Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2024, 22:36

General

  • Target

    764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe

  • Size

    364KB

  • MD5

    764a3a6827e4d04ebbb801e8f5b95f8b

  • SHA1

    6bdba1a36f825e2b6cbe2c71bfa2e31ad148ddcb

  • SHA256

    091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1

  • SHA512

    2a05444918da6ac9e400c1b7c5f58e60187035b4533be28b4b516f8002edfcd9b1eaa9207b820e26f6cd08c51a7ca8610dd4aa785d3b9ffd2dedd04a8aa197f2

  • SSDEEP

    6144:3M3Ia4g7E/Rd1WjfqMsSW9ZgsQ6LEme81Ip8/V+9jeOLzZXcIwXHX:qIt4EELq7p9ZgeLDc8/VkphcI

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+kau.txt

Ransom Note
________________________1234____________________________________-

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
________________________1234____________________________________
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
________________________1234____________________________________
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gfhshhf.home7dfg4.com/BC924546C7D5D9B
2. http://td63hftt.buwve5ton2.com/BC924546C7D5D9B
3. https://tw7kaqthui5ojcez.onion.to/BC924546C7D5D9B
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: tw7kaqthui5ojcez.onion/BC924546C7D5D9B
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal pages:
http://gfhshhf.home7dfg4.com/BC924546C7D5D9B
http://td63hftt.buwve5ton2.com/BC924546C7D5D9B
https://tw7kaqthui5ojcez.onion.to/BC924546C7D5D9B
Your personal page (using TOR-Browser): tw7kaqthui5ojcez.onion/BC924546C7D5D9B
Your personal identification number (if you open the site (or TOR-Browser's) directly): BC924546C7D5D9B
URLs

http://gfhshhf.home7dfg4.com/BC924546C7D5D9B

http://td63hftt.buwve5ton2.com/BC924546C7D5D9B

https://tw7kaqthui5ojcez.onion.to/BC924546C7D5D9B

http://tw7kaqthui5ojcez.onion/BC924546C7D5D9B
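The four URLs above carry the same path token as the "personal identification number" in the note, and the third clearnet address is not a separate site at all: the .onion.to suffix is a Tor2web-style gateway in front of the same onion service the note tells the victim to open in Tor Browser. The script below is an added example, not code from the sandbox report or from the sample, that turns a note like this into structured indicators: it pulls the victim ID, keeps the two disposable clearnet domains apart from the stable onion, and folds the gateway host back onto that onion. The NOTE string is a constructed excerpt of the note extracted on this page; the function names and the TOR2WEB_SUFFIXES list are my own assumptions.

```python
"""Extract the victim ID and payment-site hosts from a ransom note.

Added example; not part of the sandbox report or of the malware. NOTE is a
constructed excerpt of the note extracted on this page. Function names and
TOR2WEB_SUFFIXES are assumptions of this example.
"""
import re

# Constructed input: the address-bearing lines of the extracted note, plus two
# legitimate URLs from the same note that an extractor must not report as C2.
NOTE = """\
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
1. http://gfhshhf.home7dfg4.com/BC924546C7D5D9B
2. http://td63hftt.buwve5ton2.com/BC924546C7D5D9B
3. https://tw7kaqthui5ojcez.onion.to/BC924546C7D5D9B
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: tw7kaqthui5ojcez.onion/BC924546C7D5D9B
"""

# A host followed by a path that is a single long hex token: the per-victim ID.
# The scheme is optional because the Tor Browser line carries none.
URL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})/([0-9A-F]{8,})(?![\w/])", re.I)

# Gateways that expose an onion service under a clearnet DNS name (assumption:
# extend with whatever gateways appear in your own data).
TOR2WEB_SUFFIXES = (".onion.to",)


def classify_host(host: str) -> tuple[str, str]:
    """Return (kind, canonical host); a Tor2web host is rewritten to the bare .onion."""
    host = host.lower()
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith(suffix):
            return "tor2web", host[: -len(suffix)] + ".onion"
    if host.endswith(".onion"):
        return "onion", host
    return "clearnet", host


def extract(note: str) -> dict:
    """Victim ID plus de-duplicated hosts, with Tor2web gateways folded into their onion."""
    ids, clearnet, onions, gateways = set(), set(), set(), set()
    for m in URL_RE.finditer(note):
        host, victim_id = m.group(1).lower(), m.group(2).upper()
        ids.add(victim_id)
        kind, canon = classify_host(host)
        if kind == "clearnet":
            clearnet.add(canon)
        else:
            onions.add(canon)
            if kind == "tor2web":
                gateways.add(host)
    if len(ids) != 1:  # every address in one note should carry the same victim ID
        raise ValueError(f"expected one victim ID, found {sorted(ids)}")
    return {
        "victim_id": ids.pop(),
        "clearnet": sorted(clearnet),
        "onion": sorted(onions),
        "tor2web_gateways": sorted(gateways),
    }


if __name__ == "__main__":
    print(extract(NOTE))
```

For detection, the clearnet names are the cheap win (a DNS or proxy-log match on either domain), but they are the part of the infrastructure the operator can rotate; the onion name and the victim ID are what you pivot on across samples and across notes from the same campaign.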

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
  • Renames multiple (417) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Users\Admin\AppData\Roaming\iquwh-a.exe
        C:\Users\Admin\AppData\Roaming\iquwh-a.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Users\Admin\AppData\Roaming\iquwh-a.exe
          C:\Users\Admin\AppData\Roaming\iquwh-a.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1928
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {current} bootems off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:528
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {current} advancedoptions off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2640
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {current} optionsedit off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2412
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2356
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {current} recoveryenabled off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2660
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:3060
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2180
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1616
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1684
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\iquwh-a.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\764A3A~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2916
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1992
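The tree above shows three behaviours worth turning into rules rather than reading by eye: each executable launches a second copy of its own image after SetThreadContext and WriteProcessMemory on the parent (the process-hollowing shape), the final payload process (PID 1928) runs five bcdedit settings and vssadmin delete shadows to shut off Windows recovery paths and remove shadow copies, and both stages clean up with cmd /c DEL against their own image, once by long name and once by the 8.3 short name 764A3A~1.EXE. The script below is an added example, not code from the report or from the sample; the event list is constructed from the Processes tree on this page (parent PID 0 stands in for the parent the page does not show), and the rule names, the BCD_SETTINGS descriptions and the simplified 8.3 matcher are my own.

```python
"""Triage a process-creation log for the ransomware behaviours in this report.

Added example; not part of the sandbox report or of the malware. EVENTS is a
constructed list mirroring the Processes tree on the page; rule names and the
8.3 short-name matcher are assumptions of this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    flags: frozenset = frozenset()  # sandbox-style API indicators recorded for the process


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\iquwh-a.exe"
BCDEDIT = r"C:\Windows\system32\bcdedit.exe"
VSSADMIN = r"C:\Windows\System32\vssadmin.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
INJ = frozenset({"SetThreadContext", "WriteProcessMemory"})

# Constructed input mirroring the report's process tree (ppid 0 = not shown on the page).
EVENTS = [
    ProcEvent(2956, 0, SAMPLE, f'"{SAMPLE}"', INJ),
    ProcEvent(2800, 2956, SAMPLE, f'"{SAMPLE}"', frozenset({"WriteProcessMemory"})),
    ProcEvent(2944, 2800, DROPPED, DROPPED, INJ),
    ProcEvent(1928, 2944, DROPPED, DROPPED, frozenset({"WriteProcessMemory"})),
    ProcEvent(528, 1928, BCDEDIT, "bcdedit.exe /set {current} bootems off"),
    ProcEvent(2640, 1928, BCDEDIT, "bcdedit.exe /set {current} advancedoptions off"),
    ProcEvent(2412, 1928, BCDEDIT, "bcdedit.exe /set {current} optionsedit off"),
    ProcEvent(2356, 1928, BCDEDIT, "bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"),
    ProcEvent(2660, 1928, BCDEDIT, "bcdedit.exe /set {current} recoveryenabled off"),
    ProcEvent(3060, 1928, VSSADMIN, f'"{VSSADMIN}" delete shadows /all /Quiet'),
    ProcEvent(1684, 1928, VSSADMIN, f'"{VSSADMIN}" delete shadows /all /Quiet'),
    ProcEvent(1300, 1928, CMD, f'"C:\\Windows\\system32\\cmd.exe" /c DEL {DROPPED}'),
    ProcEvent(2692, 2800, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\764A3A~1.EXE'),
]


def hollowing_candidates(events):
    """Child spawned from the parent's own image while the parent used
    SetThreadContext + WriteProcessMemory: the process-hollowing (RunPE) shape."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower() and INJ <= parent.flags:
            hits.append((parent.pid, e.pid))
    return hits


# bcdedit settings that suppress the boot-time recovery paths a victim would reach for.
BCD_SETTINGS = {
    "recoveryenabled off": "disable automatic repair / Windows Recovery Environment",
    "bootstatuspolicy ignoreallfailures": "keep booting after failures instead of entering recovery",
    "advancedoptions off": "hide the F8 advanced boot options menu",
    "optionsedit off": "block editing of boot options at startup",
    "bootems off": "disable the Emergency Management Services console",
}


def recovery_inhibition(events):
    """Per parent PID, the distinct recovery-inhibition steps its children ran."""
    found = defaultdict(set)
    for e in events:
        cl = " ".join(e.cmdline.lower().split())
        name = e.image.lower().rsplit("\\", 1)[-1]
        if name == "bcdedit.exe" and "/set" in cl:
            found[e.ppid].update(f"bcdedit {s}" for s in BCD_SETTINGS if s in cl)
        elif name == "vssadmin.exe" and "delete shadows" in cl:
            found[e.ppid].add("vssadmin delete shadows")
    return {ppid: sorted(s) for ppid, s in found.items()}


DEL_RE = re.compile(r"/c\s+del\s+(?:/\S+\s+)*(.+?)\s*$", re.I)


def _short_name_matches(long_name: str, candidate: str) -> bool:
    """True if candidate is long_name itself or its 8.3 alias (simplified FIRST6~N.EXT rule)."""
    if long_name.lower() == candidate.lower():
        return True
    m = re.fullmatch(r"([^~.]{1,6})~\d+(?:\.(\w{0,3}))?", candidate)
    if not m:
        return False
    stem, _, ext = long_name.rpartition(".")
    if not stem:  # long name without an extension
        stem, ext = long_name, ""
    compact = stem.replace(" ", "").replace(".", "")
    return compact[:6].upper() == m.group(1).upper() and ext[:3].lower() == (m.group(2) or "").lower()


def self_deletion(events):
    """cmd /c DEL whose target is the parent's own image, by long or 8.3 short name."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = DEL_RE.search(e.cmdline) if e.image.lower().endswith("\\cmd.exe") else None
        parent = by_pid.get(e.ppid)
        if not (m and parent):
            continue
        t_dir, _, t_name = m.group(1).strip('"').rpartition("\\")
        p_dir, _, p_name = parent.image.rpartition("\\")
        if t_dir.lower() == p_dir.lower() and _short_name_matches(p_name, t_name):
            hits.append((e.pid, parent.pid))
    return hits


if __name__ == "__main__":
    print("hollowing:", hollowing_candidates(EVENTS))
    print("recovery inhibition:", recovery_inhibition(EVENTS))
    print("self-deletion:", self_deletion(EVENTS))
```

The short-name check is the part most easily missed in a real rule: a detection that compares the DEL target to the parent's image path by string equality catches the second-stage cleanup (PID 1300) and silently misses the first (PID 2692), because the sample deleted itself through its 8.3 alias. The matcher here implements only the common FIRST6~N.EXT case; the real generation rule also substitutes characters and can produce hash-based names, so treat a non-match as "unknown", not "clean".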


Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+kau.html

    Filesize

    6KB

    MD5

    0794ac99a6f60eb0e737a2e9cb1ab4ec

    SHA1

    89d31ef1b6e2d41655123ac0e76a4da3401ce796

    SHA256

    9894bf3d7044ced3910bf242282de2386a4af5ff3247fb982f1c749a808b73b3

    SHA512

    dd160ebb99054be2c47b1ab271408a86bb72a0f9434b71ef6314a0244361ec6db650a8afa40e0946b6c4d332f2ad37b648ecc06805da4a83bfcacdde03652e37

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+kau.txt

    Filesize

    2KB

    MD5

    148f92ad3e9e94860edac78a1cf11538

    SHA1

    67364632d152c05e99d6ff81a4ad7c793a8673de

    SHA256

    206b3974f77e98783e9a3d2d16b0400a911170cb3fd1cd0bb6dbbccfd89b9227

    SHA512

    01dd7d42fe1f1ee3b2a1bbbd7486bf97f8c65fe0e521e37741b88b4c9807966e577442722e276d33666606940da66c182c2caeb42d4474bc8b80b2929ad77608

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    e54aa028e3de94289cfdffe267e019a4

    SHA1

    0a3630e5adb9edb5aa68ebe7a15e8c81c6f2f3f4

    SHA256

    5687e31b80f3c59d142130c68b8053ed00ebaa9f96c45580bc92be648465be05

    SHA512

    71a8f0ed802df2a321f440a52f2da793e9e2fb27ad849542a65448155380ca57f155dec583c163e15883f2014008c48eb9c5d05d1b0a7b30daf65e6fa83d4e8a

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    166f6f456a1a6872f3773bf8418846ff

    SHA1

    2c328390bcaffed35ecf59ecb1976754d25ff482

    SHA256

    8f220bc06a83e03f303e8ec0545f8d38117b3fbac63922af8e48e7cb20b15525

    SHA512

    a2fd985842f5c033a197971ff555019c5dbac93bfe623614423472e3e9cda19c7b6baf7b5a9e82705b3b6c325dee9d5573bf0cfd3e0f6e8894e239a7f1089000

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    6c4fdc53cf759ce56ebdbbb973944453

    SHA1

    6f949962c70291ea43d45f956ffec09d315b6d4c

    SHA256

    5cc35d60aa4ee3499f87f51ac13ecc2a3845916473ee43d00b0723deb4431f1e

    SHA512

    0db741ecb5aa9af4525bbfa350cb0531734a4987c80a44acaa8ee8791094460f4e6ed09a103cc137309ead4898a0829c35f0788ff926a504a370ab4b91730ac0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5de7135b51b4a68878ab48077214c761

    SHA1

    e0fc56f8cc1addba4f6c6c108c6bc26b3acf2f2d

    SHA256

    e325675e819d4d6c14ddca13268c82042251d2344afd158a28dd67b1dd970539

    SHA512

    a305ec061f348ad7a0f5189e90469f9dcd46fd65d0f227bae033eb86aefe4ec77a7d807f100e4d04f30cf44849756a2abfd3ef6e87c14cb884d2c625c600a7d2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0cf36a00e4ddb127ce114aced3e3d80c

    SHA1

    b3459c9b2a68463602a3f769b2962075fa3c2d42

    SHA256

    2564270afcd49a83d12386c375fbc5e55bada15e8e67b0c96adfc976fe84ca83

    SHA512

    aec0ba5eda8fc69d6f87499e2f8988a13d90d7b99fd1d040bf667b6e629723336627c13cf5425fd4fb15b8462dc03d580a76e9a5a7c42e1dc879c5f0d0f3b2b4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ee0aa1b5e93cbe3b3262d612e525af34

    SHA1

    1f7af529a1cb68a0b03f4fd4ccb6c3876a04adea

    SHA256

    6c8fdc00d23e65d87f18ee0267f0081ef5b89a549f64c8f982e0248b66737d2c

    SHA512

    13be6872385ebed2c2a7176bbec9bafdd4042d61041a073e2c01f5262ba4b5aa24fa55f5f3370fca2ba7441dcc4b654017a35efc32c891455356fdade1400219

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    43e4c4e94ac832273c514e8d63af3465

    SHA1

    8d167e7c2efdeac957d2d0a5fd127e7133ea01c6

    SHA256

    db4576c146badbf22f3c15c13fc93a2ad8a1e5323c4aa3c81bfaf58ac862c268

    SHA512

    e9db3c22969369021488a1d73fb41d5ccbdc3f18cf2793ad8a6df2cb1682da2ee9e35b674a71605790565c71fd6e14eb465f70fd8bb448f2076bb1f545e87c93

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8d83b5d4f009a765919f4abb38c418ce

    SHA1

    429ed501ec410776f0fb813dddca7e511fc0156d

    SHA256

    87b79b5b358a6cf97e7f41bf6b023142c2666b9ba2917c7203d2a6ed15d4da2f

    SHA512

    e8b1d1ff926dce29c3d7c1ad859b4088a1dff5939cbf6cd5abeac284f1eae35324843a24589f04621e37afb4432641ec56d7f3299b638b25f23b8ae374723cae

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3f582fe91a6dc67ae114994192e56942

    SHA1

    cfee7efd1f970f7750d8c342dc785b8e60ac6715

    SHA256

    06e8839df290d1ca3d070dfaeebdc4a49810177b23845d214caf9959435a8a77

    SHA512

    61d782d1226022be1c72a83ab38588ecc4ca5c937cca03a06fe67f56b15400d71c35c03c672cb1051d1db5b704d9fb959980094240e415e4ad4592cd37be2220

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9aaf90baa50aa261c66fd779e147847c

    SHA1

    f926b25e4f933f1193ab7980822b3da603b8ec70

    SHA256

    8f5df2482ad591c384de719c02b29e468db3ab932bd3414712487fcb6f01ccb0

    SHA512

    1e312f2a5714559a397f344ff28a4c1285b5c68682cffc5d03835fdfbbdf58b4793f6a0aa515d09106d6155429cdb60ba0ee3c6d8575162a647945bb0e561f7f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    aa3f60be9db59b9f7dc6abf2b149227f

    SHA1

    5f1d744b4e69e6277e7685be0883ed17284569e0

    SHA256

    fd72d34bb4b06a3d544f108934d369615a1c5e2884b536624dc529a3966428ad

    SHA512

    88406eac1e6a82e4a5b76b66b45439ddc1b9126114cc0fe8f65614b79948216cb6b2d449691663c0b2e1cb55bb95773388e5e9949c0e36c68f706fe07c9464b3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8dd578b6f34368bbc51fc66a8c1c2a11

    SHA1

    80356234173c64f8ab59d464d152542787dfa91a

    SHA256

    b8199b730cd6882c3fbc0c12b5f54b4bd4133008e451e8c1de91d72dcbd10d31

    SHA512

    ec18fade41342bdae9e95cb285a60bebb5a71b457a57fd97af36ff4b102ca16f81f324f066e15f47e386d8d78ceca00a50cccc6560ad154ce0bd0d3b818a0c92

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    36e66ef82d60face7dc260aaac3105ba

    SHA1

    e8fe314d6eede1e5155ab0d5636eeeeb759ecae3

    SHA256

    9cf1c1e2e06e2346a69a05e09e61a6b1c0b70a647062a4c22a2a2288a30263d1

    SHA512

    52a8b2564ec1a0e7926f660ea8f08415cbf4da7baf2f457a403f4f09da8258ed61397f1579d5095ac8f2f661ae6e102fcd30160d0388fe8bfc896bb9557784b3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e4a47dbcf4f14f9a522c941c9536f156

    SHA1

    18c825261be413f4edfa1e9b6806f91127c3db00

    SHA256

    1e0e2c76d7fe54deabc8118799928e56fdafb6823d39b084be190f82ddc8ab94

    SHA512

    3c29d8ff7d36943a419f815ae137c2338b834395695f8743c5c3a9c37717c829aa937d9df8b055be90a248279e7dec07f5c502a1e6c792d661cc6a5741983bef

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b50031b453ad5f65c1ba3360ff5a4f4f

    SHA1

    e8c11d3da00b593eb758d84a439f7d1ba1eed9f8

    SHA256

    87772a7b9d9a56bb46a98e105e84836e0d66e4d2ff12b17a59827b4a0bc67ae9

    SHA512

    4f937f51f29a9623060a6ecef0fcf7de0d41c8a42ecf1532a14fc627791ceca564070a29df599404b11356d8f9ad125fe7ed02f6a26b2e9950ad45f445daa8f6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9379ff00310de84c34ba4ecb11bd7070

    SHA1

    bbb3cf696da9ef86a1c4470ecf5c1696e7480aac

    SHA256

    fca5cd62bbdc9430d044c6f8fa06d08a0c8c6678df36d3b4a6391d691cc1480d

    SHA512

    a8d697c80a33e34dcce8d1bb7f05c7b1024c41923c0ebd7dbb1203328685e360ecb12fbecc110333b32915b07620bbeeef213936b619b50de20c37864e82bff9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    687cea0aa5e152280e12ac1ae7be2867

    SHA1

    1ee71e3c3c391574be5ac220e239d052024a02fc

    SHA256

    af6c80bc064b53de3285db773d18fc6bcc53fc331cb3705b0871f5ff2226f52b

    SHA512

    a97716be11029a243f0825f560b1559dc297afd7d990880394773d3422cb422b8cd441cb10d555a601d65cd78b8b6beac1736fab244d9da236d2a74ee386b749

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e834d86b3c32c3bd591e38542291383c

    SHA1

    1a1a814d9d97dbfb4a535bab4f5c1d262160e8ed

    SHA256

    90921886f633a7e21e9f125810ac925780aec71579c87aac6880280bb3c1738b

    SHA512

    9a43a88842068bb5fe603b60fea5f1fa09ae8733758627c8941440f8ec86328b3031b668568aa50d3ef18bcee9f4c0f3d34197629054d1aa018b23329d76588f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    756956d495bc0b2d4474fd6894575d96

    SHA1

    79dab64b305640453fbbb6a7d3de241ddfea46d0

    SHA256

    16c069495c7e428e829e88b0f8e2a8fc52d08ad6834eb291e425857c452d3b3b

    SHA512

    885b8330c330d61e70dda2dfe3ea87c8bb17346b89278b2dfbfb9a7a1d1b81c4a1a818e6020e6b81e0036a1d586e989280439d987fc748694950d85dd972bb8e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1939359c1f66726c190cf582e68328a6

    SHA1

    e9b36d1c95a882871e3ddf315845439006eb1633

    SHA256

    305a53c05e1b604aa5241a0f75b9eb3aa870bf340cd40764b698943006d8db2b

    SHA512

    858b72d20b9cb10479de212c5bbe9409fa4f295edce9f8bacaf40f9485111ed4cf1862efac2827b97760086bcc175acc159ba836c831f598a08c58693f392c00

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d60cc289134d6f241c6e0a63f4089dba

    SHA1

    357b0e9ecd47bfb6cb397c466f20915cc6d8704a

    SHA256

    35e2db4c7cb676dcc4aa86f5143b30d30e30c0c9c5c60632d2e85b66f65c8148

    SHA512

    49656aa1406ae11b592f739c89cbe92d9c6637a660de1f0a408ef67dc1acb804506076764ebf4c81a40ed1fb83e980b307cbf4955517c3a04557c0816a9c8a33

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    40f339d4ae4e1409caeedf344586e8df

    SHA1

    ee6a9f3702247364a48f52f67998beff9cde5c22

    SHA256

    42b3fa4373de5c358555e15539ee5b3b32fb82f99dbf2cb36884f916123302f7

    SHA512

    084d905bf616bcd41846462b0f97598519f4fc7b446d08c9e0f2f8baa138c58c459a3cc140ac527ffd3bcfde57af9d47e2b7cab6b9b7482bf6c74c34cfc22989

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    69c5f88e3953227e53139fb53cd330e8

    SHA1

    484817f7090aa6e190cef4adbe55ee7dcfe6abe5

    SHA256

    39bf2b88fdb10fb27043c819371797fd32eae6767aee756201c47a01d0452996

    SHA512

    a78d648ea29ae07743810f77062458f2152cd9433fc5ac4ed51a7e92d82efa2fb70d71fd75068c968a8157ea7cee3b2fc17683988c8b25413adfd193a941b1b7

  • C:\Users\Admin\AppData\Local\Temp\CabE1CA.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE1C9.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\Desktop\Howto_RESTORE_FILES.bmp

    Filesize

    3.3MB

    MD5

    1666a00bff6235739b5d06cfa331e517

    SHA1

    2dd42a1c40ccda81ebc1102f1b920117ecc76841

    SHA256

    00102c61a4cbbfb1ca06c78248730af25eb970a089c21e89e53040cb5a8c9408

    SHA512

    f9d7ef3d4a49a21f16f084316e0aa19df7a98200ea4fbc6683ad406442040e8f2cc73c5f77534a04313afe6f98db7d91201042505643c49dd604d6b030477694

  • \Users\Admin\AppData\Roaming\iquwh-a.exe

    Filesize

    364KB

    MD5

    764a3a6827e4d04ebbb801e8f5b95f8b

    SHA1

    6bdba1a36f825e2b6cbe2c71bfa2e31ad148ddcb

    SHA256

    091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1

    SHA512

    2a05444918da6ac9e400c1b7c5f58e60187035b4533be28b4b516f8002edfcd9b1eaa9207b820e26f6cd08c51a7ca8610dd4aa785d3b9ffd2dedd04a8aa197f2

  • memory/1928-4569-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-52-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-4399-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-4400-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-4389-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-3988-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-1260-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-610-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-58-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-55-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-56-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-53-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1928-4396-0x0000000002E60000-0x0000000002E62000-memory.dmp

    Filesize

    8KB

  • memory/1928-4557-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1992-4397-0x00000000001B0000-0x00000000001B2000-memory.dmp

    Filesize

    8KB

  • memory/2800-7-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2800-30-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-4-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-5-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-1-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-9-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-11-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-15-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-18-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2800-19-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2944-31-0x0000000000400000-0x00000000005C0000-memory.dmp

    Filesize

    1.8MB

  • memory/2956-16-0x0000000000220000-0x0000000000223000-memory.dmp

    Filesize

    12KB

  • memory/2956-0-0x0000000000220000-0x0000000000223000-memory.dmp

    Filesize

    12KB