17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
300s
max time network
286s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dircrypt.deobf.exe
Size

321KB
MD5

d224637a6b6e3001753d9922e749d00d
SHA1

bacb2313289e00a1933b7984dd1cbef01c8019ee
SHA256

9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263
SHA512

08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0
SSDEEP

6144:rHpp6ZEmJSr/49JSpIGOGsX5HWY7ydvxHlcaAy0iWYOcG4BDhnxD28ixv7uDphY+:zuYQJUaGsX7/Qwgylf

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

dircrypt.deobf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,,C:\\Program Files (x86)\\MSBuild\\RAucFYDn.exe"	dircrypt.deobf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\MSBuild\\RAucFYDn.exe"	dircrypt.deobf.exe

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

bSZnuDjX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	bSZnuDjX.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

bSZnuDjX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	bSZnuDjX.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

bSZnuDjX.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bSZnuDjX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bSZnuDjX.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bSZnuDjX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bSZnuDjX.exe

Disables Task Manager via registry modification
evasion

Drops startup file 4 IoCs

Processes:

dircrypt.deobf.exebSZnuDjX.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FHmqlevl.exe	dircrypt.deobf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FHmqlevl.exe	bSZnuDjX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FHmqlevl.exe	bSZnuDjX.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FHmqlevl.exe	dircrypt.deobf.exe

Executes dropped EXE 2 IoCs

Processes:

bSZnuDjX.exeDirtyDecrypt.exe

pid process

2060 bSZnuDjX.exe
3068 DirtyDecrypt.exe
Loads dropped DLL 4 IoCs

Processes:

dircrypt.deobf.exebSZnuDjX.exe

pid process

540 dircrypt.deobf.exe
540 dircrypt.deobf.exe
2060 bSZnuDjX.exe
2060 bSZnuDjX.exe

pid	process
540	dircrypt.deobf.exe
540	dircrypt.deobf.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bSZnuDjX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bSZnuDjX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bSZnuDjX.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dircrypt.deobf.exebSZnuDjX.exeDirtyDecrypt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\NrjwTJTT = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OSSbQHGL.exe"	dircrypt.deobf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\NrjwTJTT = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OSSbQHGL.exe"	bSZnuDjX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide"	DirtyDecrypt.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

bSZnuDjX.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bSZnuDjX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bSZnuDjX.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral10/memory/2060-30-0x00000000020E0000-0x00000000020F4000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe	upx
behavioral10/memory/3068-191-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

Processes:

dircrypt.deobf.exebSZnuDjX.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\RAucFYDn.exe	dircrypt.deobf.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RAucFYDn.exe	dircrypt.deobf.exe
File created	C:\Program Files (x86)\Dirty\DirtyDecrypt.exe	bSZnuDjX.exe
File opened for modification	C:\Program Files (x86)\Dirty\DirtyDecrypt.exe	bSZnuDjX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dircrypt.deobf.exebSZnuDjX.exeDirtyDecrypt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dircrypt.deobf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bSZnuDjX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DirtyDecrypt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bSZnuDjX.exe

pid	process
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe
2060	bSZnuDjX.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

dircrypt.deobf.exebSZnuDjX.exeDirtyDecrypt.exe

description	pid	process
Token: SeSecurityPrivilege	540	dircrypt.deobf.exe
Token: SeDebugPrivilege	540	dircrypt.deobf.exe
Token: SeTcbPrivilege	540	dircrypt.deobf.exe
Token: SeSecurityPrivilege	2060	bSZnuDjX.exe
Token: SeDebugPrivilege	2060	bSZnuDjX.exe
Token: SeTcbPrivilege	2060	bSZnuDjX.exe
Token: SeSecurityPrivilege	3068	DirtyDecrypt.exe
Token: SeDebugPrivilege	3068	DirtyDecrypt.exe
Token: SeTcbPrivilege	3068	DirtyDecrypt.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dircrypt.deobf.exebSZnuDjX.exe

description	pid	process	target process
PID 540 wrote to memory of 2060	540	dircrypt.deobf.exe	bSZnuDjX.exe
PID 540 wrote to memory of 2060	540	dircrypt.deobf.exe	bSZnuDjX.exe
PID 540 wrote to memory of 2060	540	dircrypt.deobf.exe	bSZnuDjX.exe
PID 540 wrote to memory of 2060	540	dircrypt.deobf.exe	bSZnuDjX.exe
PID 2060 wrote to memory of 3068	2060	bSZnuDjX.exe	DirtyDecrypt.exe
PID 2060 wrote to memory of 3068	2060	bSZnuDjX.exe	DirtyDecrypt.exe
PID 2060 wrote to memory of 3068	2060	bSZnuDjX.exe	DirtyDecrypt.exe
PID 2060 wrote to memory of 3068	2060	bSZnuDjX.exe	DirtyDecrypt.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

bSZnuDjX.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bSZnuDjX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bSZnuDjX.exe

C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe
"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\bSZnuDjX.exe
  "C:\Users\Admin\AppData\Local\Temp\bSZnuDjX.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - UAC bypass
  - Windows security bypass
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2060
- - C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
    "C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bSZnuDjX.exe

Filesize
321KB

MD5
d224637a6b6e3001753d9922e749d00d

SHA1
bacb2313289e00a1933b7984dd1cbef01c8019ee

SHA256
9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263

SHA512
08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

Download Submit
C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe

Filesize
24KB

MD5
1d27a7210f54a047264f23c7506e9506

SHA1
4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527

SHA256
431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9

SHA512
077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700

Download Submit
C:\Users\Admin\Desktop\ApproveExport.jpeg

Filesize
290KB

MD5
6c495c1017d0c1eb3879ac4dc37fd6da

SHA1
f65ec861a7b68c5494350ba664e55df11af5531b

SHA256
4e3adbfb4d12e7aa7cfa52b339dd76a299b4dc8dfe186972840aad498486b4bd

SHA512
535d9bac63d8ec21cded7f6041652f7fcc858eb5807308e34e71b350f8bfb6a5e69ea5481691bdc8ca4bcc758222216924c24d1c0c68319356d805235af0df60

