Overview

overview

10

Static

static

4ace7b3da6...9a.exe

windows7_x64

10

4ace7b3da6...9a.exe

windows10-2004_x64

3

Analysis

  • max time kernel
    136s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-07-2022 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a.exe

  • Size

    325KB

  • MD5

    28215a5ed45d61536d22322602407aeb

  • SHA1

    d4db7b54acd5a8f2f7022f3f947ad79e0226801a

  • SHA256

    4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a

  • SHA512

    639ab48113f68f07e0573fcafac435aa5c41394572104a023f6c79ae33484a1b0c20765f7ffac2bf84e1ff715d0aacc08a927a24028d6863cdd0c31fad9896a5

Score
10/10
teslacryptpersistenceransomwarespywarestealersuricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+nqtrx.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/9B1627686B7818F4 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4 http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/9B1627686B7818F4
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4

http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4

http://xlowfznrg4wf7dli.ONION/9B1627686B7818F4

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+nqtrx.html

Ransom Note
<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; <!---4231213423142134231421342341234 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center> What<!------4231213423142134231421342341234 --> happened <!------4231213423142134231421342341234 --> to your<!------4231213423142134231421342341234 --> files?</b></font><br> <font style="font-size:13px;">All <!------4231213423142134231421342341234 -->of your files<!------4231213423142134231421342341234 --> were <!------4231213423142134231421342341234 --> protected by a strong<!------4231213423142134231421342341234 --> encr<!---4231213423142134231421342341234 -->yption wi<!---4231213423142134231421342341234 -->th <!------4231213423142134231421342341234 -->RSA4096 <!------4231213423142134231421342341234 --> <br> More <!------4231213423142134231421342341234 --> information about the <!------4231213423142134231421342341234 -->encryption RSA4096 can be<!------4231213423142134231421342341234 --> fou<!---4231213423142134231421342341234 -->nd <a href= http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> htt<!--4231213423142134231421342341234 -->ps:<!--4231213423142134231421342341234 -->//en<!--4231213423142134231421342341234 -->.w<!--4231213423142134231421342341234 -->ikipedia<!--4231213423142134231421342341234 -->.<!--4231213423142134231421342341234 -->org/wiki/RSA_(cry<!--4231213423142134231421342341234 -->ptosystem) </a><br></font> <br><b><font class="ttl">Wh<!--4231213423142134231421342341234 -->at <!------4231213423142134231421342341234 --> does th<!--4231213423142134231421342341234 -->is mean?</b></font><br><font style="font-size:13px;"> T<!--4231213423142134231421342341234 -->his<!------4231213423142134231421342341234 --> mea<!--4231213423142134231421342341234 -->ns that the <!------4231213423142134231421342341234 --> str<!--4231213423142134231421342341234 -->ucture and da<!--4231213423142134231421342341234 -->ta wi<!--4231213423142134231421342341234 -->thin your <!------4231213423142134231421342341234 -->files ha<!--4231213423142134231421342341234 -->ve be<!--4231213423142134231421342341234 -->en<!------4231213423142134231421342341234 --> irre<!--4231213423142134231421342341234 -->voca<!--4231213423142134231421342341234 -->bly changed, you will not be able work wi<!--4231213423142134231421342341234 -->th them, read<!------4231213423142134231421342341234 --> th<!--4231213423142134231421342341234 -->em or see them, <!------4231213423142134231421342341234 -->it is the s<!--4231213423142134231421342341234 -->ame thing <!------4231213423142134231421342341234 -->as los<!--4231213423142134231421342341234 -->ing <!------4231213423142134231421342341234 -->them for<!--4231213423142134231421342341234 -->ever, but with our he<!--4231213423142134231421342341234 -->lp, you <!------4231213423142134231421342341234 --> can re<!--4231213423142134231421342341234 -->st<!--4231213423142134231421342341234 -->ore t<!