Overview

overview

10

Static

static

3

80bf2731a8...e4.exe

windows7-x64

10

80bf2731a8...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2023 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4.exe

  • Size

    4.0MB

  • MD5

    d59aa49740acb5e45ecb65da070035e3

  • SHA1

    4086107b3fb71fb02361306da6099a85be97ae1d

  • SHA256

    80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4

  • SHA512

    459805b020b78399fae8ac5e8ed439df1b8852519014029833794d2eaad1b1f2aecc3aaba99ae52a0881cf57987d4a60298acce04a9fa9299e9d21a832a335a5

  • SSDEEP

    98304:4gwRDvguPP+oGPn58kcuf2ilfio/roYs30f2hi:4govYoGPn5/ui8hi

Score
10/10
mimicevasionpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\FreeWorld-Contact.txt

Ransom Note
I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: [email protected] Contact number : 8Yh3i571KyXOQE7TOHauHSXunadWJz3-hPo2QFD1wGA*FreeWorldEncryption When you contact us, share your contact number with us.
URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Signatures

  • Detects Mimic ransomware 8 IoCs
  • Mimic

    Ransomware family was first exploited in the wild in 2022.

    ransomwaremimic
  • UAC bypass 3 TTPs 4 IoCs
    evasiontrojan
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (2659) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 11 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4.exe
    "C:\Users\Admin\AppData\Local\Temp\80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p105689248955111405 Everything64.dll
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\50000.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\50000.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
        "C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe"
        3⤵
        • UAC bypass
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1496
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c DC.exe /D
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3336
          • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\DC.exe
            DC.exe /D
            5⤵
            • Executes dropped EXE
            PID:3320
        • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
          "C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:4324
        • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
          "C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:4468
        • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
          "C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe" -e watch -pid 1496 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:776
        • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.exe
          "C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious use of SetWindowsHookEx
          PID:3860
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
            PID:3772
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            4⤵
              PID:652
            • C:\Windows\SYSTEM32\powercfg.exe
              powercfg.exe -H off
              4⤵
                PID:4612
              • C:\Windows\SYSTEM32\powercfg.exe
                powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                4⤵
                  PID:2132
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                  4⤵
                    PID:4860
                  • C:\Windows\SYSTEM32\powercfg.exe
                    powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                    4⤵
                      PID:3444
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4472
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3364
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3736
                    • C:\Windows\SYSTEM32\powercfg.exe
                      powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
                      4⤵
                        PID:804
                      • C:\Windows\SYSTEM32\powercfg.exe
                        powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
                        4⤵
                          PID:3004
                        • C:\Windows\SYSTEM32\powercfg.exe
                          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                          4⤵
                            PID:4044
                          • C:\Windows\SYSTEM32\powercfg.exe
                            powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                            4⤵
                              PID:4588
                            • C:\Windows\SYSTEM32\powercfg.exe
                              powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                              4⤵
                                PID:4568
                              • C:\Windows\SYSTEM32\powercfg.exe
                                powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                                4⤵
                                  PID:2844
                                • C:\Windows\SYSTEM32\powercfg.exe
                                  powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                                  4⤵
                                    PID:4804
                                  • C:\Windows\SYSTEM32\powercfg.exe
                                    powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                                    4⤵
                                      PID:4164
                                    • C:\Windows\SYSTEM32\powercfg.exe
                                      powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                                      4⤵
                                        PID:2364
                                      • C:\Windows\SYSTEM32\bcdedit.exe
                                        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                        4⤵
                                        • Modifies boot configuration data using bcdedit
                                        PID:3364
                                      • C:\Windows\SYSTEM32\bcdedit.exe
                                        bcdedit.exe /set {default} recoveryenabled no
                                        4⤵
                                        • Modifies boot configuration data using bcdedit
                                        PID:1376
                                      • C:\Windows\SYSTEM32\wbadmin.exe
                                        wbadmin.exe DELETE SYSTEMSTATEBACKUP
                                        4⤵
                                        • Deletes System State backups
                                        • Drops file in Windows directory
                                        PID:2564
                                      • C:\Windows\SYSTEM32\wbadmin.exe
                                        wbadmin.exe delete catalog -quiet
                                        4⤵
                                        • Deletes backup catalog
                                        PID:4168
                                      • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.exe
                                        "C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.exe" -startup
                                        4⤵
                                        • Executes dropped EXE
                                        • Enumerates connected drives
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2096
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
                                    2⤵
                                      PID:3592
                                  • C:\Windows\System32\Systray.exe
                                    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                    1⤵
                                      PID:1244
                                    • C:\Windows\System32\Systray.exe
                                      C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                      1⤵
                                        PID:4048
                                      • C:\Windows\System32\Systray.exe
                                        C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                        1⤵
                                          PID:3932
                                        • C:\Windows\System32\Systray.exe
                                          C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                          1⤵
                                            PID:2304
                                          • C:\Windows\System32\Systray.exe
                                            C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                              PID:1368
                                            • C:\Windows\System32\Systray.exe
                                              C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                              1⤵
                                                PID:628
                                              • C:\Windows\System32\Systray.exe
                                                C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                1⤵
                                                  PID:2888
                                                • C:\Windows\System32\Systray.exe
                                                  C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                  1⤵
                                                    PID:1176
                                                  • C:\Windows\System32\Systray.exe
                                                    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                    1⤵
                                                      PID:3388
                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                      1⤵
                                                      • Modifies registry class
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1572
                                                    • C:\Windows\system32\vssvc.exe
                                                      C:\Windows\system32\vssvc.exe
                                                      1⤵
                                                        PID:3536
                                                      • C:\Windows\system32\wbengine.exe
                                                        "C:\Windows\system32\wbengine.exe"
                                                        1⤵
                                                          PID:3888
                                                        • C:\Windows\System32\vdsldr.exe
                                                          C:\Windows\System32\vdsldr.exe -Embedding
                                                          1⤵
                                                            PID:652
                                                          • C:\Windows\System32\vds.exe
                                                            C:\Windows\System32\vds.exe
                                                            1⤵
                                                            • Checks SCSI registry key(s)
                                                            PID:3680
                                                          • C:\Windows\System32\Systray.exe
                                                            C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                            1⤵
                                                              PID:3576
                                                            • C:\Windows\System32\Systray.exe
                                                              C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                              1⤵
                                                                PID:1680

