Resubmissions

02-12-2024 11:09

241202-m871esxnap 10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2024 11:09

General

  • Target

    b82b65ace1731fe2d694512fcd448895_JaffaCakes118.exe

  • Size

    8.0MB

  • MD5

    b82b65ace1731fe2d694512fcd448895

  • SHA1

    c6de94da7152e237c1f0b36264b14deb32e85ce2

  • SHA256

    85639d9a1900703f2ffbf076d28925ea8d5fe4537098fa82dd96cb8eb21d2911

  • SHA512

    70bcfc8449ae913ae1e81f90fcb49ce05076b18d495683f101a4353719b3917451e8d507c701790805f6f1484ce6e12935e2dd7a8f1fabb5192492a19ec93564

  • SSDEEP

    196608:6CKhIwvgsb87DwQiiFFL4an2L/dfXaI+fVcZ2/:RC3Stl4LL/ZaI

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\KEFKTRJ-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEFKTRJ

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/7287c39c35e12573
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---

---BEGIN PC DATA---
---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/7287c39c35e12573

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (349) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 62 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 52 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b82b65ace1731fe2d694512fcd448895_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b82b65ace1731fe2d694512fcd448895_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Roaming\cexplorer.exe
      "C:\Users\Admin\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Users\Admin\AppData\Local\Temp\is-79FJ7.tmp\cexplorer.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-79FJ7.tmp\cexplorer.tmp" /SL5="$8002E,6397385,121344,C:\Users\Admin\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
          "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Modifies registry class
          PID:4408
        • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
          "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          PID:1640
        • C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
          "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          PID:5016
        • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
          "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          PID:1104
    • C:\Users\Admin\AppData\Roaming\update.exe
      "C:\Users\Admin\AppData\Roaming\update.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4664
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

    Filesize

    14.4MB

  • C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe

    Filesize

    4.4MB

  • C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll

    Filesize

    786KB

  • C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll

    Filesize

    1.2MB

  • C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new

    Filesize

    750KB

  • C:\Program Files (x86)\Chameleon Explorer\Folder64.dll

    Filesize

    1.2MB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

    Filesize

    854B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

    Filesize

    170B

  • C:\Users\Admin\AppData\Local\Temp\is-79FJ7.tmp\cexplorer.tmp

    Filesize

    1.1MB

  • C:\Users\Admin\AppData\Roaming\cexplorer.exe

    Filesize

    6.5MB

  • C:\Users\Admin\AppData\Roaming\update.exe

    Filesize

    356KB

  • F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\KEFKTRJ-DECRYPT.txt

    Filesize

    8KB