--4231213423142134231421342341234 -->hem <br><br><b><font class="ttl"><!------4231213423142134231421342341234 -->Ho<!--4231213423142134231421342341234 -->w d<!--4231213423142134231421342341234 -->id th<!--4231213423142134231421342341234 -->is hap<!--4231213423142134231421342341234 -->pen?<!------4231213423142134231421342341234 --></b></font> <br> <!------4231213423142134231421342341234 --> <font style="font-size:13px;"><!------4231213423142134231421342341234 --> Espec<!--4231213423142134231421342341234 -->ially for y<!--4231213423142134231421342341234 -->ou,<!------4231213423142134231421342341234 --> on our SER<!--4231213423142134231421342341234 -->VER <!------4231213423142134231421342341234 -->was gene<!--4231213423142134231421342341234 -->rated <!------4231213423142134231421342341234 -->the sec<!--4231213423142134231421342341234 -->ret k<!--4231213423142134231421342341234 -->ey <br>Al<!--4231213423142134231421342341234-->l y<!--4231213423142134231421342341234-->our <!------4231213423142134231421342341234 --> files w<!--4231213423142134231421342341234-->ere encry<!--4231213423142134231421342341234-->pted with the p<!--4231213423142134231421342341234-->ublic k<!--4231213423142134231421342341234-->ey, <!------4231213423142134231421342341234 --> wh<!--4231213423142134231421342341234-->ich has b<!--4231213423142134231421342341234-->een <!------4231213423142134231421342341234 --> trans<!--4231213423142134231421342341234-->ferred to <!------4231213423142134231421342341234 -->y<!--4231213423142134231421342341234-->our co<!--4231213423142134231421342341234-->mputer via <!------4231213423142134231421342341234 -->the Inter<!--4231213423142134231421342341234-->net.<!--4231213423142134231421342341234--><br> <!------4231213423142134231421342341234 --> Decr<!--4231213423142134231421342341234-->ypting of <!------4231213423142134231421342341234 -->YO<!--4231213423142134231421342341234-->UR FI<!--4231213423142134231421342341234-->LES is <!--4231213423142134231421342341234 -->on<!--4231213423142134231421342341234 -->ly p<!--4231213423142134231421342341234 -->oss<!--4231213423142134231421342341234-->ible <!--- -4231213423142134231421342341234 -->w<!--4231213423142134231421342341234 -->ith the he<!--4231213423142134231421342341234-->lp of t<!--4231213423142134231421342341234 -->he <!----4231213423142134231421342341234 -->pri<!--4231213423142134231421342341234-->va<!--4231213423142134231421342341234 -->te k<!--4231213423142134231421342341234-->ey a<!--4231213423142134231421342341234 -->nd <!--4231213423142134231421342341234 -->d<!--4231213423142134231421342341234 -->ecr<!--4231213423142134231421342341234-->ypt p<!--4231213423142134231421342341234 -->rog<!--4231213423142134231421342341234-->ram <!--4231213423142134231421342341234 -->wh<!--4231213423142134231421342341234-->ich is on our <!--- -4231213423142134231421342341234 -->Sec<!--4231213423142134231421342341234-->ret <!--4231213423142134231421342341234 -->Ser<!--4231213423142134231421342341234-->ver!!! </font><br><br><b><font class="ttl">Wh<!--4231213423142134231421342341234-->at do I do?</b></font> <br><font style="font-size:13px;">Alas, if you <!--4231213423142134231421342341234 --> do not take <!---4231213423142134231421342341234 --> the nece<!--4231213423142134231421342341234-->ssary meas<!--4231213423142134231421342341234-->ures <!--4231213423142134231421342341234-->for the spec<!--4231213423142134231421342341234-->ified ti<!--4231213423142134231421342341234-->me th<!--4231213423142134231421342341234-->en t<!--4231213423142134231421342341234-->he co<!--4231213423142134231421342341234-->nditions fo<!--4231213423142134231421342341234-->r obta<!--4231213423142134231421342341234-->ining the priv<!--4231213423142134231421342341234-->ate ke<!--4231213423142134231421342341234-->y w<!--4231213423142134231421342341234-->ill be cha<!--4231213423142134231421342341234-->nged<!--- 4231213423142134231421342341234 --> <br> <!-----4231213423142134231421342341234 --> If you really need <!------4231213423142134231421342341234 --> your data, <!------4231213423142134231421342341234 -->then we suggest you <!------4231213423142134231421342341234 --> do not waste<!