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Command and Scripting Interpreter

                                                              2
                                                              T1059

                                                              Persistence

                                                              Boot or Logon Autostart Execution

                                                              2
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              2
                                                              T1547.001

                                                              Event Triggered Execution

                                                              1
                                                              T1546

                                                              Change Default File Association

                                                              1
                                                              T1546.001

                                                              Privilege Escalation

                                                              Abuse Elevation Control Mechanism

                                                              1
                                                              T1548

                                                              Bypass User Account Control

                                                              1
                                                              T1548.002

                                                              Boot or Logon Autostart Execution

                                                              2
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              2
                                                              T1547.001

                                                              Event Triggered Execution

                                                              1
                                                              T1546

                                                              Change Default File Association

                                                              1
                                                              T1546.001

                                                              Defense Evasion

                                                              Abuse Elevation Control Mechanism

                                                              1
                                                              T1548

                                                              Bypass User Account Control

                                                              1
                                                              T1548.002

                                                              Impair Defenses

                                                              1
                                                              T1562

                                                              Disable or Modify Tools

                                                              1
                                                              T1562.001

                                                              Indicator Removal

                                                              2
                                                              T1070

                                                              File Deletion

                                                              2
                                                              T1070.004

                                                              Modify Registry

                                                              5
                                                              T1112

                                                              Credential Access

                                                              Unsecured Credentials

                                                              1
                                                              T1552

                                                              Credentials In Files

                                                              1
                                                              T1552.001

                                                              Discovery

                                                              Peripheral Device Discovery

                                                              2
                                                              T1120

                                                              Query Registry

                                                              4
                                                              T1012

                                                              System Information Discovery

                                                              5
                                                              T1082

                                                              Lateral Movement

                                                              Collection

                                                              Data from Local System

                                                              1
                                                              T1005

                                                              Command and Control

                                                              Exfiltration

                                                              Impact

                                                              Inhibit System Recovery

                                                              3
                                                              T1490

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Users\Admin\AppData\Local\FreeWorld-Contact.txt
                                                                Filesize

