Overview

overview

10

Static

static

10

2025-01-09...er.exe

windows7-x64

10

2025-01-09...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2025 10:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-09_278a2191a39df795ad5e9c5ae93c6c41_cobalt-strike_medusalocker.exe

  • Size

    1.3MB

  • MD5

    278a2191a39df795ad5e9c5ae93c6c41

  • SHA1

    1f01d489c57eb590f7d0900d601898685d904666

  • SHA256

    417a5b53e3615d371bce0f5270911486d81b9784403c61b1343b0540ed97ddb4

  • SHA512

    f2f4f6f2d41f071ea64bd9d01032791132e852c31f0fcf7be840f88ccc68dc08e9785909c911f03b25e53eb32cfc3a001a5a7aa89b8ed69cc8e11b4275d31d3d

  • SSDEEP

    12288:QmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornXl:HHRFfauvpPXnMKqJtfiOHmUd8QTH1

Score
10/10
credential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note
From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?= Subject: Date: San, 00 Jan 2000 00:00:00 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft MimeOLE =EF=BB=BF<!DOCTYPE HTML> <!DOCTYPE html PUBLIC "" "">=20 <HTML lang=3D"ru">=20 <HEAD>=20 <META = content=3D"IE = 3D11.0000" http-equiv=3D"X - UA - Compatible">=20 <META charset=3D"utf-8">=20 <TITLE>!!!HOW_TO_DECRYPT!!!</TITLE>=20 <LINK href=3D"style.css" rel=3D"stylesheet">=20 <META name=3D"GENERATOR" content=3D"MSHTML 11.00.10570.1001">=20 </HEAD>=20 <BODY>=20 <p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><span class=3DSpellE><b>=20 <span lang=3DEN-US style=3D'font-size:20.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial;color:#C9211E'>=20 All your valiable data has been encrypted!</span></b></span></p><BR><BR>=20 <p class=3DMsoNormal style=3D'text-align:justify;text-justify:inter-ideograph'>=20 <span class=3DSpellE><span lang=3DEN-US style=3D'font-size:13.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial'>=20 Hello!<BR>Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked.=20 All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google.=20 Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.<BR><BR>=20 We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server.=20 We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.<BR><BR>=20 As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers.=20 If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours=20 we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone.<BR><BR>=20 This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases=20 to interested parties to generate some profit.<BR><BR>Please understand that we are just doing our job. We don't want to harm your company.=20 Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals,=20 please don't try to fool us.<BR></span></span></p><BR><BR><p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><b>=20 <span lang=3DEN-US style=3D'font-size:14.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial'>=20 If you want to resolve this situation,<BR>please write to ALL of these 2 email addresses:<BR>=20 [email protected]<BR>[email protected]<BR>In subject line please write your ID: 6558281558436675638</span></b></p><BR><BR>=20 <p class=3DMsoNormal style=3D'text-align:justify;text-justify:inter-ideograph'><b>=20 <span lang=3DEN-US style=3D'font-family:"Times New Roman","serif";mso-bidi-font-family: Arial;color:#C9211E'>=20 Important!<BR>=20 * We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.<BR>=20 * Our message may be recognized as spam, so be sure to check the spam folder.<BR>=20 * If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service.<BR>=20 Important<BR>=20 * Please don't waste the time, it will result only additinal damage to your company!<BR>=20 * Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified.<BR>=20 </span></b></p>=20 <BR>=20 </BODY><BR>=20 </HTML>
URLs

http-equiv=3D"X

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (662) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops file in Drivers directory 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 39 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-09_278a2191a39df795ad5e9c5ae93c6c41_cobalt-strike_medusalocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-09_278a2191a39df795ad5e9c5ae93c6c41_cobalt-strike_medusalocker.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2144
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:668
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:4792
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2628
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3200
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1980
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:868
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2304
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3324
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2300
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3456
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4708
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3796
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1768
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2708
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1384
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:2240
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:3536
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3856
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE >> NUL
      2⤵
        PID:2164
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
      1⤵
      • Drops file in System32 directory
      PID:3252

