SHA512

      c54b4b1d1bb1e0156407663ea251f7c1b3e593b2d23cbc41489c84bb2fe3a6b5f4a954900079c49ba2b16c502858b842731dbb185e34c671904f5e112d5c02a5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      c1b4986daab02a2d3450eb4b6e92eb7f

      SHA1

      c046137c52603dbc4322c20b952aa2ff223c74aa

      SHA256

      5861392e20484d1e821fbaa16bb51a5081a649138e8eda8a234b886bd14c6ec9

      SHA512

      71c77c3491363a90181662cd9b481670c4aada175d39a1bec7b0c6d36a77bd7123425ab007cc6ea910a38c45ab76e1cb319d271aa0335d5082b199fbf31df709

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      d5bd27306a782b69d3684ec0fa9e4f5f

      SHA1

      e67fe3f5ff3a10cf9e9c060863bb645906db2765

      SHA256

      f4eec580e2198928bff83203f2b7c1c12dddc26895bd19fa4778e26cc0df3c52

      SHA512

      be365e6b1783bbb040b895c5eb275dee37480a2d4590582d257b36cfec467e13820e906033e8f72a6fe6ce8c9f7b124b1f6b4f8db3337439512593575803ef2c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      c0b7c25a75b2bd0f3515282f57e62eda

      SHA1

      68dde2a19b085d389e1fd8a17715e49d2f07c808

      SHA256

      8d42a6f1b90ab0a7476ea1998e112d83910f727d50ced77dbfbe5c75805db32d

      SHA512

      7d217121e11628eab603cfe5b71afabdfe5fdf2a11f119d49168a44004e8573a34a8dd34dcd042f05f39af3a7a570d085ad292a849357464728210978c73b115

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      5a7c6fe032aeb753951d324b85baabca

      SHA1

      080b909ceb01f63468201779ebd9a4e2cc4d9d7c

      SHA256

      90f0b1f6b5775d2aac54a3e112f4ec35a8cb17e0d8c6055860717dfc635552ba

      SHA512

      205cab6ad6e5a3328d73cb9cfd37b4d81564c7b82e59bf0abbf3a61b1a6adb21e9290a8522a5e4422acc5233e22c369a960ccb98c6cc80017533f857f5b41a8a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      a4fee2d47a05979761f5246cd4386096

      SHA1

      174e2dfff9a9300fd988528494a9bd1927c37ebf

      SHA256

      6cb80768e7ab336fe03ce73be68846cabd02089eaa8aaa90301330ae5c979fc8

      SHA512

      0afd90724b6436b6fb68c6044573250c5ec51a93a3a253c09ec98e6869d1e30971326da0272184dc1eac22398f2fa2ef651a70b772812bc45b3faccce024e76a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      5fc2643758b6ced1bf6a6b3d6c0a8195

      SHA1

      322f82f3666d8b4887d822d5c87fd315049185f2

      SHA256

      10b868f9090f4dbffb9644f783287e4f5dc1f737f86d329f13fcaf1424b78b7b

      SHA512

      046c97a0e5834336bb46dee4130af817416ecae5402588c751c185ac3a54bf7247e942514f3dc6932aa45e406cbb8d527f3405a2a5122de9345e0fa27f42bdb5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      b553db55b15b1a1720dd473708873ce6

      SHA1

      beb3909035fea5984c3b409a6ec7c408658234d3

      SHA256

      2127e991fc6518237fde58603849d70e05e8a15d8aafb8be213649dd338d48d4

      SHA512

      1cb25fb2465a046f1746cbb7b7aa7d648952b75b96af54578db02e83a571af1212aec7c9fc42b09f0453c16672fb1a36652db06095eeab81ab4741429586928e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      3752718dd8b8813cc415b860d0eb1900

      SHA1

      d98d183cd61dae8f5002428ae1ea40bfcd41c1e1

      SHA256

      81f2a1b419f97f01fa020c82504826ec148b927c312b56e8813758dc4232a9d8

      SHA512

      fb020068f759a71856ff5710bef9083a8deaa30eb8a2fb9d1fe6d69a3ea2c2a60b7682a7075d61eb15047d3118e5ac6a5cd527e65f16c531a68433f1c9aec18f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      26b506ec87cac1e0feaae8a458d316ce

      SHA1

      3cd9603a09dd0454d07e287a8aafc7c6b918369c

      SHA256

      c2baa9fed1b281237797599e6369757f2c94a078f2c821f992af8e829b3f94a9

      SHA512

      1ce7b4ec44f28314f1f5cea0b03ff13653eb8739b265ed1208ceebb77426916523f0d15759267996f5cc80d15015e6517b05b15a717e127edd40d37242afe804

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      637f22d749cc57a6a4c2b1298608e057