                                                                2KB

                                                                MD5

                                                                44135a4b1ca48956728df5d02a57165d

                                                                SHA1

                                                                4c08bd04717f641f1f5b9bba1caaab4cd1ba5b56

                                                                SHA256

                                                                e3235887d1969600ff90f708aeb0b591bb3d02c1bfa227eac3e504ba7e1c4378

                                                                SHA512

                                                                20d8bb8f04ccbfeb0e319a788b572826d18b4a972e0605e3efb81ed081942a95f5822626977fae6ff1e5c7918f8599213c8573fd87ab5a3cbaba3673bfe52c1b

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                62623d22bd9e037191765d5083ce16a3

                                                                SHA1

                                                                4a07da6872672f715a4780513d95ed8ddeefd259

                                                                SHA256

                                                                95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                                SHA512

                                                                9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                e07cb57243e23a32ac2df0cfd1f00c57

                                                                SHA1

                                                                38dca5b33b7df804f28b81c907c98edb46de5812

                                                                SHA256

                                                                a1410c62f0ba4f0551bd570b4937c6ff59a6d2aae280955fbda73f66fa774140

                                                                SHA512

                                                                44c45315c0f2995bafb7df75f6f1e590916bf8ec1463d8fb26641dbde55fcf820b1092e2656e7046f650256b55db03ed2c284fe4e2c1651c43900772d4446921

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
                                                                Filesize

                                                                300B

                                                                MD5

                                                                1f092347239d24d54055fc4162ed1404

                                                                SHA1

                                                                b48e8e2fdd3bf1f49affdc036d71f49888a2c95b

                                                                SHA256

                                                                49f4a0c7f862edce8ba313e0da16d0acb0588f6c5143257bc6d201366f805120

                                                                SHA512

                                                                e81b0d3ba26ecceec925550564fa22d5e9da950e131a44da88014fda0a2406ac421f6e77a4ac73fb8b7a97c8c0aee08c86bae8e77369678c5c456384d56b0318

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\50000.exe
                                                                Filesize

                                                                3.5MB

                                                                MD5

                                                                dbf9675bd273e982ca5de58ac32de399

                                                                SHA1

                                                                5e6df45bdc8d4a5f711988672cc43643fb35a876

                                                                SHA256

                                                                75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b

                                                                SHA512

                                                                f32ca912f9d5f6a1e1b4615be9ed03b1a823fb961bdd96e5caaaf6beb217dbe8418635c979355c84444ab944cccbef36a606fed8fdd50e42a4786d4930d60631

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\50000.exe
                                                                Filesize

                                                                3.5MB

                                                                MD5

                                                                dbf9675bd273e982ca5de58ac32de399

                                                                SHA1

                                                                5e6df45bdc8d4a5f711988672cc43643fb35a876

                                                                SHA256

                                                                75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b

                                                                SHA512

                                                                f32ca912f9d5f6a1e1b4615be9ed03b1a823fb961bdd96e5caaaf6beb217dbe8418635c979355c84444ab944cccbef36a606fed8fdd50e42a4786d4930d60631

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
                                                                Filesize

                                                                772KB

                                                                MD5

                                                                b93eb0a48c91a53bda6a1a074a4b431e

                                                                SHA1

                                                                ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                                                SHA256

                                                                ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                                                SHA512

                                                                732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
                                                                Filesize

                                                                772KB

                                                                MD5

                                                                b93eb0a48c91a53bda6a1a074a4b431e

                                                                SHA1

                                                                ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                                                SHA256

                                                                ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                                                SHA512

                                                                732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
                                                                Filesize

                                                                772KB

                                                                MD5

                                                                b93eb0a48c91a53bda6a1a074a4b431e

                                                                SHA1

                                                                ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                                                SHA256

                                                                ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                                                SHA512

                                                                732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
                                                                Filesize

                                                                772KB

                                                                MD5

                                                                b93eb0a48c91a53bda6a1a074a4b431e

                                                                SHA1

                                                                ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                                                SHA256

                                                                ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                                                SHA512

                                                                732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe
                                                                Filesize