------4231213423142134231421342341234 --> valuable <!------4231213423142134231421342341234 --> time searching <!------4231213423142134231421342341234 -->for other <!------4231213423142134231421342341234 --> solutions <!------4231213423142134231421342341234 -->becausen <!----4231213423142134231421342341234 --> they do not exist.</font><br><br> <!----4231213423142134231421342341234 --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please<!------4231213423142134231421342341234 --> visit your <!------4231213423142134231421342341234 --> personal <!------4231213423142134231421342341234 -->home page,<!------4231213423142134231421342341234 --> there are<!------4231213423142134231421342341234 --> a few <!------4231213423142134231421342341234 -->different <!------4231213423142134231421342341234 -->addresses<!------4231213423142134231421342341234 --> pointing to <!------4231213423142134231421342341234 --> your page<!------4231213423142134231421342341234 --> below:<b><hr> <!---000==-=-==-=-=-=-=-=-=---> 1 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4</a> <br> <!------000==-=-==-=-=-=-=-=-= --> 2 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4</a> <br> <!------000==-=-==-=-=-=-=-=-= --> 3 - <a href=http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4 target="_blank">http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4</a> <br> <!------000==-=-==-=-=-=-=-=-= --></div><br><div class="tb" style="font-size:13px; border-color:#880000;"><b>If for some reasons the <!-----000==-=-==-=-=-=-=-=-= --> addresses are not available, <!------000==-=-==-=-=-=-=-=-= --> follow these steps:</b> <hr> 1 - <!------000==-=-==-=-=-=-=-=-= --> Download and <!------000==-=-==-=-=-=-=-=-= --> install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br> 2 - <!---000==-=-==-=-=-=-=-=-= --> Af<!---000==-=-==-=-=-=-=-=-=--->ter a<!---000==-=-==-=-=-=-=-=-=---> succe<!---000==-=-==-=-=-=-=-=-=--->ssful<!------000==-=-==-=-=-=-=-=-= --> instal<!---000==-=-==-=-=-=-=-=-=--->lation, run the br<!---000==-=-==-=-=-=-=-=-=--->owser and w<!---000==-=-==-=-=-=-=-=-=--->ait for initi<!---000==-=-==-=-=-=-=-=-=--->alization.<br> 3 - <!--- 000==-=-==-=-=-=-=-=-= --> Ty<!---000==-=-==-=-=-=-=-=-=--->pe<!-- 000==-=-==-=-=-=-=-=-= --> in<!-- 000==-=-==-=-=-=-=-=-= --> the t<!---000==-=-==-=-=-=-=-=-=--->or-bro<!---000==-=-==-=-=-=-=-=-=--->wser<!-- 000==-=-==-=-=-=-=-=-= --> add<!---000==-=-==-=-=-=-=-=-=--->ress<!-- 000==-=-==-=-=-=-=-=-= --> bar: <font style="font-weight:bold; color:#009977;"><!-- 000==-=-==-=-=-=-=-=-= -->xlowfznrg4wf7dli.onion/9B1627686B7818F4<!-- 000==-=-==-=-=-=-=-=-= --></font><!-- 000==-=-==-=-=-=-=-=-= --><br> 4 - <!--- 000==-=-==-=-=-=-=-=-= --> Fol<!---000==-=-==-=-=-=-=-=-=--->low the instr<!---000==-=-==-=-=-=-=-=-=--->uctions <!-- 000==-=-==-=-=-=-=-=-= --> on the site.</div><br><br><b>!!! IMPO<!---000==-=-==-=-=-=-=-=-=--->RTANT INFO<!---000==-=-==-=-=-=-=-=-=--->RMATION:</b><br> <!-----000==-=-==-=-=-=-=-=-= --><div class="tb" style="width:790px;"><!-----000==-=-==-=-=-=-=-=-= --> Yo<!---000==-=-==-=-=-=-=-=-=--->ur Pers<!---000==-=-==-=-=-=-=-=-=--->onal PAGES<b>: <br> <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4</a> <br><a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4</a> <br> <!-----000==-=-==-=-=-=-=-=-= --><a href=http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4 target="_blank">http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4</a> <br> <!-----000==-=-==-=-=-=-=-=-= --> Your <!------000==-=-==-=-=-=-=-=-= --> Personal TOR-Browser<!-----000==-=-==-=-=-=-=-=-= --> page : <!-----000==-=-==-=-=-=-=-=-= --><font style="font-weight:bold; color:#009977;"><!-- 000==-=-==-=-=-=-=-=-= -->xlowfznrg4wf7dli.onion/9B1627686B7818F4<!-- 000==-=-==-=-=-=-=-=-= --></font><br> <!-----000==-=-==-=-=-=-=-=-= --> Your personal <!------000==-=-==-=-=-=-=-=-= --> ID <!-----000==-=-==-=-=-=-=-=-= --> (if you open <!------000==-=-==-=-=-=-=-=-= --> the site directly): <!-----000==-=-==-=-=-=-=-=-= --> <font style="font-weight:bold; color:#770000;">9B1627686B7818F4</font><br> </div></div></center></body></html>

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

    suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

    suricata
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a.exe
    "C:\Users\Admin\AppData\Local\Temp\4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\nkhnlblxlvtm.exe
      C:\Windows\nkhnlblxlvtm.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1456
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:868
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1120
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:204
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NKHNLB~1.EXE
        3⤵
          PID:800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4ACE7B~1.EXE
        2⤵
        • Deletes itself
        PID:1124
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1004
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:760

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    File Deletion

    1
    T1107

    Modify Registry

    3
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    1
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\RECOVERY.HTM
      Filesize

      12KB

      MD5

      8969b97e474ad3d3f592de4e5537fded

      SHA1

      1bca1b71ca1ac32fdb5c07e97922ba0ebb00c8f0

      SHA256

      f80b6cc1379c3bc57010f7ebf8cd3a942b3b7027e2e8954a3aa5d437b2d8da1b

      SHA512

      f0c0c37ada8cd7fca50b5606b25b39e91822922648b999e7f208584771625dae95b8eaa9b9def46e16383f208d3d47ce5e38607e89badcbb33406e2562c0804f

      Download Submit
    • C:\Users\Admin\Desktop\RECOVERY.TXT
      Filesize

      1KB

      MD5

      d09ea7a5a5a986ab78462b4cee39403c

      SHA1

      05d6a36bfba55ff0941b49705cea8d6ffc1e5f3d

      SHA256

      550d933c4c78870165aaf7fda4d6990bce0000ce9609749199edd79d42a79cae

      SHA512

      0cd14795f1b2223d99ae5f626d6887b763cd25a3b251b8b0e1c1e2a2a15b3539b4050ba8d2290af480ebbb4563c5c01524c6efed0ec1356df9ce2a780c1e1517

      Download Submit
    • C:\Users\Admin\Desktop\RECOVERY.png
      Filesize

      64KB

      MD5

      3d6f46963d62e242c2e784c6e3908209

      SHA1

      f51c6d7d15d3c7566e609e71bc87ea45baf45e3d

      SHA256

      9919c94d507644b1814c955be5c041ba02a1b3ebe11311765130eb575522acc1

      SHA512

      8a2b48a426c4cc5e97a3105a4766c7e9e46ab8d1e64e180157e3b35dc290eedfbe9a8d789e93477d6a03b01e2c4bca59b0b1d7b218080eb8e5db51d800f0b616

      Download Submit
    • C:\Windows\nkhnlblxlvtm.exe
      Filesize

      325KB

      MD5

      28215a5ed45d61536d22322602407aeb

      SHA1

      d4db7b54acd5a8f2f7022f3f947ad79e0226801a

      SHA256

      4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a

      SHA512

      639ab48113f68f07e0573fcafac435aa5c41394572104a023f6c79ae33484a1b0c20765f7ffac2bf84e1ff715d0aacc08a927a24028d6863cdd0c31fad9896a5

      Download Submit
    • C:\Windows\nkhnlblxlvtm.exe
      Filesize

      325KB

      MD5

      28215a5ed45d61536d22322602407aeb

      SHA1

      d4db7b54acd5a8f2f7022f3f947ad79e0226801a

      SHA256

      4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a

      SHA512

      639ab48113f68f07e0573fcafac435aa5c41394572104a023f6c79ae33484a1b0c20765f7ffac2bf84e1ff715d0aacc08a927a24028d6863cdd0c31fad9896a5

      Download Submit
    • memory/800-73-0x0000000000000000-mapping.dmp
      Download
    • memory/868-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1120-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1124-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1456-62-0x0000000000400000-0x00000000004A7000-memory.dmp
      Filesize

      668KB

      Download
    • memory/1456-74-0x0000000000400000-0x00000000004A7000-memory.dmp
      Filesize

      668KB

      Download
    • memory/1456-64-0x0000000000400000-0x00000000004A7000-memory.dmp
      Filesize

      668KB

      Download
    • memory/1456-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1728-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1948-54-0x0000000076571000-0x0000000076573000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1948-56-0x0000000000400000-0x00000000004A7000-memory.dmp
      Filesize

      668KB

      Download
    • memory/1948-55-0x0000000000380000-0x00000000003AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1948-61-0x0000000000400000-0x00000000004A7000-memory.dmp
      Filesize

      668KB

      Download