Date post: | 11-Mar-2023 |
Category: |
Documents |
Upload: | khangminh22 |
View: | 0 times |
Download: | 0 times |
ID: 450141Sample Name:vnMQDhyZya.binCookbook: default.jbsTime: 00:31:14Date: 17/07/2021Version: 33.0.0 White Diamond
233333333356666666677888899999999
1010101010101010101111111111111212121212
121212121212131313
1313
Table of Contents
Table of ContentsWindows Analysis Report vnMQDhyZya.bin
OverviewGeneral InformationDetectionSignaturesClassification
Process TreeMalware Configuration
Threatname: CryLockYara Overview
Dropped FilesMemory Dumps
Sigma OverviewJbx Signature Overview
AV Detection:Spam, unwanted Advertisements and Ransom Demands:Hooking and other Techniques for Hiding and Protection:Malware Analysis System Evasion:
Mitre Att&ck MatrixBehavior GraphScreenshots
ThumbnailsAntivirus, Machine Learning and Genetic Malware Detection
Initial SampleDropped FilesUnpacked PE FilesDomainsURLs
Domains and IPsContacted DomainsContacted IPs
General InformationSimulations
Behavior and APIsJoe Sandbox View / Context
IPsDomainsASNJA3 FingerprintsDropped Files
Created / dropped FilesStatic File Info
GeneralFile IconStatic PE Info
GeneralEntrypoint PreviewData DirectoriesSectionsResourcesImportsPossible Origin
Network BehaviorCode ManipulationsStatisticsSystem Behavior
Analysis Process: vnMQDhyZya.exe PID: 4580 Parent PID: 5692GeneralFile Activities
File CreatedFile Written
DisassemblyCode Analysis
Copyright Joe Security LLC 2021 Page 2 of 13
Windows Analysis Report vnMQDhyZya.bin
Overview
General Information
Sample Name:
vnMQDhyZya.bin (renamed file extension from bin to exe)
Analysis ID: 450141
MD5: 23755a33694adc…
SHA1: 33a68ea32f34ab6…
SHA256: e001f6a5b2d4d26…
Tags: crylock exe ransomware
Infos:
Most interesting Screenshot:
Detection
CryLockCryLock
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for sub
Antivirus / Scanner detection for sub
Antivirus / Scanner detection for sub
Antivirus / Scanner detection for sub
Antivirus / Scanner detection for sub
Antivirus / Scanner detection for sub
Antivirus / Scanner detection for subAntivirus / Scanner detection for sub……
Found malware configuration
Found malware configuration
Found malware configuration
Found malware configuration
Found malware configuration
Found malware configuration
Found malware configurationFound malware configuration
Found ransom note / readme
Found ransom note / readme
Found ransom note / readme
Found ransom note / readme
Found ransom note / readme
Found ransom note / readme
Found ransom note / readmeFound ransom note / readme
Icon mismatch, binary includes an ic
Icon mismatch, binary includes an ic
Icon mismatch, binary includes an ic
Icon mismatch, binary includes an ic
Icon mismatch, binary includes an ic
Icon mismatch, binary includes an ic
Icon mismatch, binary includes an icIcon mismatch, binary includes an ic……
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for submMulti AV Scanner detection for subm……
Yara detected CryLock ransomware
Yara detected CryLock ransomware
Yara detected CryLock ransomware
Yara detected CryLock ransomware
Yara detected CryLock ransomware
Yara detected CryLock ransomware
Yara detected CryLock ransomwareYara detected CryLock ransomware
Contains functionality to detect slee
Contains functionality to detect slee
Contains functionality to detect slee
Contains functionality to detect slee
Contains functionality to detect slee
Contains functionality to detect slee
Contains functionality to detect sleeContains functionality to detect slee……
Deletes shadow drive data (may be
Deletes shadow drive data (may be
Deletes shadow drive data (may be
Deletes shadow drive data (may be
Deletes shadow drive data (may be
Deletes shadow drive data (may be
Deletes shadow drive data (may be Deletes shadow drive data (may be ……
Contains functionality for read data f
Contains functionality for read data f
Contains functionality for read data f
Contains functionality for read data f
Contains functionality for read data f
Contains functionality for read data f
Contains functionality for read data fContains functionality for read data f……
Contains functionality to call native f
Contains functionality to call native f
Contains functionality to call native f
Contains functionality to call native f
Contains functionality to call native f
Contains functionality to call native f
Contains functionality to call native fContains functionality to call native f……
Contains functionality to check if a w
Contains functionality to check if a w
Contains functionality to check if a w
Contains functionality to check if a w
Contains functionality to check if a w
Contains functionality to check if a w
Contains functionality to check if a wContains functionality to check if a w……
Contains functionality to detect sand
Contains functionality to detect sand
Contains functionality to detect sand
Contains functionality to detect sand
Contains functionality to detect sand
Contains functionality to detect sand
Contains functionality to detect sandContains functionality to detect sand……
Contains functionality to dynamically
Contains functionality to dynamically
Contains functionality to dynamically
Contains functionality to dynamically
Contains functionality to dynamically
Contains functionality to dynamically
Contains functionality to dynamicallyContains functionality to dynamically……
Contains functionality to enumerate
Contains functionality to enumerate
Contains functionality to enumerate
Contains functionality to enumerate
Contains functionality to enumerate
Contains functionality to enumerate
Contains functionality to enumerate Contains functionality to enumerate ……
Contains functionality to query locale
Contains functionality to query locale
Contains functionality to query locale
Contains functionality to query locale
Contains functionality to query locale
Contains functionality to query locale
Contains functionality to query localeContains functionality to query locale……
Contains functionality to read the cli
Contains functionality to read the cli
Contains functionality to read the cli
Contains functionality to read the cli
Contains functionality to read the cli
Contains functionality to read the cli
Contains functionality to read the cliContains functionality to read the cli……
Contains functionality to retrieve info
Contains functionality to retrieve info
Contains functionality to retrieve info
Contains functionality to retrieve info
Contains functionality to retrieve info
Contains functionality to retrieve info
Contains functionality to retrieve infoContains functionality to retrieve info……
Contains functionality to shutdown /
Contains functionality to shutdown /
Contains functionality to shutdown /
Contains functionality to shutdown /
Contains functionality to shutdown /
Contains functionality to shutdown /
Contains functionality to shutdown / Contains functionality to shutdown / ……
Detected potential crypto function
Detected potential crypto function
Detected potential crypto function
Detected potential crypto function
Detected potential crypto function
Detected potential crypto function
Detected potential crypto functionDetected potential crypto function
Extensive use of GetProcAddress (o
Extensive use of GetProcAddress (o
Extensive use of GetProcAddress (o
Extensive use of GetProcAddress (o
Extensive use of GetProcAddress (o
Extensive use of GetProcAddress (o