                                                                802KB

                                                                MD5

                                                                ac34ba84a5054cd701efad5dd14645c9

                                                                SHA1

                                                                dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

                                                                SHA256

                                                                c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

                                                                SHA512

                                                                df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                c44487ce1827ce26ac4699432d15b42a

                                                                SHA1

                                                                8434080fad778057a50607364fee8b481f0feef8

                                                                SHA256

                                                                4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

                                                                SHA512

                                                                a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
                                                                Filesize

                                                                548B

                                                                MD5

                                                                742c2400f2de964d0cce4a8dabadd708

                                                                SHA1

                                                                c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

                                                                SHA256

                                                                2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

                                                                SHA512

                                                                63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
                                                                Filesize

                                                                550B

                                                                MD5

                                                                51014c0c06acdd80f9ae4469e7d30a9e

                                                                SHA1

                                                                204e6a57c44242fad874377851b13099dfe60176

                                                                SHA256

                                                                89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

                                                                SHA512

                                                                79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
                                                                Filesize

                                                                84KB

                                                                MD5

                                                                3b03324537327811bbbaff4aafa4d75b

                                                                SHA1

                                                                1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                                SHA256

                                                                8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                                SHA512

                                                                ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
                                                                Filesize

                                                                84KB

                                                                MD5

                                                                3b03324537327811bbbaff4aafa4d75b

                                                                SHA1

                                                                1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                                SHA256

                                                                8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                                SHA512

                                                                ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
                                                                Filesize

                                                                3.0MB

                                                                MD5

                                                                607e58bd01a843958ca6d890b80412ae

                                                                SHA1

                                                                ed8b3cb3e47e46479ad20d84675901448788b33c

                                                                SHA256

                                                                83b3488020127bead102071c6aa0148e78f253fe73cdbc5123a8cbcffdaac2fc

                                                                SHA512

                                                                8e640b22e6ed34f9c500eb0b2a40e50c036072182e2c7db50094b79cfeb6fdad52a1d5ea6b9b87b7aade45ca357e165f587d352942bdb33c1586e89b94555926

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sdel.exe
                                                                Filesize

                                                                350KB

                                                                MD5

                                                                803df907d936e08fbbd06020c411be93

                                                                SHA1

                                                                4aa4b498ae037a2b0479659374a5c3af5f6b8d97

                                                                SHA256

                                                                e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

                                                                SHA512

                                                                5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sdel64.exe
                                                                Filesize

                                                                448KB

                                                                MD5

                                                                e2114b1627889b250c7fd0425ba1bd54

                                                                SHA1

                                                                97412dba3cbeb0125c71b7b2ab194ea2fdff51b2

                                                                SHA256

                                                                5434dfdb731238edcb07a8c3a83594791536dda7a63c29f19be7bb1d59aedd60

                                                                SHA512

                                                                76ca5f677bc8ee1485f3d5b028b3a91f74344e9ff7af3c62a98e737a9888bd35389b3e6bf7b8b67747e0f64e1c973c0708864f12de1388b95f5c31b4e084e2e1

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\session.tmp
                                                                Filesize

                                                                32B

                                                                MD5

                                                                92292a58958c697f118d5683d78183a9

                                                                SHA1

                                                                14b0c7d9f5648433c81e7370153338ecc016cb77

                                                                SHA256

                                                                17449855f63a1e035d27d629bc11767ed8041fa1f6d00caa1e7329c8d929ba9c

                                                                SHA512

                                                                e53ded1693cb63ff39dbacc6d321ad1861a572ddfb20384088c8808d2e017ea3f22157f23d8944e2f6c5aa29660d053c0074ece025e8ee99bd235f122bb56466

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5vqsj0k.gzw.ps1
                                                                Filesize

                                                                60B

                                                                MD5

                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                SHA1

                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                SHA256

                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                SHA512

                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\7za.exe
                                                                Filesize

                                                                772KB

                                                                MD5

                                                                b93eb0a48c91a53bda6a1a074a4b431e

                                                                SHA1

                                                                ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                                                SHA256

                                                                ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                                                SHA512

                                                                732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\DC.exe
                                                                Filesize

