Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/12/2024, 13:35

General

  • Target

    d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe

  • Size

    428KB

  • MD5

    d74daee515bd5a77f299151a568cb57a

  • SHA1

    68555ccb11104b0bb9243ba3f5f464de8bb701e6

  • SHA256

    1d8ce53b219771b49d743424498747af3f4201f194dd1020247bb4a492156fb0

  • SHA512

    62dc4d6d0d2831bf55247e6c87cd6b6a5c2798dd1aaea072140146598b9f07921b5f53af2a4c93d5430e54002456a1abc57a00acb2f57339ed827a790febb646

  • SSDEEP

    12288:oYV6HO69joWO8UD8KHCeAJlkMAUhX+cblCJxfS6:oYh8UD8cCEtUhXvOR1

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nsxec.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D99C2BFB1793EE7
2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D99C2BFB1793EE7
3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D99C2BFB1793EE7

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/D99C2BFB1793EE7
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D99C2BFB1793EE7
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D99C2BFB1793EE7
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D99C2BFB1793EE7
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/D99C2BFB1793EE7

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D99C2BFB1793EE7

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D99C2BFB1793EE7

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D99C2BFB1793EE7

http://xlowfznrg4wf7dli.ONION/D99C2BFB1793EE7

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (427) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\xcqongnqnjdy.exe
      C:\Windows\xcqongnqnjdy.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2780
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2000
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2844
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2168
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XCQONG~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D74DAE~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2736
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1492
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2156

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nsxec.html

    Filesize

    11KB

    MD5

    a640c7d1803a71b4f2b28564450d8b7b

    SHA1

    793047e8ef9770b29facf322f2895fa08a0c10ae

    SHA256

    bac8d3daecf554a836cad763e8f7eddb4a89f909741f3b88e50117ffa38a0acd

    SHA512

    e19abda6b1e4672963631885d4c4a0c9be8e9de372ede58fe2deb752ad21b446ef7c7bfec4fb9d316f835327ded7394b6b4b6ecfc37db3ca02442d8fa85cf28d

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nsxec.png

    Filesize

    64KB

    MD5

    648a094b7716b1efc97a701c84978d04

    SHA1

    a32cfd401e5c9172ee52bae6283e111cd1413d30

    SHA256

    41c5e8abc975724ef1fd179fe0d353fa45f2f837c2da43ae491e86d625c5890f

    SHA512

    b7e70561479141d985ee5e26525114ab1354b1eafc6189cb464a2475739fab5ab97d0076a6aab609859b4927df632d4f13296660ca62fcc83c74e2b5ef0d6280

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nsxec.txt

    Filesize

    1KB

    MD5

    922b2f65f114965e57e94308b63bfb86

    SHA1

    df37d85fe764bce70230247afe5e9c87dc002cac

    SHA256

    ba00088a2d3a79d492c3c16485727e08800d0edd46dae3e66cc8ed529028103b

    SHA512

    5b8cbc381976835836855612ab07ad35bec2aaa7415fed2a4704857fcd54df1ea6cfd4309020b4c57d434907f0d0ebef6dd05b075cb6e01a8adeb743b1644a50

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    3603c09b79c160405b26c6fdfb292ec9

    SHA1

    f20629765006e24b36d23c604dcc96b657882cac

    SHA256

    e73eab24f47fc9a5a4844ad15f9c7d1c5fa59fc4c6189f7bcb26945dcac32b74

    SHA512

    0221efec92cf8c36c7dc5dda3cb33feae600a5f077269499388790822076cfda316c5213a991282947560b9dcff055ab3fc1136e22b5dd6af662a96988f17cf3

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    f80ddafedefdde3c9af729e98a9ea761

    SHA1

    47d73a400e4899093c269afde8770bbc0ad1e005

    SHA256

    c37d97c1ddb2eec20ef3c9cb9fedfeedab930c74407298f67c7172f3f6ea87d1

    SHA512

    b4f20f3f1eb61219d2a2dd98309da0d8d9eacfba027df31a40314d0b8977077b81d5abb099b8368c027b13a8d557c1cd13ea5ba736a5cb4d854eb9b1770864d5

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    ebd901a178ad1084e940fc5da5b423b1

    SHA1

    ecf39d36998fe312fd1ec8ae05562ea1e2e32d5c

    SHA256

    570114d56534a7cd2e9ded90d5de09c91e898c0a66fd27a580af8d99a4ef79df

    SHA512

    b6a06101fe98d6b8a956f2468d28f0803a622e09e0c34030bbba3307179ddc7efadc8747f0eb26c29ac5f1d2cc6f12efa7d68517501df92a9a0835c777cb2341

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3224cf99eb83c523c8d981911108e9f5

