buran | 2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524

Analysis

max time kernel
151s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
31-08-2021 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe
Size

271KB
MD5

2ac2d205677f7511bfcf371574a65bad
SHA1

0ca6c3949b40989649411bdde8a9b162b2f11ae3
SHA256

2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524
SHA512

f82b77d0ee1defce0852a59b9050ef9316d9ad180d3cfcb09e045187dff40d5ac7acbdba53c9f930f80edba19395eabc96534d90a18dd4e44673326dbd266434

Score

10^/10

buran smokeloader backdoor discovery evasion persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 166-96C-5A1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 4 IoCs

Processes:

7209.exe7546.exeservices.exeservices.exe

pid	Process
3920	7209.exe
3152	7546.exe
2272	services.exe
2396	services.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

services.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\EnableHide.tiff	services.exe
File opened for modification	C:\Users\Admin\Pictures\SetUse.tiff	services.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitUnpublish.tiff	services.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7546.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7546.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7546.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3052

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x0004000000015518-122.dat	themida
behavioral1/files/0x0004000000015518-124.dat	themida
behavioral1/memory/3152-126-0x0000000000FA0000-0x0000000000FA1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7209.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	7209.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	7209.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7546.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7546.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	Process
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\B:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
26	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7546.exe

pid	Process
3152	7546.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe

description	pid	Process	procid_target
PID 3736 set thread context of 2124	3736	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe	76

Drops file in Program Files directory 64 IoCs

Processes:

services.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-150.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osmuxmui.msi.16.en-us.vreg.dat.payfast290.166-96C-5A1	services.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Resources\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\WindowsPhoneReservedAppInfo.xml	services.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-white_scale-200.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_18.svg	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\ui-strings.js	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js.payfast290.166-96C-5A1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Goal_5.jpg	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\Generic_placeholder.png	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-100.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.payfast290.166-96C-5A1	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl.payfast290.166-96C-5A1	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Tips_1.jpg	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3569_40x40x32.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-125.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg.payfast290.166-96C-5A1	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Blizzard-of_Bliss_Unearned_small.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PeopleSmallTile.scale-125.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-100.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.payfast290.166-96C-5A1	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.payfast290.166-96C-5A1	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-20.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsStoreLogo.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-24.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Rename.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-150.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Popup_2.jpg	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Background3.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_DogNose.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.payfast290.166-96C-5A1	services.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\OneConnectBadgeLogo.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\vg_16x11.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg.payfast290.166-96C-5A1	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.payfast290.166-96C-5A1	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.payfast290.166-96C-5A1	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemui.msi.16.en-us.vreg.dat	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-200.png	services.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe

Drops file in Windows directory 1 IoCs

Processes:

services.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
1344	vssadmin.exe
4116	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7209.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7209.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7209.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe

pid	Process
2124	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe
2124	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3052

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe

pid	Process
2124	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7209.exe7546.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	3920	7209.exe
Token: SeDebugPrivilege	3920	7209.exe
Token: SeDebugPrivilege	3152	7546.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeIncreaseQuotaPrivilege	4056	WMIC.exe
Token: SeSecurityPrivilege	4056	WMIC.exe
Token: SeTakeOwnershipPrivilege	4056	WMIC.exe
Token: SeLoadDriverPrivilege	4056	WMIC.exe
Token: SeSystemProfilePrivilege	4056	WMIC.exe
Token: SeSystemtimePrivilege	4056	WMIC.exe
Token: SeProfSingleProcessPrivilege	4056	WMIC.exe
Token: SeIncBasePriorityPrivilege	4056	WMIC.exe
Token: SeCreatePagefilePrivilege	4056	WMIC.exe
Token: SeBackupPrivilege	4056	WMIC.exe
Token: SeRestorePrivilege	4056	WMIC.exe
Token: SeShutdownPrivilege	4056	WMIC.exe
Token: SeDebugPrivilege	4056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4056	WMIC.exe
Token: SeRemoteShutdownPrivilege	4056	WMIC.exe
Token: SeUndockPrivilege	4056	WMIC.exe
Token: SeManageVolumePrivilege	4056	WMIC.exe
Token: 33	4056	WMIC.exe
Token: 34	4056	WMIC.exe
Token: 35	4056	WMIC.exe
Token: 36	4056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2228	WMIC.exe
Token: SeSecurityPrivilege	2228	WMIC.exe
Token: SeTakeOwnershipPrivilege	2228	WMIC.exe
Token: SeLoadDriverPrivilege	2228	WMIC.exe
Token: SeSystemProfilePrivilege	2228	WMIC.exe
Token: SeSystemtimePrivilege	2228	WMIC.exe
Token: SeProfSingleProcessPrivilege	2228	WMIC.exe
Token: SeIncBasePriorityPrivilege	2228	WMIC.exe
Token: SeCreatePagefilePrivilege	2228	WMIC.exe
Token: SeBackupPrivilege	2228	WMIC.exe
Token: SeRestorePrivilege	2228	WMIC.exe
Token: SeShutdownPrivilege	2228	WMIC.exe
Token: SeDebugPrivilege	2228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2228	WMIC.exe
Token: SeRemoteShutdownPrivilege	2228	WMIC.exe
Token: SeUndockPrivilege	2228	WMIC.exe
Token: SeManageVolumePrivilege	2228	WMIC.exe
Token: 33	2228	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pid	Process
3052

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid	Process
3052
3052
3052
3052

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe7209.exeservices.exe

description	pid	Process	procid_target
PID 3736 wrote to memory of 2124	3736	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe	76
PID 3736 wrote to memory of 2124	3736	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe	76
PID 3736 wrote to memory of 2124	3736	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe	76
PID 3736 wrote to memory of 2124	3736	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe	76
PID 3736 wrote to memory of 2124	3736	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe	76
PID 3736 wrote to memory of 2124	3736	2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe	76
PID 3052 wrote to memory of 3920	3052		80
PID 3052 wrote to memory of 3920	3052		80
PID 3052 wrote to memory of 3920	3052		80
PID 3052 wrote to memory of 3152	3052		81
PID 3052 wrote to memory of 3152	3052		81
PID 3052 wrote to memory of 3152	3052		81
PID 3052 wrote to memory of 3932	3052		83
PID 3052 wrote to memory of 3932	3052		83
PID 3052 wrote to memory of 3932	3052		83
PID 3052 wrote to memory of 3932	3052		83
PID 3052 wrote to memory of 3064	3052		84
PID 3052 wrote to memory of 3064	3052		84
PID 3052 wrote to memory of 3064	3052		84
PID 3052 wrote to memory of 2380	3052		85
PID 3052 wrote to memory of 2380	3052		85
PID 3052 wrote to memory of 2380	3052		85
PID 3052 wrote to memory of 2380	3052		85
PID 3052 wrote to memory of 4084	3052		86
PID 3052 wrote to memory of 4084	3052		86
PID 3052 wrote to memory of 4084	3052		86
PID 3920 wrote to memory of 2272	3920	7209.exe	87
PID 3920 wrote to memory of 2272	3920	7209.exe	87
PID 3920 wrote to memory of 2272	3920	7209.exe	87
PID 3920 wrote to memory of 3176	3920	7209.exe	88
PID 3920 wrote to memory of 3176	3920	7209.exe	88
PID 3920 wrote to memory of 3176	3920	7209.exe	88
PID 3920 wrote to memory of 3176	3920	7209.exe	88
PID 3920 wrote to memory of 3176	3920	7209.exe	88
PID 3920 wrote to memory of 3176	3920	7209.exe	88
PID 3052 wrote to memory of 384	3052		89
PID 3052 wrote to memory of 384	3052		89
PID 3052 wrote to memory of 384	3052		89
PID 3052 wrote to memory of 384	3052		89
PID 3052 wrote to memory of 2232	3052		90
PID 3052 wrote to memory of 2232	3052		90
PID 3052 wrote to memory of 2232	3052		90
PID 3052 wrote to memory of 1364	3052		91
PID 3052 wrote to memory of 1364	3052		91
PID 3052 wrote to memory of 1364	3052		91
PID 3052 wrote to memory of 1364	3052		91
PID 3052 wrote to memory of 2192	3052		92
PID 3052 wrote to memory of 2192	3052		92
PID 3052 wrote to memory of 2192	3052		92
PID 3052 wrote to memory of 2648	3052		93
PID 3052 wrote to memory of 2648	3052		93
PID 3052 wrote to memory of 2648	3052		93
PID 3052 wrote to memory of 2648	3052		93
PID 2272 wrote to memory of 1832	2272	services.exe	95
PID 2272 wrote to memory of 1832	2272	services.exe	95
PID 2272 wrote to memory of 1832	2272	services.exe	95
PID 2272 wrote to memory of 2188	2272	services.exe	96
PID 2272 wrote to memory of 2188	2272	services.exe	96
PID 2272 wrote to memory of 2188	2272	services.exe	96
PID 2272 wrote to memory of 804	2272	services.exe	107
PID 2272 wrote to memory of 804	2272	services.exe	107
PID 2272 wrote to memory of 804	2272	services.exe	107
PID 2272 wrote to memory of 1012	2272	services.exe	98
PID 2272 wrote to memory of 1012	2272	services.exe	98

C:\Users\Admin\AppData\Local\Temp\2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe
"C:\Users\Admin\AppData\Local\Temp\2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe
  "C:\Users\Admin\AppData\Local\Temp\2abd335516a4a9e4fb06c9d8ed05bf9c7a22fc6ae4c05a583ca2aadf34fca524.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2124

C:\Users\Admin\AppData\Local\Temp\7209.exe
C:\Users\Admin\AppData\Local\Temp\7209.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1832
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:3456
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2228
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4116
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:804
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4320
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3176

C:\Users\Admin\AppData\Local\Temp\7546.exe
C:\Users\Admin\AppData\Local\Temp\7546.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3932

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2380

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:384

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2232

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1364

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2192

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
b48c7d228d6470c460510154869c147b

SHA1
6c3eb1a2ead2fa3e4bab426886ef67998c817425

SHA256
849157ed8b930e94f75edde0cdb451b78ccc579747de21c3a65e45271566dcf9

SHA512
2fbef74ada1a682cd9b70ba1183234d1c3ea27e1f7c87ea912899d52588a1a2a95a8627639c8d94c051bf32d0e9b369ca1d0f0f6ce0cd7cc97428ecab779d7b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
c59a619b76076f4be350ac8f58855389

SHA1
5ef4cc7bbad70f90ca4e1b6f73830c62e2ffb65b

SHA256
201e4a3ef88847e9a2815aeb992f2f9eb6f656d20780015d8e41112389d17fce

SHA512
56ab988005ecec9c69d20a16f9e8000c5b6183b1ba63b12c1ba5b96afefd07b02a64335a924f3680eee95ff614f3d0ba8b83160c64b3ecad4105be0755777465

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
12c304d24c614771a81669bdff193d3d

SHA1
f655e8289d6d0740f8c092a6c50c762bdd39cab4

SHA256
cc86fd1fc91b20c7cbb84950a322cde29dbd8a3b24223364bcea866c7e05c179

SHA512
03c10a555e027ebb064a90c9d7ee4bec17427ee36a8e9fc062acad591f857804d34108d180ecf9d0f2e00f1cd33811e842ed11f2471cd9efaed58ec063b7878d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GDGLHSEM\XQLN1MZ1.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\8GJKZAUL.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7209.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7209.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7546.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\7546.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\Desktop\AssertGet.sql.payfast290.166-96C-5A1

MD5
4b303546801cb2c0a19594216d2f2173

SHA1
7809bf04e41c744a10ad7735a44621d745c09993

SHA256
515590e2f40949b317f74ad6db28b61770e3e08d294cd086c62f67797f208a57

SHA512
0ab53fa9c764f3e2d4f92029fbaeb88e2350a4b2b3f2f95d81b8edf150bcef5a50f75da39f72d57f85e4c8ff4608f980ff73be1553a8ad68d532ab57b3696ee6

Download Submit
C:\Users\Admin\Desktop\CloseMeasure.ico.payfast290.166-96C-5A1

MD5
4540cc4774999a69a8e5a935b5cc9136

SHA1
638efaedff864e2b940daf4e37b043ac9eb5c7fd

SHA256
6d6543a274d597b2ab69de8c86e7d2806fb51342310de9a5a7619fea589bce9a

SHA512
775732bd1bcf50ca725cbc8ab7d9b8ab425dfa9767108917bf73560f8e560d2bbb77e4bfe9332764f0c76aa135433b64c0c91a13b358d796d0bcd3d9e1cb06ce

Download Submit
C:\Users\Admin\Desktop\CompareDeny.xsl.payfast290.166-96C-5A1

MD5
866e647ff9846e4f00c0067df3d2dcbb

SHA1
a2c54e7bc238e9b650b77313a97fd59b6f9a7039

SHA256
252ac38c452db3964ebb1600cac7a380ebe188959581d3a9e58a20c486fe38e6

SHA512
3286f213cbf40a651ff8f7ab1c3a666ab8a0ed8348040db3de86665b2e67b427ecbd95857f87f0590f0383dc0d1b160d52fe4ce464c9956b0e4daaa7cefa98d9

Download Submit
C:\Users\Admin\Desktop\CompressDisconnect.jpg.payfast290.166-96C-5A1

MD5
62709851da640cab7075f4176406d2e4

SHA1
542ce76b5c0629c5851213b28ebed4d211d7a287

SHA256
47bbff36d19fa6b13448b03fb9464b3055d5f3f8fb9d42cf499704f7974b4713

SHA512
f1ef0ab6aac88f17d23bf2d274c27b6560cf3ca3a3b98e220931717a32f872aeb827a1e8c3e2a53cf0b11a903609f7dcf7cde5f181faaa67179d44275c991c14

Download Submit
C:\Users\Admin\Desktop\DisconnectUnblock.dot.payfast290.166-96C-5A1

MD5
e1fce3b48c8142c660197d677218604b

SHA1
6a0c042aae81f800aac316e22b12cf3356edf934

SHA256
e032dafcc0f0aa2adbc0a32128b4848401b3552553b54697aeae7978ad846e2f

SHA512
57a91648f45808736fd856e2c5330da0725d1f787be40f2d9906e510904d2264e4945dce12ab640a608470f51aeeeadbde6720ea405d17ffcb4f126404a6af4f

Download Submit
C:\Users\Admin\Desktop\EnableInstall.mp2v.payfast290.166-96C-5A1

MD5
0cb8529ade63fef1c5aaaf8f55f4564f

SHA1
6fca56e709f26ad0694c3262964f2a1fd70ee32c

SHA256
e5d09b5471dfaf9b0a0043fef1bd83e5a2e9825c689117bcf5bce09961629b34

SHA512
587d78afd525a9e325b71ef607786a5ba8d74aa232d5e8647e3b96cf8eec36f93ff65e9fee85a5a1bbb51580466229a871356f14c15b27cf36d949a0ef794107

Download Submit
C:\Users\Admin\Desktop\ExpandRename.crw.payfast290.166-96C-5A1

MD5
2cfe25494c04d4d6d1aa5d594d8b1aa7

SHA1
b1c87bcdb7a764da3ddbf69433e910c63f5de0fc

SHA256
ba5df9a5fa2747a12ee37da95586be0f0a8841d345eaa6b35527a98d902d80c8

SHA512
04f46625caf8cc161e29b4c20a1f74bdfee659200c648aad66594a245114547361dccca36999452b581a6399e070dd16347ac0ea35cab8629b28dd59fa959319

Download Submit
C:\Users\Admin\Desktop\GrantHide.xml.payfast290.166-96C-5A1

MD5
1f63697c91dc2cc4171071e8e8f42dce

SHA1
8ce76fd38a52b295bdaef5c764f4f3dadd9457ed

SHA256
16123585e321577aa92557149342e0986cf19cc49d0b2beeef79a81b266d7e18

SHA512
40103becb71ac880f0e60a9d4c9b1a386140e0de248645a7217df2e3e552da5b85f5aa541123157f1218f6fa73221c4200a69de98e1aac3bb3ace0d52d41e8c6

Download Submit
C:\Users\Admin\Desktop\HideUnlock.rm.payfast290.166-96C-5A1

MD5
0d88df3ec1a33dafe9238a1d1a23ef8c

SHA1
d56a5635982d2e34a6e26972a475a07543067493

SHA256
609c04344b0b4e716195dbcaaae5bbfc2869915a32fc3e29dd9bee6a43bf3003

SHA512
f494dc404260a26a3ca23dc8e589af921861cbc5b2be46e67ab966e722a3e54929b2b73cc14fee04be054a2c53593281bd3d6cb1b763fa28791e0a72b59675a7

Download Submit
C:\Users\Admin\Desktop\InitializeUse.htm.payfast290.166-96C-5A1

MD5
961f9adcdc6ab5eb92b88d7305eefcff

SHA1
981cc27efac74d74d7a1689479fbe354e4a9c226

SHA256
b1eec7faaf231302523f2a0e3b39be9acbe46d70acd68ebe55a09daf7f36629c

SHA512
c53f098848d86cb129d08f588d1be5e421ef23ded4e198fcbfd8fae0bed98205e03c462c19c59ff17a2a8d34bae585767717a923ba971bdb95b009a4c7caeaea

Download Submit
C:\Users\Admin\Desktop\InstallApprove.shtml.payfast290.166-96C-5A1

MD5
4ff79fadbda2fcb86681b92cd31203a7

SHA1
36cb572c497467b8910fcf41c281d92115ddd599

SHA256
a7379974699985b47e93cb6e7f6181a8df7322a7773275e12833740941233e65

SHA512
31e805a24510072036538343f1c183fff29418ff6c6da05317db4ecbddd09e9a767f4a0482f1b745c5bac1f0da362b0ae0a9da68c0b6d6a7f9ea4b7e04a8aab3

Download Submit
C:\Users\Admin\Desktop\InstallGroup.odt.payfast290.166-96C-5A1

MD5
eb531254b42babfb45362315bbf3137c

SHA1
584458f85d12257b8f9e69ae5d48460c5be04a22

SHA256
fca0c60c49a4b475d1b4787c647e71fac574adfec1bd18fc86ac7da422e7212c

SHA512
7be613b58c1e439a340593502175b1c99bbf1c23011634d1ef09ef709f97d9823443a474759cb9df73311d48db71124d0853dee5c50bfe5a9c0b360552d2427a

Download Submit
C:\Users\Admin\Desktop\OptimizeConnect.mhtml.payfast290.166-96C-5A1

MD5
704c3b9ea493d8b3ac63d0e03fd79148

SHA1
be0bef8d484cff2a67f44b2730431efc3801882f

SHA256
413947227149159ddbb76172f2134790b1845888d4e7771b5681261bdfd3128a

SHA512
0fd687b8f4d248e8fdd6fbaf36886f351226fcbd97388af72c477b52c800f90a41e94fbfa299fc2f6092174e36e525e00e3d47074c8d12e25e6f1e7d94b748a3

Download Submit
C:\Users\Admin\Desktop\OptimizeSplit.jfif.payfast290.166-96C-5A1

MD5
b25a8ab877757f85e80a562ba7d63a04

SHA1
fd6ad7d173b6bc2182bef4ed81dbb6dd48c8e120

SHA256
5a6a98d95a54c0795cc12023bd41f4a8881be272fd2f21b28318965d8e977865

SHA512
1ee8ebb7476f3d96a6472b8cbd69ce22c185cdc3f66d57ef2ce072c85d9ef17ca93787201c6b3740427b87760bb20817ee76b0f9e9a58b854a450e1cc66732d7

Download Submit
C:\Users\Admin\Desktop\PublishSplit.eprtx.payfast290.166-96C-5A1

MD5
0c556625500bd5093c0bdcde55bb611c

SHA1
587d3333ed94406df32d904be16654992ab50dfc

SHA256
39509bc5f93432ddbbd1f1f460c46561414c205109a6fe988a79d29a9abdd9d4

SHA512
d75654bbb25631ce4c0a4cafe875726ed3a226efd6083b772fea5f271fc3032c100671b647487e19c2b096643e36b2f099a10e5a3a333c794e8b0aa5bebca8e2

Download Submit
C:\Users\Admin\Desktop\RequestUnprotect.bmp.payfast290.166-96C-5A1

MD5
4af479529ccb2080e910ced1d8abdb7d

SHA1
7c93cde7359c0c4756da51f31bfca2944b62097e

SHA256
a818c37acae728e105f2f5fbe3ec945d517e57e1564fa5eb857f0b38d88b746e

SHA512
b3a3242ceabb163409f6cdb84fb11dd7865a7ba4b634ae6a3960a0555308b52ed05aa0da6f2f6d99e0ea40c71a6490bf7516b1f68b0b5f2c55a2d043a2a8f894

Download Submit
C:\Users\Admin\Desktop\RestoreShow.xls.payfast290.166-96C-5A1

MD5
37d1d1e75c6cad5581f71fa60cf93162

SHA1
cd42ab1b05e518e442e255a0edc7d21c96506d8f

SHA256
71483979214eafe8692dc188047b211346d12b69d5b8e7cdee839820c47316f7

SHA512
c69148aa2573640296c9aff256c59d3269b9075968ada437e4802f07c44986fabd92a6016ae58397b47dcdbb406465279dc9e8e9b6fa828b766d59d2072fc8b2

Download Submit
C:\Users\Admin\Desktop\SaveSubmit.crw.payfast290.166-96C-5A1

MD5
de05a634d06076a37e3ac3e200a0fbc3

SHA1
42694a49b47c502cb80790047a99c8c5638c24f1

SHA256
eabe9c2afbd73960c751881902b616ce0b6e497da26988c44a91f442c6deeb09

SHA512
df946948afbcf158dbe26e224d69def03987a12f4bd1bc5d746ba296b69bea709893ad63dbb742a92d1c321f41c877ffbec6268193b3076e27a42c41d2b1b65d

Download Submit
C:\Users\Admin\Desktop\SearchGet.cab.payfast290.166-96C-5A1

MD5
f0d9d758917f564fe6d19fab814a8aa9

SHA1
f57df29ce65f076fc9acdb79b03f3b30b92586fa

SHA256
ef6074e9363f45ad8b0bc88da342572fbd9aaa023b6c3d227a0da6e3f309869a

SHA512
b38546a76f3a6c1c16f5beca1625a58c1350dcff2ec63de7975aecf78ef20321d6ac8a278b6c92dfdf8631698332e19fa825de47d84d5ffed0bcef93f1167180

Download Submit
C:\Users\Admin\Desktop\StopRedo.WTV.payfast290.166-96C-5A1

MD5
912f5092b421cbeaca8cefed921ac3f2

SHA1
ea4edf442a21eb1da43f1edf5669a41cb978314a

SHA256
39b5abb2e94646055810314ec6cb092de76911f5f3dca59047faa96435e2ba75

SHA512
5ca24460a281f629c9a62f96a5c4ba84710d1b2b979173f45466d8960f88412c484b100b7538dab18f8210be82232e10f828d825333e27ed54af9f328db8bcf2

Download Submit
C:\Users\Admin\Desktop\UnblockInitialize.dot.payfast290.166-96C-5A1

MD5
5009f0eb7eba960ed810cf121fdf6134

SHA1
083d23337a40668d22f7061581f9560c8b60f3f8

SHA256
8ef1351f77f4f823960115338981d348e50c2674242eff2553b31603c0930d6f

SHA512
4beb8d945ecff59c750bde2b3133fcb9f7c9fbf48d965a59d485d05406f5c7df12091e94449b14f6b0002d5172e4b39aa0bf6a3e90986df8f4d7af875b41f90d

Download Submit
C:\Users\Admin\Desktop\UnblockStep.dib.payfast290.166-96C-5A1

MD5
4861979041f57aa71257a8fdcaed112d

SHA1
af08258d4b02607d5494f93c948aa9a435450e4e

SHA256
cbb01be9e005cf97d28e85417dbf25f5eb11b1efee9da8b3bd8a7590b1c5f9ca

SHA512
ec492f65b59f6113ee0b11e588d6abc623ef98a7851ab348f89d28494fb0991ceab0acc14b9184fadd1abd544e58546de91952b866b2c350c7d6ccdf00dd54ae

Download Submit
C:\Users\Admin\Desktop\UpdateNew.wax.payfast290.166-96C-5A1

MD5
4ae8df6df31d6cf1308b47dbc8c0a931

SHA1
03afef5232bfe856aa0d2d7c4d19c0aa80f9fd60

SHA256
3a1710530d21827a1959e515576e123dc54897d7eec06f5a447bedd010a98071

SHA512
03d5ed7e79cfd6783fa2f34d9637b560bbd2cbd02369bdc3bd7095db6e3bde36feb8325b78438a330c27fd8ef6271cad243bbedcc959aa688d05e8e754f43c5c

Download Submit
C:\Users\Admin\Desktop\WatchGet.xhtml.payfast290.166-96C-5A1

MD5
35a78157666ef6d9618089b6d58be079

SHA1
2a0cef2f99bb77ecd808b21cfb7e8e57d4cdfe5d

SHA256
2ae0eb58c0bf2fb3a566036f62c7e906a3aefd23cfc171f5f9fafd60295c54a2

SHA512
bebffe03d6df1154f74ab63b30786012d9540e9c8d1ea0be2e7e13be82c7ceccdbb0470e5b32c69f48ce29fdced363a8a2bc1c21346b22768aa5795620105e8a

Download Submit
memory/384-160-0x0000000001210000-0x0000000001215000-memory.dmp

Filesize
20KB

Download
memory/384-152-0x0000000000000000-mapping.dmp

Download
memory/384-161-0x0000000001200000-0x0000000001209000-memory.dmp

Filesize
36KB

Download
memory/804-183-0x0000000000000000-mapping.dmp

Download
memory/1012-184-0x0000000000000000-mapping.dmp

Download
memory/1344-190-0x0000000000000000-mapping.dmp

Download
memory/1364-167-0x0000000001010000-0x0000000001019000-memory.dmp

Filesize
36KB

Download
memory/1364-165-0x0000000000000000-mapping.dmp

Download
memory/1364-166-0x0000000001020000-0x0000000001024000-memory.dmp

Filesize
16KB

Download
memory/1832-181-0x0000000000000000-mapping.dmp

Download
memory/1952-185-0x0000000000000000-mapping.dmp

Download
memory/2124-115-0x0000000000402FAB-mapping.dmp

Download
memory/2124-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2188-182-0x0000000000000000-mapping.dmp

Download
memory/2192-168-0x0000000000000000-mapping.dmp

Download
memory/2192-169-0x00000000007A0000-0x00000000007A5000-memory.dmp

Filesize
20KB

Download
memory/2192-170-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/2228-192-0x0000000000000000-mapping.dmp

Download
memory/2232-164-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2232-162-0x0000000000000000-mapping.dmp

Download
memory/2232-163-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/2272-146-0x0000000000000000-mapping.dmp

Download
memory/2380-137-0x0000000000000000-mapping.dmp

Download
memory/2380-139-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/2380-142-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/2396-187-0x0000000000000000-mapping.dmp

Download
memory/2648-178-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/2648-177-0x0000000000610000-0x0000000000615000-memory.dmp

Filesize
20KB

Download
memory/2648-173-0x0000000000000000-mapping.dmp

Download
memory/3052-117-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/3064-129-0x0000000000000000-mapping.dmp

Download
memory/3064-138-0x00000000008E0000-0x00000000008E7000-memory.dmp

Filesize
28KB

Download
memory/3064-140-0x00000000008D0000-0x00000000008DC000-memory.dmp

Filesize
48KB

Download
memory/3152-141-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/3152-131-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-121-0x0000000000000000-mapping.dmp

Download
memory/3152-180-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/3152-126-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3152-179-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/3152-132-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/3152-176-0x0000000008D50000-0x0000000008D51000-memory.dmp

Filesize
4KB

Download
memory/3152-175-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/3152-174-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/3152-172-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/3152-171-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3152-133-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/3152-134-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/3152-135-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/3152-136-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/3176-149-0x0000000000000000-mapping.dmp

Download
memory/3176-159-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3456-186-0x0000000000000000-mapping.dmp

Download
memory/3736-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3920-118-0x0000000000000000-mapping.dmp

Download
memory/3932-128-0x0000000001140000-0x00000000011B4000-memory.dmp

Filesize
464KB

Download
memory/3932-123-0x0000000000000000-mapping.dmp

Download
memory/3932-130-0x00000000010D0000-0x000000000113B000-memory.dmp

Filesize
428KB

Download
memory/4056-189-0x0000000000000000-mapping.dmp

Download
memory/4084-143-0x0000000000000000-mapping.dmp

Download
memory/4084-144-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/4084-145-0x0000000000940000-0x000000000094F000-memory.dmp

Filesize
60KB

Download
memory/4116-193-0x0000000000000000-mapping.dmp

Download
memory/4320-218-0x0000000000000000-mapping.dmp

Download
memory/4320-219-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download