                                                                802KB

                                                                MD5

                                                                ac34ba84a5054cd701efad5dd14645c9

                                                                SHA1

                                                                dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

                                                                SHA256

                                                                c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

                                                                SHA512

                                                                df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\DC.exe
                                                                Filesize

                                                                802KB

                                                                MD5

                                                                ac34ba84a5054cd701efad5dd14645c9

                                                                SHA1

                                                                dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

                                                                SHA256

                                                                c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

                                                                SHA512

                                                                df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.db
                                                                Filesize

                                                                12.8MB

                                                                MD5

                                                                dde6949cee3ee596fe91f1966294f6e2

                                                                SHA1

                                                                b677b460b9da2a0acd4075e09bafbed161598841

                                                                SHA256

                                                                1a23ef373cf5b0410f986e7d000c0d984bf3d68e8cc25f6e638d69377e6cef8e

                                                                SHA512

                                                                be595a60788c028cf627ccebeafc513e38ab291e37c53d6bb51234549edeb4a669a80f0e7cd8e234286f31a734156af706827d4595c01fe34b504d37ae76891c

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.exe
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                c44487ce1827ce26ac4699432d15b42a

                                                                SHA1

                                                                8434080fad778057a50607364fee8b481f0feef8

                                                                SHA256

                                                                4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

                                                                SHA512

                                                                a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.exe
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                c44487ce1827ce26ac4699432d15b42a

                                                                SHA1

                                                                8434080fad778057a50607364fee8b481f0feef8

                                                                SHA256

                                                                4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

                                                                SHA512

                                                                a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.exe
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                c44487ce1827ce26ac4699432d15b42a

                                                                SHA1

                                                                8434080fad778057a50607364fee8b481f0feef8

                                                                SHA256

                                                                4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

                                                                SHA512

                                                                a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.ini
                                                                Filesize

                                                                548B

                                                                MD5

                                                                742c2400f2de964d0cce4a8dabadd708

                                                                SHA1

                                                                c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

                                                                SHA256

                                                                2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

                                                                SHA512

                                                                63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything.ini
                                                                Filesize

                                                                20KB

                                                                MD5

                                                                26034d9575da7323049077ee829b552e

                                                                SHA1

                                                                6fc5d439dbcc1cb61f6547ecb954cd0b5efa77c8

                                                                SHA256

                                                                83bdafc18971ec60810867a7a756952950acb2c9fda6f257631320f3c77e38ac

                                                                SHA512

                                                                d9c4f0d0a4ec565c6f0065b5876f7a9ab8e9d7e9b5b7246621f5127269602266eea7fb1ad8431fdbe2f6bf6c50649be050369805fbc946a1f8c53cbed276c929

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything2.ini
                                                                Filesize

                                                                550B

                                                                MD5

                                                                51014c0c06acdd80f9ae4469e7d30a9e

                                                                SHA1

                                                                204e6a57c44242fad874377851b13099dfe60176

                                                                SHA256

                                                                89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

                                                                SHA512

                                                                79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything32.dll
                                                                Filesize

                                                                84KB

                                                                MD5

                                                                3b03324537327811bbbaff4aafa4d75b

                                                                SHA1

                                                                1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                                SHA256

                                                                8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                                SHA512

                                                                ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything32.dll
                                                                Filesize

                                                                84KB

                                                                MD5

                                                                3b03324537327811bbbaff4aafa4d75b

                                                                SHA1

                                                                1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                                SHA256

                                                                8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                                SHA512

                                                                ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything32.dll
                                                                Filesize

                                                                84KB

                                                                MD5

                                                                3b03324537327811bbbaff4aafa4d75b

                                                                SHA1

                                                                1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                                SHA256

                                                                8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                                SHA512

                                                                ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything32.dll
                                                                Filesize

                                                                84KB

                                                                MD5

                                                                3b03324537327811bbbaff4aafa4d75b

                                                                SHA1

                                                                1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                                SHA256

                                                                8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                                SHA512

                                                                ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything32.dll
                                                                Filesize

                                                                84KB

                                                                MD5

                                                                3b03324537327811bbbaff4aafa4d75b

                                                                SHA1

                                                                1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                                SHA256

                                                                8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                                SHA512

