buran | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

max time kernel
51s
max time network
105s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
25/03/2025, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Size

812KB
MD5

5181f541a6d97bab854d5eba326ea7d9
SHA1

16d9967a2658ac765d7acbea18c556b927b810be
SHA256

b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512

c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
SSDEEP

6144:73KIrUL3UE1S5mY5/i+i6thb2/VMpfkgXkJX/h/O11/vMLZ935PFXwz6Ui:DTru3FS5C/VMpfkg2ROs9dSz6

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 186-544-3C6 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Buran family
buran

Detects Zeppelin payload 13 IoCs

resource	yara_rule
behavioral29/memory/336-8-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/3212-14-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/3212-22-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/3212-27-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/5680-30-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/5580-215-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/5580-5252-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/5580-9476-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/5580-14214-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/5580-19979-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/5580-25838-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/5580-25995-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral29/memory/3212-26020-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (788) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	Zeppelin_08_03_2021_813KB.exe

Deletes itself 1 IoCs

pid	Process
936	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
3212	spoolsv.exe
5680	spoolsv.exe
5580	spoolsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	Zeppelin_08_03_2021_813KB.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\D:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	iplogger.org
26	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json	spoolsv.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\accessibility.properties	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\logging.properties	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\rt.jar.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar	spoolsv.exe
File opened for modification	C:\Program Files\SelectWait.html.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\classlist	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.186-544-3C6	spoolsv.exe
File created	C:\Program Files (x86)\.sys	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\management.properties.186-544-3C6	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt.186-544-3C6	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeppelin_08_03_2021_813KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3704	WMIC.exe
3704	WMIC.exe
3704	WMIC.exe
3704	WMIC.exe
2356	WMIC.exe
2356	WMIC.exe
2356	WMIC.exe
2356	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	Zeppelin_08_03_2021_813KB.exe
Token: SeDebugPrivilege	336	Zeppelin_08_03_2021_813KB.exe
Token: SeIncreaseQuotaPrivilege	3704	WMIC.exe
Token: SeSecurityPrivilege	3704	WMIC.exe
Token: SeTakeOwnershipPrivilege	3704	WMIC.exe
Token: SeLoadDriverPrivilege	3704	WMIC.exe
Token: SeSystemProfilePrivilege	3704	WMIC.exe
Token: SeSystemtimePrivilege	3704	WMIC.exe
Token: SeProfSingleProcessPrivilege	3704	WMIC.exe
Token: SeIncBasePriorityPrivilege	3704	WMIC.exe
Token: SeCreatePagefilePrivilege	3704	WMIC.exe
Token: SeBackupPrivilege	3704	WMIC.exe
Token: SeRestorePrivilege	3704	WMIC.exe
Token: SeShutdownPrivilege	3704	WMIC.exe
Token: SeDebugPrivilege	3704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3704	WMIC.exe
Token: SeRemoteShutdownPrivilege	3704	WMIC.exe
Token: SeUndockPrivilege	3704	WMIC.exe
Token: SeManageVolumePrivilege	3704	WMIC.exe
Token: 33	3704	WMIC.exe
Token: 34	3704	WMIC.exe
Token: 35	3704	WMIC.exe
Token: 36	3704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: 36	2356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3704	WMIC.exe
Token: SeSecurityPrivilege	3704	WMIC.exe
Token: SeTakeOwnershipPrivilege	3704	WMIC.exe
Token: SeLoadDriverPrivilege	3704	WMIC.exe
Token: SeSystemProfilePrivilege	3704	WMIC.exe
Token: SeSystemtimePrivilege	3704	WMIC.exe
Token: SeProfSingleProcessPrivilege	3704	WMIC.exe
Token: SeIncBasePriorityPrivilege	3704	WMIC.exe
Token: SeCreatePagefilePrivilege	3704	WMIC.exe
Token: SeBackupPrivilege	3704	WMIC.exe
Token: SeRestorePrivilege	3704	WMIC.exe
Token: SeShutdownPrivilege	3704	WMIC.exe
Token: SeDebugPrivilege	3704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3704	WMIC.exe
Token: SeRemoteShutdownPrivilege	3704	WMIC.exe
Token: SeUndockPrivilege	3704	WMIC.exe
Token: SeManageVolumePrivilege	3704	WMIC.exe
Token: 33	3704	WMIC.exe
Token: 34	3704	WMIC.exe
Token: 35	3704	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 3212	336	Zeppelin_08_03_2021_813KB.exe	86
PID 336 wrote to memory of 3212	336	Zeppelin_08_03_2021_813KB.exe	86
PID 336 wrote to memory of 3212	336	Zeppelin_08_03_2021_813KB.exe	86
PID 336 wrote to memory of 936	336	Zeppelin_08_03_2021_813KB.exe	87
PID 336 wrote to memory of 936	336	Zeppelin_08_03_2021_813KB.exe	87
PID 336 wrote to memory of 936	336	Zeppelin_08_03_2021_813KB.exe	87
PID 336 wrote to memory of 936	336	Zeppelin_08_03_2021_813KB.exe	87
PID 336 wrote to memory of 936	336	Zeppelin_08_03_2021_813KB.exe	87
PID 336 wrote to memory of 936	336	Zeppelin_08_03_2021_813KB.exe	87
PID 3212 wrote to memory of 5784	3212	spoolsv.exe	91
PID 3212 wrote to memory of 5784	3212	spoolsv.exe	91
PID 3212 wrote to memory of 5784	3212	spoolsv.exe	91
PID 3212 wrote to memory of 392	3212	spoolsv.exe	92
PID 3212 wrote to memory of 392	3212	spoolsv.exe	92
PID 3212 wrote to memory of 392	3212	spoolsv.exe	92
PID 3212 wrote to memory of 3912	3212	spoolsv.exe	93
PID 3212 wrote to memory of 3912	3212	spoolsv.exe	93
PID 3212 wrote to memory of 3912	3212	spoolsv.exe	93
PID 3212 wrote to memory of 4828	3212	spoolsv.exe	94
PID 3212 wrote to memory of 4828	3212	spoolsv.exe	94
PID 3212 wrote to memory of 4828	3212	spoolsv.exe	94
PID 3212 wrote to memory of 5044	3212	spoolsv.exe	95
PID 3212 wrote to memory of 5044	3212	spoolsv.exe	95
PID 3212 wrote to memory of 5044	3212	spoolsv.exe	95
PID 3212 wrote to memory of 5076	3212	spoolsv.exe	97
PID 3212 wrote to memory of 5076	3212	spoolsv.exe	97
PID 3212 wrote to memory of 5076	3212	spoolsv.exe	97
PID 3212 wrote to memory of 5580	3212	spoolsv.exe	98
PID 3212 wrote to memory of 5580	3212	spoolsv.exe	98
PID 3212 wrote to memory of 5580	3212	spoolsv.exe	98
PID 3212 wrote to memory of 5680	3212	spoolsv.exe	100
PID 3212 wrote to memory of 5680	3212	spoolsv.exe	100
PID 3212 wrote to memory of 5680	3212	spoolsv.exe	100
PID 5784 wrote to memory of 3704	5784	cmd.exe	105
PID 5784 wrote to memory of 3704	5784	cmd.exe	105
PID 5784 wrote to memory of 3704	5784	cmd.exe	105
PID 5076 wrote to memory of 2356	5076	cmd.exe	106
PID 5076 wrote to memory of 2356	5076	cmd.exe	106
PID 5076 wrote to memory of 2356	5076	cmd.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5784
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2356
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5580
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:5680
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1668
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
65KB

MD5
be83dff3d24a7b6f2bc960a5a5515c03

SHA1
cee9734a8fbd181d1101dc2d3f0070fb24f139ed

SHA256
f6a3211cda81d904d1007352485aac70c159aa12031a343fe0cc45ad4c871a7b

SHA512
0b53fe85e98dcd2fe0b0e8a24af5502576b9fe7e8fd2aae41a11cb38a87351be06d7b340f3e52c870323b4094c1cb1aef43641540a423d505238b7bb4f51b7b6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
80319bb5bf22504b31c92dda25f530ef

SHA1
09cb8d016a770b4edddaa36976e73fe0120665f8

SHA256
dfb2ef312eaa081eeaa7463c96942034b92fe37a45a76d3001788b59a73b076e

SHA512
3da4cf20fd34ebf73ba3c9f0eaece2faa5c4332fe6b08788ea50986a8e6b42224be158c3839d67aad442e4ffcc79c23dd14ea767d6204f9626a2b27860975c57

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
09d07ae2a1c4dbdb72e553415aeaec21

SHA1
4b16107781f3fbe8f1da5eddb190560535decdda

SHA256
1dcb9243a25abe0a6bbaf382a0afe853d378328d40ded6a762987e1bbf5285d6

SHA512
f89ad9fe2717a9c387b684c8281624771a589f392a13e22e41cad9e62c2373d6ab51a9f7f3f1fe371ce4b08cb3781f4b5db8e16f46aeed983cd1c5548e63dfe0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
e7e3127de9cdb4d5c755c000b917c10e

SHA1
b8e8b8d50a4a9e1b5edeb9c045935c053a31db43

SHA256
0eeb1786bcf8d5fd304df96711ae1dfa07a76252127a5e7de6650d7cc946c01e

SHA512
a9dd129b249864efafe7d55ca417cb7fd17aa5044db6769c42b55ae19e49651de2695ea6f922f4618801dd70fca9d258c7b827f0a2e09cdb62089b616de6c282

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
30KB

MD5
5c661ef97984253dea8d142956f156cc

SHA1
e71da83762aa204198f95cfa7664b9eb351a3f57

SHA256
7ffb589fab47412d14eaa0579737c72e6e3c341b75d024c1335c47e8c85e552b

SHA512
ed16b394e5b60c8ce0c7bdc2c323a3b8190428d000d5e78107d02e6860d490335327aeda1fa96b6b8f1bfb985bf7cc5aa3379bc19487c2fa8b889b2164d3ea1e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
35KB

MD5
7c05c6946df1d4292771d42b6519c0ed

SHA1
b31bbb73c44ab3ba165c22c07201f507e9d7905d

SHA256
8afd85c3daf0aad72c2be2202f08765aa089ad389fa4f26f40fbfcf19edd5342

SHA512
c66e3fcd27426449c6b1855f716844a4375ae96a82fa0002ca95f022f712c37c7eea10f251d26868e5659835ed0ad512de7186cd14b34e6808be0ee311c2f8ee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
e44b7a289924fcec6606f7ff1a429cd6

SHA1
a3a652f0e2c59a66271bd3c77f3c3b6e3d597873

SHA256
d6c87ef776aa056483a5ba0449049ee8eda2e78c884d76a643761598f49bf66c

SHA512
437b8da3846c01c436a21bf0b31a12388f313966c177e33025baa2033428fd6992c8f9fc32784e9097caa63f06beecca4448cfeb6afadf5da5e3524d2f5620fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
48b400ceb6ee0cd364d108a0a05618c8

SHA1
ee47932d68d6b7fab49338e5762af79a57fc3523

SHA256
c438bf9f51e9441d14f60f32eb7463fb19d79366e8c3ed2a3b102e1c30c440f6

SHA512
6f308e2b9c2ec6e9adc7b28a727c8898c98bfbb35d2199741023045c6f86787a0e85320ce3b263894d079821b1d7d62eed3fb1103b82f54b123344d90a7b2554

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png

Filesize
17KB

MD5
3a71916254c902b33d72e98207e64105

SHA1
971936767690b7c3e4b9e7723947a2f614b37af1

SHA256
34eddde436bea7cb0386d20fcdcbfa6e72b4c727d8ec79f3c478136ca4066bac

SHA512
ecb98c28899656c9fce101a4382b363ff1281f46c27c5ab3c6b3cd686e12219343a92b656f8ebc7a308623f1500fdd13db008ba3f85f899c4734d6561e94163c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
176KB

MD5
08a5afde0bbb2274634b88e8729f81f0

SHA1
69de30865709be9c0445bcbb4aad86cd7bd29727

SHA256
7c69914068fe67e7a35d86d6a9e41b1b042b0038f6ab7c11ae066d8b35556327

SHA512
5cf8219212cd0c22f2571a59ab6476afe9eea70f0dd2cd03eeba48769edc5267757adfde089f662fec6fda19f2a70b0172c75cbee5fa8061915b32c27e5647b0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
378KB

MD5
b6fbbe2dc80cc8509d0d45902a573d4b

SHA1
3865ededbf7811a6066ed903c9d4dcb412c7221e

SHA256
d0f280f2393b8d53ecf93e45dfe85ca0610b53ce28f91fd4146e1149a0f0dc46

SHA512
3c44591914b663c54f078b699bd9d4b1414f8afd1587f3bf6f6263185060d401010f38f5ce2830eb40cc25373743d0fcec9af51f97269179815e627c9643c229

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js

Filesize
388KB

MD5
a90c1bd0a60b8c688c1441635608302f

SHA1
8b65587e00e02e6da89c65d528c0f6b0f40f10a2

SHA256
3018e3da2471de3514a368b1b7e42b463aabbeaedefcdf090531326914f91b6e

SHA512
152e82d3cfe53fb4b08f47884afc10455e892b962112222b568c4663db733a35da3d34c4f9c2fe01aab16aeec254aba9e0d2ca97e1c55242736852f1dae82a6d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
11KB

MD5
a103ee4c3d0db765449dcb6625f901ea

SHA1
7b6152257675deae519431bf9a6d07ef627d81a6

SHA256
bc6e54a5c69e3900b1491bbec4200fadaf6cc26e39dd4a61432905d9d2a4c31e

SHA512
bb8d0b84d7b31b4d1e6ef92721cd70cb144ede9b9da892279afec9ea9f556175591966f75ac443ead893813992089c3333e324c66353f35d097eaf3c26c6cb9e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
13KB

MD5
23222a23188d6c09bf29328221967b37

SHA1
7633273f89d122c9a1bcb11cc877730246cdbc1d

SHA256
c4c99545384a69819932c4579422f89671357ee9a3b562a541cf8c8c332e5be6

SHA512
bbcda240990dac280cab9b2ea849d61391dfb0920ca582e64f5c0d63ddaaf92ce7bd983c59cb36fd61f00e055830241d7557ea6baafcd00a23c9aa1ee6c7a9ef

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png

Filesize
10KB

MD5
e7039f674379835e3258714a4f7e3194

SHA1
87a55b5f3dc45ec75f75faad326760f768cfc626

SHA256
cb10a77dc6a78ea89c593a545e14cb8c64ff3ed3c672e4ac0ec1d4040e345538

SHA512
5ac62783491702e67afea095b1a3a4d7fd2bdc696070fb9e10f618c2fef642cd897441092eb06acff1bf3dbcaa7d4ed5f132528635e51b452132413c28bcbc33

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
c1ca1c8053c67a6f397bc8b756e51e4a

SHA1
7238b9ad065dcf88516bc43e2a6b77c36e34c03f

SHA256
1a6c492a63f5a0f263e8bf1dade4d02974ef974b7b2a586ec2eaa276377dd835

SHA512
be960abf530a4fd6efab6b84c9a10da2b25190fabda6dfe1e3c0579b68d45b6ac47ff0a997f1cd779b2ed73207f48393839538f06658e5a8daf9db4e2fa6e863

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
382KB

MD5
27d0d8eae54681b9e45569001ca2a6e7

SHA1
2e76ff6ad2e1ed95c534b750b3bbcdeaace9d0ef

SHA256
da6635be620826294ff1abc074645fc4c38ccd28f6fb40c97212a794f5903256

SHA512
286746c1745547a3d77dcaa86437887261f6f53c6f00d7a5afde168f4d5851bb2884d482ba9dbee9b25ede3be044ae2838a29053c3aa855d443ee4f1a0090faf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
7c11938bf8de8f77a2df4dcf2c3c8662

SHA1
f17f14091c1efe7717c92ae263fd3c51378585c5

SHA256
c10073d7f4d139d114c259a67a34466866219ee45a08910619c50a2edd5e43b1

SHA512
39558a85816acd46bf418dc6e54be6dbf02f6cb0452204d1e2e59346529f8be64947333e096b26ee3e69d9bdc31ca8cf392b669c03a159ff4b5e7948158c154f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
ba557f816a90129defb751759bd2a429

SHA1
923f7803b7557d8082df8fb8baf9709e37630e07

SHA256
a279b01a46e0255e24c34b7b56e27d67f2d2e8ddab7d4ae2d26b2d1c645e6ab6

SHA512
a8022dfcada78c5e64d6b00299deab61d747d7b50d9fe6b12521743bd82d46a6429c616d33a8ebf7649e7d3a1bdbcfe6930024768d26c73678fb6ab9cf1ff7e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
d922f4d104b37367772fd97ca0ab5f47

SHA1
b4c939b96c690ba1646b667948642616dad5ec63

SHA256
36a3faf24c04fc04df8265d61cfb9f2e810acda48ba35826259d253056a9127e

SHA512
9058db29c2cef1dd47741ff585055262a1ed699d1f14bbd3bd84fa2788ac1d46c6250688a25e4a557e8d6c8e923a5ebe4d651c29b3111eb907f5aafdbea70cd0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
16KB

MD5
d36b78e027fd0564fd4eb3c6b334c29f

SHA1
e10c229120ad6d9459908a26fc2f89714362439d

SHA256
f4a11645162685d6e896f24dc12713cf4fcdf086bf8f804712d9ca78e2096a00

SHA512
779e29dfb286c65fd72f109fa69f08e8badd131004d7940dea07b32881589cbfd1e55a0c1d245ec24997775ca4195b8dd92470ed7e9d92274c235460ea56bbfe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
a6d7ea5375438270a157217e5b4c7cb6

SHA1
decea9d6daa60c8e078788dafe40657654dcfd80

SHA256
62a84bb50e5a06080a848e743d332aa7e3235b67c3764970e082cb23ca02c11f

SHA512
7f5cba4672de67767a9864c01f725ec6abc97718f5417668fefecddb59982f353a7aade02c972eafe916046ebcb0151ab212bb004e74e6dc0430522c9424ab7b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
947c447adf100d6fecb08d26c20b1438

SHA1
abbf5a640c85aff358e75390b5c494e308eef674

SHA256
8a3c55ef10edc92bec791b7800ebca22520b88fa99d870608dcacb206b87f16f

SHA512
e71b2d9825a27b219e9e5a14671a7e7f60eb30b21b25be4f7157875e8854c988e8b6b7255318d5c8586df6741efd72050d94180a3dd3393ed1d6c533b4e49919

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
30b7ac3415853aeb12f4f293e7f0a407

SHA1
fe3fdaca335ea44c0da27dfd91ecc4cf0b564f11

SHA256
95dc4660bea98082c37fc4d99ef8d020539df483228ee26cd209f9462e6bc277

SHA512
1402af3cfccf35e22c5f645213d3818cd6451313b76abda1d22be9953cec7c09e5208a8c437a55ef981672864d11a319ad34d2377d1833d8e0c31b2287836da2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
16KB

MD5
84816dbe72fb2bb47e04dab70fd30917

SHA1
2c7e2da3f95a473bcb85c460a99bc9d248a51203

SHA256
4abafe6630407ab989670423e6ca3e6de3af4e6e6a8e780dca4a171021a111b9

SHA512
0c3a787b6734f083a7622a29e82a5f4d1d9fef3057b4017319103844545ffa4949baaac58d150c6a00dd9c2c7a0aa384507530d487570e892712721f7c92ae28

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
9193445f9d73d8d6255b32f9b18a535e

SHA1
ca3e4024f37aec85f7da9cb1e34292d3f278f792

SHA256
096acd9ba001b107f5ed68af5751de0684fa3a3c4c66e33db1009050dbdb81bc

SHA512
97bdc215a50c00efb968115a9f28725f580afcb2ca021ecb6702bbed039a2da884158feda86502a160d5a3f7ada3d1bcbc4a694f3aa972bd9e958ae57360e374

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
16KB

MD5
d6b2a4ef235aad36ab78da615da12984

SHA1
f775cba03ca31596947a433eeb4cd3af4ca9691d

SHA256
3a08b34d41f8a15536d7646ddfc6fe3c5614e6057406e9b918ea9977bf99420c

SHA512
cac358010e9800725fedab16c2b466b71f8e379465d2b292ea5aad405ab9bb424fec005efc930799da7619b7a0d3a7541cd20a1a52c1e18b02c8e49e8cdfd81f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
65668157c8ddb2e846fafdc826b941dc

SHA1
f375e56c6528da61b83d0b9aa945ac859636069f

SHA256
f70e34aaa739add62804b0971eb2ce72498759b71ab6156a598fe13148baf39d

SHA512
48a1fcd4a5242f803dd09928ca9bd4899048be9e4bcf843ce54040da16fac301abd73fe2db60d2c9fe843722b764ddf99f1f1c8900608b672bcbf06f304f98dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
20KB

MD5
07bf83c89d9012bb36387ce1943fb2b0

SHA1
3ad5608f8236dfa88f21644668ce4102b0d3d3ff

SHA256
b902e2b096148806f2fb141a758d33a40073a735d79fef38b1bfe6335588a0ef

SHA512
b5dbccbec463dad51fce4b472ae2ff6f6c559adf3675a1b4e231c89215a65c99abf53a2f126481f71de9b8989c129a18c366464e97654f115cf1ed633506349d

Download Submit
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
935B

MD5
324b887870023d3604c769e6fe4cc772

SHA1
dcb6b67e65b4f57bacaf1cd194cd3bf19b6ed848

SHA256
884fa6272c1b10995e3cfdde9d9c2548a626089f83c469f1b760509875b0dd3f

SHA512
94c86fdd8c974e73aa268eb95f33dd66c7f8b900cb02f7263389dca6def69c641ae9d520c1eafe9dafbb7e80d583efd427d0fd2d584b385a23c58ef79d1db4e9

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
2864315cc5db1dea8969ddc42b581d9e

SHA1
b700f7f5dd61b48ec3764723217f46199990559f

SHA256
76edec5df67299322d09ab014735da56461b1f72d4a432886c99b18e769c74f7

SHA512
951e613686c5d8d8abd0000363fe0c690b9134925754b65e6a5d4c08ef16ac713c9661cdcb12d26fe83298cc89660e101a17b2c2fd30b15466b24af3ca175e02

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
293KB

MD5
0295ababd6e0c51d571eb1b113dbeb59

SHA1
08a8f5eadce151b72577d513191329ab4cfed9b2

SHA256
628095ba8e0f93eb6737f39ba15bc3a738af3d67a9fc0b350e3b39485d5df21d

SHA512
800842fd13bb11baff87a8d733a4fd8091f0707f9a42a4b580b8d15f3fa12eb53dc340f945b606432fc29f1f7c36e1b6454040984c955ff927cf97e9503a2dac

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
b9b25f425f94973bc222da1a902a9080

SHA1
2247fc696764ff9fd1212d0c57efc880e36b5f82

SHA256
8bdea03c45c30729f06cf07f5bc68c6de3b20b7a9bd29c41c3263db5c47c56d2

SHA512
c49f58d98b6e0c362ca5dce9ff86d06cd7030a4f1d7cddd7cef80ebd57c8cf7f84e496771c67b8f9c6f4e21d1be2d05638a36480370e9e29960485bbcec9ffc1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe

Filesize
1016KB

MD5
c54c45a09f0e23699ff7d41927218c38

SHA1
7035039630c61a6fa5f9d0aef2e8fd24f0f1dce3

SHA256
6217484d0275c547c3d95248dc5b6c393bcf12ab4660a6d07c2908a26e6ba99f

SHA512
5f68c14f819d6ffd2be49cab6ac0fc0d6c44878fc31d44122748d8aaf290495b97fb0194b8a6a89707942a6152ca9478f1e1539048c60ff37e975ac04ce919a6

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
607KB

MD5
9563f515d9fea9a784af7c20fa3e772a

SHA1
a581c23b04bd7ba8e893ce5877937429dc493b53

SHA256
17bbe72801787802d35d83ffbab645136bb779a9e747d056314c2fad7b50120d

SHA512
e64b4292c3c4a106e83be06b0242ae669d8df6250554071fcaafb9b3cdbcbea26f827b7541d3d7f5b80808fd897c3c2e459a5bc8c9b4e02570877a989e045cff

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
611KB

MD5
02eda0a469aca17df2c7a12921bc0387

SHA1
6b53699ada3d053a3d26b697eb15de78d22ccaee

SHA256
97daed93f2e0c77eff6fdb034639077d56ed7fceec9887f1bd245f9212ec61f1

SHA512
f5e722d9bf97d246e3747ccb4bb5fd95eb3105235d29292c0ef6916d6bcd355750a2703d46f6e1a51dfb7f0d41dea306161d09d621c6dbbc80edd61ff413ce59

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
5eb90bd3ed872d040dc242dbaa879288

SHA1
1cc20e01b0bda70ca0fd80b265d00f2a1136f836

SHA256
bd6da56d376caae1397fcd999784b19599fdad193f1d160182bd3d54adb36bd6

SHA512
0d1148702f6d5d1e23c31bf2d8940d084dd84c4b96818996d11f1d79f7f453841e7121e49133aee4497e188fd1aa4d9fc1239963a7c4650b5c6d966354484b93

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
3dbd0268312c2576c7b4578120cffd39

SHA1
a576e388fb88fdbb752a512ebaf87f415b1a8085

SHA256
99ee64670aebdcc893079ee363fd474efa02dd3eace5d903c96e029234e95e2f

SHA512
98947a6793a82c945a18c6926570e9ab9c0e0bd646f555d01f9c6b5b20e311154c5488b26826efd450497a9a54f5ebd4c5942f08df41d3195c2a6650b58b4c9c

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
596KB

MD5
bd1e0d8f2c41c5e556e29524a29bcd10

SHA1
e315ae217ed3bfe212d793fcebc7ed92152e7d0f

SHA256
98f2f8b156514368552c4eae5d153e8e58ed60600595e1d91d9b86cae3117ecc

SHA512
72bbd06f68118eee9ac8df90c6f4dcd3d7b86cf4bcfab5fa92456cc1cafa50c198130ec7ff78971a7592b53ae649035cf80b1411011e89000ae5d58fba49f94f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo

Filesize
617KB

MD5
271be28e259e8ad5d8c3c4b96400ecfa

SHA1
7aeb312582bafd34715d511dec73b52183f88c12

SHA256
5c46997f7f1f5c186422a6b39ce52f4e984d6efbf69368024f6dcccd3b777cd4

SHA512
61581d1c8fdb70448be4108b61032fc61d32d39057266e6b27cd9582b7ea1fcc31f02b07c627557243c3b83366d1f28c3b86644895614b4687fcb9a889a5fdf2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
781KB

MD5
367bcbab4f3862d057737e481b8d455a

SHA1
408de1d6039b4d0c955325881dc906c6d9d7bf80

SHA256
95ccdc22b10bba46b5bc757e72d11cde176d31ecee432253a524beb3f02b4322

SHA512
779df8eac223541165c550d4e861ee4d735d0aa9efb0a17abcec9d19a0ac3d6621d9b8f2f7534f8214cd25cad69d05b5cc62d37b877ea07d3ffacf057f643f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BZ35VGM2\GX9LE38E.htm

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
812KB

MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
C:\Users\Admin\Desktop\ApproveUpdate.mov.186-544-3C6

Filesize
272KB

MD5
18b4fde33e77b483caf9646515f3a9c3

SHA1
f24c15a7d9fec27794b7d83068e216ee3374c036

SHA256
bdb06bd0a338d1dca52a54f34611ef729c5661c5dc97c373d4bc42ddaad487c0

SHA512
7d928f178b9548337cbc21bdf4150016d903a4acda9ffe9e78d78f34adfc0ec02b566fb446b500dd93b671e252856dfcf5b9b9e0782192ea28e812e91f9ec871

Download Submit
C:\Users\Admin\Desktop\AssertShow.xhtml.186-544-3C6

Filesize
342KB

MD5
aa6ac11e3b3c657e2d0363b1cc06135a

SHA1
7711325300e93752ba0f40f16dbf42351665e8e1

SHA256
2bbc28f28ac0560030c184f577dbefe757706d9c0de24dc69929d78e08153031

SHA512
17951cd6c267f12e9189ec86188277be63a6df2b52bb06bb0126473f6988597507f04c59cba5aef6a617004b32743c6b023d3493f57aaf16023e97dcdc748a30

Download Submit
C:\Users\Admin\Desktop\CompleteSkip.wmf.186-544-3C6

Filesize
411KB

MD5
5a7cabdff6ecfd78178d247c82e7d24a

SHA1
812840398b31f9e812175f9492df23ac1686e8fd

SHA256
42eb8a04804e38bcdc9e447e35a588bbbb7de63c95e667c8c979fbd3fc77ee94

SHA512
87617d39a4bfe43d99c60b5f65cc9886d4614e7903f7a36f4cd934e1fe76190627b43b7e05883976bfaf94bee0d67c802135ae736c7f135b65031cff53800b0a

Download Submit
C:\Users\Admin\Desktop\CompressConvertFrom.xlsx.186-544-3C6

Filesize
15KB

MD5
cfcadcb209fb75f138387ba39d5be161

SHA1
728389ac274a915a0ce8da6d1553a0a7467425af

SHA256
e1975ec2a0daafcc606343f0587980071433efec0609ba81fc0605de5e1f4639

SHA512
7f96b22047fcc4522eac7e1415be9a27d6277ac0d8aa4f85d834a71867c2857cc21ab837bb4d238979624196b9940650944c9fe4bd5e73332759a83f8c421f41

Download Submit
C:\Users\Admin\Desktop\ConfirmEdit.zip.186-544-3C6

Filesize
533KB

MD5
d0b92c38354a312dfe834b44827941a6

SHA1
fd469dc61ded671964e99ef61d9af1404cc87b83

SHA256
52abbad3973511c6dc407d067c311dd1810b6c3e00494e59dc14a306df496115

SHA512
efe2024b6e7f3bf5ec618bdf8f7d542c94b9ff5e4babcc48b627a8298948f9db0e435ba1f053e630a582141b1559e091200686452c7c17571f491b230007174b

Download Submit
C:\Users\Admin\Desktop\ConfirmRevoke.wm.186-544-3C6

Filesize
324KB

MD5
a7ae3fcbf7d0187b3db77c9fe346508b

SHA1
538cb810b3bae9a22d08076acb0cb14ca076458e

SHA256
12722878ef2c04832b7124409d73ec3b748121bfd70f6fc45fb332a4a9ea5b12

SHA512
3af0af3c744c52ba56272275b6fe78cf4b510d1bec487574dc7c5d076c4c0c9885739f9e4c2af565065ded96d455407ec57ef82295f0520248e477ffc40d4057

Download Submit
C:\Users\Admin\Desktop\ConvertToDisconnect.avi.186-544-3C6

Filesize
498KB

MD5
4d652d84ce95d7f3d6e462c8a07f00d6

SHA1
7ba4fc18d37a7fb33f53d0fc86c74da46ef29438

SHA256
373e5d867e5715321615a1bf15e7fc394f32d3c51deb598860e7b4b578c4742e

SHA512
8a05212da7c29ec74f89ca58dfd4e4b41ab3f3e89d0f799e0662c10c737d3ff4a23638f3879d06f0cb35bdf02aaf262ab22b18e4cbcc279878702c6d61cbe636

Download Submit
C:\Users\Admin\Desktop\CopyMerge.mp3.186-544-3C6

Filesize
568KB

MD5
f6f452b2fdb17d630e404e426eb840dc

SHA1
4220469fa9bbab39400c144efcee055a422ad4a1

SHA256
61c8cbcd0749aabf77ecc8d39f048da445b2ecc0fcc585bb3a217d985213efab

SHA512
9e4cb91c9273361eb87f7ae05a8c11721b761e4df4465c4b1f920a69eb569786359a8a2094279597fad932fcec58970820bcb1e31f80c1638d8d1b16190b82c0

Download Submit
C:\Users\Admin\Desktop\DisconnectTest.js.186-544-3C6

Filesize
786KB

MD5
ae6ad4c3f233c86db2d086a18a19cb26

SHA1
3e60396fceea8325867aeb6563ca44c775380273

SHA256
b9d07349945173ca53c4a9a6748786454f031f4b0180bbe5d53895464dca697c

SHA512
f5c6b6afe609ee7bed92f05b90a93c163ad538dc3aaec9cb8a9c9a54d79e2195ba05f58af1aac1894d7332b030f40053f1da6e62d3de2ab6a3ba4baf92c2b54b

Download Submit
C:\Users\Admin\Desktop\EditUnblock.wps.186-544-3C6

Filesize
289KB

MD5
ff7f63d4d634bb67d61939d42a298eac

SHA1
413b0b5f2222197b68fb6f3bad24168c896de36b

SHA256
3d904e5401b88f01607af8e63ec66e1d1ddce4e2af1bc3ef77252a2c35cf7f31

SHA512
4bc131e2380c51589d4ae4339bc02003163e7910e895a65ee00c12d41b078925331f071f9b2942f35aeadb07805dfa1b29a585a66365a6fa08177f5a84c25b1f

Download Submit
C:\Users\Admin\Desktop\ExitUnregister.txt.186-544-3C6

Filesize
429KB

MD5
1f6a2e251e1cbc41eb4bcf0429df2840

SHA1
937eeefe1d32a0b9a92a5d71f4b33aa361051ca8

SHA256
34ca1bfa6332230dcb5144d08a65ec39e80091dc78f7ccd620cf91628e31a7e1

SHA512
5986b4cd9a1944497b1462f2f6e013ce12a091ee2f0c787cb9acca2e30b4503646026a305f97bf7ee9b9256230d595f197b551fd237c595cc533bf5d3f5b6568

Download Submit
C:\Users\Admin\Desktop\LockDebug.dotm.186-544-3C6

Filesize
551KB

MD5
09d7b97658cb9b7f0d0f50ff433d1e6e

SHA1
32ad24b3c3bf25e7edf201c8f1abc3c12fcefa02

SHA256
c0f7b597d3dfd65fc4d9f0bb92c61c1b7e40cab75376cac115064c429d754775

SHA512
9cdec39e26a729d8a0f6209a7e10df8b69eac916d864eb569087999dbc4b3d2be379416491e088de9e99bdf53eb4e4348482c00b973a430c9b655ea9c7e344fe

Download Submit
C:\Users\Admin\Desktop\MoveUse.js.186-544-3C6

Filesize
394KB

MD5
4719beb4d31900f971494a024e5fb1db

SHA1
ff67063d7a6997a42f366edf96667f52f3aafefb

SHA256
4f15606f455102e9224700c3644f4f0be6e6f7d2e9342ee705f5b64aaee289a2

SHA512
ab336622f44ff550fb1e92fcc822a59081c9903cbfff76f6e183206ba2b81bb3a96d306fa556d1eca4d53826fcd830145628db10cf055b2f764dfd57f9a62752

Download Submit
C:\Users\Admin\Desktop\NewGet.midi.186-544-3C6

Filesize
307KB

MD5
0138db15486dfc307615321a501474c9

SHA1
64daf20b9dbe5e41f039d8befef2b6dcc9925d60

SHA256
880b23387e58139e4e8bd446d329969c20f7fba2ff2d3c8deed52dea1e2e7114

SHA512
785423cfab940164a8782e016afc8af853f07b1dd46fec061567d676cb511abb403fdede0549c9f734a444d4754837a783c0ad54656f4e85e36edcc3ceefde3a

Download Submit
C:\Users\Admin\Desktop\OptimizeApprove.ps1.186-544-3C6

Filesize
237KB

MD5
caa51ed5dc3ef624c59629ccf26562e9

SHA1
94d57f9aeb94fe400b43b6594fcccd25d7d73170

SHA256
6b8dfe30f7944d13f7317af65fc91f9ed6ee23a4caa6bf566d06cf083ab65079

SHA512
5e6a15293d149e950eaee14739ba2585bb8c1b653b4aaffe980dc4b0459ef64bcd2e68df1fd1cd9dc779804f562248fef749f76c53c1f498d2586fcc25d7fccf

Download Submit
C:\Users\Admin\Desktop\RedoInitialize.mht.186-544-3C6

Filesize
254KB

MD5
e2315325faa0ecefdbdfc4fa8793675f

SHA1
11df77cc6b02a9eefe4bd7c503c4b6de8bab0a92

SHA256
ff485660c6577b838d39ab8c6f90b1d36279038d30e56f3101e9e0a1bf7aa29a

SHA512
4f987057e74a5085023a11db1afa6cf9abe7777d284c59af05ad4f79ab16a0711e3dbd4f60599e1b374f204626e92652a0788f6c5e23c52b051ad92a479a52a2

Download Submit
C:\Users\Admin\Desktop\RegisterJoin.jpe.186-544-3C6

Filesize
376KB

MD5
8bf233e0e3a9d0e24b823fe8a2cd89c9

SHA1
3556caefa09df58d1725d7bece1ee59bc6854fc7

SHA256
5d7adc5011e8a36232c1d5f2b0b8f125fa6edbb8e65112271cc88a3a45e57edc

SHA512
0d52092861f22105bee2e5f29db9b50bc9dd2a425706c6f6e3e5c3ca3cb6dfff91c1b5e9cd9a849ae014ed2c5c69666c807436f2e11447e6d9344b0d786c25ae

Download Submit
C:\Users\Admin\Desktop\RepairConnect.aifc.186-544-3C6

Filesize
220KB

MD5
4a34663d175a7361751d0f11c834dcdf

SHA1
6cb2ed5b59c5940b4525838f37be3a8047c80941

SHA256
db9853137a8880f320e4d6aa3b8200d47459a78ff224155e5e7c0dfb3d1fd047

SHA512
7359ae9a8299bfda1844e260750d2fe3b4a4383215b5e7acc6f78f09c99524acd76d1a3043d9ada480531812d81f9905e66628537d1980dfd57d9449add1fb4e

Download Submit
C:\Users\Admin\Desktop\RestoreRestart.php.186-544-3C6

Filesize
481KB

MD5
11a335b13e27bda525718b8ffdef3058

SHA1
b924de6d694c050f75d270577714e9f5af765222

SHA256
02a1b602b75bed33ebb2974a9d912ffd9d48d34003e4c6661a99f597392f875a

SHA512
950a64bdbe0dbf4f70d424d593f2ce1f052de113e15ad2bdc6449e800d5eed78153f64f0c7352025e6d69fa87ca067c3101edfecdb918a80928bdee924114510

Download Submit
C:\Users\Admin\Desktop\ResumeOpen.doc.186-544-3C6

Filesize
359KB

MD5
7d7f5c7355f428fe6331eb6ef9c4e033

SHA1
c8510df7416ea4a23e0aa0f4b7b470676ad8ad89

SHA256
3f81191d1dc0f740a8d4a4f781482d1cdde1c7252bccd246efddaf8572cfc282

SHA512
fd918d107274145aad2be1605fd096ec759b2087c23ea80f61fe06313f915c4f6a0412623826c44f6fb726a2fe77de798f2d1fb736b445b5c26d81df556e4ea7

Download Submit
C:\Users\Admin\Desktop\TestDebug.gif.186-544-3C6

Filesize
516KB

MD5
e54fc25152d368835308f0ed90b2f4e7

SHA1
dcdf8d56483edcc6b0a4b29802485e0dd1eeef77

SHA256
b3c347a765200a187e46d172ed532f5207ab27a484d20b7327941265729eb863

SHA512
585521fd52b492c2fb96915aa00294e4e170ce28e8db156d0919e6d57354817d94ccc7f63ac866da09b9d2922de534270c01bbfc8b65c1cfd07af54d3da1da37

Download Submit
C:\Users\Admin\Desktop\UpdateEnter.jpg.186-544-3C6

Filesize
202KB

MD5
97fe326553888cdb242f420e7426d3ef

SHA1
8b7be4496b28ea749acbd63585a8d3a2adb59bb2

SHA256
59513d9333926a74f43e981be72b853524a5cde8da18a9a4aba53fe7b3b25d2f

SHA512
ba23395d0f93ec21fd46f7ef271d6918b7e9689c4e83ac4c311bea6ab10dcb7dadbfbd3db081137b65c82a82b3bf192c575eb1d6ffef0b51f7dc1918e7e9fd7e

Download Submit
C:\Users\Admin\Desktop\WriteRegister.mpe.186-544-3C6

Filesize
446KB

MD5
c721653749c1dbebcb37bac12b9e0f14

SHA1
1b33b555a0dce8a2a78cdf03b24f2ebd24f41aba

SHA256
24cf822e5cf691fceb7a9896bca1f7f88900faddb55fb49bc7a5c1cbd05e68bd

SHA512
5df5b2854a54b45164a52692cc17b51cd7db6f425d4e272e05300065621479a76d83273bbb32ba7cc1b9669d2d49289b7041f01b26773567794c5b84573997c9

Download Submit
C:\a5f1eda8760fc790760b7e5a7f56\.zeppelin

Filesize
513B

MD5
ca780293975fe54e0ac9932e9df4ceb0

SHA1
6d09fead02517635390d47cdc209e23b4826577f

SHA256
67631134ad4592e9aca132a7aa7fd1c34d7d110c033515893de84383cba55de8

SHA512
527c86e7db2d1cd3a104321b56909eadcf75fb84c59d1128c31c2dcd81fa7deedfedd1e4bc0e37b39557881719cb58e4820180d7dd3fff6baa1f22d26e45fd58

Download Submit
C:\e3fdda64d5d3944e27f92d88\2010_x64.log.html

Filesize
88KB

MD5
1304f094e835a052e017142130e34b70

SHA1
4cc158895a0f2347b504d78407f3eeee53bd708b

SHA256
36069f14a3f84bab8e29d075b7e1b0a06e5e2c6c82e430c4314b58d9d265ae71

SHA512
af8779d7abedd2ac141f837f44e51ad543210ea98d688e48a1adfbc87ade0dbe11530c75f707c90801b9063f0fed1cc7792b212b25137ff42d89362c43a62b2a

Download Submit
memory/336-8-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/336-0-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/936-5-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3212-26020-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3212-14-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3212-22-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3212-27-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/5580-25995-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/5580-215-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/5580-5252-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/5580-9476-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/5580-19979-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/5580-14214-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/5580-25838-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/5680-30-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download