Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23-10-2024 13:20

General

  • Target

    6f21a85894e91b7082407e08e7c231c8_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    6f21a85894e91b7082407e08e7c231c8

  • SHA1

    f576ed4ae101088abcb2b6b9b0649b972b023546

  • SHA256

    f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31

  • SHA512

    deada7181f11badc0d64d1cab50951eab6472c178382b2ceff52a8aae447578a97f640e4a74b34889146df7c435a2a29f72f140e50f8345543ef422e4cd41a44

  • SSDEEP

    12288:QmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornX3:HHRFfauvpPXnMKqJtfiOHmUd8QTH

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note
From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?=
Subject:
Date: San, 00 Jan 2000 00:00:00 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft MimeOLE

HTML body (lang="ru", title "!!!HOW_TO_DECRYPT!!!", generator "MSHTML 11.00.10570.1001"):

All your valiable data has been encrypted!

Hello!
Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked. All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google. Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.

We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server. We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.

As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers. If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone.

This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases to interested parties to generate some profit.

Please understand that we are just doing our job. We don't want to harm your company. Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals, please don't try to fool us.

If you want to resolve this situation,
please write to ALL of these 2 email addresses:
[email protected]
[email protected]
In subject line please write your ID: 5001512921698683093

Important!
* We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.
* Our message may be recognized as spam, so be sure to check the spam folder.
* If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service.

Important
* Please don't waste the time, it will result only additinal damage to your company!
* Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified.


Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (643) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops file in Drivers directory 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 39 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f21a85894e91b7082407e08e7c231c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f21a85894e91b7082407e08e7c231c8_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4796
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:3032
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:4064
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2848
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3668
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:5016
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3504
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1596
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4680
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:5004
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3416
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1292
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1504
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1772
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4560
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3892
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:2248
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:4776
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3100
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6F21A8~1.EXE >> NUL
      2⤵
        PID:3056
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3320
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
      1⤵
      • Drops file in System32 directory
      PID:4564

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2367C848C1C8A11F6F3502EDA2855348.1btc

      Filesize

      824B


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\398EE64D66758B5715368AA94044B13A.1btc

      Filesize

      710B


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc

      Filesize

      814B


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc

      Filesize

      840B


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.1btc

      Filesize

      700B


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.1btc

      Filesize

      770B


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

      Filesize

      290B


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc

      Filesize

      842B


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.1btc

      Filesize

      782B


    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      37KB


    • C:\Windows\System32\catroot2\edb.log

      Filesize

      2.0MB


    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc

      Filesize

      850B


    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc

      Filesize

      802B


    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc

      Filesize

      842B


    • \Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht

      Filesize

      4KB