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    Windows Management Instrumentation

    1
    T1047

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Direct Volume Access

    1
    T1006

    Indicator Removal

    4
    T1070

    File Deletion

    4
    T1070.004

    Modify Registry

    2
    T1112

    Credential Access

    Credentials from Password Stores

    2
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Windows Credential Manager

    1
    T1555.004

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Browser Information Discovery

    1
    T1217

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Inhibit System Recovery

    4
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2367C848C1C8A11F6F3502EDA2855348.1btc
      Filesize

      824B

      MD5

      91e33bc0bb0a4aa7296a2d4fccc13e30

      SHA1

      0bbeca449079a7f2595e35f686f41c36e089ad59

      SHA256

      4cb0e3c1f9b4728b601078bb3b848338d7cdd36869ec7d70159eb031d467f92f

      SHA512

      c6972ce0f88dcb6f57e542ecb64c52dd4d338aed001625b8fb6db30f286ce27544673641801e759bb28560c83b441fa6ecb798cddf4e8d3176cfb8f252716f61

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\398EE64D66758B5715368AA94044B13A.1btc
      Filesize

      710B

      MD5

      93784be804f921a7d838451cfc6fadc2

      SHA1

      2a50b493cc7c8acdaf83ecb1f3006d191fcb2463

      SHA256

      77e8e28c5dc6c2df11cfeea0c9750e4b85660a8f13c6ff906d8ecc7a83b41df5

      SHA512

      c58e8757462569ce0d5f0da34343752ce9327e20af3b29d65e79cfeaf71ad44bd69fdd5629a96afaf61bb8dcbaaa8ebe23ce8da6c52065ce019b5eaefe357461

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc
      Filesize

      814B

      MD5

      9f127522a5c2031ed8377dd9c4cc4adc

      SHA1

      dc78a4dd1a7d015e0d1e6853aed59cac0bb28a61

      SHA256

      8c8aa78babf3fef2340b1c29cad5d4959df4e30e2d3558dd36fbba72541872c0

      SHA512

      f199288427f8d04f060c821a9af837e50b357ba777fd70a63c15525d1c2a641193de9f06b6cb9a2ca759723a16b029db7ed4022a6cfcd7272b50591b443bdaf3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc
      Filesize

      840B

      MD5

      e601bce80de6abeed423ffb5cebffeea

      SHA1

      912cac4fc7d2ef92bd7b625e809a2dc24c438e57

      SHA256

      cf9b717807f95b9bb0ba1a244b1eb5627611513a2f0a9a11a180dcc33b15d0c0

      SHA512

      126333de63b503764b856fd5ec36dc7c7e9fffbebe40e7e660d5c82a101448fce123ccb02fb80ee7a525a4dcf1fe0951dabe749d7cce0b39bf7a893b0acebe0b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.1btc
      Filesize

      700B

      MD5

      27d3b5528d0403fbab1a151e45133476

      SHA1

      69d457e49d678aba8a52d421120ec1bf05213123

      SHA256

      8074e62dc198e88818406bd7b3e2b57aaf0e629849e83dae22fc33c449523640

      SHA512

      56b1f6351186dd11a2b8be506177480db1fe4b7845bfb14c85943f0f53aca25bf1d22cce44c3232ef839c2d15d4fcf7b4e94b5d5e970bb55b43c8315a94e5af5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.1btc
      Filesize

      770B

      MD5

      c73e5f0263df2ecb1319adafaf91b0e8

      SHA1

      776df49697809d940f7e6d8dabb9dee63229b5d6

      SHA256

      8acaf4e7c768a21300b0348b1ee9bf99e209ad162e4bdd17bd0f72b86c3bf5ab

      SHA512

      733fc4e156b50a02122b75bb63817766e1be0611dc74ae8048931a1cae3e1522ffaf24d514590ce8b5fb4bf52fed3c7bb77b3afc74749faf2da7ada7a86a9ebd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
      Filesize

