Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-04-2023 21:27

General

  • Target

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

  • Size

    235KB

  • MD5

    f6f120d1262b88f79debb5d848ac7db9

  • SHA1

    1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

  • SHA256

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

  • SHA512

    1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

  • SSDEEP

    6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html

Ransom Note
Your personal ID: [hex identifier omitted]

/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
* Note that this server is available via Tor browser only

Follow the instructions to open the link:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
4. Start a chat and follow the further instructions.

If you can not use the above link, use the email:
[email protected]
[email protected]

* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

Family

medusalocker

Ransom Note
Your personal ID: [hex identifier omitted]

/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
* Note that this server is available via Tor browser only

Follow the instructions to open the link:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
4. Start a chat and follow the further instructions.

If you can not use the above link, use the email:
[email protected]
[email protected]

* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker payload 12 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
    "C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"
    1⤵
    • UAC bypass
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1296
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2024
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:560
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:760
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:832
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1228
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1924
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SaveTrace.wmv.marlock07
    1⤵
    • Modifies registry class
    PID:960
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1208
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D5F9DB93-9A6F-4F95-AADF-E493039222D6} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:896

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html

    Filesize

    4KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    61KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\suggestions[1].en-US

    Filesize

    17KB

  • C:\Users\Admin\AppData\Local\Temp\CabE0C2.tmp

    Filesize

    61KB

  • C:\Users\Admin\AppData\Local\Temp\TarE220.tmp

    Filesize

    161KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YM0GICKE.txt

    Filesize

    600B

  • C:\Users\Admin\AppData\Roaming\svhost.exe

    Filesize

    235KB

  • C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

    Filesize

    4KB

  • C:\Users\Default\NTUSER.DAT.LOG2

    Filesize

    536B
