Overview

overview

10

Static

static

42ea94ee3a...26.exe

windows7_x64

10

42ea94ee3a...26.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    23-12-2020 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42ea94ee3adca8b82fba15ecdde25f26.exe

  • Size

    214KB

  • MD5

    42ea94ee3adca8b82fba15ecdde25f26

  • SHA1

    ca17412cd44d186db91c4b2fa7df03363533ffd2

  • SHA256

    332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

  • SHA512

    cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: uspex1@cock.li Reserved email: uspex2@cock.li telegram:uspex12345 Your personal ID: 97C-605-5F5 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

uspex1@cock.li

uspex2@cock.li

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 15046 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 86 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42ea94ee3adca8b82fba15ecdde25f26.exe
    "C:\Users\Admin\AppData\Local\Temp\42ea94ee3adca8b82fba15ecdde25f26.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1060
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
          PID:640
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
            PID:1572
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
            3⤵
              PID:1700
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:460
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1188
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1628
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:548
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1088
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
              3⤵
              • Executes dropped EXE
              • Modifies extensions of user files
              • Drops file in Program Files directory
              PID:812
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              3⤵
                PID:1740
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              2⤵
              • Deletes itself
              PID:1460
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:316

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          2
          T1112

          Install Root Certificate

          1
          T1130

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
            MD5

            4e19bf0c03ce3953fdb5be54e6a22f35

            SHA1

            385b3bebf4d6df49a2d99ee9486921bb6bebfed8

            SHA256

            f4f869d5f04bba7bfed5ce6a0f32037621f46ef35afcb8cf6a9bb2a9c181edfe

            SHA512

            23bb6feb476ec5ef55fe7b1544fc9cf2bda0c14798070897f90a0a6df062dbe57109de99caac0e32c0586b41de51b11170484abfd0e297372cd392858e3426a8

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
            MD5

            75b88d0202e859a52bf202eafebbe0c4

            SHA1

            24a1603ccba645ded249983df14897803b538fb6

            SHA256

            835effde837d6182dd65867cb76119b6418ffa6868ab235dbbdc028ddb32ca20

            SHA512

            a37db7e053e819850b013862ce105e74a078081dd99bfe672406c9c3cba68f8e2e8cf7edea98402785e1751ddc0b21f5842b7be2873e8664bfd416cb20bee1f9

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
            MD5

            71938f18af4460ae7dfc95eaa7f86c41

            SHA1

            3c728520871d891f4ed95ae676fb4ef7d2202f45

            SHA256

            577745264b01a9e92767ed05946bf7825077e8303874f32893c09443c66cde65

            SHA512

            679f66ace333ec45c4541a226e482059f3fed3dcbd6b005c77fc8458f2c241294a95d6e3a6972e84978ce291eacec23c22f5e5295b5155b874cf5fcb53c8474c

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
            MD5

            3fc2d2222f4b1fbaa147af7fe0a2d257

            SHA1

            8b2d1ac402716cd3117f0cbc1f77bec71c908037

            SHA256

            1ef4aa55b1053d27658cc9af38c180b14b253ff98b9990598e15e50dcb8d1b5b

            SHA512

            e3ceef88cdf9ea2c15c589004249f83f94b77cd11e6f969836402a70e7f50cf385a38d547ca172b00b5ae8fe1112761f3762d44ad27a4809b3991836f90d6c02

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
            MD5

            306f0acdaeda4b6fa4ee7e0ff14c9c66

            SHA1

            b136a05887f4bbde922e33456e429433ace7b9e9

            SHA256

            24b12ee7970420913cedd14ca91348b712cbed29f2262948e8373b6304ed81e7

            SHA512

            f6345c0cc21d11e082f867b519105999c98f9ae12b68a910380bffb4b9e49230f22bb28b27aef1653b900146684fe4dbba4b00cf27da66dc5d1baf52f77bbde1

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            MD5

            e1bfe6682d4cf02a279a877dac241e8d

            SHA1

            1ca4b55964a91e4ce1c541a806cd47543c0627c3

            SHA256

            09cbbaeb2f05f5b0b75a962f26cee4a32d43fab5c584edb3e15ad510c89d5c6d

            SHA512

            aadf153575bfcc56968907ffce7b6afa420ca19a68ac35344ed60450763c9786b9217ad9ef11e333c11b0717e31daea62626070c8a573cf4316f4bb38f5db361

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
            MD5

            3197ac0aa1ca7c0ce3be5c3d1dfadfbd

            SHA1

            3bccda379551b7b6ae12fd96746c8e97369a2e39

            SHA256

            94dc3cde36785ce21cc717a03b8667cd707e47423878748f15c3c8ebac4f3af7

            SHA512

            efb9d323c0839a798b851ab51f1f369ca9b4f77984db43cc6277e66f2cc83a52f4d0c0b4e8a429fb3dd531d36046d9ff5c4701f929a62eafeda2417c157e4322

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\VHQQT43W.htm
            MD5

            8615e70875c2cc0b9db16027b9adf11d

            SHA1

            4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

            SHA256

            da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

            SHA512

            cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\JGHAK302.htm
            MD5

            b1cd7c031debba3a5c77b39b6791c1a7

            SHA1

            e5d91e14e9c685b06f00e550d9e189deb2075f76

            SHA256

            57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

            SHA512

            d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            MD5

            ef572e2c7b1bbd57654b36e8dcfdc37a

            SHA1

            b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

            SHA256

            e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

            SHA512

            b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            42ea94ee3adca8b82fba15ecdde25f26

            SHA1

            ca17412cd44d186db91c4b2fa7df03363533ffd2

            SHA256

            332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

            SHA512

            cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            42ea94ee3adca8b82fba15ecdde25f26

            SHA1

            ca17412cd44d186db91c4b2fa7df03363533ffd2

            SHA256

            332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

            SHA512

            cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            42ea94ee3adca8b82fba15ecdde25f26

            SHA1

            ca17412cd44d186db91c4b2fa7df03363533ffd2

            SHA256

            332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

            SHA512

            cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

            Download Submit
          • C:\Users\Admin\Desktop\CloseStart.ttc.97C-605-5F5
            MD5

            9e2e4068d7389a0cd468e7e4c852389c

            SHA1

            723f6e967be27453df93a0d056793fc687acfb7d

            SHA256

            07e19573fcd0942a0acb040ae8601bb4399685a36678ca836618ab9a424b5ccb

            SHA512

            535cb3e78cd567f39a26757faa015dfdc7767f3858cf64f16ad1a4b16c06295542ea3a4e60238e10b12774b89e985e3507e5a1567f28b72a9fb361ba4ef44bd8

            Download Submit
          • C:\Users\Admin\Desktop\CompareFind.docx.97C-605-5F5
            MD5

            fe4604da29e769e78f48cc1e5eeca10f

            SHA1

            c2e878cc8e15c9567ab5dba59f99d0435d3b0a6e

            SHA256

            a6742d31628fa3e5aba348da91bf02d7667a4142d23193617a8257d92bd51ec3

            SHA512

            b8695cb309c7d68f777a0a32030ee672118e3d9fe39214edf38ecf58ecf73137b70f9be2125882d1e8d146ea7f54a45b2e3a3f4ea6d2df798974ee928a6057ae

            Download Submit
          • C:\Users\Admin\Desktop\CompleteStep.ico.97C-605-5F5
            MD5

            6b94f23b1ceb9f5fdf97096cd2fcefdc

            SHA1

            6669460c1d020290a8ad4fbca102bbddcfd5dbdb

            SHA256

            1d776ebd125b0fc7f43df2e29788204ee9a3897e1ac029364a37f4eafc3017aa

            SHA512

            76d8997cc47ab4a5351000664ed982c63eb78e1955cb7b67fae7ea63044d544fa8f70870979055695cee00fe5896f9fee76f751a4ffd2c9e9f9b72bca131f183

            Download Submit
          • C:\Users\Admin\Desktop\ConvertToGrant.vsw.97C-605-5F5
            MD5

            e2eafaff57ca6b94594915fc3bf4a991

            SHA1

            ae3ed0257c51f9b977d84119f6892488e2be3608

            SHA256

            a4a5032775f0e6cf2319b4249ac85ccea17e9741fcd7efab438a944d366f3650

            SHA512

            49d21a2cf3283eb3595b4db30d066dec65bba7d0ad462082b3cf6a61554628e0e024e395d03d044099620f81ccbfa2aeec7c9cd29c130a8aa14aabe66d409a48

            Download Submit
          • C:\Users\Admin\Desktop\ConvertUninstall.eprtx.97C-605-5F5
            MD5

            3a828daff9b6bbcc017f3420eeaab645

            SHA1

            c460ef1a11ee799ebf968146296d8f09efbb0bcb

            SHA256

            0bbe16c686dc702dc27e0f40de6c87b7be66ec27d19d1bc93754452b1203f51d

            SHA512

            e4e437c7b2b3deb9ce11a1f8d3f249dcaf1794ec57ec690a00517f9280dadf3d05a7066f84c87dd203ac1dbfebfa1c749dc0fc443055d42e852931a39e99be7f

            Download Submit
          • C:\Users\Admin\Desktop\DisconnectPop.xltx.97C-605-5F5
            MD5

            c35fe65aa97ee58ab3d9ac5deac74e2d

            SHA1

            58c91724bf9e6c9544710f2c2d070f3ccdcbfb2d

            SHA256

            4e70106524322a534815f5b224d29ef4ba979d51af345a502729bf4bbeee67fc

            SHA512

            a6815bc08fac5d6fcbdb1a027814b9a9ab5cba3c0b302c4762b6b3b514633cda7a1395fc12ea3739fdc98bb28018cd6e6da559efc7d8af130fe49ecebf3c6320

            Download Submit
          • C:\Users\Admin\Desktop\EditSave.cab.97C-605-5F5
            MD5

            a9479acca4cc7ceb1f5be254481cc8ad

            SHA1

            aecaa718fdae24e8ed2a05fc7d3ee7ce9f651856

            SHA256

            c346aaf5be5456ba442ad9be797ff203def5eba83e514cb1db47987ba11ec419

            SHA512

            20f7f3ee7bc5636395df2e73daf258324bdcb39413acb7be29f5d4c7bdb9d5749c7b20eb070c2a8a3a77a22d0e848b91f4c32a69497320328cfdde333267017d

            Download Submit
          • C:\Users\Admin\Desktop\EnableAdd.zip.97C-605-5F5
            MD5

            2f996b23a85afdc04580751f2e6c55a6

            SHA1

            a8968b1025e23e0f445e95e276be141d5b814857

            SHA256

            04ecebc818305fd1b348a042cd5e5762996b9026f955e7c485fa8352e0b7cd0e

            SHA512

            56e2b613781d54c86a7447db58a6196005faa841fc3b1f8a1ea5398f74dace40d1b20b4f5fd3864c533c59fc3054577e31c1698e719abc62bb06576c2a0a7ce9

            Download Submit
          • C:\Users\Admin\Desktop\ExitResolve.au.97C-605-5F5
            MD5

            244312be245764776b443c9430c22740

            SHA1

            7746affcb61ca9edcfc86fa05bb9c19bd08ff22b

            SHA256

            21cc1d1f8909a9e4c21f4e8aec53efcf222a018c4a695ce22b96d159ad569315

            SHA512

            e1777f6b9b6b891dfe812a268ac5ae5a0690d7cd16b7f52a0296e4a64c3439397ce5414e360fc66504875ba4858fca63f6dcd37f89ca6ce33ddd24fb0880cca6

            Download Submit
          • C:\Users\Admin\Desktop\HideCheckpoint.svgz.97C-605-5F5
            MD5

            b367369a3e690bee86f80e1abf7b36fc

            SHA1

            c630a2bd4e730945e3455d76e88db2411ce91cc1

            SHA256

            20fbcdb730a5d5ab371a37823c8b526fa82e08aec094b4f302eb0ba29959e4f6

            SHA512

            41c797358f7263a8c2f028eb044cdd4506d7ac4f49946e7c3276ba42815067ab370e53ca0b7bf9ee60c13285eba2b9e9e93437ceb8162ad7c927d64a33e9f3b6

            Download Submit
          • C:\Users\Admin\Desktop\ImportCompare.wvx.97C-605-5F5
            MD5

            17dcb1057d9967eab41758049c15a121

            SHA1

            9506fed1b35ce38f1c1de1d0b47f6372956c47ff

            SHA256

            0ad50f080a7e86b84ff5f33bcf67b4465a46c51951c223c5aab70e26e43a2893

            SHA512

            802f27de5b98149f89535c487a39c12f190b4abd4968ee5e457c46cd41d459d2f0c79ce9144d092d3540031862d06b0f8618a980e4014f78971d8703b116547d

            Download Submit
          • C:\Users\Admin\Desktop\LockFind.php.97C-605-5F5
            MD5

            1349fac4f130dfbea31ec0a34a3f4779

            SHA1

            7ec85e4dae84bf943c2fe0cd5c73c3b22eb5f70b

            SHA256

            6da75a594d2840ab7df2a697f47b6f97bc13d1af882481966213a6cc857a27b3

            SHA512

            4bebf76c4e3ae363b8e4a24eee9856f59de0e2c3965fda46643d54cbbb493440cf8e4b1bc87385009f44a9e0ad79669c12b8397ad4815989c17a5fb3cbdbf8a4

            Download Submit
          • C:\Users\Admin\Desktop\MergeStop.ex_.97C-605-5F5
            MD5

            3314c5997f009c46af2871db985ca92b

            SHA1

            e384a44b84b68d5e87d80700c33b334df52ab6f7

            SHA256

            368460b0fe9131193de7c2667c00d5cd073e7840812e71b880f82f21f9d3f467

            SHA512

            05a97409533188810742de833522fd6d9a3cce8978d8640091c7a18ed1b02a862bb2528dfbcaa6a1bb9d8defc4fab58d60d6a09206e3c66965d84d7a1e213c75

            Download Submit
          • C:\Users\Admin\Desktop\RegisterExpand.DVR.97C-605-5F5
            MD5

            284c402213fb17de929d94aed95524d4

            SHA1

            c7945cd4c71b278d3c09fcb393df272a46c15bb1

            SHA256

            ba97c6455027438e9db21dee55ba0b2237eaadf1605e9b4eea53c095e9b7af3a

            SHA512

            2befe7779d348f808582843d0d92066a295e74aeeb52ddc859cd3c00fb783987220a80b45ceb2a46a5dce22c030e01563dc335a8074c5634b54a000b668a76cd

            Download Submit
          • C:\Users\Admin\Desktop\RestartRedo.m3u.97C-605-5F5
            MD5

            00633c1bad568954ba51f7091d313ebc

            SHA1

            3e5a418a2442d2b675345b10c73602fb0679a1cf

            SHA256

            5dcda620b9ece67bf435ad5c7792b8259f66c55fc63a708c32217dbe8c488bff

            SHA512

            9a33b181162be92bdaaab9e50b6111314f0de325680b2c0a877855866d8849efca67f137ce476a06965cc0c81ad9de415a55b79c9c078f952bc090d5f8108f04

            Download Submit
          • C:\Users\Admin\Desktop\RestoreStep.jfif.97C-605-5F5
            MD5

            ff7f1f7980ad6e7ce076c60da1b626db

            SHA1

            7d508a258eff7618e335e24b6a63d0dc6a97ba24

            SHA256

            f8f54b2f0eac603ca97eb381643b5e2cf849075126cf9f14bd450bdcb24a38bc

            SHA512

            a6d330f304460786a2754235e75507444aa8d21407a0e3da862cf523de5c3948c7e7ab4f0da0833166e6f2ab99344e8bedd3108e79bd61fde7a10ae9a106e0ba

            Download Submit
          • C:\Users\Admin\Desktop\SendRedo.vb.97C-605-5F5
            MD5

            4406764d0e6ef883eb532e82c4168577

            SHA1

            3773136bc858d4204e9eca605248b8d7e04d4c26

            SHA256

            7b117aaf894160f41d522859e0eeaa6d67383726bcfac7d1141072e4b5fce108

            SHA512

            34c5f22a361706da1d8486a5038e525eb0da976a7ac8fdf44fcfe3ae312d7e4f1b4221b644b073e9339e70d03b61e58b40be679290e7d6c82e68bdc8c3d1fb9f

            Download Submit
          • C:\Users\Admin\Desktop\ShowSave.tif.97C-605-5F5
            MD5

            e7ed2b846530b80a5c4070a97cbdd9d3

            SHA1

            5ef8d2d7cfabfe04123242a290cd89bf8a4808fd

            SHA256

            0657077ef4564a3d65a0eac9c8be85a4f135c93789f6af6294684250b77f0021

            SHA512

            6354552a23b8101e0e788942a091c024e39e7cb56a2f831a7fb1741d5837029f624bbd9f6ee81d97c564a110615d10b6e7aebc7f75355d353928c9e43a76b7db

            Download Submit
          • C:\Users\Admin\Desktop\SuspendProtect.TS.97C-605-5F5
            MD5

            6f22bc182fc3e838c2bceb1f71d749ab

            SHA1

            2ae6d7b48a437f464a01b6df52bfc6742a3c90ba

            SHA256

            47beea45fc5f3c9aa4e0b4e6f6ddafe3785a35a6d3481ff28ec3116c1e1b8ab0

            SHA512

            5dfaee0a58dd2bbdce6324a5768149a55c02769d9ecaa6b18837fd3b7b6c20e73ef252bc18940a5bd8f6ef4fd42e2753b2fca4d4d18090483b2042bd66af0ca0

            Download Submit
          • C:\Users\Admin\Desktop\UndoDisable.easmx.97C-605-5F5
            MD5

            b2f14907c252fa4dc0cb0bbfda21866a

            SHA1

            ff0af2d936a4d712d0184bf17b3379bbda5eaaf3

            SHA256

            4e73138f71773ec62a0c4451cd87078bc8ef576572df05d7726dac5976f1be5c

            SHA512

            1e03d887c00bc1da006b6ccbb53d53cb326b03e7cc7efa2e9edafcc0b73b42ddde010e9376b1f48a1430c3b33382f5feaa72da942b36ddf4ea81aef9771a4dba

            Download Submit
          • C:\Users\Admin\Desktop\UninstallUse.rtf.97C-605-5F5
            MD5

            76f58a85c0813413db3d23362b85ff25

            SHA1

            3d825ca76b73edae2e5631f6aee3dc6056e82c1d

            SHA256

            80322ba8defd33df1d5aa9963ca3e3f4efb9fc396c64636f35bbb0fcebbf1acd

            SHA512

            8f13e98007a1ce8aa7cc3a02969a9ffc03205a6ef02593947fc9cb14c34ac26923025a233409f16c39e5957fc5047ac201082468349346e9310d1ab6d5882741

            Download Submit
          • \Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            42ea94ee3adca8b82fba15ecdde25f26

            SHA1

            ca17412cd44d186db91c4b2fa7df03363533ffd2

            SHA256

            332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

            SHA512

            cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

            Download Submit
          • \Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            MD5

            42ea94ee3adca8b82fba15ecdde25f26

            SHA1

            ca17412cd44d186db91c4b2fa7df03363533ffd2

            SHA256

            332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

            SHA512

            cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

            Download Submit
          • memory/460-22-0x0000000000000000-mapping.dmp
            Download
          • memory/548-30-0x0000000000000000-mapping.dmp
            Download
          • memory/576-5-0x0000000000000000-mapping.dmp
            Download
          • memory/640-19-0x0000000000000000-mapping.dmp
            Download
          • memory/672-2-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp
            Filesize

            2.5MB

            Download
          • memory/812-25-0x0000000000000000-mapping.dmp
            Download
          • memory/1060-27-0x0000000000000000-mapping.dmp
            Download
          • memory/1088-31-0x0000000000000000-mapping.dmp
            Download
          • memory/1188-28-0x0000000000000000-mapping.dmp
            Download
          • memory/1460-8-0x0000000000000000-mapping.dmp
            Download
          • memory/1460-7-0x00000000000A0000-0x00000000000A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1572-20-0x0000000000000000-mapping.dmp
            Download
          • memory/1628-23-0x0000000000000000-mapping.dmp
            Download
          • memory/1700-21-0x0000000000000000-mapping.dmp
            Download
          • memory/1816-18-0x0000000000000000-mapping.dmp
            Download