Overview

overview

10

Static

static

3

suspect_file_2.exe

windows7-x64

10

suspect_file_2.exe

windows10-1703-x64

10

Resubmissions

05-09-2023 09:36

230905-llcqbseg77 10

12-04-2023 15:55

230412-tc7s4sdc52 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2023 09:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    suspect_file_2.exe

  • Size

    360KB

  • MD5

    9ce01dfbf25dfea778e57d8274675d6f

  • SHA1

    1bd767beb5bc36b396ca6405748042640ad57526

  • SHA256

    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

  • SHA512

    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

  • SSDEEP

    6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB

Score
10/10
teslacryptpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+wjohh.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/617B090EEAC249 2. http://tes543berda73i48fsdfsd.keratadze.at/617B090EEAC249 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/617B090EEAC249 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/617B090EEAC249 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/617B090EEAC249 http://tes543berda73i48fsdfsd.keratadze.at/617B090EEAC249 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/617B090EEAC249 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/617B090EEAC249
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/617B090EEAC249

http://tes543berda73i48fsdfsd.keratadze.at/617B090EEAC249

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/617B090EEAC249

http://xlowfznrg4wf7dli.ONION/617B090EEAC249

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_RECOVERY_+wjohh.html

Ransom Note
NOT YOUR LANGUAGE? USE Google Translate What happened to your files? of your files were protected by a strong encryption with AES More information about the encryption AES can be found https://en.wikipedia.org/wiki/AES at does this mean? his means that the structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them How did this happen? Especially for you, on our SERVER was generated the secret key All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! at do I do? do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed If you really need your data, then we suggest you do not waste valuable time searching for other solutions becausen they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/617B090EEAC249 2 - http://tes543berda73i48fsdfsd.keratadze.at/617B090EEAC249 3 - http://tt54rfdjhb34rfbnknaerg.milerteddy.com/617B090EEAC249 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser and wait for initialization. 3 - Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/617B090EEAC249 4 - Follow the instructions on the site. !!! IMPORTANT INFORMATION: Your Personal PAGES : http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/617B090EEAC249 http://tes543berda73i48fsdfsd.keratadze.at/617B090EEAC249 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/617B090EEAC249 Your Personal TOR-Browser page : xlowfznrg4wf7dli.onion/617B090EEAC249 Your personal ID (if you open the site directly):
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/617B090EEAC249

http://tes543berda73i48fsdfsd.keratadze.at/617B090EEAC249

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/617B090EEAC249

http://xlowfznrg4wf7dli.onion/617B090EEAC249

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (373) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\suspect_file_2.exe
    "C:\Users\Admin\AppData\Local\Temp\suspect_file_2.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\tijwkmbummiw.exe
      C:\Windows\tijwkmbummiw.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2008
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1480
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1904
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\SUSPEC~1.EXE
      2⤵
      • Deletes itself
      PID:3012
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2464
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+wjohh.html
    Filesize

    11KB

    MD5

    527ca3a3ba11c56d51c0ec2a8babe621

    SHA1

    275af1d2865e4da6a1a9b6d503de1e688537caed

    SHA256

    7e0bb636e18304bc20e67be075963d7d9f9dadb56030f4dacfc86deed0b001f4

    SHA512

    166826a528816390ff621e6a5be6979302718ee35b7da51d6c0899a5a71d1a2bcfb21b43e8da5404e54b34c9cbca7853a9cc8656c45248df6e75d2f923a6005f

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+wjohh.png
    Filesize

    62KB

    MD5

    b28c62896ed00f22ca0b6ace8c243a83

    SHA1

    70609c9bb229f41e48c9a1d090f3f4a3f958adda

    SHA256

    960207671c264622e80434242e795b51b5bc66889166e08b30f4b373076c9a61

    SHA512

    6320e21b2a286f12101b431c878dae11c31ded2e0b4aba4cc756a6bcbf0eb00b5b58e1df10f240451cff40b0bbae6cd6e9c54b9294becb228de4097b3599577f

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+wjohh.txt
    Filesize

    1KB

    MD5

    c6eb7ce267257f4e27747c0c1d1c81d8

    SHA1

    45a59717f93b3ee0f3cb7b2d33cfa348e6b3c57d

    SHA256

    fea6088034876e6e10386079644ca1721883fc0051792f1dddb4e2008a788823

    SHA512

    dab939a3914b46d8c024d47319ae33d25dd0ab5c97fa6835687adfe5215608fdb5e4972b6c324e778b11fdfdd1f8cd83165fe2b72df4d95dc6dfe3797ff5e186

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    865f019744b143a15e968a02335ba375

    SHA1

    e52e6c2e5e09c781d307277cd9b54f17537c226d

    SHA256

    37cdf05b1f74bafdffb6a61022f6cf48f1bd0605a39b57b178a98e66ffa3a2ec

    SHA512

    76d3ed30aee61b88d34ac08f3238aa0f3902ff34f68b9bd840b3aae819585ab6deb74fcb68341655ca1102a6eae172c99808915adee09a5ad8772aedee0fc24f

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    bd2739e2de947a0b801e5853411b2047

    SHA1

    1f4dfca81ad4b4c9b405146037c2a87f2e33a876

    SHA256

    11092e9d7e8df5a9fc7b222d8c04679c3f42b0a13b8bc6f5613fb0db9fcfd5dd

    SHA512

    7621768fcbeb3c8d06eb6c3a93a2e8edac39a75354a70b45b32ea0aaf18358150f969adc32c7f0223eb05abb40b1f0b76e820fc8a2b7748903d3204896ebdc65

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    173KB

    MD5

    64a88dea698eaaf68a6d259771bf4c77

    SHA1

    7cdec96240d769bea7324e00ab47f1497f1a7678

    SHA256

    ee2b6167cf3ef89d83110ee07201c8a56aeb6c296c50efe883c5a38f0f766ba4

    SHA512

    63b336ee98d847dd787143172857eed2d92b5e67199bca2d822c7534006004e40db0d01ec4fbdc2718246df09d826a5c922c7d7c8333eb1961874594020572bd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    4d09c0dc1fd5a5574524c2ab5714ba26

    SHA1

    43f27d50ad614133c22083314f2d77b18ee44470

    SHA256

    e44c74df70e660abaae29959e3d19ded00fb9be2fb332fc055d15e0d9d03a6e5

    SHA512

    8ecfc86123f93ed943ebef5c722aaf59eb67a3adbc2133dfc7e21e8b3c3b01023db89b616014a44fa9a4ae5ecdafc78e67541a3ee76b2601b9573861555bfcc7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    1ee59630de449585d8564cae093fe739

    SHA1

    f43daad2290145d5ec44c6e1a74e81fc6f365788

    SHA256

    f98d512190d0da2ac561685f0bc37924e6a14ee6bca0dc3dc067c429ea9a818b

    SHA512

    5c78024340e803d31def42ba443050e2e704a40e3c67b568f1b65b73830cff709c460557e51961da0dba49ac7cd4d18183e9dc2121c1437dacedae2da0389086

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    0a65e13de9883660fe39215a021b109b

    SHA1

    f11fb36d140a2a53e20f77921e9e65c773ddbda0

    SHA256

    e0b1bd7c8f57e5d6f539a6e28e4fc999779e69c6503d51746d12690addb75ae6

    SHA512

    6a7c70f64fe855acab6d4c771cf64db1bc163daed3dc9eb50bfdb09022626a736d8a36a623f505660cd92eeab5f39c395df14479df8126e96ed58a8413bf2c36

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    69d97452019f0763ebc674d4947cd0ad