      290B

      MD5

      acf85b638b2bc7951edec22923d37187

      SHA1

      f77e4ba6134998a61e33957f1c4b822e67e23b60

      SHA256

      9636746fe47e2a57fd16c0d5ec55cb463229cb0ef3aa325c8c3f51a8d184f8e7

      SHA512

      2ffd0fa7d994622d70ec3cb85edbc05a42b852b91870f315348ea95e9f959d1ac789332f1840c85e697afca15427012e49e3ed8dc7a5bc90d2887417eb7efa01

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc
      Filesize

      842B

      MD5

      bf427e6a38dcda5f0cadaa37755aeb81

      SHA1

      e1a3497ffec93e0ca01c483799acf4877339ef32

      SHA256

      5b339a9c66d632496159a2367f4610ec54c7d00c305a893e85bdb188999d083d

      SHA512

      baa38bdfead6e9cac79b5268939d3dd10fcc4c0c23b970eebf2a42342f789c62330e36ec1129b765034f96877be94ab70110fff4206b9de4980b20de1db3099e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.1btc
      Filesize

      782B

      MD5

      55878fef9564acadc58c923c2a030623

      SHA1

      fc1c14bcbcc9af3e958577cddb52cbdc328648d4

      SHA256

      cfc3047840bcbdf287b8fb1d9fbb3c47483a7016165492857cfa54a16312bdf8

      SHA512

      c31df1a805b058d0a5d16e69296dc065a638caf08f3c332027808d919b179718cc58457898dba7a8df7c44d474a70c0970b11780f79b662f5d3cfdb01dd0705b

      Download Submit

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      37KB

      MD5

      12707256bc69b387e42cf2aed36f42f0

      SHA1

      12339acae05f2d8d14ffe992042b57f48061a8ff

      SHA256

      c999a2ab94d81e9dc3e560d77319c67df7f30f3fb5578041d6991727004683d9

      SHA512

      96cde2e75012d0f4b13bf0757d545acefb614d17561107258991e2963c05fd859798f89424fe9ee485dea9cc7d57dd559cc6af6eb9cb1e2241bbafb894678bed

      Download Submit

    • C:\Windows\System32\catroot2\edb.log
      Filesize

      2.0MB

      MD5

      ce60a3cd3d8d2ec167e7810b68bfbfa2

      SHA1

      7c600cc1078f82b9be7ed7b405740e4bbfab4589

      SHA256

      5d90df5fced6d1509c4e8e4a2e7f4bd6d1d7bac4a6c7297dc5386ff781751bd9

      SHA512

      7876ca29aa2ebd26773c4a86a7aee6d1362511a106f8b16e68c7c9bb80db501bdafaf04be8fe6c1ea652eb0ac81a2370274712086ab74269db415f14cccd2353

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc
      Filesize

      852B

      MD5

      051ebd81bdc6ca9e907a341431f03f46

      SHA1

      ad7457d6468ce76edbd814f14d83a33b68a91b57

      SHA256

      31262030955e6baff8d79b0e3a5e38875322f840a7ee3d7284849d4efe5b4c6b

      SHA512

      f8415a21ca745cddcac2e81eb79bce0f3399faa1e87403330a830692c147168ecd461831b24f89d2b98960e713ddd0e58d212b6f25dd2cdf39e79f4c7794b93f

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc
      Filesize

      802B

      MD5

      de9b711ffea7fd20ee6736dc5435c2d7

      SHA1

      b448f3ce6edd52dc79c950748448c0b9cda9e7ac

      SHA256

      53626dca95548836808d0fec5e030d73bc4d9adf30941be8cf0576af85f1555c

      SHA512

      401e467748cf5bf5f405b9a5d057e66bc58c6f471e873a223cb02cce33decdac5a12e1c19b56130a1ce41b88dbf80f20328770455e8c33d9f517f89de4448426