    SHA1

    3050b0d2e7bd8f6f317d21044f2f6620e757a7c5

    SHA256

    49e6f1b18f923b26e2c80cb16f74bc54ca819aadb5b175e3344a2dae83a05e12

    SHA512

    bb7ec3d7625ef76f1080587a7439da01175f9ec2f0e3d752ce2dfcab78ab0687f246d99c3010e6754b338d0a72946efe5e5f68d84717704ee800ecb2da3061b3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8ebc4430812e547b0e22f9b5e619d718

    SHA1

    b0259c380dc2b22d35a8b923da37edb3d2289601

    SHA256

    8b23439e244ac1cea8c7381fb8d251a323dd25dbf1ba9636e5e609af3f317599

    SHA512

    952b5acafe2246c27c7272db40bdf15b1b0033ccc43a00033d9de787864c3d428a36aa5408244809273dd13be34eb077322b870be08a8d4d4c30094e7556c77a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c0e16e254a4be31a0b6d9ebfb352e44f

    SHA1

    b5fc1452a7842b65fda153341246d2da60185f1e

    SHA256

    4262bb583da636bc7866b347953aacea6fa6d996f443f86eaf914242203d151c

    SHA512

    9cea0bac9f26e5ee30b463bfb41106cfcb6dcba7110188dca5ff290d3960b2205643abdd05eadece89d51c83d794fb099187f172facb2b5f6dbc79f2ae6867e5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f869ff157398d56b8bf3780237c398a5

    SHA1

    624424eb98efb246b3baef97566bc7e8a46e74f8

    SHA256

    c407dfc474caed7b0142024b793c6200be14ba614109c65c68e4403dd3760451

    SHA512

    0fc0e2a179bf6d30c7be795619494c887cd10574c8866f49e6000ce960531a396c7bdca72243ef7468082ac6ec9c30b6cca5ff16e9dc410594e31b6ab6a056e5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a823da03609a8e508c4fb3ef0f4c5bcf

    SHA1

    6c31364329d7f288c7b6f3c4b658255fae4c2b2b

    SHA256

    25a7ab73bfa38d000ece908775506767ebab7c129ce68db58bef7acd23d38d57

    SHA512

    9fde69ca49b0d4ea72362886cf52b1a0fbfe9e7754eff542539956c2518fee8d37223e4f38bc7a196e9fb655146ff02bcac07ec7ae685166c100a7d401558f53

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    67657a157925ae63fa6c55d47755390b

    SHA1

    4ad3d36e2d25f0f414f9ffa601321a732a29b808

    SHA256

    0f16b7000d74020661e52e48327250f50995f85275a3e0bed10934928c974931

    SHA512

    a22845139f4ea912a2725edd44bf4dc61f6d62e80f58b903fe01c55acfe6101640d6e16cddd849befa8e15b7fa3383b0d20c884e05cc0b8189aa9d86bc2c5eef

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ee05ce4bdf6435e8f794a6fa35280ccd

    SHA1

    28bf9fcad424ef78dae775e6321b53ed235dea20

    SHA256

    cd6ac317034adb8d4492220beff2427770f665c4cac6447b59b7a3110c06915e

    SHA512

    1ce2eb705c6857f5a9ec818969729a6af754a0ff1469f654df42298c205576719be6cd53bf3701446bde8d07b9ea8db99ca03d9a261833c3eaf6c2ee1f59a1be

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cb0e3a0c3119f440a16a653ce01c60e2

    SHA1

    0088fee630a4998d9ce3a64fbcb5398eeac68ea2

    SHA256

    ebfd35cd3a20c9302b91a26f1bb4a0cdcead1a734d04dc9949c9b5bf51c0e3ae

    SHA512

    7ac8014bf82c5615ebe60124bd70ab354898403ef5ea96b1dc2e1ba874a8254c078b228a77b6aa3287ccff6312a2c5f3fe53a89584e73a6bcd06e45f44bf366b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ff33e1afe5d9d29a8e215dff1d1fb142

    SHA1

    be82e3a76b470770fae816107257fbe84ac64cc8

    SHA256

    c34022a8dd32d4ca219118dd968ba66babde19e498a7bf05cb8e56f1aa96ba50

    SHA512

    98cc4a3f7b8552704e02cfa156f97569704ebe2955163b6a3e9e9a5813187d72e44ca16772714d0ba0a4035a55c2a67b573edae66ce9c5e219aa97aebe46bc1b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    84d95e3a2414891c60450eaa9db8f0cf

    SHA1

    39e05f73aa1bd34cf94c22052b619f7e24785d26

    SHA256

    5f1cb61dd777db137c9acae41dea2b4e82478c65ed999c3f27cbc9c2e132a72f

    SHA512

    13486686b63717daba85c3d51cec9ccaa174f51270194b0ce0aad075308db2abe70af7bf47e3c9037695022d7436df56ba2f367724566f7fa7c520c21d3cf175

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2d1ace550f6d0480aab733533801b1dd