    SHA1

    928769962f0e59f77f3023a4e47cc6cfbe465df6

    SHA256

    cfd7b0703f7e40710dcfc0a5e9d9e833156a0f2de907386a6106b6ab126c760a

    SHA512

    c5ad6142f6e7032a28ad510d9a957e5562b65014e9006a95459fc4049d49703cda45d581f606834901f6d3bc18717b8335c1f0ad05becdd28df844e7395f2bcb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    11d0c0719195375c4f41067c35359c9e

    SHA1

    396aff55656b5333c5516a41e7878160cbffc1ef

    SHA256

    9c279d35bca7a093a3df6681a5b500846079937640e36dd11895648de590cfe9

    SHA512

    51479fdafb368eea9c5c0fbc4e208e1c9d23219424750ba5e438dad63bbc3fd95048bc6010c5a6540b4b141877a61be408a125550a44504ea451af3086a7caa6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    4388ce827db26a0410eeb576b371cc7a

    SHA1

    79ed18472d30e71a632dda63aad93601b06ca208

    SHA256

    589549ada5e70ce544bd586961dbd91ebbd3b68f30d5ef8151fe1c02a2ca351e

    SHA512

    7513829fa9d40ad39734d59091341021fe714f65a7ba9843c8a68d92c31cf01f5de0f4dfaf1d1a31978cec2e9a4fc675e5d3dd61731f1c40c443ed598e6e0b50

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    8cdd291fb87ef1a762a41b1d00297392

    SHA1

    ce868edcab11a58ee39c9d7af0cd79ee32cc216a

    SHA256

    da262c03b28b275cf60d4b2d86a1fccc941e45236cf8899e0d10b9e811924887

    SHA512

    12a908c2b4028f3383a716dc618072a734bacbd569d4c1ab8b1354c9bd74d2e20768420525d73ab144239a91b1324253d9655df37d5daedbb8d559e9054d04db

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    dd61ed2490fce47e1f47969c306d35e5

    SHA1

    c67bd07bdd88225d2028ab8e06034f239206208b

    SHA256

    3f8569cef712bd2ead0f84d7b3acd0f2a9df8b1d9a0a12d064f35d697a1e975a

    SHA512

    183fd7119809bf6bc26c380ff8ba526b5d8a7e1483be43be4d5c6cbaf2085b31037825e216102324f5e139604377ef8273f9a68a18fc53979dd058981cedbd64

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    7ce4697464e89616be25cb680143bda0

    SHA1

    9d5c2a570987e398c648e60baacf4bbcf177db98

    SHA256

    b4a91388b543fab84e641049b3e99d8036aa12befb35d0902d618668e71812fe

    SHA512

    d97f7095e553991b36302c8c4c1486f7ff11eda8be23e0e8996ced1ddcb61c677716513e87763a22c85f45b1e48026cbf810cf49b34467502343d705a5621489

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    daf43bd2db0709fb41c4de976900479d

    SHA1

    0566a80894d743f782085027fe5af6c3c369d2bf

    SHA256

    04df7dd023851e6c9fb40675c0500ffd6f1fa916fe3871c7c7ddaa9a2aa61fa7

    SHA512

    3df9c5eb28e7c853b2d5d7ad8f4247efb179017a497ced821350baf24e3ed1c9644580af7b4ade5721c4987b990255a206671c618865a724f72cd13b9787b89f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    72941c90ba193460c1a859286b19480b

    SHA1

    e200966943002670af0985f52fb89c431bb0cb59

    SHA256

    4d94305909557baa92094dfc7afd0e62d3a77a3ee9257cc7e0139a663f1a7072

    SHA512

    a88813b6ccc0ad068398574969838b614a98536c6ddca431d31af7afb5c79a80186c0bb41b5182de84dc45c033adb4f743b57beefe899906a2e77e46b0aff327

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    90d62d78d8bf4e1c9547ac8ef4a29a91

