7bbb458e6579df29118174eb65579f6f02773e8ead9e89b65933191796774617

Analysis

max time kernel
122s
max time network
140s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trkop.vbs
Size

4KB
MD5

e709fe17f4e7f99292b8685ddd0a0a7c
SHA1

f7f05bd5b2b4c134577a375f4d3d29fda36fc146
SHA256

101f060edf89f4362ee6657acc110f88d3140090fb676620049a2407b503b837
SHA512

58a3df44e7123d84abe59be6af06587845157f3e75132c0c55b891cd911c77ab0fa958eb1c395c17d34fec02fc07af93b57aa3188cb4bb9f66a251a9b23b9647
SSDEEP

96:UgWBAP2GmFP5AI2IYAvk4yZxIe2H132Tes2X2nj2jW32p2eR2p52pvc272nRgu/b:UAPbmFPrKlZxLk3uesceKso2eRo5okGY

Score

9^/10

defense_evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2908 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2908	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000c75d7e8ec4de9f9e14fe6a8dd5d6c93a489149c71b937fb27b471634d88d3a88000000000e80000000020000200000000b08fca48183553316bc04139580d7ca04d13f6e4704d00f73c1a0059666d329900000001b4bb4682a09786bc6ad15655ed72a91b0bb19e0b701f17ffb06be9acc6d8a6beb3d2e5b094ee2b09e47fe08cd3a687ecc8ac9908fe737835c0e55e0ac05323bc87117eb5da76c8242440a71feaff0025ba518870a81b8ddde4c6ac4f0ce708ac1ff59ac8cdd3f7f7c125e2bf28b52d18d3ff3f2850d12722a7e16cb09ac434a8b5e3a24c9bf27f14a255c2f4f2581b840000000597f2f8b129f8f912d405e40eb16895a0e4b4dff9e4083e1abc7e2a758d127c561cbd48892cef92ee51530443e9fe2677856f99a190459ae52ad760b127938e9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000093f7dc59b5b359e2222a23502a4c4b056e70c97f32b0988e795ea8cd83eb961e000000000e8000000002000020000000c701cc10609a0ee7e43b493c12b3c5d67b95f644c506d3daa4634237a53f8f9d20000000a297736e4f3a4417a97952803870a62286bf306867370ecf8fd507f163a3d16a40000000139e364e017c24600b30033f008d3d156c1ad41c16b1efd310427a22b64b5e2549da9c7e63f428c35fb6b48d963abf05d2c869cec9ca400c10489ddb22ffece3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422728717"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405e7d8df4adda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B8E49A81-19E7-11EF-89B4-66A5A0AB388F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

gpg.exe

pid process

2912 gpg.exe

pid	process
2912	gpg.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: SeBackupPrivilege	2840	vssvc.exe
Token: SeRestorePrivilege	2840	vssvc.exe
Token: SeAuditPrivilege	2840	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2692 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2692 iexplore.exe
2692 iexplore.exe
3012 IEXPLORE.EXE
3012 IEXPLORE.EXE
3012 IEXPLORE.EXE
3012 IEXPLORE.EXE

pid	process
2692	iexplore.exe

pid	process
2692	iexplore.exe
2692	iexplore.exe
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WScript.exeiexplore.exe

description	pid	process	target process
PID 2976 wrote to memory of 2136	2976	WScript.exe	gpg.exe
PID 2976 wrote to memory of 2136	2976	WScript.exe	gpg.exe
PID 2976 wrote to memory of 2136	2976	WScript.exe	gpg.exe
PID 2976 wrote to memory of 2136	2976	WScript.exe	gpg.exe
PID 2976 wrote to memory of 2912	2976	WScript.exe	gpg.exe
PID 2976 wrote to memory of 2912	2976	WScript.exe	gpg.exe
PID 2976 wrote to memory of 2912	2976	WScript.exe	gpg.exe
PID 2976 wrote to memory of 2912	2976	WScript.exe	gpg.exe
PID 2976 wrote to memory of 2692	2976	WScript.exe	iexplore.exe
PID 2976 wrote to memory of 2692	2976	WScript.exe	iexplore.exe
PID 2976 wrote to memory of 2692	2976	WScript.exe	iexplore.exe
PID 2976 wrote to memory of 2788	2976	WScript.exe	WMIC.exe
PID 2976 wrote to memory of 2788	2976	WScript.exe	WMIC.exe
PID 2976 wrote to memory of 2788	2976	WScript.exe	WMIC.exe
PID 2976 wrote to memory of 2908	2976	WScript.exe	cmd.exe
PID 2976 wrote to memory of 2908	2976	WScript.exe	cmd.exe
PID 2976 wrote to memory of 2908	2976	WScript.exe	cmd.exe
PID 2692 wrote to memory of 3012	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 3012	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 3012	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 3012	2692	iexplore.exe	IEXPLORE.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trkop.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\gpg.exe
"C:\Users\Admin\AppData\Local\Temp\gpg.exe" --import C:\Users\Admin\AppData\Local\Temp\yin1abtn.cq124aqq
2⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\gpg.exe
"C:\Users\Admin\AppData\Local\Temp\gpg.exe" -r y1688 --yes -q --no-verbose --trust-model always -o C:\Users\Admin\AppData\Local\Temp\BLKLOCK.KEY -e C:\Users\Admin\AppData\Local\Temp\rizot.doc
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zapa.bat" "
2⤵
- Deletes itself
PID:2908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6d6a8c25c897f35b8333a764cdf553c4

SHA1
ec5eb1d9e9fcad893cfbbc3e6ebb55eb28a27272

SHA256
f842f447250c15aa80f17d986e9819f5877729c973c7cd8782d8a55f8ffbd245

SHA512
e4464260c9c43be1502648b99576ca04bfaa91ddd15a304b23aa5df14c1fcd917a091c6ea6b9e245aad80c7229dd82cb5da56bf40cd2682f00690cdb9a4a76b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
44fd1b090214e1425e411e9838f52b6c

SHA1
177de73aa7748d0796a526028d1ea54a56f91636

SHA256
90701b1c7fdeb5ff36d74ad5371d52f89a432d80c2c95a2c7d701fb98f07cfc3

SHA512
8eb869957a491df1fbae3b332de657369c411cfaf4bcca8f7a29ca3bc3b330a39c485c192ec9a8a61f1f1fe61c792e15cea027863a65be6d2f982e3c18d3c38a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d44479bc64a69d220430c4580ab62b77

SHA1
19a5c9f6c6823f08f8305b740d777026ea83c803

SHA256
e1a180eb9436b10be613383c911116fe49aa6e8548ad1f8637d78c156edba1bf

SHA512
f332ab1052d82900dc55228c66d20b386530c232355ce6aad94166a86c12ac98aca0ebe0336dca1daa4452cf703c7c11cbdbbc01392258248f4e5b8a9486d000

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ac42d77fc2c2b213d6c50cbecb482e5a

SHA1
16b1a045849cedba45622e3c8c9f51348b645d6c

SHA256
6d2caa9c107b2b31e7a88f0c2aac1721ddd032361ca706d2af78269f8b0d589e

SHA512
3bc1f3496b436b45a0e59875b9a076961cf87e73ab238e6f38e64622ea2e063ce898a8bb45ecbf0992a1114a0c57b62a0afc5f03e8789204556ae3f16d8d3b7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0221bf1164c740ad0d7f9fc7d6c91794

SHA1
ec769e70c66e8ed79dffca17bfd0e2dfd8c22b5f

SHA256
34f46b416967c384ff3d6a002c86395da11f5a7565b6821b86e1d8be99d64294

SHA512
2aa25b20755f72942a4f620467d1a566757c9252ba5f025ea9642cbf6f18a62a7199fa852c6919602f0b2591905d15a2474a12c3db38119cbf83c0be05cde4ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
94a3738b6c7a645d73f3850ed5e778cf

SHA1
51a0def09573efb4490594a609247010d429bebe

SHA256
68c008522b88b83ae989558e1cc82e204438eba5ff77520a9e466902e868287a

SHA512
181226f3bfc8e6f397af2aaee773d9be4106ee46b7b5b89274da4bcb247912d0e176466b477185d0746507e344470fb412192532227858e11a6f8029a88eac96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
408d37d9f138febff0e9ebe80676839f

SHA1
02e622a4af171930ac2864529616656dabfaea4e

SHA256
20cb23a7676b5866c98cc4892367dcc9a278d930ffed8f7f779eb6eb920bcf21

SHA512
6b027ea07d060cefbb23cf586f54d59d6fb1771975ee99e80dd676d3e2cc9027816023373c0c337493798aebce975800d0fa55e14ec3220b2512c89676f5db9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c18407789ac969773f7d6bf3a87ad2bc

SHA1
c40fe4684a14632e7b2377c6d0b6e8db3bb63ae6

SHA256
2fa51e831ff8ac29ceb48ec86dbb7d4e9e8ac35548fd5c422e2c52bc34ff3bea

SHA512
6f4c75bd17936fc1489707122970b6380f77fc4a0d26e09b6a7e0bebe3305c84d7b360697bef8d2cef32f7ed96d31284f6289744116effc96f2904fc49972d0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8ae499656c313304fb8605d3c76bd1fa

SHA1
5f67f6705f4b024c9fa4888081e91e7abf750c0e

SHA256
ba882b4b039c0f3b5473261f257ffe50c75a83655d6e9d8155fa306035786207

SHA512
2d5a94360d7ab7f1dc8688638a5ec487cd565c83b7af135cda231068b5717b4fb3847451c8a3e5a9586aaaf98c07db4ed7411e8e06de7d083aeac58ebe9d58da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
28f882d43bf0030845f8b2e734ec7d55

SHA1
11a5f9c74548a8a78328a5fb582560b7825d9890

SHA256
705c6d3cfa7e7064a8441df9fdf2e958acafac93da257dea1f81e97e82d39eae

SHA512
aabfe5777b748597b6f55e9d64692e8aebf23a5276fe4b224a4f303dd846fd4f2ae2baf1c38536a8a1b234560f575f15edfd94fa2eb9b027432ac837b098dfeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
55a06ae6694bee1a14f35c6c49e7f6fa

SHA1
c80c53b9ad9bbe92b09925a42a816bc3317ee1e6

SHA256
8e7cf2bf883ed8ec8a6293d7643f1291b436940ec454be303436580d7e00b9a3

SHA512
824e0b7f8c48e00d66ded83e76585eb57b6eb021ff2c32cd83f9368836b58a6ac7868ae523e1cad5a0d56c11a6434e364e79e975602f0de269f8ccd6daa947d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d252a86f2ebb2cb33650fbffa44cac1c

SHA1
6765beab105f7232a47ce36efcb42620ef423d8e

SHA256
aec53bd96e0d60ecb02fd40b90d3aeb4d67012ee34e0b44fc8fb1c5795a855ed

SHA512
a8ebf3cd071c08392edd67fc05fa076ac03d625d419060120720471d37990474106f234363da41769392c1270c978806fc770c19c8828419bcd9c27e053eff02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f7b7925d4cc7d197845a0adf5dd89e95

SHA1
9df1ecde1f42da8df83f33cc15db564ea8568802

SHA256
509cd39a5d570f6349c1b092b5a87ce568c9b792aca36ff689b53d189d63e676

SHA512
67f527aa28763d47e7e246095a4d80aa682083b78de59a4bd1e1587ab689ffaff12bb8560c0e22061e96e725d34995aa96d10932c1894b58498720ee3077d691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
15e18f5593a8497713cf6f379fd29daa

SHA1
9f2dd3083b2f58f4bf9e2605649c9a8eccba76bf

SHA256
bff7d4a23a9ca12b76800b924fd7050913d2a3f470326fd3104b212d9f8a5458

SHA512
70da793f5f20fabbe3590fbe7208275ff3229e20518871a455eb69d623b18cffbcc056b7d4e3e1bfbc4bd99b766ad1c76ac0dec25be0b8cfdaaae7455e2082ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7db00d8986d733d289ad69e36f10efde

SHA1
aeba99fc205059e72ea1827fff6305458b6a2f47

SHA256
d83262924dae93f3d2309f418f64174c7cbd463f3506204badb0fb7d823c46df

SHA512
19e41fc9f1de4b07de274e106bbf71f79fe8f67d589dd763f35a2ad8ed3a9e25cce63d55abc840c00824bc410f84595b7da0e314187f5d2a868ebaf9a43812f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d3019c4c638ecc2f661286df8dbb8d33

SHA1
62060a700603741c462276fbd591a33168e81776

SHA256
4aa4ead1452f0e50e31f17a61f401ef2e635d85284be7c9a7663b8f800d433d3

SHA512
d35fbf18d26ce97c7ce3b2d244a33eecf2c073cae75f47b9e5b59cf6f4be897fc3a7ebd760a5fc782161c0596f08b38ceca45e7cd3f5a036f8dee0b19867f170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ee3052e1f0955a4af69dec82f061501

SHA1
6c20b494c4f99c3945eb8cd037623dfd6f88ead9

SHA256
ec8ac6f1e055a0241131dbf11b904b21e10cbd3854a835e0d30353bb106e2c2c

SHA512
153b16e627cd25f3e685c25f4f846ca2f94563db4d1e398b3b2389ab5724191d8483be535011fb464ad19a5b7e07c9c019d44a4d0d661371366aed4c2f7d6fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d4696dac162a3915bef2f9958ba7a04e

SHA1
a078a21cf7604d79ee642489c22ff0bcb37e6a4b

SHA256
bba38c363d9c70490d719782dfe4c69d5eef31b98d77c529c4f65b50d3bf1fac

SHA512
b686243ea492885b21ee240ac1da1bdbd21bcceb0ee1004439c1c9800491e18446f6743792fb99062a434c4993247b05b134f1f2d0d934a2e7f96a603a54613d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0af4cf8985bba6cfe7ac3a55eb1fb77f

SHA1
8370037d34d40177f80389aebcf6ae05531ac3eb

SHA256
6f8f86ec7c5cad62d8998efe3758e130ce9ab014dbb84da77ba4fc41cd109bab

SHA512
1795801a64915266de4e959009e756e3e503360ae20c28449f064df76d4806db9b633af531efa7957c7e519675700866ef90e3558c67475c0a2f4db9090a182d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLKLOCK.KEY
Filesize
363B

MD5
cec37130f6398251c25fb254235caf90

SHA1
6706e5b1b752f02aa0b142d64684fa46ff18fbce

SHA256
80e6dbbd7b34ef982feb564f95d2939419409f43dc70f86bc6a4fd8c46d59ced

SHA512
51d4f2b70df8e9d391f60d83e663cf0f7477b84bca79497e46cf39ff5d8106e3d75e84712a0c078a14535f96c56bb8cfbf305317b57fa4e7e3838feb2f35f50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab60C9.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6129.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.html
Filesize
719B

MD5
67a3375773562e7e470c820536880720

SHA1
6ab9afcc84754315ff874fd5718f003ec2d8d23f

SHA256
315bbddec308682ed567e96410ec6a78065ba5a986ea082b95d0091001e75026

SHA512
0e611ae7f0395fc55c522b6625afe1b43d74dbe4bb43d0524f5c43b305ac1741dcae3dc711e88ec8e91ecfc5a5050459a34a030e1dfb56f971a5e68e8d033ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rizot.doc
Filesize
22B

MD5
bba7072de15920edcd0392c067e0d837

SHA1
6e57a7fa97d8ca55f3940b31eb4e5dfd294a0dee

SHA256
423d87f950f74dad1e79d1fa71d9bae46f4e833eb7c859ae3d22ada6421c3796

SHA512
4eb5d6e949aa42727d8cc259764fb5c5a18a0e12cc5df9ede7da238ad0cd44bc05c52291fa5295181f287cfc54ad9361c98b524c97f1bbab7c58314c38922ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rizot.doc
Filesize
87B

MD5
1e7c8aef2705d09c6d2d3064f4b3441b

SHA1
966bbf4f2c13066a6d01da31c4734e062944f65f

SHA256
c1ebe509542f5a3027feafe813474fb2ea8c6d8247c84554e7d8542337168c03

SHA512
6ee16ede6b39d6f54fc6eb9cbbf0a0c1c8e60eb8ab559d3e70b01a97924ac4b61fa5c18a979315d6d35a3f07eb0e8668449962f3bb51123bff34bb781a9b0b27

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\pubring.kbx
Filesize
1KB

MD5
4a84d5ebc94bfafba8056331f2626018

SHA1
d39560c69c7aa57e9fe24d4919c9889ba620b4ec

SHA256
bbb9e5a30afe01e5160ea757bf183eb13830f3f519c6348037efd689ace8309d

SHA512
5f3a9d7ccd8c0b9ac0503655aff018c6d448d19bc601f5b73f9dd2d7a96fafc394ddb7a534f4a2be1dff0b465f0369f217555d0641d234556a6777ea15ad4295

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\trustdb.gpg
Filesize
1KB

MD5
6f2bce9c026e4cca1609f17097d184ca

SHA1
f4144f08a4bd04a00063a21dfce7ca8a9f1aff01

SHA256
f7d731ec139a38cf08bf6d247eb2c9176764489030fba05d48cdf9c64c9a0eee

SHA512
1577afa4790aa021d77fda6fa77ae8502a38100b096e06d4753e4200b645839f6d0db10d61e241a0d8fffb9834f7fbe7073945432686c4a85fa1d296b438157f

Download Submit
memory/2136-11-0x000000006B480000-0x000000006B4AF000-memory.dmp

Filesize
188KB

Download
memory/2136-10-0x0000000065A80000-0x0000000065A99000-memory.dmp

Filesize
100KB

Download
memory/2136-13-0x0000000066580000-0x000000006664C000-memory.dmp

Filesize
816KB

Download
memory/2136-14-0x0000000063080000-0x00000000630A0000-memory.dmp

Filesize
128KB

Download
memory/2136-12-0x00000000655C0000-0x00000000656BA000-memory.dmp

Filesize
1000KB

Download
memory/2136-9-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2912-20-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2912-21-0x0000000065A80000-0x0000000065A99000-memory.dmp

Filesize
100KB

Download
memory/2912-25-0x0000000063080000-0x00000000630A0000-memory.dmp

Filesize
128KB

Download
memory/2912-24-0x0000000066580000-0x000000006664C000-memory.dmp

Filesize
816KB

Download
memory/2912-23-0x00000000655C0000-0x00000000656BA000-memory.dmp

Filesize
1000KB

Download
memory/2912-22-0x000000006B480000-0x000000006B4AF000-memory.dmp

Filesize
188KB

Download