Download Submit
C:\Users\Admin\Desktop\BackupSet.docx

Filesize
30KB

MD5
aab72581a50cfbe138cf8bb1ac82bbc5

SHA1
61ca70a3f6de9f126c507c84203d905b419f314b

SHA256
5f509b223ebb06ab91dae4f1a5b66dc6cf9c0011f14128431d2c8951de0aa0ba

SHA512
75db8202d76c5ce4d8aac4f76d6f57ea05a50f47853c6fc0c0eeb4ed46f2d5630d3413e250839d724ad1fad225f95a54f57c1ee25127355de8627b0cbb6e86bf

Download Submit
C:\Users\Admin\Desktop\EditRemove.xlsx

Filesize
21KB

MD5
889053644a2d54afe06e9e6b9bc0d8aa

SHA1
42fc407920d3bc35823cb15c2508140ac5fa3dd2

SHA256
2e1b96b9d74804881538bcbfd01c3840b6a3544adfd32ccb3223be890790e917

SHA512
938945ce806e871b9b15ba95f0e97d1e7ab1c897d812ccfec0be334ce660704c82f7a594e1400cbdd90ee0e0c6b5c2923e8af969893053b40e2f5d3d76d9f9fc

Download Submit
C:\Users\Admin\Desktop\HideTest.doc

Filesize
449KB

MD5
8c07eb556579f1324eab5a8446c4cdaa

SHA1
e98c5bc4c61a7794fa9323c9a51f82ed397fd3eb

SHA256
11745704f1ae744380e97703c7008d98348eab49758c01c1d4e986cb80e37e9a

SHA512
fe563b3e9a329b31af55473760c8259a9122553d90c0692492326a3ca07cb47a6590a7c5ae9e5425eece9b8eec57774c17f54a316c77b49f332e0175c6c347e7

Download Submit
C:\Users\Admin\Desktop\ResolveRestart.rtf

Filesize
686KB

MD5
b17fbe9a8d4318a0d18d0994c84354ad

SHA1
8d858ecb9753b02facd2ed031e76689874101ea3

SHA256
0e22485d3dc5c95891ee3a2e8ce975551f3c7149ddf2210c3a168dec48edea9d

SHA512
fa559299ed0a8abab56ec51670b8b8e961731c0c833e4d5fa55d19ab42d3165e464103b27a9088821f0c3893cf7caabd9028fdd82381ee8a31939f5c020770da

Download Submit
C:\Users\Admin\Documents\FormatRestart.doc

Filesize
318KB

MD5
ab56032667109d5671f470424566fea6

SHA1
7440cdb331e114c78108bffcb38de415092edc63

SHA256
84025723e4ad0d03206e58787ef518bf1e7d239d2884240dea7db05056f8a5b2

SHA512
bb3ec828d81007272d4ffbf903ac83940beb88b7038552619aa54f65131afeb91c51feb4c9c71d45881ff0c29345619074c4f8f22291832988ee39eca7927e2a

Download Submit
C:\Users\Admin\Documents\RemoveConfirm.docm

Filesize
802KB

MD5
36c42541a94cbbb811eb42ca4ff785da

SHA1
69c8389abf27434cd594c745cac9ccda94b6fe58

SHA256
f7290f92383522c147d0dd46ca2946f106eca00114fb03739d838f761e7506fe

SHA512
17476e0db1e1140b651a3949255f34ce8d28265c849aef8ec03a75158291293d5b6813d7baca210216cac279dc1131dec8de311a3edab4143c366de093b67192

Download Submit
C:\Users\Admin\Documents\WaitRepair.xls

Filesize
688KB

MD5
13f7446f485912cdf212ec9e6902db90

SHA1
79a4daac30ef8024c4bb1684cb10fdbcdc18d379

SHA256
b1584ed7a6f95a7a84232e786aeacca11e20d12174e69053e3dc8acb8bd0d80b

SHA512
bf683213000c5a4b2ce0451390c9e9ffadaea8f1a6fca3f843a1c265bb5c420d50ce4b09c337b62d617a02da3779420b3e542052d103eb1f54a9b654afb41c96

Download Submit
C:\Users\Admin\Music\UnprotectUnlock.xlsm

Filesize
998KB

MD5
e33fbc06b9c00c4066f8df39b07eb137

SHA1
140a0529550ae34dcd493869c2e8eb35de216454

SHA256
5043786fb6a9ca467388df4cd36ec7dd8ffd4a3d53c1d479bcd17b85e4a55a9f

SHA512
06c205eb2ae90202ee50e1b9064be8ef312dbc2b619e0f3fe301bb1d69dec763c08135ba097bc362e2bafdcacdb38f8599f728d65a812ecdc41b9b9f64ca03c7

Download Submit
memory/2060-30-0x00000000020E0000-0x00000000020F4000-memory.dmp

Filesize
80KB

Download
memory/2060-31-0x00000000020E0000-0x00000000020F4000-memory.dmp

Filesize
80KB

Download
memory/2060-148-0x00000000020E0000-0x00000000020F4000-memory.dmp

Filesize
80KB

Download
memory/2060-199-0x00000000020E0000-0x00000000020F4000-memory.dmp

Filesize
80KB

Download
memory/3068-191-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download