    SHA1

    923b906adcf9ce1d2d9a34b79cc0ff487dcdef4d

    SHA256

    c3921284a129baf10435ec5f969b6490ca36d97a5f55c48d842d20a0e73b41f8

    SHA512

    08f4462ea799e25953440b082644b4c7ab546a3fc845f42232ed9c8c8a3ee801ba90db7a5f6188d8d2593cd42e5eb633b5d7ad754d0179d34563c9275b5637ad

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    f80b1e3f93b8146f91ee5aa030c92732

    SHA1

    8f8252fa8dbd6eceb7b0f31f46b4da65dd2b762e

    SHA256

    64a49357ec1236fdcd8000f42db1b9240aefd7180943505fbdc5ae6f30db12a9

    SHA512

    f8ca29009d335e8b216e5e49cd4048635359722ec3de7383f6027346db00ff465075445dfb5d6e62ac0d41cc829f8ffff60101aef184b7efb559626e093d27de

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    e03a59a11837c886021905b6a31476fd

    SHA1

    eaab7292d0efd0c13e426e1a5aeaac6a1cf61858

    SHA256

    3bcdbd1dea5d93415701513be69b8f733ae48d0ab5744a87741f187dd54c99a9

    SHA512

    6b6d8bf8055389bf70c33e0b07f2e70363bfb2d6f5b876f9fd811fdae0cf9b09ee68c35f5aef9e005ec96df28554218bdee5046ab9b5725d38f2a3aecea482dd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    38162aa519cb61e05f6a9c678f94d01d

    SHA1

    3b5c5f01de353a8795b08149395174143bddc08d

    SHA256

    6ebdc8902c7a0d9cfe3f9cde968946df52b98ce177ea58931dcdae642d78e085

    SHA512

    0acf7fb7c57fbe76e4e0a9155d7b42bf7a22397bc102d7bc349797e98899ba8b206f2e12d42d508d287bb9d4e741a7a2da805766c549d8d4b3210868fe79fc87

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    cbbb709a5b59ac94c619864ce46e27e9

    SHA1

    cb52733af79009a501e109a4ff52e4f755322aca

    SHA256

    4e19fd4c9e2ae49e74c2f0a61f5eb6ae670b06aedb66bb84ff7cf090523f05dd

    SHA512

    4c3ee82dd3f9b93d468da4f7c70f5cbc6308b6bbe8c64cd79922b66e5a9f5cae3ee783c47e252ae653802c756809096895b14f5db0441cce38a29fc4e5f66341

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    4fe29f2695a282396acd201599df48ac

    SHA1

    53598555113369754930d4c71730aded7eed9b45

    SHA256

    0916b9c7660dce4f22ede1f3f18ad4db8a4fa48ca2c664a49ee9df4d6ad1a67b

    SHA512

    8a40463dbdf45d6374ac9e9851c72b5ca740000279dae7795619c10819ab0075789ea4ae0fe287f6c0782a0c57e00c23648083fd0c3d19c58c4c65e91bc4a667

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabC3BF.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarC410.tmp
    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\_RECOVERY_+wjohh.html
    Filesize

    11KB

    MD5

    527ca3a3ba11c56d51c0ec2a8babe621

    SHA1

    275af1d2865e4da6a1a9b6d503de1e688537caed

    SHA256

    7e0bb636e18304bc20e67be075963d7d9f9dadb56030f4dacfc86deed0b001f4

    SHA512

    166826a528816390ff621e6a5be6979302718ee35b7da51d6c0899a5a71d1a2bcfb21b43e8da5404e54b34c9cbca7853a9cc8656c45248df6e75d2f923a6005f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\_RECOVERY_+wjohh.png
    Filesize

    62KB

    MD5

    b28c62896ed00f22ca0b6ace8c243a83

    SHA1

    70609c9bb229f41e48c9a1d090f3f4a3f958adda

    SHA256

    960207671c264622e80434242e795b51b5bc66889166e08b30f4b373076c9a61

    SHA512

    6320e21b2a286f12101b431c878dae11c31ded2e0b4aba4cc756a6bcbf0eb00b5b58e1df10f240451cff40b0bbae6cd6e9c54b9294becb228de4097b3599577f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\_RECOVERY_+wjohh.txt
    Filesize

