Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2024 01:35

General

  • Target

    9f1386e8a452ad99af7c9029a37412f5_JaffaCakes118.exe

  • Size

    332KB

  • MD5

    9f1386e8a452ad99af7c9029a37412f5

  • SHA1

    f9119838905f5b5d4f4e6b6d7e74506bf1138d7f

  • SHA256

    7ccc88dab435f8578677128a4e8f6394527dc220cca89d66b5e6f503a43fda78

  • SHA512

    72834d27bff45577b9e9c246644b61f3ae940ae858bf720c8a959049460146abe4275c0cfa4091a42044fd39ef68d11483b88e32b897ffc115ba3e48b40e6747

  • SSDEEP

    6144:tTRwz1xc5AOQRqoUt2FRd8zCKCzMcuZJJtgxCdU6xUKonQ:tTRA1x6izIZJJwCdBwQ

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+tru.txt

Ransom Note

++++++==============================================================================================================+++++++======-
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
++++++==============================================================================================================+++++++======
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://alcov44uvcwkrend.paybtc798.com/7A20DEB87CA88CD9
2. http://alcov44uvcwkrend.btcpay435.com/7A20DEB87CA88CD9
3. https://alcov44uvcwkrend.onion.to/7A20DEB87CA88CD9

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: alcov44uvcwkrend.onion/7A20DEB87CA88CD9
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal pages:
http://alcov44uvcwkrend.paybtc798.com/7A20DEB87CA88CD9
http://alcov44uvcwkrend.btcpay435.com/7A20DEB87CA88CD9
https://alcov44uvcwkrend.onion.to/7A20DEB87CA88CD9
Your personal page (using TOR-Browser): alcov44uvcwkrend.onion/7A20DEB87CA88CD9
Your personal identification number (if you open the site (or TOR-Browser's) directly): 7A20DEB87CA88CD9
++++++==============================================================================================================+++++++======

URLs

http://alcov44uvcwkrend.paybtc798.com/7A20DEB87CA88CD9

http://alcov44uvcwkrend.btcpay435.com/7A20DEB87CA88CD9

https://alcov44uvcwkrend.onion.to/7A20DEB87CA88CD9

http://alcov44uvcwkrend.onion/7A20DEB87CA88CD9

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
  • Renames multiple (418) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f1386e8a452ad99af7c9029a37412f5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9f1386e8a452ad99af7c9029a37412f5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Roaming\gngvm-a.exe
      C:\Users\Admin\AppData\Roaming\gngvm-a.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2436
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} bootems off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2424
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} advancedoptions off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2828
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} optionsedit off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2952
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2936
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {current} recoveryenabled off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2812
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2096
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2740
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:948
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\gngvm-a.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9F1386~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2988
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1456
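
The process tree above records the whole recovery-inhibition sequence: five `bcdedit /set {current} ...` changes (boot menu and EMS off, failures ignored, recovery disabled), two `vssadmin delete shadows /all /Quiet` runs, and two `cmd /c DEL` invocations in which each stage removes its own executable (the dropped copy `gngvm-a.exe`, then the original sample via its 8.3 short name `9F1386~1.EXE`). The Python below is an added detection example, not part of this report or of any sandbox product. It replays Sysmon Event ID 1-style process-creation records (the field names `pid`/`ppid`/`image`/`cmd` are this example's assumption; the PIDs and command lines are copied from the tree, the two read-only "benign" events at the end are constructed and did not occur in the report) and maps each to ATT&CK T1490 (Inhibit System Recovery) or T1070.004 (Indicator Removal: File Deletion). The self-deletion check is the part a plain string match misses: it resolves the parent process's image and compares it with the `DEL` target, accepting the 8.3 short name.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon Event ID 1 style (field names are
# an assumption of this example). The six tampering commands, the two parents that
# launched them and their PIDs are copied from the process tree above; the two
# events at the end are benign controls added here and did not occur in the report.
EVENTS = [
    {"pid": 2036, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\9f1386e8a452ad99af7c9029a37412f5_JaffaCakes118.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\9f1386e8a452ad99af7c9029a37412f5_JaffaCakes118.exe"'},
    {"pid": 2436, "ppid": 2036, "image": r"C:\Users\Admin\AppData\Roaming\gngvm-a.exe",
     "cmd": r"C:\Users\Admin\AppData\Roaming\gngvm-a.exe"},
    {"pid": 2424, "ppid": 2436, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": r"bcdedit.exe /set {current} bootems off"},
    {"pid": 2936, "ppid": 2436, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": r"bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"},
    {"pid": 2812, "ppid": 2436, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": r"bcdedit.exe /set {current} recoveryenabled off"},
    {"pid": 2096, "ppid": 2436, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"pid": 2380, "ppid": 2436, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\gngvm-a.exe'},
    {"pid": 1712, "ppid": 2036, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9F1386~1.EXE'},
    # Benign controls (constructed): read-only use of the same two utilities.
    {"pid": 3000, "ppid": 500, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"pid": 3001, "ppid": 500, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": r"bcdedit.exe /enum {current}"},
]


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str   # ATT&CK technique ID
    severity: str    # "high" or "medium"
    detail: str


# Patterns are applied to a lowercased, whitespace-normalised command line.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")
BCDEDIT_RECOVERY = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*/set\b.*(?:\brecoveryenabled\s+(?:off|no)\b|\bbootstatuspolicy\s+ignoreallfailures\b)"
)
BCDEDIT_BOOTMENU = re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\b(?:bootems|advancedoptions|optionsedit)\s+off\b")
CMD_DEL = re.compile(r"\bcmd(?:\.exe)?\b.*/c\s+del\s+(?P<target>\S+)")


def _norm(cmd: str) -> str:
    return " ".join(cmd.lower().split())


def _split_path(path: str):
    """Lowercased (directory, basename) of a Windows path; quotes and forward slashes tolerated."""
    p = path.strip('"').replace("/", "\\").lower()
    d, _, b = p.rpartition("\\")
    return d, b


def _deletes_parent_image(target: str, parent_image: str) -> bool:
    """Heuristic for self-deletion: the DEL target is the parent's own executable,
    same directory and either an identical basename or an 8.3 short name
    (9F1386~1.EXE for 9f1386e8..._JaffaCakes118.exe, as in the process tree)."""
    tdir, tname = _split_path(target)
    pdir, pname = _split_path(parent_image)
    if tdir and tdir != pdir:
        return False
    if tname == pname:
        return True
    tstem, _, t_ext = tname.rpartition(".")
    pstem, _, p_ext = pname.rpartition(".")
    return "~" in tstem and t_ext == p_ext and pstem.startswith(tstem.split("~", 1)[0])


def detect(events):
    """Return one Finding per event whose command line matches a tampering pattern."""
    images = {e["pid"]: e["image"] for e in events}   # pid -> image, for parent lookup
    findings = []
    for e in events:
        cmd = _norm(e["cmd"])
        if SHADOW_DELETE.search(cmd):
            findings.append(Finding(e["pid"], "T1490", "high", "vssadmin deletes all shadow copies"))
        elif BCDEDIT_RECOVERY.search(cmd):
            findings.append(Finding(e["pid"], "T1490", "high", "bcdedit disables recovery / ignores boot failures"))
        elif BCDEDIT_BOOTMENU.search(cmd):
            findings.append(Finding(e["pid"], "T1490", "medium", "bcdedit removes boot menu / EMS options"))
        else:
            m = CMD_DEL.search(cmd)
            parent = images.get(e["ppid"])
            if m and parent and _deletes_parent_image(m.group("target"), parent):
                findings.append(Finding(e["pid"], "T1070.004", "high", f"parent deletes its own image: {parent}"))
    return findings


def by_technique(findings):
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f.pid:>5}  {f.technique:<10} {f.severity:<6} {f.detail}")
    print(by_technique(detect(EVENTS)))
```

On the events above this yields six findings (four T1490, two T1070.004) and nothing for the two read-only controls. Two caveats a practitioner should keep in mind: the matching is on command lines, so shadow-copy deletion through other routes (WMI, PowerShell, direct VSS COM calls, which this sample also makes per the "Uses Volume Shadow Copy service COM API" signature) is not covered, and the self-deletion check depends on the parent image being resolvable in the same event stream. Note also that the dropped `gngvm-a.exe` has exactly the same MD5/SHA1/SHA256 as the submitted sample, so a hash-based block of the submission already covers the persisted copy.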

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+tru.html

    Filesize

    9KB

    MD5

    2427dcfdb3753608ff6ceda30432bdce

    SHA1

    39af58126b190b5d03818d7b4d0cbd3d6c2aeb18

    SHA256

    01dd4ca5d4aa9448e26a4c5b15c3d0c7191c72979ed1e11e0621e7373995228b

    SHA512

    902ebe6abf1ae103fc24b86c6c9d9c0d3a9824741a8b2b4e9ef68a283dc7e1a43acf41faecdd9702bb32a641b17445b56ad694ccf1946dfcd50604fb419e83a3

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+tru.txt

    Filesize

    2KB

    MD5

    f0ced552260155ad9b9c0967e314e1ef

    SHA1

    9c99fdebb47d4364a49b3b9cc4dbfd3c9496527e

    SHA256

    6bfa3f5e4b5eb425bde3bacef521bc53b9a637bd302cde490978f2d048d5e70e

    SHA512

    d7388d0d4219cea80477cf3d6e26f0b83a7b93ddb79455d628ef9e296f004b3a46b2587214cf03cc08bda724caddbd7d10ec491ddf0abbb3aab9e5a5fc632c14

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    e0e51b708a26a4ca8e433a78a9a6981b

    SHA1

    2bcadfe8213378352c449c2bd3964ec42236b7f8

    SHA256

    26b3f4d9f05cb0cd90f434288ef42599cb5a85d20d92d0243c362e72331efab9

    SHA512

    c9d55d77459d987fe5690ebfa6fe9d44a649164799221b98f474b18c81d9bb8bf4295c3b79f87ba8b8011d54a279eaf5a7d5f0a8cc5a981731db7532b3215d75

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    8eb897b8a60139594fc7335ab9c95ac6

    SHA1

    f64fed42bc3070bffbb63c3ce041f165abd16a45

    SHA256

    976e8ee9a1af83aecc27b87cd284a72f819cfe8a8840e15077f85300be578360

    SHA512

    71078e6875d497799a81ed18a15d62576a8dfd0194fd6ce1b2dff7323c6f05b6252929684425867868db92c2f850e0508e61256c4a61e3ebd17c28cb064072a7

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    84259c2906b854d951ff0e21ada54d49

    SHA1

    0e7cb0857d4e00de2cf5fb669338b0f27f6770e0

    SHA256

    54287ff0c2070babf70f589bfec5d96bc6143fe1055f52f0bdaedc6e007ebb8b

    SHA512

    6b838f39d0a7013cb4916c907d51ff5358dcc3756a76d20877a67fd64e99d862ad152382d97d3e8b3f1bceb51006b60191f3d8b7a8b0b8af2f361d64065dfb44

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    489b9e2744ec6063e1da10f3a76c0f33

    SHA1

    bcc8d73a5f9b5b09e458339abae0f8b880ce8dc2

    SHA256

    b8c276ef0c5f1880e5fd7d1947a2d9be69b831690c05450a6ff49c9dcff19b5a

    SHA512

    917a8313bff5de3ae72e27108fb1a9bace62b00cb8eea907737f93090764eaa16b1d1be6745134abb826523e85f4a6dcdf9e0ccbc2cb485c21ec15864f6d71e7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4349e41f13ccc907acb55a9421e675c1

    SHA1

    714c54f64a0c4c370d5408a7493c642bb92ac68f

    SHA256

    7e5cca64e11e5535c4e454596dd72d7acb35597b983ae78ed97d3144cb8082fe

    SHA512

    fbe10c00ed12ebb027d929a9ec35f6d8b4f9acfb21a2798c12eb9739a7da4fa523c5b0a987385b10c7e99a2792eaf149fd0f3d10fbd5d13507a0d29eebad2249

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6d77a8089fc832cc397b22dbe0357628

    SHA1

    05520901ecd82f77f4d075bf09a88418c1f0f9be

    SHA256

    79d9fdd8a56bcaa7d75c304a5ed3001411cceb9c5a08eadfbdf15b97ca0bab4d

    SHA512

    2d3200d9e459498e2a85e4fa521d63b7e5752f9ec50d87f683f60c98dd60929436d0ceb6228b68ff88ffc71f1cf503a8bc8572f04cf12a5a13bdfecf606b029e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    94addba52e04bc3872cd7be14108e2d7

    SHA1

    6a2e66767b78304f78229a828759a906e3ca741f

    SHA256

    4324d99fcf427f629b072a42e8534dbd3e6eef0e07c1587f8de4f9a0a522b7d5

    SHA512

    09dace201ba38d4db830084a6bc3a89b677ce236f1a09de47e70e00222a1bb024ec612097a05570254c1520467621c438c44c71372a78854f4fa7456758a4311

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    08bd30cf9a1561f4a7191f2022ae1a69

    SHA1

    a9328b45be84bab73d8d5880f39e9e36104a6350

    SHA256

    4e2b395b25e1500ce7687cb9fa80c905e23aef1d5129d7f0e686f3987aec7246

    SHA512

    0166b7f688a6216b47169beb7aa240e67a0e0aa27adc3a613bca705c20b3dfc2718185c63c9b54049b0797062e573b1ac8e048be70ed09abcbe529aa81db379b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    02c5c67e1c2739bef7b10a811a5b15ac

    SHA1

    c64d49b2b5f159090dff3cafeda211b84c27d7c4

    SHA256

    2b1e5486a77e04f456f9f0210ae63f3e664f43348b1f83ac5504f995b1b6b01e

    SHA512

    e3e0023892f586af725dd26b57c8565ef5b5120c1ac063b164f7c660a37bda48267ac74dff917a4d157046193de1992addc51a6d326b0c9002205ece95f3c17b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    222c530992df1c7eb9b5157c1f08594c

    SHA1

    3d4626d5a7a37aa2a7aa1ee869621be3dc924728

    SHA256

    79613e13fcde8e36c3ca79f03327c202b0456be5c6e19e6296592a5f5bd4eb0d

    SHA512

    07c8561623244b5936d01dd9d72c56d6a3f6a84321b6b2a8641a6ec3eb2ac5a5f4513b94ad9bb4867a147b3f84d918dad924ee71d34a1ed5966f0c7985adf68f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    49e80b222c47e2c01150c4ebdee43cb2

    SHA1

    29e107740798bc18f5a64199851a6b7862715d9f

    SHA256

    b10961390e456962b0868d322cee02a6619df826b9728a188db93dea2d0c3d9a

    SHA512

    7820ef693c54a3e097246cdb947598ac1029916fdad98804ed3adaea6f9f2dab3987527a0548c2338043101a9d52a14a94eea85122204cca92c1546b097aaf27

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0ba4e19a83a187d227b0f557106522af

    SHA1

    6421043ca7c2b6f960c45bb71da1f340cdd93104

    SHA256

    2e95e0cc617a8fccce6399faf571f1de1dab6626546bc8ec6fb091c7d038d0e9

    SHA512

    7f8d5bc81e0151fc8d2f5b11490228b8592e179455d5c3e57bd40807e9e98ed0073dd7c9b51441794451ad6d491dc9cb1be6712a54ef3ddd012c740826bdc416

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    21ccacd6f180ede2e961b55da410787b

    SHA1

    3d08b24de95d78ec1ce734258e007d68d24d1e3d

    SHA256

    a0d69c4796a31c7f83939a6619da4f21429a701aa52fe91137f3a2d6f90e86d2

    SHA512

    25dd1b0343df07db6a8d68c1223c2151d2d1ed2c7a3cd1e1eade9b6e4c2c84df692a25daa5af79a6a51fc9f6397665bc7d7d2a99a7d4a4a1a18cfba9e6829bcf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    27560dffb5f74a39c6d215f1092af5b7

    SHA1

    85f31f5f4c0fe62e4eb695386b2f9665dbc46a2b

    SHA256

    1055fbbd18f2a43a8e8e2465f5b37916f6df1813aa235f7f1d9e844b4f0362ba

    SHA512

    15e57041572c3ed94175c696e06afcc7696e95d30977ad43930ad8e4c93544628262b73853efcaa2c4de31a10642eca9d2b2418ca40c4981e4a18aa8e9bf7ac2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    485b5236f26bb5429e5b3f00b1975361

    SHA1

    cce8db16d89d232ff322c3b14b5dee8fefdb0f51

    SHA256

    ba46598a4d7c75e5197dc416944fc5325e400dff68b67b25ab6e7b0fb420de88

    SHA512

    07eb5d81b38849532328cd4b601a7dc218b0a056740a5e18c506dddda3c1d364fc602d36eb6820708171ff6363db337db2d48894e6bf4172fd1cc8946b6a6e1a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b19a96058bbaf39e1c497e6f7df0c7b3

    SHA1

    40f5ae36ffe8b810836b9fb1e711597e1b905a97

    SHA256

    e29c0a6979c4c8017723e3d0bd11156eaed4c900eac7b4cec7fef66a8e4f4060

    SHA512

    d2c147996432a19bf577020bc1b9d0dfb52a58af88a9266c8661195bf0c6d911d4e57020122f872d0c0c6f070db489802a84af698721216c84d2dd2f12fc17f2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9d8e254c9c0157f55b0b8cea79ecc471

    SHA1

    7cf1e5b88480634aba48970b81aca57d1ad4baec

    SHA256

    f4fd8a6d28bef071e3c1e5504466f75d258f7659395bdb363d39aebaecfc13c7

    SHA512

    a15268b82a96350bfb5891bd2128987b3dc171c02a7548dfaf7b4c8032312483a619d8076a1c5c0b035ce6622febb4d694835a139ab4894684510251bdce7a71

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2e070b8a19394afcddf6ffa04b28f188

    SHA1

    795967956dbfb06f312eba49d71b853c9166b96d

    SHA256

    e3bb655c8f321f0b16bde1d0f1bd7ea4ee6906a75724481e72f9048a6425433e

    SHA512

    0624f4ae476ede90fce635e449a752f985f43b2e9d38721817247edd16780d6f92f1039040067dadefb42aa1cf32d1c038a706710f69e2cad76d77a94212701a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1d50eb380a77c847d06fab4acf455d94

    SHA1

    d1a642cd7867ac6a813f40c93a6bdb7fd167e947

    SHA256

    88e8c5b9d5fa793e5a06e319100660bf7a924eac6825514d75dbe1ca3c1f3d05

    SHA512

    5358fd0924c637d56a250c446253d1ffb15a53a14e8464984719a9651ad1086490baa546a43685c6a12da50263d6a147ce6c2fbdbb21d9c5d823f907b0f49d34

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    90fadd2450d5f07808adfa5111009198

    SHA1

    d68f223fffe86d87b2e5418dc52231877b8bf6c5

    SHA256

    df9e88b976b8a88ac97ae9de93bae16ab1a046940e7c68c68f20ae428d3f9c12

    SHA512

    0a1355d7548301f113f5ef6ac38eb6bb7c3cafad2fce004da4fcf41c043560342e52a9f10803a47c9da92f7f4342c46edf666012f6d8ceddb847dc689362b09f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0506746087da6b0285959d92e5781ee7

    SHA1

    94d20491f311cc7ddf41904aeef04557d212437a

    SHA256

    fb6d2f286be0398a9355c62e60c21246a01307ac8a180c2d34b9d3b18170729a

    SHA512

    38f783ed063a7b5eb963c312a8462961cd4be06b078283544debf927bc992c561cf1240577ff9b6ac96c161b482e204e148b5a1e9059544b9442db7e5d8d6935

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fc478bf5084b6a4ad6b88efd7fd53f7c

    SHA1

    90610c34d6d0ef6c29b3c18b7a7f532883927b87

    SHA256

    6cea4032ca5f745b3cbfdcd6c937159b591d2a11d1d532dab489c6cd93e5d3fb

    SHA512

    d688cd18a9289d4b1b5f57790bec84ab19dd2aee6245f6f66d1aface88a672924346b802a487f44d2e55f5e380e992a0f08227df8b7e68d131cca1dc5ecb437a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9044bc305cb94ab23f8ac07efb9fe743

    SHA1

    80d6051d591b072c9583a80fce7e19c13eebaa86

    SHA256

    164c74ffd65ed17da6ca615c3ed4913d39761b3481044ee4f34793a6072cfebf

    SHA512

    20f82cea148d73d2f0dbaf80c87cd124aaf5065a82480786c07885a881eeece0b333e1488e5ee3c139377667440c45ad078721a9a65642ad3dc6431bd5d5a765

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    55837ba5be0a2eb21fb52b294a36680b

    SHA1

    40d2d7fa480448f76f59948a5c5c9a8718676af8

    SHA256

    17a66e5aa475fa27d061ef1cdeed13e16c263fb7cdf8288eee561d6238baa0c0

    SHA512

    e2e7e4bf875143a00871d61dca7cabf5baf821267080730d6165f7c03487e396c80579a955bf749cb397a7803e72ab712bbc4879bb734dad250e98864adc6d2b

  • C:\Users\Admin\AppData\Local\Temp\Cab2253.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar2252.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\Desktop\Howto_RESTORE_FILES.bmp

    Filesize

    3.3MB

    MD5

    bb01d8eb31e584df562501f108b1777c

    SHA1

    9422976a2f8a17a7c2aa716808b3b9b1855f414a

    SHA256

    b2d88320f895d9f2a122d4bc29918c4aec012d5805cff4882004dcb9d86c1e38

    SHA512

    942d9471432dbcc184d927d4eee86d7e086b517787c5b12af3b6525e77a5c74bcda4a18ea828a9afade60a785f88c3a1b7ee2c9515ba8af75fc64e7ed672a000

  • \Users\Admin\AppData\Roaming\gngvm-a.exe

    Filesize

    332KB

    MD5

    9f1386e8a452ad99af7c9029a37412f5

    SHA1

    f9119838905f5b5d4f4e6b6d7e74506bf1138d7f

    SHA256

    7ccc88dab435f8578677128a4e8f6394527dc220cca89d66b5e6f503a43fda78

    SHA512

    72834d27bff45577b9e9c246644b61f3ae940ae858bf720c8a959049460146abe4275c0cfa4091a42044fd39ef68d11483b88e32b897ffc115ba3e48b40e6747

  • memory/1456-4354-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB

  • memory/2036-0-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2036-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2036-7-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2036-1-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2436-10-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2436-4353-0x0000000003950000-0x0000000003952000-memory.dmp

    Filesize

    8KB

  • memory/2436-4363-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2436-3604-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2436-4793-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2436-551-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2436-391-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2436-9-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB