Analysis

  • max time kernel
    1190s
  • max time network
    839s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    22-11-2024 02:36

General

  • Target

    74add6536cdcfb8b77d10a1e7be6b9ef.exe

  • Size

    229KB

  • MD5

    74add6536cdcfb8b77d10a1e7be6b9ef

  • SHA1

    b35c295f625ce4203f70106d33ecdfb39be3537b

  • SHA256

    f5ab764c439a45ed892a3346f228d36f24d7f2377d4cddc5e82a0566f8521082

  • SHA512

    91c1f048b39bb620e498342a259b8edfdf0655c674870104d5d335d49598aed93b54e1793b80a0b5a3f203c493e07f72601f5174925021c94dee7d9afb78b1d6

  • SSDEEP

    6144:t9Kx9J/srIEV00YdR29lGx/adfteNtUlnNCc2HLN:+R29l2QfFfJ2H

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\Microsoft Websites\_DECRYPT_INFO_elzyw.html

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'> <!-- saved from url=(0014)about:internet --> <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1' /> <title>elzyw decrypt</title> <style type='text/css'> <!-- html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;} a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;} td { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f0f0f0; font-size: 14px; } .style1 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 48px; } .style3 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 60px; } .style4 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #28caf9; font-size: 14px; } .style5 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 14px; } .style6 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 14px; } .style7 { width:685px; height:120px; background-color:#393838; border:1px solid #565656; font-family: Courier New; font-weight: bold; color: #f0f0f0; font-size: 13px; } } --> </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; xtime = Math.floor(1732243871+(12*60*60) - (Date.now()/1000)); window.setTimeout('update_timestamp('+xtime+')',1000); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 
60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/elzyw.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1'>WARNING!<br /> </div><div align='center'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p></td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br /> <br /> </td> </tr> <tr> <td width='7%' nowrap='nowrap' align='left'>Open&nbsp;</td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.onion.link' class='style4'>http://bs7aygotd2rnjl4o.onion.link</a> or</td> </tr> <tr> <td width='7%'></td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.torstorm.org' class='style4'>http://bs7aygotd2rnjl4o.torstorm.org</a> or</td> </tr> <tr> <td width='7%'></td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.tor2web.org' class='style4'>http://bs7aygotd2rnjl4o.tor2web.org</a></td> </tr> <tr> <td colspan='2' align='left'>in your browser. 
They are public gates to the secret server.<br /> <br /> <span class='style5'>If you have problems with gates, use direct connection:</span><br /> 1) Download TOR Browser from <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) In the Tor Browser open the <span class='style6'>http://bs7aygotd2rnjl4o.onion</span><br /> (Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).<br /> <br /> <span class='style5'>Write in the following public key in the input from on server:<br /><br /></span> <div align='center'><textarea class='style7'> K1MTJ-7URB7-H5NKS-DXT7G-V4EBP-48CED-8TWS7-W0XNR-0Y3WS-CEKKP-TZAWR-JKGHY-16R1R-DVVP3 HEQV8-WPTKP-KNW7K-PPHQ7-K6Y0Z-6NH7F-BSK12-X3Z6B-T3HQM-0CQD5-BUJ0Z-SFM5H-HYWNW-C13GD GESWM-SN520-VBRX7-ZQ0FZ-BHSRR-7RB6H-MUA06-3D7G5-50Q7V-880DX-452DX-704Y3-GF18F-QTH6Y RYBDB-V18Y8-TARDR-RMZ6P-TN3XB-5FYDZ-KRFT8-0S47N-WYDFN-MNAW3-15RD1-87XB8-X40D6-SS22T 6X0Y0-3V4DD-EWUDB-SNZYM-CMQUW-UWFVW-Y8G21-HTSF7-QY0U6-SQ7UJ-FGAV5-BBSJF-Y182U-2RRAP PYJVG-NV4SK-H3DXE-8W6R6-WXCVS-01FK6-WMPX7-32E5T-PMMDQ-YUBP3-QDSGT-8DSUG </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>
URLs

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>

http-equiv='Content-Type

Extracted

Path

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\_DECRYPT_INFO_elzyw.html


Extracted

Path

C:\Users\Admin\Desktop\backup_elzyw\_DECRYPT_INFO_elzyw.html


Signatures

  • Maktub Locker

    Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.

  • Maktub family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (140) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\74add6536cdcfb8b77d10a1e7be6b9ef.exe
    "C:\Users\Admin\AppData\Local\Temp\74add6536cdcfb8b77d10a1e7be6b9ef.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\74add6536cdcfb8b77d10a1e7be6b9ef.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1444
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        2⤵
        • Interacts with shadow copies
        PID:576
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1900

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\_DECRYPT_INFO_elzyw.html

      Filesize

      5KB

      MD5

      13c868e109968d23c72b3e5de04abfa3

      SHA1

      743507da7f922fe061fe0a791b421857fc7c1083

      SHA256

      76957d7a86db61be8f50063b323dfee1c91922f3677456f97ca761007f00b092

      SHA512

      4b218438f4951ba09282b1a6e1b79dc6362836a667dd7539fc4bc0d62b4f4f31ea1005bb20d2195eb77266540a72fba0e052983731f41a607387fe61781e0bcc

    • C:\Users\Admin\AppData\Local\Temp\74add6536cdcfb8b77d10a1e7be6b9ef.rtf

      Filesize

      2KB

      MD5

      a945a8899cc5fa3620b89fb23997f887

      SHA1

      60dce9277089ceeddb5b1ac4bdbe6b575e7a29bf

      SHA256

      5ac025473de03bba56f3b92496571804a1f7dea2a75005caaa9ddac5dcf91de5

      SHA512

      896d66c2b95c2c2cc85679ef0b1b510b531872079dc7f475d88c65ed48ca3d9299a023e2c1208848ffa52c01dba0103e57bcdb4cfec2c593a3088e0eeef30bed

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      def5ec4c64b3b6c51ceca02b0a2e7a82

      SHA1

      e2ba99dadc38b62442fda548f480b44694b8d426

      SHA256

      a205d15c22258042a3a654b01a6299986a23a38baf96f9b70371828b89915531

      SHA512

      9fe33e31167e5c6fda3d8c5ca55d3c27b1bd14f547f737ab82a5a91a3400dcab287b56e5c9586661da70d70f017b27f0af6bdbb754c95743843dd9d6f7afab2e

    • C:\Users\Admin\Desktop\backup_elzyw\_DECRYPT_INFO_elzyw.html

      Filesize

      5KB

      MD5

      3447c812184ad6059d152379c83373c9

      SHA1

      01564265e5125ab4d36d3b4389c788859fafcd93

      SHA256

      c672b9c7472fff2a1702b4a8177cc6f4ee0b9e41d825f26533de7f08dafc85b1

      SHA512

      5fefb3f555249d751be934a5b1115d5476a96fdc2e1c89bb1b8cf31165de832407dcc526c2ddc4ddc89663ae4b29a46aa5827497697952660e14a827a117c794

    • C:\Users\Admin\Favorites\Microsoft Websites\_DECRYPT_INFO_elzyw.html

      Filesize

      5KB

      MD5

      ee869afb1bc5d5c1b0f957f439ad50ac

      SHA1

      2ca1d0c98f8ad6cc80a0026dc046f17e183c36fa

      SHA256

      5bfd82880c7be0c39f6c166fcc1813efedd9f213525b344cd3e9c87bdb457745

      SHA512

      bf3a1f77456ef63448dbb59c29de3110bf3ef373dc87c1f44288610a8a5a1f9c2856496ce67309e8e397e0c1556bb7ede3711faa4fdfcd77794f62ad83c42936
