Analysis

  • max time kernel
    893s
  • max time network
    810s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    26/01/2025, 14:59

General

  • Target

    279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9.exe

  • Size

    2.5MB

  • MD5

    6e5c33671c42d3c85f7b629a50ae7d9b

  • SHA1

    0bb791b555684804334bcf75a5013d9625b9edb6

  • SHA256

    279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9

  • SHA512

    015c1ccf3c3a3f0b3749fc9d7e9e26bbc63f92f5b5613293a19594fd785792f10f37a628e4c40deb601913fde67b89f84536e96331dc2863dabec7dd454928d7

  • SSDEEP

    49152:wgwRVifu1DBgutBPNkByRxgX6kzTbcPIMpD+fTVR8u:wgwRVvguPPm0RDuXfTVRl

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\CONTACT.txt

Ransom Note
I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. 
qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: [email protected] Dcrypter ID : 2XlD-6SfdHUvKwZfx8av58Ks4pNpBRooceynPXZlqDA*EncryptedDATA ONE When you contact us, share your contact number with us.
URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Signatures

  • Detects Mimic ransomware 1 IoCs
  • Mimic

    Ransomware family first seen in the wild in 2022.

  • Mimic family
  • UAC bypass 3 TTPs 4 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (165) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 15 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs a command through powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 62 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 62 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9.exe
    "C:\Users\Admin\AppData\Local\Temp\279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p3198034431885414182 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2024x100.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2024x100.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe
        "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe"
        3⤵
        • UAC bypass
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1912
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c DC.exe /D
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\DC.exe
            DC.exe /D
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1872
        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe
          "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe" -e watch -pid 1912 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1228
        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe
          "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2080
        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe
          "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4648
        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\Everything.exe
          "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4028
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -H off
          4⤵
          • Power Settings
          PID:2148
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:3748
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:780
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:3852
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:1976
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:4668
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:3036
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:2800
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:668
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:4884
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:3964
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:4212
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:4284
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          4⤵
          • Power Settings
          PID:3800
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          4⤵
          • Power Settings
          PID:4748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3376
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:420
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4232
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4528
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1128
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          • Drops file in Windows directory
          PID:2116
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3744
        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\Everything.exe
          "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1172
        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sdel64.exe
          "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sdel64.exe" -accepteula -p 1 -c C:\
          4⤵
          • Executes dropped EXE
          PID:2184
        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sdel64.exe
          "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sdel64.exe" -accepteula -p 1 -c F:\
          4⤵
          • Executes dropped EXE
          PID:2484
        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sdel64.exe
          "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sdel64.exe" -accepteula -p 1 -c Z:\
          4⤵
          • Executes dropped EXE
          PID:2660
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl security
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          PID:3800
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl system
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          PID:2300
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl application
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          PID:4748
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /d /c "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sd.bat"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4936
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.2 -n 5
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5044
          • C:\Windows\SysWOW64\fsutil.exe
            fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\soyezpruden.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2352
          • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sdel64.exe
            sdel64.exe -accepteula -p 3 -q soyezpruden.exe
            5⤵
            • Executes dropped EXE
            PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4076
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:1336
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:4992
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3580
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3168
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2928
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2996
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2060

Network

MITRE ATT&CK Enterprise v15

        Downloads

        • C:\USERS\ADMIN\DESKTOP\ADDLOCK.XLSX.ENCRYPTEDDATA

          Filesize

          12KB

          MD5

          241f9f0da1df0759f53af2ac7fc3a2f3

          SHA1

          0c1ea77b5b7819487e91a74d4fc1d441048990cc

          SHA256

          f42d5c03059759a96513be114aa71efd08be5e9ee68147419df69d4749c487a3

          SHA512

          7108a0034487b6f6a1c21a8222e46aabef7c158c593a7ccfd7cc5bac10006dcdf5a779af68509e48db90d2ab58469ebe403af270b8eb898e25b8d33c66170bf5

        • C:\USERS\ADMIN\DESKTOP\COMPAREUNLOCK.EMF.ENCRYPTEDDATA

          Filesize

          417KB

          MD5

          681feeba1877fee047f84146fd9e269f

          SHA1

          999dd0e4891e5c141e7b6f88ede94c1efed0ad44

          SHA256

          302e00ac7955c69d1f0d811ce4f5821f2c9ea14bb3f600efe720382310e6a31e

          SHA512

          6a717f2d72d6b2da93b1bd078f29198751dbb8f947106612df64ec8272be12ad243bdc233fddd3bd38b07a8d945e3765945ceb1d5ed9694545b792495b994298