    1KB

    MD5

    c6eb7ce267257f4e27747c0c1d1c81d8

    SHA1

    45a59717f93b3ee0f3cb7b2d33cfa348e6b3c57d

    SHA256

    fea6088034876e6e10386079644ca1721883fc0051792f1dddb4e2008a788823

    SHA512

    dab939a3914b46d8c024d47319ae33d25dd0ab5c97fa6835687adfe5215608fdb5e4972b6c324e778b11fdfdd1f8cd83165fe2b72df4d95dc6dfe3797ff5e186

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_RECOVERY_+wjohh.html
    Filesize

    11KB

    MD5

    527ca3a3ba11c56d51c0ec2a8babe621

    SHA1

    275af1d2865e4da6a1a9b6d503de1e688537caed

    SHA256

    7e0bb636e18304bc20e67be075963d7d9f9dadb56030f4dacfc86deed0b001f4

    SHA512

    166826a528816390ff621e6a5be6979302718ee35b7da51d6c0899a5a71d1a2bcfb21b43e8da5404e54b34c9cbca7853a9cc8656c45248df6e75d2f923a6005f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_RECOVERY_+wjohh.png
    Filesize

    62KB

    MD5

    b28c62896ed00f22ca0b6ace8c243a83

    SHA1

    70609c9bb229f41e48c9a1d090f3f4a3f958adda

    SHA256

    960207671c264622e80434242e795b51b5bc66889166e08b30f4b373076c9a61

    SHA512

    6320e21b2a286f12101b431c878dae11c31ded2e0b4aba4cc756a6bcbf0eb00b5b58e1df10f240451cff40b0bbae6cd6e9c54b9294becb228de4097b3599577f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_RECOVERY_+wjohh.txt
    Filesize

    1KB

    MD5

    c6eb7ce267257f4e27747c0c1d1c81d8

    SHA1

    45a59717f93b3ee0f3cb7b2d33cfa348e6b3c57d

    SHA256

    fea6088034876e6e10386079644ca1721883fc0051792f1dddb4e2008a788823

    SHA512

    dab939a3914b46d8c024d47319ae33d25dd0ab5c97fa6835687adfe5215608fdb5e4972b6c324e778b11fdfdd1f8cd83165fe2b72df4d95dc6dfe3797ff5e186

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\_RECOVERY_+wjohh.html
    Filesize

    11KB

    MD5

    527ca3a3ba11c56d51c0ec2a8babe621

    SHA1

    275af1d2865e4da6a1a9b6d503de1e688537caed

    SHA256

    7e0bb636e18304bc20e67be075963d7d9f9dadb56030f4dacfc86deed0b001f4

    SHA512

    166826a528816390ff621e6a5be6979302718ee35b7da51d6c0899a5a71d1a2bcfb21b43e8da5404e54b34c9cbca7853a9cc8656c45248df6e75d2f923a6005f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\_RECOVERY_+wjohh.png
    Filesize

    62KB

    MD5

    b28c62896ed00f22ca0b6ace8c243a83

    SHA1

    70609c9bb229f41e48c9a1d090f3f4a3f958adda

    SHA256

    960207671c264622e80434242e795b51b5bc66889166e08b30f4b373076c9a61

    SHA512

    6320e21b2a286f12101b431c878dae11c31ded2e0b4aba4cc756a6bcbf0eb00b5b58e1df10f240451cff40b0bbae6cd6e9c54b9294becb228de4097b3599577f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\_RECOVERY_+wjohh.txt
    Filesize

