Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02-04-2024 10:08

General

  • Target

    c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe

  • Size

    4.8MB

  • MD5

    affa6575a3ff529c583fab38ff9f59e5

  • SHA1

    a4d2dde718cc10d6ac12e4ec1f602a1050746aa5

  • SHA256

    c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259

  • SHA512

    c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767

  • SSDEEP

    98304:bw3OKBzMFxybbbbpNGWeEi4DtrRKm40djW1mGaHBad6s:bw3y6bbbbpNYwDdjW1zqEn

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\JxhOTKIU_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aDAEAAcAbb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

jRc

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\JxhOTKIU_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aDAEAAcAbb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

54EA9LE

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\JxhOTKIU_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aDAEAAcAbb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

SCpXUXXqTP

URLs

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 10 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Renames multiple (166) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
    "C:\Users\Admin\AppData\Local\Temp\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe"
    1⤵
    • UAC bypass
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4692
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3920
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:464
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v13

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548): 1
  • Bypass User Account Control (T1548.002): 1

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548): 1
  • Bypass User Account Control (T1548.002): 1
  • Impair Defenses (T1562): 1
  • Disable or Modify Tools (T1562.001): 1
  • Modify Registry (T1112): 2
  • Virtualization/Sandbox Evasion (T1497): 1

Discovery

  • Query Registry (T1012): 3
  • Virtualization/Sandbox Evasion (T1497): 1
  • System Information Discovery (T1082): 4
  • Peripheral Device Discovery (T1120): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
    Filesize

    4.8MB

    MD5

    affa6575a3ff529c583fab38ff9f59e5

    SHA1

    a4d2dde718cc10d6ac12e4ec1f602a1050746aa5

    SHA256

    c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259

    SHA512

    c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767

  • C:\Users\Admin\Desktop\JxhOTKIU_readme.txt
    Filesize

    3KB

    MD5

    b404d572fad72706e2f051abb2519c73

    SHA1

    99cf095c05f8ec91790b88da82459238a96ee17d

    SHA256

    1d87f7b1ef89abb34f4fdc291f8c2fc9d39e2aad187375238bf95609fe787e4a

    SHA512

    2350e0fa35996aeb82965093f8602d7f32319c56ab4da48ec8e57dfc187abf60b04b1ad8b5a176b71da2d76730f14a7905f941d276f3ac4cdf5b4c16b46ead2c

  • C:\Users\Admin\Documents\JxhOTKIU_readme.txt
    Filesize

    3KB

    MD5

    18ddc90e23060dcb9dfcc967929086c1

    SHA1

    9ccd4dd1894fd5b5561760951e7c0a92cfe7a8f9

    SHA256

    6dd6c340b55f0e609b4f00d7df65f982046ef98a3b383929090bcd04c8597944

    SHA512

    31be62ff69932009d1a70709522f74dc2600e31b47f0bb1ea88651717281b5832b106240af7ee3144feed1fb3ae70c298cb3db2f51f04ce85a3bb587d2903cfe

  • C:\Users\Admin\Favorites\JxhOTKIU_readme.txt
    Filesize

    3KB

    MD5

    81057a0ab4c405bca6a3b44ba19bfe6f

    SHA1

    dc0d358301512c3a69e197b02175e4281c44f366

    SHA256

    09a2488d00e34d07c32df49e7a6b5fd99efa54314bf05981d1827a721c5b6f94

    SHA512

    1ecfd37b51512b6218f037a068b61b243f2684b6416fa670895f63a8495bbbaad147a05268c57ae417eda205d5fd5542578f7e5c2e1aa16857a76b43f1d7d881
