buran | 8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30

Analysis

max time kernel
151s
max time network
141s
platform
windows10_x64
resource
win10v20210410
submitted
27-08-2021 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
Size

265KB
MD5

1c8cfa6f9fe0ea0bd7c02e4c0a4aaf31
SHA1

ac937ada39fc833b8a0be20001ab7a71c3795318
SHA256

8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30
SHA512

7529a41f265cb34a98c8d9f8ecec4666d093ee82bc296bada6a78f4e564a3775fa66d38cb22ea150b14d0b549812279f83dbdb12ae998952924c51945ad360c6

Score

10^/10

buran raccoon redline smokeloader 20d9c80657d1d0fda9625cbd629ba419b8a34404 word1 backdoor discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 1E2-168-453 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

20d9c80657d1d0fda9625cbd629ba419b8a34404

Attributes

url4cnc
https://telete.in/hfuimoneymake

rc4.plain

Extracted

Family

redline

Botnet

WORD1

94.26.249.88:1902

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4012-140-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/4012-141-0x000000000041A68E-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

CD58.exeD279.exeD336.exeexplorer.exeexplorer.exebduuwaibduuwai

pid	Process
3616	CD58.exe
3756	D279.exe
3244	D336.exe
200	explorer.exe
2284	explorer.exe
1312	bduuwai
780	bduuwai

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

explorer.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\OptimizeDebug.tiff	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\RepairGet.tiff	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\WatchReceive.tiff	explorer.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3044

Loads dropped DLL 5 IoCs

Processes:

CD58.exe

pid	Process
3616	CD58.exe
3616	CD58.exe
3616	CD58.exe
3616	CD58.exe
3616	CD58.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

D279.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	D279.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	D279.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
27	geoiptool.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exeD336.exebduuwai

description	pid	Process	procid_target
PID 3892 set thread context of 3612	3892	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe	76
PID 3244 set thread context of 4012	3244	D336.exe	85
PID 1312 set thread context of 780	1312	bduuwai	120

Drops file in Program Files directory 64 IoCs

Processes:

explorer.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-100.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2017.222.1920.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\CoinsFlyToBar_D.wav	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\Relicensing Statement.txt	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\RadialControl\TiltUp_E809_Normal_White_64x64.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.payfast290.1E2-168-453	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-400.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72_altform-unplated.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2_40x40x32.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-150.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\LargeTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-200.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar.payfast290.1E2-168-453	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1914_24x24x32.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png.payfast290.1E2-168-453	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\computer_black.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b93b0697.pri	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js.payfast290.1E2-168-453	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.payfast290.1E2-168-453	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.wink.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\PopUp\Pop_up_Warning.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui	explorer.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.es-es.msi.16.es-es.vreg.dat	explorer.exe
File opened for modification	C:\Program Files\TestInvoke.mp2v	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-80_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ui-strings.js.payfast290.1E2-168-453	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\CardBack3.png	explorer.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-100_contrast-white.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\s_agreement_filetype.svg.payfast290.1E2-168-453	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\AppStore_icon.svg.payfast290.1E2-168-453	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_11s.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsMedTile.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\WideTile.scale-200.png	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exebduuwai

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bduuwai
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bduuwai
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bduuwai

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
4028	timeout.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
3744	vssadmin.exe
584	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe

pid	Process
3612	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
3612	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3044

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exebduuwai

pid	Process
3612	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
780	bduuwai

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

D336.exeD279.exeRegSvcs.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	3244	D336.exe
Token: SeDebugPrivilege	3756	D279.exe
Token: SeDebugPrivilege	3756	D279.exe
Token: SeDebugPrivilege	4012	RegSvcs.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeIncreaseQuotaPrivilege	3816	WMIC.exe
Token: SeSecurityPrivilege	3816	WMIC.exe
Token: SeTakeOwnershipPrivilege	3816	WMIC.exe
Token: SeLoadDriverPrivilege	3816	WMIC.exe
Token: SeSystemProfilePrivilege	3816	WMIC.exe
Token: SeSystemtimePrivilege	3816	WMIC.exe
Token: SeProfSingleProcessPrivilege	3816	WMIC.exe
Token: SeIncBasePriorityPrivilege	3816	WMIC.exe
Token: SeCreatePagefilePrivilege	3816	WMIC.exe
Token: SeBackupPrivilege	3816	WMIC.exe
Token: SeRestorePrivilege	3816	WMIC.exe
Token: SeShutdownPrivilege	3816	WMIC.exe
Token: SeDebugPrivilege	3816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3816	WMIC.exe
Token: SeRemoteShutdownPrivilege	3816	WMIC.exe
Token: SeUndockPrivilege	3816	WMIC.exe
Token: SeManageVolumePrivilege	3816	WMIC.exe
Token: 33	3816	WMIC.exe
Token: 34	3816	WMIC.exe
Token: 35	3816	WMIC.exe
Token: 36	3816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe
Token: 36	1660	WMIC.exe
Token: SeBackupPrivilege	3904	vssvc.exe
Token: SeRestorePrivilege	3904	vssvc.exe
Token: SeAuditPrivilege	3904	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3816	WMIC.exe
Token: SeSecurityPrivilege	3816	WMIC.exe
Token: SeTakeOwnershipPrivilege	3816	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3044

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exeD336.exeD279.exeCD58.execmd.exe

description	pid	Process	procid_target
PID 3892 wrote to memory of 3612	3892	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe	76
PID 3892 wrote to memory of 3612	3892	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe	76
PID 3892 wrote to memory of 3612	3892	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe	76
PID 3892 wrote to memory of 3612	3892	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe	76
PID 3892 wrote to memory of 3612	3892	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe	76
PID 3892 wrote to memory of 3612	3892	8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe	76
PID 3044 wrote to memory of 3616	3044		80
PID 3044 wrote to memory of 3616	3044		80
PID 3044 wrote to memory of 3616	3044		80
PID 3044 wrote to memory of 3756	3044		81
PID 3044 wrote to memory of 3756	3044		81
PID 3044 wrote to memory of 3756	3044		81
PID 3044 wrote to memory of 3244	3044		82
PID 3044 wrote to memory of 3244	3044		82
PID 3044 wrote to memory of 3244	3044		82
PID 3044 wrote to memory of 2108	3044		83
PID 3044 wrote to memory of 2108	3044		83
PID 3044 wrote to memory of 2108	3044		83
PID 3044 wrote to memory of 2108	3044		83
PID 3044 wrote to memory of 1648	3044		84
PID 3044 wrote to memory of 1648	3044		84
PID 3044 wrote to memory of 1648	3044		84
PID 3244 wrote to memory of 4012	3244	D336.exe	85
PID 3244 wrote to memory of 4012	3244	D336.exe	85
PID 3244 wrote to memory of 4012	3244	D336.exe	85
PID 3244 wrote to memory of 4012	3244	D336.exe	85
PID 3244 wrote to memory of 4012	3244	D336.exe	85
PID 3244 wrote to memory of 4012	3244	D336.exe	85
PID 3244 wrote to memory of 4012	3244	D336.exe	85
PID 3244 wrote to memory of 4012	3244	D336.exe	85
PID 3044 wrote to memory of 2776	3044		87
PID 3044 wrote to memory of 2776	3044		87
PID 3044 wrote to memory of 2776	3044		87
PID 3044 wrote to memory of 2776	3044		87
PID 3044 wrote to memory of 3704	3044		88
PID 3044 wrote to memory of 3704	3044		88
PID 3044 wrote to memory of 3704	3044		88
PID 3756 wrote to memory of 200	3756	D279.exe	89
PID 3756 wrote to memory of 200	3756	D279.exe	89
PID 3756 wrote to memory of 200	3756	D279.exe	89
PID 3756 wrote to memory of 3468	3756	D279.exe	90
PID 3756 wrote to memory of 3468	3756	D279.exe	90
PID 3756 wrote to memory of 3468	3756	D279.exe	90
PID 3756 wrote to memory of 3468	3756	D279.exe	90
PID 3756 wrote to memory of 3468	3756	D279.exe	90
PID 3756 wrote to memory of 3468	3756	D279.exe	90
PID 3044 wrote to memory of 1564	3044		91
PID 3044 wrote to memory of 1564	3044		91
PID 3044 wrote to memory of 1564	3044		91
PID 3044 wrote to memory of 1564	3044		91
PID 3044 wrote to memory of 1080	3044		92
PID 3044 wrote to memory of 1080	3044		92
PID 3044 wrote to memory of 1080	3044		92
PID 3616 wrote to memory of 1992	3616	CD58.exe	93
PID 3616 wrote to memory of 1992	3616	CD58.exe	93
PID 3616 wrote to memory of 1992	3616	CD58.exe	93
PID 1992 wrote to memory of 4028	1992	cmd.exe	95
PID 1992 wrote to memory of 4028	1992	cmd.exe	95
PID 1992 wrote to memory of 4028	1992	cmd.exe	95
PID 3044 wrote to memory of 2132	3044		96
PID 3044 wrote to memory of 2132	3044		96
PID 3044 wrote to memory of 2132	3044		96
PID 3044 wrote to memory of 2132	3044		96
PID 3044 wrote to memory of 2248	3044		97

C:\Users\Admin\AppData\Local\Temp\8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
"C:\Users\Admin\AppData\Local\Temp\8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe
  "C:\Users\Admin\AppData\Local\Temp\8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3612

C:\Users\Admin\AppData\Local\Temp\CD58.exe
C:\Users\Admin\AppData\Local\Temp\CD58.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\CD58.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4028

C:\Users\Admin\AppData\Local\Temp\D279.exe
C:\Users\Admin\AppData\Local\Temp\D279.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:3972
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3816
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:584
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:2312
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3744
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2472
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3468

C:\Users\Admin\AppData\Local\Temp\D336.exe
C:\Users\Admin\AppData\Local\Temp\D336.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2108

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1648

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2776

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1564

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2132

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\AppData\Roaming\bduuwai
C:\Users\Admin\AppData\Roaming\bduuwai
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1312
- C:\Users\Admin\AppData\Roaming\bduuwai
  C:\Users\Admin\AppData\Roaming\bduuwai
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
4bb27cecc67b86cdab0cf2ab4b43044b

SHA1
073143084f75776416d212ad583ac5eb3ddefc59

SHA256
2b7bf1be63dc02e9666242ffbec6b5f0b529bc14d657da8eae3279a418ed094d

SHA512
d49829ef07f5d3ef17df97c80b5df2a8ff018260a80295f290cf0231817b2e45e4f7388be7031ca60f20eb5987848b017a28f4c3b2fe05513f23d278de334e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
6443a9583d6025c87f1f6432a860f296

SHA1
89327b657aa8ab1f12f68d752d470cd8f8a9d4c6

SHA256
7067bb32cd9576f9fb35bcc15eec4b8dee50896004650b4d188b4a239c0c1555

SHA512
d159914abeb571caf409c7c5761451999f6952f72b86488e9b246f7eec3cf58135beff2636c17b81d17dc4c0fdc76fa83d5e0c161915d751f7378ded66c6e268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
9fc83e81ca6f225e9025e1f8703d5867

SHA1
d1701d13d047af616d3a1f4a0c7e1bb25a93b60b

SHA256
eaa50f85fe7dc93ac78758e5f296fdad41115bc75ae7c999a1e6c3f48a37a2a5

SHA512
eb00e53a3211cc3f25bb231b97dee9b10d92cd8d9ca834f4b4724cb3a9025b5fc1d2d4e0b5a39098f8f8ecfc842765f9df937ab75693a2088f3bdd7a9c2cbd18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
30a1425aa892462a34fe41047bff6e5b

SHA1
bc5fa087ec6c219f3d1ab3f5acf4d1b3bfc30c96

SHA256
ad74571ced33e4149569ddc3e62976eeac75bf7d33761e7a04382ccaf689eef1

SHA512
043585957450abd34baccbe0cc61e1032f07d69df4326a8b354d14ef240365a77cfb52cb7d17f8905b14fbbb874211a085f212039b3597476bd0519fbea6b6d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
ba9f72495cbe62f1f31da1c2ebc33461

SHA1
88e9360ebd5a66fee1ba09141dea12c43df37452

SHA256
24c7f240c420cc4627d056c07861eff0763b653497de714739b757570d39a4a9

SHA512
7f9461d3d2b5627f0768ae997419e3cc037269c804ae5fcf942235c1b1c0da8ede8fa8e2710bad15971c10f45e56f309468adf11e5c628e76146888ed4184ad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
2f1627aebb6e6a251115540a0dbc75bd

SHA1
f8e86b368bdacaad9155ce47ccc79fafd0f4ba9e

SHA256
058100c0ccd22b4198697cec6a6c52269e9f106418243ce4e84b5726d0f96476

SHA512
1c3a6efc5487e4b65c57943074a358cd96382c49c240c9f4797d37a298a22135933f189764f6dd7569c8a436bc503675b668d10fe43d8b37c949f5e3b4456011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GDGLHSEM\HWJUMXLN.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\TIHI1T49.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD58.exe

MD5
536185da02430df13f57ed88b87924ca

SHA1
a7d7256672a539e099bb7d281e9ee46edba2e6b1

SHA256
dce6658df0355c0ca22eb7bab3418c27d7f8885786e3453a0eb17912a35a7b47

SHA512
44dc06fd79ec90fe5f4856198e0ead596cf96a4696a66f6558bcaa2c9f5e6a4cb8f24a6127d96ca3d0470bc22d5a6a1b2fae6a9354403cca8bcf97a687d4cbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD58.exe

MD5
536185da02430df13f57ed88b87924ca

SHA1
a7d7256672a539e099bb7d281e9ee46edba2e6b1

SHA256
dce6658df0355c0ca22eb7bab3418c27d7f8885786e3453a0eb17912a35a7b47

SHA512
44dc06fd79ec90fe5f4856198e0ead596cf96a4696a66f6558bcaa2c9f5e6a4cb8f24a6127d96ca3d0470bc22d5a6a1b2fae6a9354403cca8bcf97a687d4cbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\D279.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D279.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D336.exe

MD5
79ed4e7916483d3c00d3f7cd288ea0da

SHA1
f3188a2bdc1200385e91f9f60056c68c4267975d

SHA256
c022e44bdb6682c05caac92f5182e4e4d5db6ee81f64083a24b3a8f100c1c362

SHA512
baa1657194150e789a271341cae0e2e7f421b86dde9253f5a495d9b54ea4d144dda18cd95f64b6889542562c2ef6f90aebde0b976a443047929632286f217a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D336.exe

MD5
79ed4e7916483d3c00d3f7cd288ea0da

SHA1
f3188a2bdc1200385e91f9f60056c68c4267975d

SHA256
c022e44bdb6682c05caac92f5182e4e4d5db6ee81f64083a24b3a8f100c1c362

SHA512
baa1657194150e789a271341cae0e2e7f421b86dde9253f5a495d9b54ea4d144dda18cd95f64b6889542562c2ef6f90aebde0b976a443047929632286f217a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\bduuwai

MD5
1c8cfa6f9fe0ea0bd7c02e4c0a4aaf31

SHA1
ac937ada39fc833b8a0be20001ab7a71c3795318

SHA256
8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30

SHA512
7529a41f265cb34a98c8d9f8ecec4666d093ee82bc296bada6a78f4e564a3775fa66d38cb22ea150b14d0b549812279f83dbdb12ae998952924c51945ad360c6

Download Submit
C:\Users\Admin\AppData\Roaming\bduuwai

MD5
1c8cfa6f9fe0ea0bd7c02e4c0a4aaf31

SHA1
ac937ada39fc833b8a0be20001ab7a71c3795318

SHA256
8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30

SHA512
7529a41f265cb34a98c8d9f8ecec4666d093ee82bc296bada6a78f4e564a3775fa66d38cb22ea150b14d0b549812279f83dbdb12ae998952924c51945ad360c6

Download Submit
C:\Users\Admin\AppData\Roaming\bduuwai

MD5
1c8cfa6f9fe0ea0bd7c02e4c0a4aaf31

SHA1
ac937ada39fc833b8a0be20001ab7a71c3795318

SHA256
8bbca691909fe991f844a2842a81cc07ae7a55a0bdc505488eeb0b8de0d86e30

SHA512
7529a41f265cb34a98c8d9f8ecec4666d093ee82bc296bada6a78f4e564a3775fa66d38cb22ea150b14d0b549812279f83dbdb12ae998952924c51945ad360c6

Download Submit
C:\Users\Admin\Desktop\CompressUpdate.m3u.payfast290.1E2-168-453

MD5
d382700c965cf4edc05af20762f47a10

SHA1
d6624e07e108a9f2c710ac6dda5252ac8250e9d6

SHA256
f517baadc48a3dbe1ad409fc5e35e03ab0fe5a6172b54e6b8aa944f4bd9fbf2b

SHA512
5da073d40cb3cfb3f6d7b743f37934795f98a879e61b2f39b99305c79dde0bb884f490fabf278e7068cc5e8f4b1e1dbeaffc81ee995efd14fb6063d6a4bfa3cc

Download Submit
C:\Users\Admin\Desktop\ConvertFromEnter.vstm.payfast290.1E2-168-453

MD5
577494b4e410f304fafbc608371b6d75

SHA1
92dfdaa730a395e6b17dc9ff3c1a6f72aadcc6f8

SHA256
5c5316f40c677f315d91af8e035ae9e7d07d36a5581e95233a8ea4432c63cb85

SHA512
735a8ba7daac64f2bf6ab870f302259059455622cc416871346ede88d7c5dd207fe114cd371ac5e65a627d5648c0f20c0e6c240bbad91fd4e4f47833c950f5ad

Download Submit
C:\Users\Admin\Desktop\ConvertProtect.png.payfast290.1E2-168-453

MD5
5d948bd0b487b984045fa257e29f9661

SHA1
39ccbe693708f043d1b05545f15a6a176d9cc40e

SHA256
205518b0c47a1b98ee72761fed0cf457768f72f1f52255f9bf8bdf011773f19c

SHA512
ab0171e4428c677482914165cc55c38ca1fce6a03913a463f0d05a73b15353ccd5aa934c75df014b484d64ed91ab8d723f7c3cc99f92630e9b2dd71de9387760

Download Submit
C:\Users\Admin\Desktop\DenyOpen.html.payfast290.1E2-168-453

MD5
29c86ed3d5bdee62d0bb0e2b633f5fdc

SHA1
34c379b575a8d36e745b34436f0c2a19f426513b

SHA256
214e601e7b9716c93573748d358ecdad6fdb2b09c6df139d380aa3ad6c8814de

SHA512
17750f5bc2952b5e713a87afa84295d18f4e3d4371235a0a84a06615db2a1e7b511475f1b10b6d36a737cc883b68e46c281724c26f2481e5de5b144f3bb1d30b

Download Submit
C:\Users\Admin\Desktop\EnableRedo.wdp.payfast290.1E2-168-453

MD5
835878badb309925f935d6011db54036

SHA1
9e0c5147a5cd9fe676433d488f898f1d65f99124

SHA256
3182695becc87dfbeed89904cd04cd9f4dacfedbe4c5884499d0d81007728973

SHA512
c69c4c0e56ecd33b5722aea357cfe1666acb10303c7d49b1e8b9a0610d292e074ea4dcf537ea1ea812558b8b9c3f03ce2411c7f0f592feeca3d9627b11cc8a0e

Download Submit
C:\Users\Admin\Desktop\GetSearch.zip.payfast290.1E2-168-453

MD5
f38d04ac9c1f35f6bc9db66b3b7f0b98

SHA1
c4eee00a137bd68875475350e3cfac3dc68e8db2

SHA256
0f80da86745a7d7e879c754763c0efdb387d0077ccecbda88d2297eb60549e10

SHA512
52027e403f3e3dff396c7f64b3465bbd3cc8fdded16895b44b55a175d9007066bffc37b800a5b2828b9d2ecb197a584154f3e48fd266bebadf942630bfeabb54

Download Submit
C:\Users\Admin\Desktop\JoinDisable.gif.payfast290.1E2-168-453

MD5
5bf0db2ac5ddcb9062c267d94f3b4c12

SHA1
63787637fd9e077d9a5b2a6d99b546d04dd6d2e1

SHA256
b86ee6ea0dd5768d90ab7ba561d4d4cb4226f97be0927ad66c9ef97c54c219ee

SHA512
699d25315b30ce7c3da14402b263c93b43cb21e8c943f46fc998edf0cf4bc010c54b95fdb7d86f81bab022dc721b359a5cac122a2dcab501e67312263e2ca62c

Download Submit
C:\Users\Admin\Desktop\MeasureConnect.mov.payfast290.1E2-168-453

MD5
332502e257321ed387fa16cd6f795a18

SHA1
b88e5d6880be61dfe303e9b8b872f3f6736a317b

SHA256
54826c374e8ac19cc7b2a38e9dc10b936539f5ccfb12ffd3ede3e3ca275baf8a

SHA512
ae25a70d540122031ec0cfcb4441af65404a482161f4dabbbc5dd30ab4f8b18fd63113c68713b8948932c32c10c7eee5041185c64a8959687b0cbb9e49ea3f84

Download Submit
C:\Users\Admin\Desktop\MergeRename.temp.payfast290.1E2-168-453

MD5
7352e06ac20c741278cd5e7dbaec115f

SHA1
1f3bf57b2791008873b2ddd40158b3fbe2ff1eef

SHA256
36f0c5f1efffd3abfb11dd10201a9e706cff4619533e4ce0cd64069f8f76d87f

SHA512
b038130af307191e96474b505632186e7559170af7f503def14afce052a9b54da87c916a4972f8dcce7358900fa6676af441ea72af83472eca4ea227a58207c1

Download Submit
C:\Users\Admin\Desktop\RedoClose.au3.payfast290.1E2-168-453

MD5
9ee05a6b8e47b1d0ef03cbfa7e656e2f

SHA1
7635870e0332719c4933cb9997628795fe055711

SHA256
e0817c2990fff3e462a380e88dea0de14438005e81f92ef03698412e263e6918

SHA512
8a7d7ee4ae2cd4cf6eca699b3d8bd37d06103a5d3e6b5d7882b19d778678a3e7381c79ca7c647f32b316b9fd023d604b290ed4790d82d96b34d21153c42da6c2

Download Submit
C:\Users\Admin\Desktop\RedoStart.crw.payfast290.1E2-168-453

MD5
2dc9dcfca3e83ca59e0dca358a7fb007

SHA1
445b26004c011f6e544f32a78d90ec4b54db83ec

SHA256
5386e53a4705fa5f64507acbe7086e2e7cc467b9fb4732e06ed80d8c12a60da7

SHA512
86d534ea9a4db72d88312512551447d0d4e82b85a877c628b00e09cbb3158f11921ead0c071b1d8d1f6e603b2e2876c0f75b095f18b9ccaf93f50a95deed48bd

Download Submit
C:\Users\Admin\Desktop\RepairRedo.vbe.payfast290.1E2-168-453

MD5
6965f5b9d41a77057cfb4bba05418e04

SHA1
f546f366a8d39b1f9659d080474ad55340b3cadf

SHA256
1df1d560ac5280391679732532bdf23004684ab57732cd72f77962dca074eee5

SHA512
73c031ed0f41a22f797150f5e84c78da9b1c6b44479da761bfff083777896fa9e44b6471bc9410a2534bc1884a3cb845d88ac9b31a5148ef021d116838a061a5

Download Submit
C:\Users\Admin\Desktop\ResetInvoke.ppsx.payfast290.1E2-168-453

MD5
a3856d019c75d7ee7789f39ce1a4c81c

SHA1
f983912b1bdc5b52978c75b0437e6a52d34dc3c9

SHA256
54c55929036fe2134379dbc4165e978eddb23e5751337781e2a0c67423187143

SHA512
9f70a1116b03ef5ea8f3b05a23375a68b58811c49d2db9400b9fff546c1b847be393eb4866f70614fabc3ff00a30c27f94747477afc0d5218073d563aec2d7cd

Download Submit
C:\Users\Admin\Desktop\RestoreSelect.ram.payfast290.1E2-168-453

MD5
0779cfe6a5b0b1a749844ae474460d16

SHA1
685771625be2a6287461905891c3aea6e7c05ad1

SHA256
f231a2298b1dd18f1cede31569d6d97fa25445ed25735b7750366b493e5d1406

SHA512
f0b5865dc3da8a555d64b004881685a321e59c3efd2288d1629cd48d9a221b4191d8994a8ea98d3e1836f3154619ab7dec98f666bd92dea7facbbb95db1beb15

Download Submit
C:\Users\Admin\Desktop\RevokeGroup.scf.payfast290.1E2-168-453

MD5
d8595e83ee03b7e4dadddae7ba2228d5

SHA1
9b842eab8deb9ec46f1607e3f16a6c471ec9fc4c

SHA256
07397494b32952d045a6954b10b925267cc08d1586c1c801e858f217e6b035d9

SHA512
8683d7515534c1d2f158e6116226508ae3872b2850fba07f8f105a6e5288bcb591e40b00c74a9575f029b445373f24a1c1895c1e023466428e5a314c2bf89703

Download Submit
C:\Users\Admin\Desktop\RevokePush.m3u.payfast290.1E2-168-453

MD5
be3dbdd3bd94796f2efbb1b7e8e005b0

SHA1
a444b2b815702ca6865e9fa26babcb4e2a5a9691

SHA256
43193a587e56b7988ca2ef5fe1fd6b2a2eb49e5f8094a74ee4a1ba12f0b9de18

SHA512
b352d0052ab2db1015ea9a298259797b886d7fac21bf2d362150421025a048f91189413874f426d4526294980354ec8390028877de9e3c1bd603354bcf1e2288

Download Submit
C:\Users\Admin\Desktop\SearchPing.ico.payfast290.1E2-168-453

MD5
31f1fe35f46c87778911b39e08386f3f

SHA1
ae64dba94172230f135d5882c8e59529b57bbe47

SHA256
02fc5656290606fe12d2d2eeb7d4317e536f0c9637a24c0f5763643ee854c461

SHA512
25cda0793f74ad2780d3f3b810584b2e98a48a2c66a1eee15478c49767082737e3c98ba653cb7f2bd898e08d88460687915f7655c887a375f1892e2a62e375fc

Download Submit
C:\Users\Admin\Desktop\ShowMove.xps.payfast290.1E2-168-453

MD5
c8fff01ba2f592b9580cd63a22754ad3

SHA1
75d96f1800646c1238c0f999a23a0baaac34b5ef

SHA256
a8e2c1f419b08d5c5d8d8fcd31189f2f6d2a2cfbc9849930115d536118484dc0

SHA512
5cb3ec985b07514ef34a86e1d38a15f23667be28affe4423a0c2b2cbfd6bc69835c867bb527789e69a2711976d4c8ed866a9174d7fa1e4c5020873b79d638909

Download Submit
C:\Users\Admin\Desktop\StartMeasure.pcx.payfast290.1E2-168-453

MD5
ca20710516c243c85d9a987f389732ff

SHA1
c0b6c8a9676b8bfdba123ba46eacb739d0f52634

SHA256
67846171f2f19ade297405150fc5bb301171596b7f2aaaa49471b7ec320d4814

SHA512
1884366933f3678ce9712faa29f82eb9ece71874cafddc208fa268b05046cc2ff83860a8876ed5d240460ff1fcf920ba8e78f4b4d0433ed1ee1130e5356edfcf

Download Submit
C:\Users\Admin\Desktop\StopSplit.ttc.payfast290.1E2-168-453

MD5
def6428841e1636386fce9d332542322

SHA1
76816972419d4624a79b8eb510efff1e72535608

SHA256
a68781fefe1112a8a06a55e7f9dd2fcba1a24cb442e86d0f2fb681df3b3b4402

SHA512
3292316c9ffe901bd5cc68a13325a669ab4ecb91e0ee9e85089c64c97867080feca4788b00956d4f27f5e62e4c5d34b012f9d3fbd8310dce1f480fc24d5267e4

Download Submit
C:\Users\Admin\Desktop\UndoRequest.otf.payfast290.1E2-168-453

MD5
e0938070cde14cad07ee000078d63e57

SHA1
b37f001b89aa5fd90e3440e5c26443411d59c232

SHA256
57b6224a377f34fd85864dc2a5945962397d914db15f5f4fcacdfb6197a8b195

SHA512
3bacd8de00afe87bbe7bfb9cb3af4323fe4aacca073a1a6a2c1263b01eeb347d041301d049058d351a45640d0c8483481d4cfc84ccec36d6a3383bdabc7cfea1

Download Submit
C:\Users\Admin\Desktop\UnpublishShow.M2T.payfast290.1E2-168-453

MD5
4a6914b99945a6fab36f00ba0f1d1516

SHA1
72e616de260a4fa16ee52def5a096d5f0ae3af9f

SHA256
6fed571eee85761cb53eddfe029e29528199ce4bfaf46ac3397f9e8300dfbacf

SHA512
efc7a7b1ed1cadc16149e619e8fee33d716cabdf1db90c0b17ee9985ec874c05712d926e5198e4cec0a51433d048421d6a75fe540cd668c56db5db9adec52975

Download Submit
C:\Users\Admin\Desktop\WatchStop.mov.payfast290.1E2-168-453

MD5
90af43cc760e472951439d55a12e66dd

SHA1
ed1300d3c7af02993728dcc9db86abc8f972c992

SHA256
61c5c6e79295b673968f4733fc951d7ecda105ecae421177e19a335f35a1dc13

SHA512
d4dfe845108c8d6381aa7764580f132b90418701e641eab865615625cf81a9908d91e6a6d9b87bafb98d54ec0e23dfd0812a59fe0aef7a8e6627f66330d3c764

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\mozglue.dll

MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\softokn3.dll

MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/200-160-0x0000000000000000-mapping.dmp

Download
memory/584-210-0x0000000000000000-mapping.dmp

Download
memory/780-214-0x0000000000402FAB-mapping.dmp

Download
memory/1052-199-0x0000000000000000-mapping.dmp

Download
memory/1080-176-0x0000000000000000-mapping.dmp

Download
memory/1080-178-0x00000000010A0000-0x00000000010AC000-memory.dmp

Filesize
48KB

Download
memory/1080-177-0x00000000010B0000-0x00000000010B6000-memory.dmp

Filesize
24KB

Download
memory/1084-189-0x0000000000390000-0x0000000000399000-memory.dmp

Filesize
36KB

Download
memory/1084-188-0x00000000003A0000-0x00000000003A5000-memory.dmp

Filesize
20KB

Download
memory/1084-187-0x0000000000000000-mapping.dmp

Download
memory/1304-203-0x0000000000000000-mapping.dmp

Download
memory/1564-174-0x0000000002AF0000-0x0000000002AF9000-memory.dmp

Filesize
36KB

Download
memory/1564-173-0x0000000002B00000-0x0000000002B05000-memory.dmp

Filesize
20KB

Download
memory/1564-165-0x0000000000000000-mapping.dmp

Download
memory/1648-139-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/1648-138-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/1648-135-0x0000000000000000-mapping.dmp

Download
memory/1660-209-0x0000000000000000-mapping.dmp

Download
memory/1736-201-0x0000000000000000-mapping.dmp

Download
memory/1992-179-0x0000000000000000-mapping.dmp

Download
memory/2108-129-0x0000000000000000-mapping.dmp

Download
memory/2108-133-0x0000000000300000-0x000000000036B000-memory.dmp

Filesize
428KB

Download
memory/2108-132-0x0000000002A00000-0x0000000002A74000-memory.dmp

Filesize
464KB

Download
memory/2132-183-0x0000000002AD0000-0x0000000002AD9000-memory.dmp

Filesize
36KB

Download
memory/2132-181-0x0000000000000000-mapping.dmp

Download
memory/2132-182-0x0000000002AE0000-0x0000000002AE4000-memory.dmp

Filesize
16KB

Download
memory/2248-185-0x00000000006C0000-0x00000000006C5000-memory.dmp

Filesize
20KB

Download
memory/2248-184-0x0000000000000000-mapping.dmp

Download
memory/2248-186-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/2284-204-0x0000000000000000-mapping.dmp

Download
memory/2312-202-0x0000000000000000-mapping.dmp

Download
memory/2472-240-0x0000000000000000-mapping.dmp

Download
memory/2472-241-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2680-200-0x0000000000000000-mapping.dmp

Download
memory/2776-148-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/2776-146-0x0000000000000000-mapping.dmp

Download
memory/2776-149-0x0000000000150000-0x000000000015B000-memory.dmp

Filesize
44KB

Download
memory/3044-117-0x00000000010B0000-0x00000000010C6000-memory.dmp

Filesize
88KB

Download
memory/3044-216-0x00000000010F0000-0x0000000001106000-memory.dmp

Filesize
88KB

Download
memory/3244-127-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3244-124-0x0000000000000000-mapping.dmp

Download
memory/3244-136-0x0000000005550000-0x0000000005563000-memory.dmp

Filesize
76KB

Download
memory/3244-134-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3468-175-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3468-163-0x0000000000000000-mapping.dmp

Download
memory/3612-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3612-115-0x0000000000402FAB-mapping.dmp

Download
memory/3616-130-0x0000000002660000-0x00000000026EF000-memory.dmp

Filesize
572KB

Download
memory/3616-131-0x0000000000400000-0x00000000023EC000-memory.dmp

Filesize
31.9MB

Download
memory/3616-118-0x0000000000000000-mapping.dmp

Download
memory/3704-153-0x0000000000000000-mapping.dmp

Download
memory/3704-159-0x00000000001B0000-0x00000000001BF000-memory.dmp

Filesize
60KB

Download
memory/3704-158-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3744-207-0x0000000000000000-mapping.dmp

Download
memory/3756-121-0x0000000000000000-mapping.dmp

Download
memory/3816-208-0x0000000000000000-mapping.dmp

Download
memory/3892-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3972-198-0x0000000000000000-mapping.dmp

Download
memory/4012-144-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/4012-192-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/4012-141-0x000000000041A68E-mapping.dmp

Download
memory/4012-150-0x0000000005540000-0x0000000005B46000-memory.dmp

Filesize
6.0MB

Download
memory/4012-145-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/4012-190-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/4012-147-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/4012-197-0x00000000083B0000-0x00000000083B1000-memory.dmp

Filesize
4KB

Download
memory/4012-196-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/4012-195-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/4012-194-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/4012-152-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/4012-193-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/4012-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4012-151-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4012-191-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/4028-180-0x0000000000000000-mapping.dmp

Download