buran | 41d6fb7f590167acde5cb8d7f3c38fcdc0bcc4c33027b594003967b18e761101

Analysis

max time kernel
217s
max time network
129s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
Size

189KB
MD5

f1ebb4dbdfc6ec7a53bcefabdc7fb6de
SHA1

b76bc50249e7420ac0f4f64e83d1a58da2068eaa
SHA256

bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb
SHA512

8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788
SSDEEP

3072:t3blGV9hulKmhbfvjv69vF6nHynNPFW7Lifa81Hh7Gl8emNiq8q/f+2L:t3bq9UlKgPuEyNFWSb1Hg6l8q/ffL

Score

10^/10

buran ransomware

Malware Config

Extracted

Path

\??\Z:\WE CAN RECOVER YOUR DATA.txt

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: 1. Visit qtox.github.io 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8 and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Your personal ID: 2054B482 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Executes dropped EXE 1 IoCs

Processes:

bevjxskb.exe

pid	Process
620	bevjxskb.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

bevjxskb.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SubmitDisconnect.tiff	bevjxskb.exe
File opened for modification	C:\Users\Admin\Pictures\DisableLock.tiff	bevjxskb.exe

Loads dropped DLL 2 IoCs

Processes:

bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe

pid	Process
1340	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
1340	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

bevjxskb.exe

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini	bevjxskb.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bevjxskb.exe

description	ioc	Process
File opened (read-only)	\??\H:	bevjxskb.exe
File opened (read-only)	\??\X:	bevjxskb.exe
File opened (read-only)	\??\A:	bevjxskb.exe
File opened (read-only)	\??\T:	bevjxskb.exe
File opened (read-only)	\??\V:	bevjxskb.exe
File opened (read-only)	\??\E:	bevjxskb.exe
File opened (read-only)	\??\F:	bevjxskb.exe
File opened (read-only)	\??\G:	bevjxskb.exe
File opened (read-only)	\??\Q:	bevjxskb.exe
File opened (read-only)	\??\R:	bevjxskb.exe
File opened (read-only)	\??\S:	bevjxskb.exe
File opened (read-only)	\??\Y:	bevjxskb.exe
File opened (read-only)	\??\K:	bevjxskb.exe
File opened (read-only)	\??\L:	bevjxskb.exe
File opened (read-only)	\??\N:	bevjxskb.exe
File opened (read-only)	\??\W:	bevjxskb.exe
File opened (read-only)	\??\Z:	bevjxskb.exe
File opened (read-only)	\??\B:	bevjxskb.exe
File opened (read-only)	\??\I:	bevjxskb.exe
File opened (read-only)	\??\J:	bevjxskb.exe
File opened (read-only)	\??\M:	bevjxskb.exe
File opened (read-only)	\??\O:	bevjxskb.exe
File opened (read-only)	\??\P:	bevjxskb.exe
File opened (read-only)	\??\U:	bevjxskb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

Processes:

bevjxskb.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid_over.gif.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.XML.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00382_.WMF.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187895.WMF	bevjxskb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar	bevjxskb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\WE CAN RECOVER YOUR DATA.txt	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_K_COL.HXK	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd	bevjxskb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar.[2054B482].sonickwall	bevjxskb.exe
File created	C:\Program Files\Java\jre7\lib\fonts\WE CAN RECOVER YOUR DATA.txt	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200289.WMF	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR49F.GIF	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_K_COL.HXK	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\NOTICE	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185670.WMF.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Right.accdt	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00336_.WMF	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205582.WMF.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR1B.GIF.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01563_.WMF	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.[2054B482].sonickwall	bevjxskb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF	bevjxskb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar	bevjxskb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
1524	PING.EXE
1056	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

bevjxskb.exe

pid	Process
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe
620	bevjxskb.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bevjxskb.exevssvc.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	620	bevjxskb.exe
Token: SeBackupPrivilege	1728	vssvc.exe
Token: SeRestorePrivilege	1728	vssvc.exe
Token: SeAuditPrivilege	1728	vssvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exebevjxskb.execmd.execmd.exe

description	pid	Process	procid_target
PID 1340 wrote to memory of 620	1340	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe	27
PID 1340 wrote to memory of 620	1340	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe	27
PID 1340 wrote to memory of 620	1340	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe	27
PID 1340 wrote to memory of 620	1340	bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe	27
PID 620 wrote to memory of 1012	620	bevjxskb.exe	31
PID 620 wrote to memory of 1012	620	bevjxskb.exe	31
PID 620 wrote to memory of 1012	620	bevjxskb.exe	31
PID 620 wrote to memory of 1012	620	bevjxskb.exe	31
PID 1012 wrote to memory of 972	1012	cmd.exe	33
PID 1012 wrote to memory of 972	1012	cmd.exe	33
PID 1012 wrote to memory of 972	1012	cmd.exe	33
PID 1012 wrote to memory of 972	1012	cmd.exe	33
PID 620 wrote to memory of 1916	620	bevjxskb.exe	39
PID 620 wrote to memory of 1916	620	bevjxskb.exe	39
PID 620 wrote to memory of 1916	620	bevjxskb.exe	39
PID 620 wrote to memory of 1916	620	bevjxskb.exe	39
PID 1916 wrote to memory of 1524	1916	cmd.exe	41
PID 1916 wrote to memory of 1524	1916	cmd.exe	41
PID 1916 wrote to memory of 1524	1916	cmd.exe	41
PID 1916 wrote to memory of 1524	1916	cmd.exe	41
PID 1916 wrote to memory of 1056	1916	cmd.exe	42
PID 1916 wrote to memory of 1056	1916	cmd.exe	42
PID 1916 wrote to memory of 1056	1916	cmd.exe	42
PID 1916 wrote to memory of 1056	1916	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
"C:\Users\Admin\AppData\Local\Temp\bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340
- C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\bevjxskb.exe
  "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\bevjxskb.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C CSCRIPT.EXE //E:JScript "C:\Users\Admin\AppData\Local\Temp\PRNALLRP.SYS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\cscript.exe
      CSCRIPT.EXE //E:JScript "C:\Users\Admin\AppData\Local\Temp\PRNALLRP.SYS"
      4⤵
      PID:972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c for /l %i in (1,1,1000) do (ping -n 2 localhost & del "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\bevjxskb.exe" & if not exist "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\bevjxskb.exe" exit)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 localhost
      4⤵
      Runs ping.exe
      PID:1524
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 localhost
      4⤵
      Runs ping.exe
      PID:1056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\bevjxskb.exe

Filesize
189KB

MD5
f1ebb4dbdfc6ec7a53bcefabdc7fb6de

SHA1
b76bc50249e7420ac0f4f64e83d1a58da2068eaa

SHA256
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb

SHA512
8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788

Download Submit
C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\bevjxskb.exe

Filesize
189KB

MD5
f1ebb4dbdfc6ec7a53bcefabdc7fb6de

SHA1
b76bc50249e7420ac0f4f64e83d1a58da2068eaa

SHA256
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb

SHA512
8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRNALLRP.SYS

Filesize
175B

MD5
98a1a4dbdf75466df301906093847417

SHA1
3e8c7656887496694512e118795f4d28894d8f6e

SHA256
7f8367fc0177355741b1def74b2f1d81d99571f674a014896478815c9fb4d3bd

SHA512
d61cd7cbc63e28189a800efa46f82c5f4a1e513dc945b65e57d4a79308c04ab86945dd48249190456caa582891377e4e75ba678d4b28c28d4d0656d87d31519b

Download Submit
\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\bevjxskb.exe

Filesize
189KB

MD5
f1ebb4dbdfc6ec7a53bcefabdc7fb6de

SHA1
b76bc50249e7420ac0f4f64e83d1a58da2068eaa

SHA256
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb

SHA512
8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788

Download Submit
\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\bevjxskb.exe

Filesize
189KB

MD5
f1ebb4dbdfc6ec7a53bcefabdc7fb6de

SHA1
b76bc50249e7420ac0f4f64e83d1a58da2068eaa

SHA256
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb

SHA512
8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788

Download Submit
memory/620-57-0x0000000000000000-mapping.dmp

Download
memory/972-61-0x0000000000000000-mapping.dmp

Download
memory/1012-60-0x0000000000000000-mapping.dmp

Download
memory/1056-67-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1524-65-0x0000000000000000-mapping.dmp

Download
memory/1916-64-0x0000000000000000-mapping.dmp

Download