      SHA1

      0cb336cfb08985ecd8057a80917c640ab7ed6a3d

      SHA256

      a72699ce9fe8c9086669701f43763c9dbcf0068d5c8607a86e1ee8a4b44f738f

      SHA512

      822b010b9a90b22d1e625028270f109ea7540dcb823a28cec9538bbba234e70770e2a6fb448a9ac8e1a7e275b450f161edaa5009f4b589da5bbc61620e23c78c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      18b123fdd34771c1e1bf235405720416

      SHA1

      989bed5e287349aed8c64a60e1adafd8ff112d5e

      SHA256

      5e5ebd67956e59c284c1ea44e8e20a37a68418cada4e2b5250976bc5fe6584b0

      SHA512

      dbf2361858cd81c93042e7f52e859d570ef2c9a804de5001fc39bf8c6067ab8dceceeef8d41f1d20c93de90b9872989db3af2a199a504a2b8592f93e7ac24078

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      3a635c8b0b51d953865703bf9d058f3e

      SHA1

      8344b61d2a6426fab4e7c4a5dd3e12cba521b57a

      SHA256

      bd17aefef0742272869d8c74186653e7ac6e9562cd43286cf30baedcd107994b

      SHA512

      6c1bdff28d33ea4ad86bec6846f6f6e32bc1e6e7fdcbfb0e96e25a763df32efb6571341f544a90ac75640723214d50c0ff587b2cd71f329bad1434a283b4a9b8

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      d1817aab3771eaabc209eecbe2420db2

      SHA1

      d5cd4f22ce3d069c636377fd6d06a5c6eb0166cd

      SHA256

      269519caebf8272b5ab755a808e2dd39a52d1c22bd5108a2d474ddf217176b58

      SHA512

      1bfaba883cc9259ab96113237a29d5e740b21a5a4233935dfc557d7b7d7da881a1b3cc70a872ae0b3808e6602d738c92895c95ec4ea11c8d6d0fc64e3dfc89f1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      d3cc1bbb8fb6a5aafcc103dea5837e2a

      SHA1

      8c4bb6240689c7de29b75624a029fc0f644d5323

      SHA256

      e3834ae1fa8cc724e999cabad76c803e5c01d6fa0b375c13383032f166162d2d

      SHA512

      55656142b05f9693ca65262b91f0c6090219b37d3f584abc03f921531450415e1245fc41cee9b2132590fc9f8c3838b42a451a70666283935e24c130daf7a6fa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      a6f9ec64b83c2ab5a024940ccd18d294

      SHA1

      9ce32cd37b8bce57d3ba85a7285618beba5e985d

      SHA256

      92065d9dc9245e58bef7e18b3b1cb10b3eeff87194bfb693057e1ffefa9050e7

      SHA512

      34172b2ffbbe9e99bd69798ded49e268b9af5523e35a737e89d58504c47b39a887259a02cf607773ae3c11c44b26088989b12595ecf67c8c18d0f0fdc24c5b28

    • C:\Users\Admin\AppData\Local\Temp\Cab4D37.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Cab4EF0.tmp

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar4D78.tmp

      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    • C:\Users\Admin\AppData\Local\Temp\Tar4F52.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\Desktop\Howto_RESTORE_FILES.bmp

      Filesize

      3.3MB

      MD5

      b092dda4f22feab3059d592bb3eb052d

      SHA1

      d6c580fbb3916498976c525f0dc30b7b42283544

      SHA256

      cddda769f568d0472f21a4627898868e109e170a82ca8f3f1c1f6bdd829d681b

      SHA512

      04be17083baa8225746b363c10d3c2e64287994c1e0f203f9e4b8420a70cda183e4beac4930b4b68449ccaacd8b48ee00f1e6d39741b7d0aca31881abf92c1cb

    • \Users\Admin\AppData\Roaming\qdwqh-a.exe

      Filesize

      375KB

      MD5

      3722b18641aa6ede7dc102364b583f2e

      SHA1

      3edcff06d8091b9dd4b3a9543f05d3158c29e97a

      SHA256

      55912e6cc4a71d5c51b0eba1e63473f9c5653cfbca176d8cdb22165417a0f2d6

      SHA512

      d171c394ecb45cb3ef61bc89381cb8ea2f99c006f65c2f7fb0146fea8be82e52daa15dd84e14d196948400b024bd970a837ed3a5c2dcb47165792cade7e7d31d

    • memory/2028-4150-0x0000000000170000-0x0000000000172000-memory.dmp

      Filesize

      8KB

    • memory/2052-4149-0x0000000002830000-0x0000000002832000-memory.dmp

      Filesize

      8KB

    • memory/2052-4159-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2052-4161-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2052-3718-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2052-1495-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2052-1024-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2052-573-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2052-62-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2052-9-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2076-8-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2076-7-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2076-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

      Filesize

      4KB

    • memory/2076-1-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB