Overview

overview

10

Static

static

f9fcc0cddd...d5.exe

windows7_x64

10

f9fcc0cddd...d5.exe

windows10_x64

10

Analysis

  • max time kernel
    79s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-12-2020 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe

  • Size

    450KB

  • MD5

    efc275dbc9e66fbbc84cfac31aeabfd0

  • SHA1

    46458fe09b1d29198cb1c143d5f8d517850493f5

  • SHA256

    f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5

  • SHA512

    45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Path

C:\!!! HOW TO BACK YOUR FILES !!!.TXT

Family

buran

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: China.Helper@aol.com ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: Your personal ID: 1B9-E69-EAA Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 15290 IoCs
  • Drops file in Windows directory 1 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 85 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe
    "C:\Users\Admin\AppData\Local\Temp\f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:528
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
          PID:1284
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
          3⤵
            PID:1288
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
            3⤵
              PID:1260
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1488
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1152
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
              3⤵
              • Executes dropped EXE
              • Modifies extensions of user files
              • Drops file in Program Files directory
              • Drops file in Windows directory
              PID:828
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1600
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1056
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1264
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              3⤵
                PID:644
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1356

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            MD5

            49f30697c634c40272e3aa13c370279f

            SHA1

            bd543555d20162a2afcfb3a0f85cde37b7faf0db

            SHA256

            c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3

            SHA512

            ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            efc275dbc9e66fbbc84cfac31aeabfd0

            SHA1

            46458fe09b1d29198cb1c143d5f8d517850493f5

            SHA256

            f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5

            SHA512

            45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            efc275dbc9e66fbbc84cfac31aeabfd0

            SHA1

            46458fe09b1d29198cb1c143d5f8d517850493f5

            SHA256

            f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5

            SHA512

            45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            efc275dbc9e66fbbc84cfac31aeabfd0

            SHA1

            46458fe09b1d29198cb1c143d5f8d517850493f5

            SHA256

            f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5

            SHA512

            45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

            Download Submit
          • C:\Users\Admin\Desktop\AssertExpand.wm.1B9-E69-EAA
            MD5

            38f278bc617730ff211303badb88ead9

            SHA1

            42ab906c951404116c2f9113cd1e5d44316eddda

            SHA256

            62f1d3afc5be44ed3380bc1fb2a48cc3a178d8c0acb337e2a136d05dc17af7cf

            SHA512

            bb934b6c2ec8c430fd8b60f7d96c45876a4f80e239a67cf8cab3f05d24021e3cbe57e3b9a607b3776998902ec85d82b7c66207c187681dc3345679e2c457abc8

            Download Submit
          • C:\Users\Admin\Desktop\BlockRequest.dxf.1B9-E69-EAA
            MD5

            138d5b3a3498b27dd9447a2d58612b93

            SHA1

            8346d314fea719f37ed97e2993bd561c9d1e80a8

            SHA256

            4ad0e384b44600a31637083ba9fa4cef93a644092ec04d4272db3cb70f4526ba

            SHA512

            0d1ad0196c095641975dccee3c4327f06feb22c5eb06c28b43c653bb83d7dff20d5e2a67cf55989c1ea6310813b065c5dbaefc92b65d376ac2fa87281a4851c2

            Download Submit
          • C:\Users\Admin\Desktop\BlockStart.mht.1B9-E69-EAA
            MD5

            0547d0396c3f72c1e54b0164baae7ef5

            SHA1

            723c5d9f931402d399bd7f3bd4bdcff0c2face0a

            SHA256

            ab1686949fe2c82acd5394178ae44fe0af34b650d9308a306c72ebca4239f2f9

            SHA512

            d17b548ceda6b8bb038e0f0499343294c6d0854ff0579f71bbf66b00a73c1f45952143ac442f46eceff6b6d3441937c92e9ef3197b00fb7e24dee050380d231d

            Download Submit
          • C:\Users\Admin\Desktop\CloseOptimize.AAC.1B9-E69-EAA
            MD5

            0029a0404e6f9ff0b0ee9b54f55e7c87

            SHA1

            fca0d4d838dcc710faeb448878abdd776d9e6ae3

            SHA256

            6971ce74aa39ecba40211c2a1d4dd4874a465190db7ce98e8ad3297b3ff31a76

            SHA512

            6b908c110d399f1c14e305481d6d7b4b1ddb2e7d0000f59d33b98a1571dea8ec3e17e1e64e0494ad2edb39253f9aa8314c01e40c2b54f82f303e6bf342b62a54

            Download Submit
          • C:\Users\Admin\Desktop\CompressTrace.jpg.1B9-E69-EAA
            MD5

            6787e4498a11c945d094ee0a5fb52219

            SHA1

            501e7473a084fffdf0cbe6c779f1e42359c7f569

            SHA256

            d763adc0acf6c06ee27ab15362ea242ac739c21eea7ddfb5db934e7839f5908e

            SHA512

            86170d66f36d039f62b207fc3fda2f550d30bd28aaae64261bcce7d03c55a6634b59eba2d0810c928159f8790218918fb606bf126e71a2d953499892d9318efa

            Download Submit
          • C:\Users\Admin\Desktop\ConvertFromResume.potx.1B9-E69-EAA
            MD5

            9bf70856ec4f3390647d209e26c8dd72

            SHA1

            9367462770ae0ddbbc041c7f475cbf5fa3798160

            SHA256

            f3773ddd9b2821880755fd9adf965e9cbb6880d9ae924561539906ef8ee0c9a9

            SHA512

            e88c9e48e41ca12e720e62be307a4a722e39b5bf7fc01541d9f0fef3edff503940a2defc4e68f2816dfc95d78daadb09160a889e5a9ed5b82c30a340296583f8

            Download Submit
          • C:\Users\Admin\Desktop\DisableUndo.cab.1B9-E69-EAA
            MD5

            2808a5c9b50cb41c7b0c7dd1ef52e8ec

            SHA1

            0e6e1c08d4b02dc1acc7dfa69fc71f9a5b601bcc

            SHA256

            2668e95de4d8278af28933186c199a03ee33d3a2acd26fcf0abc3cc2a505885c

            SHA512

            f80d47a4ff8cf61335c6019a6d705f313a98f60de997cdd6e5bc36cf609537c1eec4fc50fc946e12f427a2f35c1a676b09abb4cdb4b96a5e51beb559a21a4a78

            Download Submit
          • C:\Users\Admin\Desktop\DismountSend.ppsx.1B9-E69-EAA
            MD5

            df32b192daf9c950997a4a8bcee5af08

            SHA1

            9189514ab29758cb0a3c2f61a9f6bd9e6c97e4aa

            SHA256

            3921adf493ceeb5339d976d32c271639942891a1e1cc76c24fdabb99235dc4a8

            SHA512

            767c178be62cd62321357a6851f77e845f3a64607bff98f3e86a3cb5ea5b9d2428dff1720e025bef9b18f6e23025e152a3693054368f9215a9091aa03467ae6d

            Download Submit
          • C:\Users\Admin\Desktop\EnableCheckpoint.asx.1B9-E69-EAA
            MD5

            bb300bf8576847ef672603070eac1c95

            SHA1

            139cd628a882812330cd011b669442e043129392

            SHA256

            0d821cd2d4520f20b8bcc01cb4f240213a4de049fbfb3df54e1d13d1fd1cf712

            SHA512

            5d818a914644df5c0cea3032de9a2a0a9eedad1484cd53807a8949fe4521c897e252714072313eb43b45cf02b299f0856e208ce5cf8ee71c35141563c5b93003

            Download Submit
          • C:\Users\Admin\Desktop\ExpandSubmit.MOD.1B9-E69-EAA
            MD5

            6976da2acb1802c2a53f73142c877945

            SHA1

            a372b970430ef9b5b28b767d7719cf82dccb12be

            SHA256

            857869aecaf0220b89930c61822ee80e4099004bb3902a379c1eb9e587c91196

            SHA512

            348e891a283eb6d46293f4b3f5ca5b8adc9f555b92190490ca690ae6986edebc8c1176e8474061d88553745c167f46fb7a6ce4cda52eda27fbd4ab9105c7b1ff

            Download Submit
          • C:\Users\Admin\Desktop\ExportApprove.i64.1B9-E69-EAA
            MD5

            544ee402b1b60869cc0fe9b1a494e5ef

            SHA1

            c9685786fc071b965272b573769b7f2215b251ea

            SHA256

            261421cd6845ec47effd6ef17dcbb0e0bdf3118fedd6481bc326ba544b2404c5

            SHA512

            f8f6e4d174fd3bdd217524ad0602b4e64ecd44a32c81302c7305f219955e292d4dbddfd8fde9e2a459fb7b309b4a297e6161a380fb0e387846cf8279d24a4348

            Download Submit
          • C:\Users\Admin\Desktop\ExportUnblock.odt.1B9-E69-EAA
            MD5

            53c5c36999386c6c2ebb309be699d806

            SHA1

            8c5800da08aa8a50f587c9377ca15b0163b81e01

            SHA256

            3b626cfea5c2322396cf20db380e3790b300ec992933d068ca35889740cfeeae

            SHA512

            0bff3236c53c5d1713f815b372c324fe214357527df1420127be55cc01f537148e2774bcd11993c3fd5571a1817b2265fa530af1632111c8f51c06e31375fe9c

            Download Submit
          • C:\Users\Admin\Desktop\GetAssert.sql.1B9-E69-EAA
            MD5

            81827a916c0a71ceef2649a33c886155

            SHA1

            6f279611e05a251e92a91d019af19b1d5b8b64f5

            SHA256

            ff7e0a2c5ae942b8bee2d973b30ef2fdbc04afdb1dde03f92eb8b637edca1bbd

            SHA512

            adadaa7cbcb0f3988d5e37467a1e7abb58e0c30ca79a7c0780a32cfa5c97eb162503625c812c79a3049cc8cd661a8544f7231a2de17c33b3dd319d4096a17d09

            Download Submit
          • C:\Users\Admin\Desktop\GroupProtect.3gp.1B9-E69-EAA
            MD5

            733c3ebd0ab1199ff7a985625c2ac36e

            SHA1

            3e5db21e4ad65bceca5f09a116298fb8116cc73b

            SHA256

            ab111ea3e0a203a38e33677c97a448e56c7a84cd8585c45a67e89b00b2849e26

            SHA512

            ed5f6f4daa3e2a948a81532f065be398e1533213f375c9149cdfc3490cefdc28527aa8b24c1375a581226ad2d43350242efd8dc2b5157738f3aae4855b01ae09

            Download Submit
          • C:\Users\Admin\Desktop\InvokeApprove.mp4.1B9-E69-EAA
            MD5

            463fc51037411a1ca4997140d157b109

            SHA1

            efdf6b9003b82824c3b878d209752a6dbf42de34

            SHA256

            0ca8393b61b50481f4be8797a0523449f899ddc57644a9eff3610161d2816c16

            SHA512

            3ee329c48ceb6c93bfe09100d33ca84453a29f98cb785a06455e54fb8d0658613271fec85f9a70bdded2a36b9c5aee2d614dedf9ebd269825584d3a85d8c688b

            Download Submit
          • C:\Users\Admin\Desktop\MoveResolve.aiff.1B9-E69-EAA
            MD5

            f144004d4b85b6a1ee53fc2a2a2aa1f6

            SHA1

            074f4f32a33cb5947c18c88cbaf286e9980c5fe6

            SHA256

            1b34a18debf27b3f43db73409fd58a6792ef25f22207fe6d4382635db32c4851

            SHA512

            3930943524fabf3bea1f4ef875b24ab7a1d5f5c689942e5beec4b55b08f7103a58fcda51cd3a5cd3e1a518c322008c5f3eb0219c311a8d1d2531c93c4016cfe9

            Download Submit
          • C:\Users\Admin\Desktop\NewAdd.js.1B9-E69-EAA
            MD5

            94aa11c83ca8e91597faf4d5945673fb

            SHA1

            29e91ccdd273b2c5b638a5ec2322c3f9a957098d

            SHA256

            4c2c36284057714b8b4432a61c7ec6751469a58f0da18e308a551478ce804eaf

            SHA512

            0b755b2c7cdd311e9294f1d832b1a6b8b688c83d10a5257128e3256582b58daed8b31d9626ab9eeea4bf6aa0e56c2c57922ef7f42acab6c79b8811d0e0255762

            Download Submit
          • C:\Users\Admin\Desktop\PublishSync.potm.1B9-E69-EAA
            MD5

            7de0a0d6288dda5e7d93e4292924a332

            SHA1

            a761cce618f079313dbb109b6068346576dafd99

            SHA256

            9f2edad26a5bcc01e0bf3da309374a133afa3fcf33f2c7fce9e416d5a048f588

            SHA512

            82f7f3ab2c9a446a330f3780034e6100a9e486a78e9f4366acfbd34eaf1acf4223d45b7f4aec7e57d6c794e2c3485eee9962f8ae1b776bbce7f4e0660d755486

            Download Submit
          • C:\Users\Admin\Desktop\PushUnpublish.mp4v.1B9-E69-EAA
            MD5

            0d0ca0051520a9a62b605e3cfe1f62e3

            SHA1

            f4f31371c21d21b7395f3e91ce6ee04cf7f15880

            SHA256

            54d74c657e0e58dc00aafa4dcc76b58a7d7bdb1881fbd33359b97d34c0d37404

            SHA512

            4bef390dd24b8f7a62446db39b7b3538c61b9a1ac505c209cf470467135332f8c882784cf402a419c2db8f50b34f3233f1b2116c4dd330b2e3fd051bcbabb638

            Download Submit
          • C:\Users\Admin\Desktop\ResetPublish.AAC.1B9-E69-EAA
            MD5

            e261909d7486187c9d1e4aa481bd7486

            SHA1

            1e07fe6d8fe8b2f52ea5b657f99969f4ce9afeba

            SHA256

            cbc199a6bc9a6def682e9b54691eef568f79991d2450f242c6fe8d108e46b5e9

            SHA512

            8b370c3708f7ee477c523c948698b9cc0f2c44cd797ea025b0d67a411360ca98bb04484476dad67c8a1603776041958ad463c54fe4d0e78267db6624ac7b3cff

            Download Submit
          • C:\Users\Admin\Desktop\ResolveCompress.odt.1B9-E69-EAA
            MD5

            bc2866ab3f0ebc63b6a5a6d21bf60b7d

            SHA1

            843648cf2744e9198ac07ea36a6b003c7d12027c

            SHA256

            d76774fc819e7721505bf343eaea9b66b44c8a941ba1f4aede0702c9df468500

            SHA512

            ef776e2b1fd0d5f807aaa0bacbd915921d13aaaf4ee84a91fb1987d3cfdc17a2eab5367877290529832d9d8cad929d780aec7db5170bba69d613498828d690a8

            Download Submit
          • C:\Users\Admin\Desktop\ResumeCompare.temp.1B9-E69-EAA
            MD5

            2857e4329f32ed6dfa6f6ebc813b9d96

            SHA1

            e9b277a4a4f96c12a9fafd8905eb08eafbd7e1fa

            SHA256

            3e5dc1503fa67240238e1f61be7bdc5c0eedbf50589d306caaee30f02e133abf

            SHA512

            f2cc91d19db608812e6f1e7bfde1e904b37dbe7b79062765f7c5fbcd4f4cc2a0376b97d6e0133a1f83f5f6de4ac46f618bcf6a1e952544b36374f42fd0843092

            Download Submit
          • C:\Users\Admin\Desktop\SelectWrite.css.1B9-E69-EAA
            MD5

            7d01e6697154fb51551bb2439f2ca60a

            SHA1

            13473d9cfe4868ac036f0e4d5d88865c8c7e21b6

            SHA256

            fedc6ffba7f2e52b1bfd440da7d4196e7cbab2d2ce44b70cd031ecb46440fa05

            SHA512

            1d84961adc477b222cc4bb005a08a9c65f2df431e5ce1aee583d6d31a59a80977554c4c1954ff9db1818cca74813f10b2869dec57258d58a6618fea697f298b3

            Download Submit
          • C:\Users\Admin\Desktop\SwitchUnprotect.shtml.1B9-E69-EAA
            MD5

            70584124596e340695681800b564eb06

            SHA1

            87fa3bc4d50394d5df0e532dd37b91b8e20cb9c4

            SHA256

            f100ddb243cdb9aa0b8f2451bb6fbac1d98b7e7ba3796580d02978b356fbc5da

            SHA512

            37aab9747e3db6485b4ccf9b5fb822a1a3a9176f316312c0e13e89a173d5e37a2d0186b827f5043efce84682ede65e557544b220b18b9c5d1660c7f843454d3f

            Download Submit
          • C:\Users\Admin\Desktop\UnpublishRevoke.pub.1B9-E69-EAA
            MD5

            d854d8b24e559d3cfbfc71223a7b1e5e

            SHA1

            ce1d45c256cf1b2a0c88658ce99aa8390797286e

            SHA256

            3a4b7f0b02b2a9cef565b0e4ed10389260ebaf21564c49c58255bb0e24f9619a

            SHA512

            df6fe0759f2bc2ba0fbeb2d5a984cbc2fc1b8f495641adc877635f447d1ed3c067e6b29acc434886b6759bc76d41ffb6876846e6738eace18f1fb5120ab81f27

            Download Submit
          • \Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            efc275dbc9e66fbbc84cfac31aeabfd0

            SHA1

            46458fe09b1d29198cb1c143d5f8d517850493f5

            SHA256

            f9fcc0cddd57b377a8aa65a713ddbe986cda2e188e037cbd706c81096059c9d5

            SHA512

            45e8578bd9c58e522fe7c6680d972ce510d3fe483a70583bf192ebd1a946da8c492d5aecb126778defcaffb66550b91b047c7a9934a6b3e88c2da36a4754596e

            Download Submit
          • memory/528-14-0x0000000000000000-mapping.dmp
            Download
          • memory/644-44-0x0000000000000000-mapping.dmp
            Download
          • memory/644-43-0x00000000000A0000-0x00000000000A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/828-11-0x0000000000000000-mapping.dmp
            Download
          • memory/1056-16-0x0000000000000000-mapping.dmp
            Download
          • memory/1152-15-0x0000000000000000-mapping.dmp
            Download
          • memory/1260-8-0x0000000000000000-mapping.dmp
            Download
          • memory/1264-17-0x0000000000000000-mapping.dmp
            Download
          • memory/1284-7-0x0000000000000000-mapping.dmp
            Download
          • memory/1288-6-0x0000000000000000-mapping.dmp
            Download
          • memory/1488-9-0x0000000000000000-mapping.dmp
            Download
          • memory/1600-10-0x0000000000000000-mapping.dmp
            Download
          • memory/1636-3-0x0000000000000000-mapping.dmp
            Download
          • memory/2044-5-0x0000000000000000-mapping.dmp
            Download