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc
      Filesize

      842B

      MD5

      4fc5d91d736e875117d6e28f72d3bf68

      SHA1

      8861e7a7878b9f30ad66b23a64634ba8f85df532

      SHA256

      7729444e15bb792f8064e80e63e952a5751545dc88ae6360ca74a9ea0a91b98f

      SHA512

      dbfd4323f78e8312ae7a470127a4851c2f0d2b743e70bf8f48105ef9ccbda6b4e8aff3103f3e84048a549a616a32e67b973fb6c2b2d8844a616ba9d35f22ab37

      Download Submit

    • \Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht
      Filesize

      4KB

      MD5

      19bdaeb93150fe045755ccfe6cb37491

      SHA1

      ea1f4fe409c632e140c9f2b838f9c1994a20bc71

      SHA256

      b10949104d4b6b9e2a4c52b6f4b485984b1de33fc1d918a57f7ecd39ec3f3963

      SHA512

      21d412bc87d24fa29c06e9252144dd3a165fda06254b4e84a0eb6d448b81d7a4c32fbfe455d70568793a90615a6cb25202f46bc25c4b0b0295812af0ce780de7

      Download Submit

    • memory/3252-900-0x000002A6F4A90000-0x000002A6F4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-909-0x000002A6F7E60000-0x000002A6F7E61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-889-0x000002A6F1690000-0x000002A6F1691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-888-0x000002A6F1690000-0x000002A6F1691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-891-0x000002A6F1C30000-0x000002A6F1C31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-892-0x000002A6EFF80000-0x000002A6EFF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-893-0x000002A6EFF80000-0x000002A6EFF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-895-0x000002A6F2A00000-0x000002A6F2A01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-896-0x000002A6F04C0000-0x000002A6F04C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-897-0x000002A6F3AD0000-0x000002A6F3AD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-898-0x000002A6F3AD0000-0x000002A6F3AD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-873-0x000002A6F0090000-0x000002A6F0091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-901-0x000002A6F5B30000-0x000002A6F5B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-903-0x000002A6F63A0000-0x000002A6F63A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-902-0x000002A6F63A0000-0x000002A6F63A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-905-0x000002A6F6BD0000-0x000002A6F6BD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-907-0x000002A6F6E50000-0x000002A6F6E51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-910-0x000002A6F7E60000-0x000002A6F7E61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-912-0x000002A6F7E60000-0x000002A6F7E61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-887-0x000002A6F0DA0000-0x000002A6F0DA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-914-0x000002A6F8C90000-0x000002A6F8C91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-916-0x000002A6F8C90000-0x000002A6F8C91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-913-0x000002A6F8C90000-0x000002A6F8C91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-917-0x000002A6F9C60000-0x000002A6F9C61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-906-0x000002A6F6E50000-0x000002A6F6E51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-918-0x000002A6FAA60000-0x000002A6FAA61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-920-0x000002A6F2030000-0x000002A6F2031000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-919-0x000002A6F2030000-0x000002A6F2031000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-870-0x000002A6EFF60000-0x000002A6EFF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-868-0x000002A6EFE10000-0x000002A6EFE11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-869-0x000002A6EFF40000-0x000002A6EFF41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-866-0x000002A6EFE10000-0x000002A6EFE11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-863-0x000002A6EFD30000-0x000002A6EFD31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-862-0x000002A6EFD10000-0x000002A6EFD11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-861-0x000002A6EFBD0000-0x000002A6EFBD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-859-0x000002A6EFBD0000-0x000002A6EFBD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-837-0x000002A6EF810000-0x000002A6EF811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-829-0x000002A6EFA30000-0x000002A6EFA31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3252-820-0x000002A6EB740000-0x000002A6EB750000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3252-814-0x000002A6EB180000-0x000002A6EB190000-memory.dmp

      Filesize

      64KB

      Download