        • C:\USERS\ADMIN\DESKTOP\CONFIRMCHECKPOINT.XLSX.ENCRYPTEDDATA

          Filesize

          12KB

          MD5

          a2922653f459ac04362a18a86a5fbb6e

          SHA1

          bd7d37f4056b19d030cabd000df4df7179231aa7

          SHA256

          f1edbfbdd1daab174bbd76fd43ce104745549df30c0ec7945051bc05baf06d82

          SHA512

          9f7ca0797c6af3a74ad76671dcdb9aab896a303afdede556c979f28711866bb3dc54319930c028fd2791323ba1ceaa5b502e44f6bd814541f1d26d82e7d23e77

        • C:\USERS\ADMIN\DESKTOP\DISABLEREDO.WAX.ENCRYPTEDDATA

          Filesize

          502KB

          MD5

          a6ced5b32e7df9e308cd424fba866d9a

          SHA1

          09abbe84fd86fe4e9154117491d577c6985a3365

          SHA256

          54b3e273f335c24d1d72eb3c7120ab8315c638524bc71d6226b909583ecfbe6c

          SHA512

          20bf7b65e22625cbb0b598a8de1f7bd1f137cf77b1e86e91971d87667e39bfe1892848e1e180605806fc472ff949f912a5fad4257222493de9eb741c86fee05f

        • C:\USERS\ADMIN\DESKTOP\DISMOUNTSPLIT.TIF.ENCRYPTEDDATA

          Filesize

          383KB

          MD5

          f453548ff8bf6a57995dcf613f17abf9

          SHA1

          f82feb1c37deae78d46963e10397cccf6b50d0ee

          SHA256

          6a45d36adcd0a8f8534c7d8b980fadcec6dcb0824c3aeb4271dfe85a468d842b

          SHA512

          2b382155986f15af7ed1cf5862b41fe9c61fdd71cf2fb2a8acd55ef2d9b014f4d5cbce76ae5383f99c4f864b20cfe5af0b71933e77fc10ea81fe5a22d815a5c7

        • C:\USERS\ADMIN\DESKTOP\ENABLETRACE.WMF.ENCRYPTEDDATA

          Filesize

          349KB

          MD5

          95a2c369c36f37a754709faf1cca65d3

          SHA1

          8841f9c76cb56186c019ad8ba8a5b4561ec56e90

          SHA256

          42f1f7b9c3d1ec14c7b5d1ab0081a0f9f4594c54a08d255e2ac5e554ad94c8e7

          SHA512

          b4a36c58b133212056fd0182dd6e649ff37abd824828e5093c46089bf759f1f15d1e2e41535cd0e4199d5bc00f7eb7204d2d0ec430fa988fcc2431a96939f30b

        • C:\USERS\ADMIN\DESKTOP\ENTERPUBLISH.MP2V.ENCRYPTEDDATA

          Filesize

          639KB

          MD5

          7a1e91dc4d303b6e70145ac1cdb68673

          SHA1

          7fcbd59c404cec79eed9ae518561d79ea160ce2d

          SHA256

          5f80d0bdcce346df3a1b4df05bff980262b47680afffe38e57921ca440d79c51

          SHA512

          0723dc43a65f1e9e9f462dcfa7849d101de9933201a303adc585dc4202b35115ed41c92f68aa770531e71f8fa3a10720e569391542965f1c373192ab0890e182

        • C:\USERS\ADMIN\DESKTOP\INVOKEFORMAT.EDRWX.ENCRYPTEDDATA

          Filesize

          571KB

          MD5

          be072abbbda7e0a1f5cb32c284514a80

          SHA1

          c173f538965fdfdad2eea04bfa62cd8169df0ad3

          SHA256

          2d0d508028a25bfd3c896f158080806dfb922ce9896a110c62f362d339be8901

          SHA512

          ef0b9d775a000d93b9fbd68c96fb643c7f82911ad3e177265ed53fe47909422eed45b848112aa5a3b48d5d1b0a68a6085b00e45d4da7b1628fd6acef9c208de6

        • C:\USERS\ADMIN\DESKTOP\JOINSWITCH.MPP.ENCRYPTEDDATA

          Filesize

          332KB

          MD5

          08f54d01d6eee31d38e16ea4ff063954

          SHA1

          00a11c1b07538822ff2f84f5a3bb179731e67197

          SHA256

          50b337aa3972fdfc5d0024764780b1ab1e784ead705d1d4f2c3b70a73a6a84d6

          SHA512

          a02fc6797df43874913e507f872840f9afd1463e319dcd742dcb93462255a726e3b7fd20bd8b11d8ee81893fc395ebb70a6139d2adc51f66a1a04ad4cee8c9f0

        • C:\USERS\ADMIN\DESKTOP\MOUNTCHECKPOINT.DOCX.ENCRYPTEDDATA

          Filesize

          16KB

          MD5

          dbcc32f03fa20b62c210cbc995cc3063

          SHA1

          068de2d09e4b824b4307ea7ef68e64c8e7fd7891

          SHA256

          064efdddf61139df7a452b39deafeed21ce93cc4b7fff8040e4db8e87a452c65

          SHA512

          c709cec6d013a85960d2a964295ec8e7d60e3340878c535fa1a92e661769b67e67243fa7f0bd1df1c25bd98626a5035b0319c36be7f2711c98f025024ea63e2f

        • C:\USERS\ADMIN\DESKTOP\RENAMERECEIVE.DOCX.ENCRYPTEDDATA

          Filesize

          21KB

          MD5

          33631a4d5d8eb3fbf815df7d659feea0

          SHA1

          a3a71795f50032fdc001372754712adfcd6889ff

          SHA256

          a13253b714e0b7ce1d21ec301cfcc70a1125476993368f6b50827449e6b53817

          SHA512

          7a5db717bf78559eafce695d96f06308e2b76135179ea90b06607f9e7b01a19f43d9271d003637bf6983c77cb5b5ef973c1427acec5e4d18e59ae980bd75d285

        • C:\USERS\ADMIN\DESKTOP\REPAIREXIT.PPTX.ENCRYPTEDDATA

          Filesize

          690KB

          MD5

          a9774752930f6e39a9a53832d649ef09

          SHA1

          c3d8a26c24c803286c3839652a3fea25e5117732

          SHA256

          f9497163042674f2e911df555a5bb59e5a0491d1bf096d3bb3eef5c914e6d0e2

          SHA512

          5ba8c779997b5d5e5870c68c64d1500f906185a39242a5f26d06c38ae9a6147251000d8c41e1dad63ae4928fd79f6da1a06eb960280cee7aefac82e19e0defd1

        • C:\USERS\ADMIN\DESKTOP\RESETASSERT.WAX.ENCRYPTEDDATA

          Filesize

          298KB

          MD5

          b89de94b922408b0f9dc9ff158809dc6

          SHA1

          b9f9cc9d8c0c7bda94236600b834c721fcf5852d

          SHA256

          d86880e9f1c6f700f287fead08bd140b1bfefa29cab6534b0d76d0037365aad1

          SHA512

          a907994e266d866e0b6ddf603cf7cc89b11e8f4dab0efb8bfbb48525ecd91844ff94f5c812e7c19ad39dfce7076e496a6936b66c13bf33b943be1a3baaf26202

        • C:\Users\Admin\AppData\Local\CONTACT.txt

          Filesize

          2KB

          MD5

          517ada80ffc870c0868383c38df8c562

          SHA1

          e0d8109805d7a17313e725d9dc759103af65f43a

          SHA256

          716ba933f9329f3c14fab6b6e03a555689413b971cab0fac7c55ab146bdc6009

          SHA512

          65d09680a895c47b651da6fd5a7d743b6f40bbd61c57ba4a8e01cbf57c35fc5ddff209e3b31679fd7b0d9e5018d32bd2362e0b77df0a9ec578e51854b1ee556c

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          627073ee3ca9676911bee35548eff2b8

          SHA1

          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

          SHA256

          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

          SHA512

          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          d0a4a3b9a52b8fe3b019f6cd0ef3dad6

          SHA1

          fed70ce7834c3b97edbd078eccda1e5effa527cd

          SHA256

          21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

          SHA512

          1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          6ce69296d926b8ec5e0ae5edb6b33f49

          SHA1

          5fe40331cdd433754cd17b4f4ffb329bd91f480f

          SHA256

          1c714447684a4f855b4d065c8f2bbf73eccdc87ba75945f2ea66e0f074fdc696

          SHA512

          c2eedd6731292f0a5e74343f5e7b7218e64d9577ddc1570aa061c773b44a48af51f1ec423531739e31d6d6e9d56e0f4bd87edd4962c4352adc22432521cc7c9b

        • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

          Filesize

          300B

          MD5

          8b94712ac2de46946128d950642939f6

          SHA1

          cee8561e7ca51da7d0542de9a4881ec7a586121f

          SHA256

          bc0a6f1d29f6a261001f529443dc7d7a6d185fc47051747b4756e13eee2e06c0

          SHA512

          d1bd9079e545c5e4a673cfd3cca0a408ff0cc3612ff05d0784687c914d7fd35b9881f5faa9725833feeed26bc88aa6a7f5210a352b2ffd941de3bf167274c150

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2024x100.exe

          Filesize

          2.0MB

          MD5

          998f5066a7f8786a3060f4d8fc12bcb7

          SHA1

          9e647e1f7b8f5750711fec983e8054ad9e648e49

          SHA256

          a657c69bf3969600caabda76ccdb943900c0a8645bb5bac4de4f62d27b83d758

          SHA512

          7d2e2c998247b3683a0ed674a6f09118aded4d43a1219b9c45571a752f0406a62a1b63799ee1660b6ef037a4957a77e711486a46eb2b68285d509b716595b1be

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe

          Filesize

          772KB

          MD5

          b93eb0a48c91a53bda6a1a074a4b431e

          SHA1

          ac693a14c697b1a8ee80318e260e817b8ee2aa86

          SHA256

          ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

          SHA512

          732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe

          Filesize

          802KB

          MD5

          ac34ba84a5054cd701efad5dd14645c9

          SHA1

          dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

          SHA256

          c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

          SHA512

          df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe

          Filesize

          1.7MB

          MD5

          c44487ce1827ce26ac4699432d15b42a

          SHA1

          8434080fad778057a50607364fee8b481f0feef8

          SHA256

          4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

          SHA512

          a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini

          Filesize

          548B

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini

          Filesize

          550B

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll

          Filesize

          84KB

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll

          Filesize

          1.5MB

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sdel.exe

          Filesize

          350KB

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sdel64.exe

          Filesize

          448KB

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtrd0lua.hpl.ps1

          Filesize

          60B

        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\Everything.db

          Filesize

          15.0MB

        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\Everything.db.tmp

          Filesize

          15.0MB

        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\Everything.ini

          Filesize

          20KB

        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\sd.bat

          Filesize

          318B

        • C:\Users\Admin\AppData\Local\{CAF0D3AB-74BF-C734-32F8-FF5729CAE91D}\session.tmp

          Filesize

          32B

        • C:\Users\Admin\AppData\Local\{CAF0DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

          Filesize

          2.0MB

        • memory/2060-418-0x000001F2C7E40000-0x000001F2C7F40000-memory.dmp

          Filesize

          1024KB

        • memory/2060-419-0x000001F2C7E40000-0x000001F2C7F40000-memory.dmp

          Filesize

          1024KB

        • memory/2060-492-0x000001F2FA6B0000-0x000001F2FA7B0000-memory.dmp

          Filesize

          1024KB

        • memory/2060-534-0x000001F2FBD20000-0x000001F2FBD40000-memory.dmp

          Filesize

          128KB

        • memory/2060-535-0x000001F2FBED0000-0x000001F2FBFD0000-memory.dmp

          Filesize

          1024KB

        • memory/2060-536-0x000001F2FB960000-0x000001F2FB980000-memory.dmp

          Filesize

          128KB

        • memory/2060-620-0x000001F2FFCE0000-0x000001F2FFDE0000-memory.dmp

          Filesize

          1024KB

        • memory/3376-119-0x0000022DDF410000-0x0000022DDF432000-memory.dmp

          Filesize

          136KB

        • memory/4232-139-0x000001A85B7B0000-0x000001A85B7BA000-memory.dmp

          Filesize

          40KB