    SHA1

    08c3208b4c3bffd014cf5117d4794f7ebc21b0ea

    SHA256

    be97e15ab1adcd4055cf14cd907a41a96a9c3689004fc5789152c1d5db2b73c5

    SHA512

    997d7e1c3a208584e5d9344a6b7ab065f896996ad716f11ff3c1d372c6eb60cc6f473e220dec7bfbfdfe853b9a1f16399c2e0a763cb4ef53b06ad4634a4b45b0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b4cd1cf335defcae96b290d3b8aa88f5

    SHA1

    e9207747f59eb04ec2ac35862e854fffd85d8767

    SHA256

    6065c57f46d2557944839ca34df8047c04cdb3bd98fb4e46044c65f8322ff5a7

    SHA512

    07e1bf792cbc12f1f3e7ee5076b963475401756e9bc73cbf5bbb09cce415de1820378e1f4d5de4eec37863e36175abc050c754d9b66352dd7590da31ab84b66b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e6e11699d3c20c743dbdade4c6eb45e4

    SHA1

    dd55ab6cd85ec602f8dccfac9c16c5c4849696d1

    SHA256

    a6b525a5441af8b8438ea19835ccc829f50c079dfcfd99856e3a6469c1aaeb85

    SHA512

    8efa357233d5f0d6b1570deb5d3b7c5f04bbc8d7eaa28992ebf220f487195b24c83497f04cb3bc350ba6ea977ccfde33532f80ea2270cd74cb90bd14f292bebf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d89792e2d4127dc5b15b75b9f0522757

    SHA1

    31391f8a22340c460e68a2ce7cc90c36819048af

    SHA256

    31863e4c5f2382f87258fc4cdd65b1811bc8c692300a6679b909900280c90111

    SHA512

    e261dcff6fe86a79565bf4dd72620392b64274ac955d9026ce0587ccb37d35e48f9de3ec386795b0157f7de53c55f115d4c585fd42e65c986959df7adce68620

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    51647dde48a89b984586d587f9266a5b

    SHA1

    b43136f49ff9bf7cb510895c51a02f0803be79aa

    SHA256

    8964d3c2d28fd343048b3048143180a91d8007d296d664323dc4b2b37e1306b7

    SHA512

    d9f223f139dfc1435c1c18e3da8cc86a2363c342219c90c6aa6555230ca04bb501d6ce1d44a4828c3b2f48df8e9627f027587c1bfa219bbfbbcc5849f39d5c29

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b04f293028a1b59b247c49ad68b6be3e

    SHA1

    7c4d2e30e988702a0096e2b27aa576c746c64239

    SHA256

    e6c3cbb7800e3b6e9d48b5b91ff9ac432c6d87b62de9ea49f7e3eabf790f757b

    SHA512

    0eede8656279f2573f3eebee93cf6e8b0ac426eda7530f3d81e10df40b1736d42b16aa1ac3b2da38778d11ad989fa742233943519b38f7074f7c908b6a3f8b2f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b32e40d53096440cb57a67b3400eb9d1

    SHA1

    bbb1b893555bdd70a8802a899afd11313a42727b

    SHA256

    5b25f52f3fcaa945205186bd2ad7323fca4e558857ee06e8dea87cdfe554613c

    SHA512

    752a84f1d84aa2200c182ec1bebb86caa189b42380d3d987575078174b9db6874152e823938c3a353e1901a14aed0b9f1a973590ee0b00f6faffdce720f96d76

  • C:\Users\Admin\AppData\Local\Temp\CabB933.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarB9C4.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\xcqongnqnjdy.exe

    Filesize

    428KB

    MD5

    d74daee515bd5a77f299151a568cb57a

    SHA1

    68555ccb11104b0bb9243ba3f5f464de8bb701e6

    SHA256

    1d8ce53b219771b49d743424498747af3f4201f194dd1020247bb4a492156fb0

    SHA512

    62dc4d6d0d2831bf55247e6c87cd6b6a5c2798dd1aaea072140146598b9f07921b5f53af2a4c93d5430e54002456a1abc57a00acb2f57339ed827a790febb646

  • memory/2156-6078-0x0000000000130000-0x0000000000132000-memory.dmp

    Filesize

    8KB

  • memory/2656-1-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

  • memory/2656-0-0x0000000000340000-0x00000000003C5000-memory.dmp

    Filesize

    532KB

  • memory/2656-12-0x0000000000340000-0x00000000003C5000-memory.dmp

    Filesize

    532KB

  • memory/2656-11-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

  • memory/2780-13-0x0000000001E50000-0x0000000001ED5000-memory.dmp

    Filesize

    532KB

  • memory/2780-6081-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

  • memory/2780-1162-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

  • memory/2780-6077-0x0000000002F40000-0x0000000002F42000-memory.dmp

    Filesize

    8KB

  • memory/2780-6071-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

  • memory/2780-3898-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

  • memory/2780-14-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

  • memory/2780-1166-0x0000000001E50000-0x0000000001ED5000-memory.dmp

    Filesize

    532KB