    1KB

    MD5

    c6eb7ce267257f4e27747c0c1d1c81d8

    SHA1

    45a59717f93b3ee0f3cb7b2d33cfa348e6b3c57d

    SHA256

    fea6088034876e6e10386079644ca1721883fc0051792f1dddb4e2008a788823

    SHA512

    dab939a3914b46d8c024d47319ae33d25dd0ab5c97fa6835687adfe5215608fdb5e4972b6c324e778b11fdfdd1f8cd83165fe2b72df4d95dc6dfe3797ff5e186

    Download Submit

  • C:\Users\Admin\Desktop\RECOVERY.HTM
    Filesize

    11KB

    MD5

    527ca3a3ba11c56d51c0ec2a8babe621

    SHA1

    275af1d2865e4da6a1a9b6d503de1e688537caed

    SHA256

    7e0bb636e18304bc20e67be075963d7d9f9dadb56030f4dacfc86deed0b001f4

    SHA512

    166826a528816390ff621e6a5be6979302718ee35b7da51d6c0899a5a71d1a2bcfb21b43e8da5404e54b34c9cbca7853a9cc8656c45248df6e75d2f923a6005f

    Download Submit

  • C:\Users\Admin\Desktop\RECOVERY.TXT
    Filesize

    1KB

    MD5

    c6eb7ce267257f4e27747c0c1d1c81d8

    SHA1

    45a59717f93b3ee0f3cb7b2d33cfa348e6b3c57d

    SHA256

    fea6088034876e6e10386079644ca1721883fc0051792f1dddb4e2008a788823

    SHA512

    dab939a3914b46d8c024d47319ae33d25dd0ab5c97fa6835687adfe5215608fdb5e4972b6c324e778b11fdfdd1f8cd83165fe2b72df4d95dc6dfe3797ff5e186

    Download Submit

  • C:\Users\Admin\Desktop\RECOVERY.png
    Filesize

    62KB

    MD5

    b28c62896ed00f22ca0b6ace8c243a83

    SHA1

    70609c9bb229f41e48c9a1d090f3f4a3f958adda

    SHA256

    960207671c264622e80434242e795b51b5bc66889166e08b30f4b373076c9a61

    SHA512

    6320e21b2a286f12101b431c878dae11c31ded2e0b4aba4cc756a6bcbf0eb00b5b58e1df10f240451cff40b0bbae6cd6e9c54b9294becb228de4097b3599577f

    Download Submit

  • C:\Windows\tijwkmbummiw.exe
    Filesize

    360KB

    MD5

    9ce01dfbf25dfea778e57d8274675d6f

    SHA1

    1bd767beb5bc36b396ca6405748042640ad57526

    SHA256

    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

    SHA512

    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

    Download Submit

  • C:\Windows\tijwkmbummiw.exe
    Filesize

    360KB

    MD5

    9ce01dfbf25dfea778e57d8274675d6f

    SHA1

    1bd767beb5bc36b396ca6405748042640ad57526

    SHA256

    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

    SHA512

    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

    Download Submit

  • C:\Windows\tijwkmbummiw.exe
    Filesize

    360KB

    MD5

    9ce01dfbf25dfea778e57d8274675d6f

    SHA1

    1bd767beb5bc36b396ca6405748042640ad57526

    SHA256

    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

    SHA512

    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

    Download Submit

  • memory/1200-12-0x0000000000340000-0x00000000003C5000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1200-11-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1200-0-0x0000000000340000-0x00000000003C5000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1200-1-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1740-5814-0x0000000000330000-0x0000000000331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1740-6254-0x0000000000330000-0x0000000000331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1740-5813-0x00000000001B0000-0x00000000001B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2008-3561-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-5812-0x0000000002F80000-0x0000000002F82000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2008-5579-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-4533-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-5816-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-2536-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-1682-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-773-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-506-0x00000000004A0000-0x0000000000525000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2008-505-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-13-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2008-14-0x00000000004A0000-0x0000000000525000-memory.dmp

    Filesize

    532KB

    Download