buran | 389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
31-08-2021 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
Size

271KB
MD5

465332d74b980baf4b1addc8f0a22f00
SHA1

cafa9267dceff6593a01a69a13da760d55fdb281
SHA256

389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70
SHA512

08b647afe383f55acc0c50d94a977fed9c7ac156932f96a3d6bda23c7ca17d45a0dd1ba209dc899efcc1427c2125f09313d11fa3e4520065a0905f7c9bebc311

Score

10^/10

buran smokeloader backdoor discovery evasion persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: B7E-2E1-DD3 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 6 IoCs

Processes:

AFD.exeE3A.exeexplorer.exesbtwfctsbtwfctexplorer.exe

pid	Process
1220	AFD.exe
1952	E3A.exe
3156	explorer.exe
3732	sbtwfct
2144	sbtwfct
580	explorer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E3A.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	E3A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	E3A.exe

Deletes itself 1 IoCs

Processes:

pid	Process
8

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x0004000000015534-122.dat	themida
behavioral1/files/0x0004000000015534-123.dat	themida
behavioral1/memory/1952-132-0x0000000000E90000-0x0000000000E91000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AFD.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	AFD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	AFD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

E3A.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E3A.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
26	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

E3A.exe

pid	Process
1952	E3A.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exesbtwfct

description	pid	Process	procid_target
PID 900 set thread context of 764	900	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe	75
PID 3732 set thread context of 2144	3732	sbtwfct	95

Drops file in Program Files directory 64 IoCs

Processes:

explorer.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-20.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-colorize.png	explorer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\DenySelect.ADT.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small2x.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\ui-strings.js.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_13h.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lc_60x42.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-150.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELM	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b93b0697.pri	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2875_24x24x32.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\config.ini.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\RunningLate.scale-64.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.ot	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\Rotate.scale-140.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerpointmui.msi.16.en-us.vreg.dat.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\Bin\LightedTextured_PixelLighting_VS.fxo	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gy_60x42.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\TXP_Flight.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX.payfast290.B7E-2E1-DD3	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ads_win10_300x250.scale-200.jpg	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-150.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-100.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\acrobat_pdf.svg	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms.payfast290.B7E-2E1-DD3	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.payfast290.B7E-2E1-DD3	explorer.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\Attribution\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\resources.pri	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\ui-strings.js.payfast290.B7E-2E1-DD3	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sbtwfct389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sbtwfct
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sbtwfct
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sbtwfct

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
4056	vssadmin.exe
1300	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

AFD.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AFD.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AFD.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe

pid	Process
764	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
764	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
8

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exesbtwfct

pid	Process
764	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
2144	sbtwfct

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AFD.exeE3A.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeDebugPrivilege	1220	AFD.exe
Token: SeDebugPrivilege	1220	AFD.exe
Token: SeDebugPrivilege	1952	E3A.exe
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeIncreaseQuotaPrivilege	2628	WMIC.exe
Token: SeSecurityPrivilege	2628	WMIC.exe
Token: SeTakeOwnershipPrivilege	2628	WMIC.exe
Token: SeLoadDriverPrivilege	2628	WMIC.exe
Token: SeSystemProfilePrivilege	2628	WMIC.exe
Token: SeSystemtimePrivilege	2628	WMIC.exe
Token: SeProfSingleProcessPrivilege	2628	WMIC.exe
Token: SeIncBasePriorityPrivilege	2628	WMIC.exe
Token: SeCreatePagefilePrivilege	2628	WMIC.exe
Token: SeBackupPrivilege	2628	WMIC.exe
Token: SeRestorePrivilege	2628	WMIC.exe
Token: SeShutdownPrivilege	2628	WMIC.exe
Token: SeDebugPrivilege	2628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2628	WMIC.exe
Token: SeRemoteShutdownPrivilege	2628	WMIC.exe
Token: SeUndockPrivilege	2628	WMIC.exe
Token: SeManageVolumePrivilege	2628	WMIC.exe
Token: 33	2628	WMIC.exe
Token: 34	2628	WMIC.exe
Token: 35	2628	WMIC.exe
Token: 36	2628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3708	WMIC.exe
Token: SeSecurityPrivilege	3708	WMIC.exe
Token: SeTakeOwnershipPrivilege	3708	WMIC.exe
Token: SeLoadDriverPrivilege	3708	WMIC.exe
Token: SeSystemProfilePrivilege	3708	WMIC.exe
Token: SeSystemtimePrivilege	3708	WMIC.exe
Token: SeProfSingleProcessPrivilege	3708	WMIC.exe
Token: SeIncBasePriorityPrivilege	3708	WMIC.exe
Token: SeCreatePagefilePrivilege	3708	WMIC.exe
Token: SeBackupPrivilege	3708	WMIC.exe
Token: SeRestorePrivilege	3708	WMIC.exe
Token: SeShutdownPrivilege	3708	WMIC.exe
Token: SeDebugPrivilege	3708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3708	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
8

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exeAFD.exesbtwfctexplorer.exe

description	pid	Process	procid_target
PID 900 wrote to memory of 764	900	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe	75
PID 900 wrote to memory of 764	900	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe	75
PID 900 wrote to memory of 764	900	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe	75
PID 900 wrote to memory of 764	900	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe	75
PID 900 wrote to memory of 764	900	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe	75
PID 900 wrote to memory of 764	900	389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe	75
PID 8 wrote to memory of 1220	8		79
PID 8 wrote to memory of 1220	8		79
PID 8 wrote to memory of 1220	8		79
PID 8 wrote to memory of 1952	8		80
PID 8 wrote to memory of 1952	8		80
PID 8 wrote to memory of 1952	8		80
PID 8 wrote to memory of 1676	8		82
PID 8 wrote to memory of 1676	8		82
PID 8 wrote to memory of 1676	8		82
PID 8 wrote to memory of 1676	8		82
PID 8 wrote to memory of 2196	8		83
PID 8 wrote to memory of 2196	8		83
PID 8 wrote to memory of 2196	8		83
PID 8 wrote to memory of 4000	8		84
PID 8 wrote to memory of 4000	8		84
PID 8 wrote to memory of 4000	8		84
PID 8 wrote to memory of 4000	8		84
PID 8 wrote to memory of 3892	8		85
PID 8 wrote to memory of 3892	8		85
PID 8 wrote to memory of 3892	8		85
PID 8 wrote to memory of 3952	8		86
PID 8 wrote to memory of 3952	8		86
PID 8 wrote to memory of 3952	8		86
PID 8 wrote to memory of 3952	8		86
PID 1220 wrote to memory of 3156	1220	AFD.exe	87
PID 1220 wrote to memory of 3156	1220	AFD.exe	87
PID 1220 wrote to memory of 3156	1220	AFD.exe	87
PID 1220 wrote to memory of 3932	1220	AFD.exe	88
PID 1220 wrote to memory of 3932	1220	AFD.exe	88
PID 1220 wrote to memory of 3932	1220	AFD.exe	88
PID 1220 wrote to memory of 3932	1220	AFD.exe	88
PID 1220 wrote to memory of 3932	1220	AFD.exe	88
PID 1220 wrote to memory of 3932	1220	AFD.exe	88
PID 8 wrote to memory of 692	8		89
PID 8 wrote to memory of 692	8		89
PID 8 wrote to memory of 692	8		89
PID 8 wrote to memory of 500	8		90
PID 8 wrote to memory of 500	8		90
PID 8 wrote to memory of 500	8		90
PID 8 wrote to memory of 500	8		90
PID 8 wrote to memory of 4028	8		91
PID 8 wrote to memory of 4028	8		91
PID 8 wrote to memory of 4028	8		91
PID 8 wrote to memory of 2724	8		92
PID 8 wrote to memory of 2724	8		92
PID 8 wrote to memory of 2724	8		92
PID 8 wrote to memory of 2724	8		92
PID 3732 wrote to memory of 2144	3732	sbtwfct	95
PID 3732 wrote to memory of 2144	3732	sbtwfct	95
PID 3732 wrote to memory of 2144	3732	sbtwfct	95
PID 3732 wrote to memory of 2144	3732	sbtwfct	95
PID 3732 wrote to memory of 2144	3732	sbtwfct	95
PID 3732 wrote to memory of 2144	3732	sbtwfct	95
PID 3156 wrote to memory of 60	3156	explorer.exe	96
PID 3156 wrote to memory of 60	3156	explorer.exe	96
PID 3156 wrote to memory of 60	3156	explorer.exe	96
PID 3156 wrote to memory of 736	3156	explorer.exe	97
PID 3156 wrote to memory of 736	3156	explorer.exe	97

C:\Users\Admin\AppData\Local\Temp\389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
"C:\Users\Admin\AppData\Local\Temp\389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe
  "C:\Users\Admin\AppData\Local\Temp\389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:764

C:\Users\Admin\AppData\Local\Temp\AFD.exe
C:\Users\Admin\AppData\Local\Temp\AFD.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:60
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:192
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3708
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1300
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:580
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2180
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3932

C:\Users\Admin\AppData\Local\Temp\E3A.exe
C:\Users\Admin\AppData\Local\Temp\E3A.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1676

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4000

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3892

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3952

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:500

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Roaming\sbtwfct
C:\Users\Admin\AppData\Roaming\sbtwfct
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Roaming\sbtwfct
  C:\Users\Admin\AppData\Roaming\sbtwfct
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
2bb3242b7872fd21893eb6be521e1a52

SHA1
6bf43f7f3135d462b2c6eb9812b14f931bc17b54

SHA256
9ff6689c92b962ef911a24911cf4ac5a2f5ffc152898e7ad440e30c42d7f5e80

SHA512
427d56556eeb1f8fd458960c2af984c50a2a436d281cd896ea0267a9e743795e90ac7ab2cb7c7b37ce3a1831d7d37ac8712519ffa8225b0aca7aabbe460bf7a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
0144ffd79878c926ddbaee46eb99603e

SHA1
6067e3ac23545c6a555117c1f9655fd843fd3a13

SHA256
bbbb5dcf77923a428b481c873bec0fe59bea35213428be989dbd39bfa6b190e2

SHA512
57a11b74dd15b1e5606a61eed2f63f13011d5bc5ba1672fb0fb74416d12e37dd268910da25b9caa0313780f25d534a0c92d4f9e0edb142bdeb00bf05dca9a657

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
b8a33b6347c4ecf75e9257a5ce6afe48

SHA1
f44c1494ce56e211eed869eb58ccdc7e5d26a359

SHA256
46c77db87979b4f8d599c84f4d020016268b33f0018d52f335750259395dcda5

SHA512
6742118e5afd3e3c3aac45d09ff862895dfffe368054d7d58f27f728ff1a935f39868eb42afe5bd322333420fcfff0289d1f237a0bc29c0b36f317313527c1ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\PJQQKLLX.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\NB91308E.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFD.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFD.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3A.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3A.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\sbtwfct

MD5
465332d74b980baf4b1addc8f0a22f00

SHA1
cafa9267dceff6593a01a69a13da760d55fdb281

SHA256
389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70

SHA512
08b647afe383f55acc0c50d94a977fed9c7ac156932f96a3d6bda23c7ca17d45a0dd1ba209dc899efcc1427c2125f09313d11fa3e4520065a0905f7c9bebc311

Download Submit
C:\Users\Admin\AppData\Roaming\sbtwfct

MD5
465332d74b980baf4b1addc8f0a22f00

SHA1
cafa9267dceff6593a01a69a13da760d55fdb281

SHA256
389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70

SHA512
08b647afe383f55acc0c50d94a977fed9c7ac156932f96a3d6bda23c7ca17d45a0dd1ba209dc899efcc1427c2125f09313d11fa3e4520065a0905f7c9bebc311

Download Submit
C:\Users\Admin\AppData\Roaming\sbtwfct

MD5
465332d74b980baf4b1addc8f0a22f00

SHA1
cafa9267dceff6593a01a69a13da760d55fdb281

SHA256
389080a33305c9ae736daa068edd380c5c0cd7af03529cda8f852c6b2353cd70

SHA512
08b647afe383f55acc0c50d94a977fed9c7ac156932f96a3d6bda23c7ca17d45a0dd1ba209dc899efcc1427c2125f09313d11fa3e4520065a0905f7c9bebc311

Download Submit
C:\Users\Admin\Desktop\AddReceive.htm.payfast290.B7E-2E1-DD3

MD5
0150c23884b1d283d7d41c595d4d068a

SHA1
aef5d38753d33628985ee363c26b5dd96a03b394

SHA256
9e801ae843951a08be95aa354738c995b09d42267ff0c7b20e7cefcf628fe00b

SHA512
0317cf1aebd2976707f722077686556dfbfba07f3c70721077835ac50310cb868f510dd4b46f79a25e071d47307f58d5178bc7ca5ec191e4cdb1213d519e4d31

Download Submit
C:\Users\Admin\Desktop\AddShow.pps.payfast290.B7E-2E1-DD3

MD5
f4e8981b1bbafd666f9fbf43aba8c2d7

SHA1
0f9a73283a0817bfef40f3b1fae355228c6d82a8

SHA256
3917311af39c97167921676b8111a8264a03fa10ecb1d29d37b4951251c3816f

SHA512
a541311656fa366fb86aeb218dca32fd9bae79c45d694b127de1ba979a06db2c47572dc08d077f7732a25e26f632c62a6d0aa8cacbd87a62b59c538ea6de6e44

Download Submit
C:\Users\Admin\Desktop\ApproveResume.rmi.payfast290.B7E-2E1-DD3

MD5
ae0a9728f7b7385c4a5354adc673ce30

SHA1
64b1feae0aae94badb4e30e262ce1dcf1b807110

SHA256
77c11e83511a46b1621f82494031f15dfe71607906de9f74192a7273c5a2416f

SHA512
f39d09ccfa29da900073c05e9c41557edd7f1882a65f41c847eca665623388f926ad0b6a5510571e09094c586f48cbc83ae750819520311a0979393ba6fbf335

Download Submit
C:\Users\Admin\Desktop\ApproveSplit.vstx.payfast290.B7E-2E1-DD3

MD5
b1b133f58da08fd466bce7d8855aa3aa

SHA1
9e3c22652c118e33e43fe6c95c750c7d4b25d742

SHA256
0387cdcae1212e3894a35448b9508dd96ff8c01f2c2ea1a73c4797dd78158af6

SHA512
b534497a481a7d7d98683b5e4d9db5cce9b7f037b0a92510a646f4a4c6e4d7f7eb75d6a79418142e21770ab90b2c15cca7c1e543e9c6ee9db93079e099b10898

Download Submit
C:\Users\Admin\Desktop\CompareShow.snd.payfast290.B7E-2E1-DD3

MD5
0dc73c15d61384e476c4ae4cfb3aa602

SHA1
a233a4acbaf3dbd1c639fa9f9c42c030d8ee87bc

SHA256
9dc64886a785d976cfe6c4e61dff876f28335da66f42d1d19ff8dde22e436525

SHA512
19aacba57bd68a1b716bc84fdb86e03574b02829ca284a4cc66b536072ae8359a6232a2a7e6deb7a1a77703840bdcbeb300862cc9a31039cf109c16fba9b6a14

Download Submit
C:\Users\Admin\Desktop\CompressResume.mp4v.payfast290.B7E-2E1-DD3

MD5
0957f18954eb834518affc60e63fff55

SHA1
b8c79a5d9ac6bf1f9ce7ef3b48ac0568274b64a9

SHA256
a3fd25dedf9af2fa49a42d2c6e5f7273a5555cc362f1de06bff974468111a7ca

SHA512
31559d5295b4aedd6cf75607ab8388950ea9e7960c22cf101f4b374999fc04c299a81d33647c1a0d315b535ec997dde8823b72b7bf11aa0be79fbcae3318b654

Download Submit
C:\Users\Admin\Desktop\ConfirmUpdate.mpe.payfast290.B7E-2E1-DD3

MD5
5f67c2ea816b96c45c5827396c45e2da

SHA1
b60bc9ac4676363dda59da469fc19dfbcd8c53cb

SHA256
d987418f3b23351ea4fc17d1e94548f54b7e19eccf16961db26afad810af44bd

SHA512
0b6ee4770276a2a3c3549424204a6fe33180c3a69602099430b9725f31c1ec50b4a5ffe4d9004a8a8cffdf51ecd2742d7093bc2959baddbc30d139cc2e89c372

Download Submit
C:\Users\Admin\Desktop\DisableSplit.ods.payfast290.B7E-2E1-DD3

MD5
59519124f20a305b8e55fb1e68972e74

SHA1
d9102155b057d7f90e856edaf45bf53e476ac71c

SHA256
4f376feb698f65d0f3dff0d4bf1d0336facca13a6ce4950f4029ad6a5fa87cef

SHA512
168652cfffe2f0e8998f9bcf55533666ecc8487c91e971ffdbfaef9a3c1d9608b1147ae4058932b07abe893f81605f98f84a994b67fbd9024ffb31cab38c00e4

Download Submit
C:\Users\Admin\Desktop\MountSearch.dxf.payfast290.B7E-2E1-DD3

MD5
117143c593ff735a8822c81dff2c8177

SHA1
b167f14e9f3e2fc73132058256c26c550dc369b9

SHA256
b20d2cfa9d2f1e9c421784eda3e99f710df348cec7c29043b1f87f2e0c8d33d3

SHA512
2596b81c571af1f2cd0fe33f47bf7ec45b9906e44fbf8ed9649ca5d9573971e7cbf725b412778615cb7a191d25468ad709a4b874ccfa4c70b3803274559aa547

Download Submit
C:\Users\Admin\Desktop\MoveRegister.cfg.payfast290.B7E-2E1-DD3

MD5
16fc8c19d6eafc39eadbc7a5fdbc5ca5

SHA1
bee8fab4c195de761eb8556b6b27f7449e702851

SHA256
92e325f1018911c6a840773e46c182a719f0c6d2dfc7246f51c19e312e8d3feb

SHA512
dae22e4fd20bfe850ac6e201c1f07bf512e6d9b9f74b88cc0e47752925e90db95bc531e5773a02bf03c3fb7169abdcc79caf4884b22c8a9f7875cb891bcd8122

Download Submit
C:\Users\Admin\Desktop\OpenResize.mp4v.payfast290.B7E-2E1-DD3

MD5
720f6c35e9c0bf35bbc015d4fb56fd2e

SHA1
d687952ccbe05d0e0915b97d1ff22132bcb5b47b

SHA256
feb6977f8b7b92ea241a39a35200b245e3f3219e7eb93dc19699b546a3afb841

SHA512
35e0ea0a9fa94609852c6660cbfa777ab5fafdd6a5a25d7f99c1443526fb99d550227a42712cae01636f106e6468d606604a58274f78c573992ee73c16bd5c1d

Download Submit
C:\Users\Admin\Desktop\OptimizeRequest.ps1.payfast290.B7E-2E1-DD3

MD5
29423a0e84d2b964e1940d572a56ab1b

SHA1
5a0a8fe6fb509f44d60c67aeba8d8ef54987d30d

SHA256
c9c8165f5c26da782969669a1d5d65e62902ffe50cb5951b1c4e9f0bcda14bc7

SHA512
eaddf651da979ac778d5293ddb4163a8aafdbfc3ef059750a3dc735c9e6d8fab82e22cb7e6e3694e37801efb9f405a88d7a14940b85cd77fe6ffd0a981db0bd1

Download Submit
C:\Users\Admin\Desktop\ProtectConfirm.jpeg.payfast290.B7E-2E1-DD3

MD5
ae87acab8e8b9ff9c25948de5f03a4e5

SHA1
cdf75d293c6614aa6b90ecd549d403d8d27e4235

SHA256
0a44f711209e13fcc82c4fa1d25f3e0435d4ca7a3bdd12995cc62112f8081545

SHA512
0fae5d15f8253de48cdec3e18ad19c99510429aac30bf8c27edf0acf8be7a0fe6307302c2756bea3f2b839807b8076ac55860f51edb046139aa0990ec09748d1

Download Submit
C:\Users\Admin\Desktop\PushOpen.tif.payfast290.B7E-2E1-DD3

MD5
a648a36f846fab45d2436fef6a6617c0

SHA1
87d6551a263cb73f5fa49273049687ecd044d4e5

SHA256
e42dc59f4858e54c838f8ff218e5699dbea6323d3e37d3bddcde12547aefafe7

SHA512
b0ee0fb53cb4afeffd65a041a487e7b1161e175f83ced193fca2b36d2813cc6bf67e3e32f639e893d139343bc6cf28229e3824bddee4fe90caf61ba4d028b43b

Download Submit
C:\Users\Admin\Desktop\RenameExpand.docm.payfast290.B7E-2E1-DD3

MD5
7934d8fa0b741d63a7dbe4e056565f77

SHA1
cde9fa4808bd39a5a09b4aac6bca01f8abb60091

SHA256
26aa0398347efecd8e19d59e81a88b30d11e2327481452f5d4397b37c00d3e05

SHA512
f9112a3e92a3dc95b77c84328bc18df227b4beef56b114abad210cfe57a17979a589a84fb70a16f75f6e1e2dfb1eeed266629658814cbec910313143d56d84e1

Download Submit
C:\Users\Admin\Desktop\RenameMount.easmx.payfast290.B7E-2E1-DD3

MD5
c30c91092e401795dd2e928e171effcb

SHA1
9c5b062aef8512ba1fb2f29224be3ffc91556ff6

SHA256
f6d7fc36ba458087cd770bfb11dc37858d45c5062cabed1c2be968128a89db3f

SHA512
f71ae81d2fddc4bc95d079e13614148cc2a0afd8a915f5db646f294f0c7fec0ab0cfcb8c2601656780de840781a6ed7afc0f23d409d3ff55865669d02c64eb98

Download Submit
C:\Users\Admin\Desktop\RequestUnblock.inf.payfast290.B7E-2E1-DD3

MD5
f4eebf1bdb2f9d8e42bcdc28a21c2ea0

SHA1
060e38dc8b78734fd28991c3f688631b0ff69bd2

SHA256
65abefd86ca90c4170a3e18fab3fd3fc998515823516110e2cce2d8e439210f7

SHA512
24f271c72eb42919640834648802391ed36ed5166ee8e6f2488e3f8708849d8162e42f29368a1b66f8a1c2daa09389ef27e6825c6f394a40f18a25085d415814

Download Submit
C:\Users\Admin\Desktop\ResetExit.svgz.payfast290.B7E-2E1-DD3

MD5
1da78b783289d538b1270267205a2a63

SHA1
152f558403c8280ed2fd66c4830a730bc7b99e88

SHA256
c7ac432a624f9e39bfd339665689c4116be723645718ff0278d3e2c13b79e7ff

SHA512
67c319d4f5aff5b72fc19fe49d7fa239ed879bdebf1f5e0a0e8030d34e834795c5695bfe1b795f2a572fbeeb573e919602a894237e36cf5a2144dc1b31d1df5b

Download Submit
C:\Users\Admin\Desktop\ResetImport.dot.payfast290.B7E-2E1-DD3

MD5
3813bbf224363877ccf7bf3a39956a26

SHA1
3df941bb9355fbc0ba7beff96b9b31bbec179938

SHA256
caad992a19e6212cf8ea88076be1cb2d97046fcf407872409422be2a6e4c62c9

SHA512
c91a7a29da8b2f32aa6fed338028e1cb4442aa545cfd71174ba4271f80f7876de495fde631f4f33346ddb9216bc4f3c5269d67deb13c8454a091466176c308b0

Download Submit
C:\Users\Admin\Desktop\RestartExit.avi.payfast290.B7E-2E1-DD3

MD5
ac8984d5b9d7e6405fd919346f7f164e

SHA1
c672e09d12b2b4be6aa693570ebece290a9985e3

SHA256
2ea4d197de56f61da96b61512de48b050600b1cb501aef4e92923bea715098c4

SHA512
a4cb6cc0c8076e62dacad92d6fe850aa2f2037dbd87478e4b22c56692dce58ac35a79b555520e31484b79559445a2d3640e7d4b1c1a32104e7f598f011cac490

Download Submit
C:\Users\Admin\Desktop\SaveDismount.DVR-MS.payfast290.B7E-2E1-DD3

MD5
66fbb37522240de858770bd8e90da3e1

SHA1
3c7a2a4855ad5c96d74afa368595358b84e7eed1

SHA256
88d841eaceccedf03bd10f70df982e414e4f6ff267c8d7754c0e02513d6a002f

SHA512
939c24821417720331682992530b4ed0128b66f31f6848fe3d0d9f038089add25c975754db74336aa74233f910265e8a68940ebbb6b800db3221c91750d0739e

Download Submit
C:\Users\Admin\Desktop\SaveGroup.aif.payfast290.B7E-2E1-DD3

MD5
d5a995f58024f263c7ab4cc892e67240

SHA1
e29df69d5570697c08afd56415282e3efc55d460

SHA256
b4df2de1f2c1561292312894191cae9d4cb223ff3f60f2adbaf73b7fe535cefe

SHA512
a5d8c69f33ee00bb1354faf1dc2abb01e6360c78261c36b16a07e2ba86bba7914bf48623718d1e06203306c9de811e9eabdcab3a5690feb5ad6ea3c184095a3c

Download Submit
C:\Users\Admin\Desktop\TraceRemove.search-ms.payfast290.B7E-2E1-DD3

MD5
80158abea0af3da35edd4ee4fb9275ec

SHA1
4af67dc0b1484c4c9895379d718a0c4a863b37dd

SHA256
f5d8cd20b48faf7920896016b74cb3f58ef4d12d62dfd376caa093d48dcdfc94

SHA512
bab14077b0759c8cdf8ad5e4ecb4061c0666a4ca7f9ecb592507f7eea8629b20a4ee31124b0c82b592e50a705e8cfdcba3b7075a008954135c7a65d03c21a99c

Download Submit
C:\Users\Admin\Desktop\UnlockWatch.js.payfast290.B7E-2E1-DD3

MD5
037fcc5ca04a0bcc8696151d401bb337

SHA1
e6938a928e2c71534ecde73ffd2ecfbcbcad19cc

SHA256
b68619d560fe8eaeb13430cfe7f4a9d046d63f3a94750c75eb651701a208ee64

SHA512
b663389197c0360b84c972ae42a7e7d906f5b115e2d814ca9bab6ec4c8d3045635baac7b87922187da6e00347dd6d90de77b5f3017150beabb6fcd31fe3eec9f

Download Submit
C:\Users\Admin\Desktop\UseResolve.ttc.payfast290.B7E-2E1-DD3

MD5
e9da0ccb006faf735ffbb504bf34ace5

SHA1
6c60be5476872a6503727737346d9abe553b6af2

SHA256
6008911ff52debfcdb488b68ef4aaf7ec70a14099a0924693c5246422ce64f68

SHA512
5518cba0f289acd132f6c96a9f6f1ad0000d83e8b45aa9d2f727f7f3bc2c0dcb4c47516d8d599a63d64e4aeb32e9bab5947f21e9768ec1e19abf034321e0ffa1

Download Submit
C:\Users\Admin\Desktop\WriteRevoke.vb.payfast290.B7E-2E1-DD3

MD5
33441314c51dbffde2aa7e996af13d84

SHA1
1a12ad6d2660dd58c9d855c9681d2044519c3935

SHA256
94b1ff7ace37cb86bfea9e9aa828a9dd006682978d5571518ca3a86f6c2df2fb

SHA512
908c8ec52af10a9d2cec83de28a987a60007e9a89addfb0fa665a4a7731d7698ea53854c03a3e577b3bca1f66c50631060c61a3031143be795cb94f77d1b6dbf

Download Submit
memory/8-186-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/8-117-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/60-187-0x0000000000000000-mapping.dmp

Download
memory/192-191-0x0000000000000000-mapping.dmp

Download
memory/500-165-0x0000000000000000-mapping.dmp

Download
memory/500-167-0x0000000002580000-0x0000000002589000-memory.dmp

Filesize
36KB

Download
memory/500-166-0x0000000002590000-0x0000000002594000-memory.dmp

Filesize
16KB

Download
memory/580-193-0x0000000000000000-mapping.dmp

Download
memory/692-155-0x0000000000000000-mapping.dmp

Download
memory/692-164-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/692-163-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/736-188-0x0000000000000000-mapping.dmp

Download
memory/764-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/764-116-0x0000000000402FAB-mapping.dmp

Download
memory/900-114-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/1220-118-0x0000000000000000-mapping.dmp

Download
memory/1220-192-0x0000000000000000-mapping.dmp

Download
memory/1300-199-0x0000000000000000-mapping.dmp

Download
memory/1676-124-0x0000000000000000-mapping.dmp

Download
memory/1676-127-0x0000000002A00000-0x0000000002A74000-memory.dmp

Filesize
464KB

Download
memory/1676-128-0x0000000002780000-0x00000000027EB000-memory.dmp

Filesize
428KB

Download
memory/1952-141-0x0000000006170000-0x0000000006171000-memory.dmp

Filesize
4KB

Download
memory/1952-175-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/1952-145-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1952-142-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1952-121-0x0000000000000000-mapping.dmp

Download
memory/1952-180-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/1952-174-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/1952-176-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/1952-179-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/1952-178-0x0000000008CC0000-0x0000000008CC1000-memory.dmp

Filesize
4KB

Download
memory/1952-139-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1952-138-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1952-129-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1952-134-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/1952-132-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1952-177-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/2144-184-0x0000000000402FAB-mapping.dmp

Download
memory/2180-226-0x0000000000000000-mapping.dmp

Download
memory/2196-130-0x0000000000DE0000-0x0000000000DE7000-memory.dmp

Filesize
28KB

Download
memory/2196-131-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/2196-126-0x0000000000000000-mapping.dmp

Download
memory/2628-198-0x0000000000000000-mapping.dmp

Download
memory/2724-173-0x00000000032B0000-0x00000000032B9000-memory.dmp

Filesize
36KB

Download
memory/2724-172-0x00000000032C0000-0x00000000032C5000-memory.dmp

Filesize
20KB

Download
memory/2724-171-0x0000000000000000-mapping.dmp

Download
memory/2860-190-0x0000000000000000-mapping.dmp

Download
memory/3156-149-0x0000000000000000-mapping.dmp

Download
memory/3700-189-0x0000000000000000-mapping.dmp

Download
memory/3708-197-0x0000000000000000-mapping.dmp

Download
memory/3892-143-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/3892-140-0x0000000000000000-mapping.dmp

Download
memory/3892-144-0x00000000004F0000-0x00000000004FF000-memory.dmp

Filesize
60KB

Download
memory/3932-162-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3932-152-0x0000000000000000-mapping.dmp

Download
memory/3952-148-0x0000000002580000-0x0000000002589000-memory.dmp

Filesize
36KB

Download
memory/3952-147-0x0000000002590000-0x0000000002595000-memory.dmp

Filesize
20KB

Download
memory/3952-146-0x0000000000000000-mapping.dmp

Download
memory/4000-137-0x0000000003050000-0x000000000305B000-memory.dmp

Filesize
44KB

Download
memory/4000-136-0x0000000003060000-0x0000000003067000-memory.dmp

Filesize
28KB

Download
memory/4000-135-0x0000000000000000-mapping.dmp

Download
memory/4028-168-0x0000000000000000-mapping.dmp

Download
memory/4028-169-0x0000000000BE0000-0x0000000000BE5000-memory.dmp

Filesize
20KB

Download
memory/4028-170-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/4056-195-0x0000000000000000-mapping.dmp

Download