                                                                ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\Everything64.dll
                                                                Filesize

                                                                3.0MB

                                                                MD5

                                                                607e58bd01a843958ca6d890b80412ae

                                                                SHA1

                                                                ed8b3cb3e47e46479ad20d84675901448788b33c

                                                                SHA256

                                                                83b3488020127bead102071c6aa0148e78f253fe73cdbc5123a8cbcffdaac2fc

                                                                SHA512

                                                                8e640b22e6ed34f9c500eb0b2a40e50c036072182e2c7db50094b79cfeb6fdad52a1d5ea6b9b87b7aade45ca357e165f587d352942bdb33c1586e89b94555926

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
                                                                Filesize

                                                                3.5MB

                                                                MD5

                                                                dbf9675bd273e982ca5de58ac32de399

                                                                SHA1

                                                                5e6df45bdc8d4a5f711988672cc43643fb35a876

                                                                SHA256

                                                                75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b

                                                                SHA512

                                                                f32ca912f9d5f6a1e1b4615be9ed03b1a823fb961bdd96e5caaaf6beb217dbe8418635c979355c84444ab944cccbef36a606fed8fdd50e42a4786d4930d60631

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
                                                                Filesize

                                                                3.5MB

                                                                MD5

                                                                dbf9675bd273e982ca5de58ac32de399

                                                                SHA1

                                                                5e6df45bdc8d4a5f711988672cc43643fb35a876

                                                                SHA256

                                                                75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b

                                                                SHA512

                                                                f32ca912f9d5f6a1e1b4615be9ed03b1a823fb961bdd96e5caaaf6beb217dbe8418635c979355c84444ab944cccbef36a606fed8fdd50e42a4786d4930d60631

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
                                                                Filesize

                                                                3.5MB

                                                                MD5

                                                                dbf9675bd273e982ca5de58ac32de399

                                                                SHA1

                                                                5e6df45bdc8d4a5f711988672cc43643fb35a876

                                                                SHA256

                                                                75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b

                                                                SHA512

                                                                f32ca912f9d5f6a1e1b4615be9ed03b1a823fb961bdd96e5caaaf6beb217dbe8418635c979355c84444ab944cccbef36a606fed8fdd50e42a4786d4930d60631

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
                                                                Filesize

                                                                3.5MB

                                                                MD5

                                                                dbf9675bd273e982ca5de58ac32de399

                                                                SHA1

                                                                5e6df45bdc8d4a5f711988672cc43643fb35a876

                                                                SHA256

                                                                75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b

                                                                SHA512

                                                                f32ca912f9d5f6a1e1b4615be9ed03b1a823fb961bdd96e5caaaf6beb217dbe8418635c979355c84444ab944cccbef36a606fed8fdd50e42a4786d4930d60631

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
                                                                Filesize

                                                                3.5MB

                                                                MD5

                                                                dbf9675bd273e982ca5de58ac32de399

                                                                SHA1

                                                                5e6df45bdc8d4a5f711988672cc43643fb35a876

                                                                SHA256

                                                                75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b

                                                                SHA512

                                                                f32ca912f9d5f6a1e1b4615be9ed03b1a823fb961bdd96e5caaaf6beb217dbe8418635c979355c84444ab944cccbef36a606fed8fdd50e42a4786d4930d60631

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\FreeWorld.exe
                                                                Filesize

                                                                3.5MB

                                                                MD5

                                                                dbf9675bd273e982ca5de58ac32de399

                                                                SHA1

                                                                5e6df45bdc8d4a5f711988672cc43643fb35a876

                                                                SHA256

                                                                75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b

                                                                SHA512

                                                                f32ca912f9d5f6a1e1b4615be9ed03b1a823fb961bdd96e5caaaf6beb217dbe8418635c979355c84444ab944cccbef36a606fed8fdd50e42a4786d4930d60631

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\sdel.exe
                                                                Filesize

                                                                350KB

                                                                MD5

                                                                803df907d936e08fbbd06020c411be93

                                                                SHA1

                                                                4aa4b498ae037a2b0479659374a5c3af5f6b8d97

                                                                SHA256

                                                                e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

                                                                SHA512

                                                                5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\sdel64.exe
                                                                Filesize

                                                                448KB

                                                                MD5

                                                                e2114b1627889b250c7fd0425ba1bd54

                                                                SHA1

                                                                97412dba3cbeb0125c71b7b2ab194ea2fdff51b2

                                                                SHA256

                                                                5434dfdb731238edcb07a8c3a83594791536dda7a63c29f19be7bb1d59aedd60

                                                                SHA512

                                                                76ca5f677bc8ee1485f3d5b028b3a91f74344e9ff7af3c62a98e737a9888bd35389b3e6bf7b8b67747e0f64e1c973c0708864f12de1388b95f5c31b4e084e2e1

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\session.tmp
                                                                Filesize

                                                                32B

                                                                MD5

                                                                92292a58958c697f118d5683d78183a9

                                                                SHA1

                                                                14b0c7d9f5648433c81e7370153338ecc016cb77

                                                                SHA256

                                                                17449855f63a1e035d27d629bc11767ed8041fa1f6d00caa1e7329c8d929ba9c

                                                                SHA512

                                                                e53ded1693cb63ff39dbacc6d321ad1861a572ddfb20384088c8808d2e017ea3f22157f23d8944e2f6c5aa29660d053c0074ece025e8ee99bd235f122bb56466

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\{F80F3179-4BBC-94CB-5061-C6804F78FA39}\session.tmp
                                                                Filesize

                                                                32B

                                                                MD5

                                                                92292a58958c697f118d5683d78183a9

                                                                SHA1

                                                                14b0c7d9f5648433c81e7370153338ecc016cb77

                                                                SHA256

                                                                17449855f63a1e035d27d629bc11767ed8041fa1f6d00caa1e7329c8d929ba9c

                                                                SHA512

                                                                e53ded1693cb63ff39dbacc6d321ad1861a572ddfb20384088c8808d2e017ea3f22157f23d8944e2f6c5aa29660d053c0074ece025e8ee99bd235f122bb56466

                                                                Download Submit

                                                              • memory/3364-151-0x00000242F35E0000-0x00000242F35F0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/3364-157-0x00007FFEB6B20000-0x00007FFEB75E1000-memory.dmp

                                                                Filesize

                                                                10.8MB

                                                                Download

                                                              • memory/3364-147-0x00007FFEB6B20000-0x00007FFEB75E1000-memory.dmp

                                                                Filesize

                                                                10.8MB

                                                                Download

                                                              • memory/3364-153-0x00000242F35E0000-0x00000242F35F0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/3736-150-0x0000021A7BDF0000-0x0000021A7BE00000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/3736-152-0x0000021A7BDF0000-0x0000021A7BE00000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/3736-133-0x00007FFEB6B20000-0x00007FFEB75E1000-memory.dmp

                                                                Filesize

                                                                10.8MB

                                                                Download

                                                              • memory/3736-114-0x0000021A7BDB0000-0x0000021A7BDD2000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/3736-146-0x0000021A7BDF0000-0x0000021A7BE00000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/3736-158-0x00007FFEB6B20000-0x00007FFEB75E1000-memory.dmp

                                                                Filesize

                                                                10.8MB

                                                                Download

                                                              • memory/3736-145-0x0000021A7BDF0000-0x0000021A7BE00000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4472-148-0x00000219EEDA0000-0x00000219EEDB0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4472-199-0x00000219EEDA0000-0x00000219EEDB0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4472-200-0x00000219EEDA0000-0x00000219EEDB0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4472-201-0x00000219EEDA0000-0x00000219EEDB0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4472-198-0x00007FFEB6B20000-0x00007FFEB75E1000-memory.dmp

                                                                Filesize

                                                                10.8MB

                                                                Download

                                                              • memory/4472-240-0x00007FFEB6B20000-0x00007FFEB75E1000-memory.dmp

                                                                Filesize

                                                                10.8MB

                                                                Download

                                                              • memory/4472-149-0x00000219EEDA0000-0x00000219EEDB0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4472-144-0x00000219EEDA0000-0x00000219EEDB0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4472-143-0x00007FFEB6B20000-0x00007FFEB75E1000-memory.dmp

                                                                Filesize

                                                                10.8MB

                                                                Download