Extensive use of GetProcAddress (oExtensive use of GetProcAddress (o……
Found potential string decryption / a
Found potential string decryption / a
Found potential string decryption / a
Found potential string decryption / a
Found potential string decryption / a
Found potential string decryption / a
Found potential string decryption / aFound potential string decryption / a……
May check if the current machine is
May check if the current machine is
May check if the current machine is
May check if the current machine is
May check if the current machine is
May check if the current machine is
May check if the current machine isMay check if the current machine is……
PE file contains strange resources
PE file contains strange resources
PE file contains strange resources
PE file contains strange resources
PE file contains strange resources
PE file contains strange resources
PE file contains strange resourcesPE file contains strange resources
Queries the volume information (nam
Queries the volume information (nam
Queries the volume information (nam
Queries the volume information (nam
Queries the volume information (nam
Queries the volume information (nam
Queries the volume information (namQueries the volume information (nam……
Sample file is different than original
Sample file is different than original
Sample file is different than original
Sample file is different than original
Sample file is different than original
Sample file is different than original
Sample file is different than original Sample file is different than original ……
Uses 32bit PE files
Uses 32bit PE files
Uses 32bit PE files
Uses 32bit PE files
Uses 32bit PE files
Uses 32bit PE files
Uses 32bit PE filesUses 32bit PE files
Uses code obfuscation techniques (
Uses code obfuscation techniques (
Uses code obfuscation techniques (
Uses code obfuscation techniques (
Uses code obfuscation techniques (
Uses code obfuscation techniques (
Uses code obfuscation techniques (Uses code obfuscation techniques (……
Classification
Ransomware
Spreading
Phishing
Banker
Trojan / Bot
Adware
Spyware
Exploiter
Evader
Miner
clean
clean
clean
clean
clean
clean
clean
suspicious
suspicious
suspicious
suspicious
suspicious
suspicious
suspicious
malicious
malicious
malicious
malicious
malicious
malicious
malicious
System is w10x64
vnMQDhyZya.exe (PID: 4580 cmdline: 'C:\Users\user\Desktop\vnMQDhyZya.exe' MD5: 23755A33694ADC76023DD0B7607BC03D)
cleanup
{
"Extensions":
"ods,xar,xlr,xls,xlsb,xlsm,xlsx,xlt,xltm,xltx,asp,accdb,b2,crypt,crypt5,crypt6,crypt7,crypt8,crypt12,dat,db,dbf,dbx,kdc,log,mdb,mdf,sdf,sis,sql,awb,bin,cdi,cdr,css,csv,eap,efx,g
am,gbr,ged,gtp,mpp,msc,mts,one,otf,nbk,nbp,ndb,prf,prj,rtp,sav,scppy,sgml,tax2010,tbl,tmp,ts,vcd,xml,xsl,xslt,1cd,epf,erf,^^^,$er,4dd,4dl,accdc,accde,accdr,accdt,accft,adb,ade,a
df,adp,alf,ask,btr,cat,cdb,ckp,cma,cpd,crypt9,dacpac,dad,dadiagrams,daschema,db-shm,db-
wal,db3,dbc,dbs,dbt,dbv,dcb,dct,dcx,ddl,dlis,dp1,dqy,dsk,dsn,dtsx,dxl,eco,ecx,edb,epim,exb,fcd,fdb,fic,fmp,fmp12,fmpsl,fol,fp3,fp4,fp5,fp7,fpt,frm,gdb,grdb,gwi,hdb,his,ib,idb,ih
x,itdb,itw,jet,jtx,kdb,kexi,kexic,kexis,lgc,lwx,maf,maq,mar,marshal,mas,mav,mpd,mrg,mud,mwb,myd,ndf,nnt,nrmlib,ns2,ns3,ns4,nsf,nv,nv2,nwdb,nyf,odb,oqy,ora,orx,owc,p96,p97,pan,pd
b,pdm,pnz,qry,qvd,rbf,rctd,rod,rodx,rpd,rsd,sas7bdat,sbf,scx,sdb,sdc,spq,sqlite,sqlite3,sqlitedb,te,teacher,temx,tmd,tps,trc,trm,udb,udl,usr,v12,vis,vpd,vvv,wdb,wmdb,wrk,xdb,xld
,xmlff,
{pb,~hm,17t,1pe,1ph,3dmdef,3dp,3dr,3dt,3dw,3me,3pe,4dv,4fs,5vw,73c,73l,8xg,8xk,8xs,8xv,a5l,a5w,a65,aam,aao,ab,ab1,ab3,abcd,abi,abkprj,abp,aby,aca,acc,acf,acg,acq,acr,acz,adcp,ad
dism,adi,adif,adt,adu,adv,advs,adx,aes,afe,aff,aft,agd,aggr,aifb,alc,ald,aldf,ali,amb,amc,aml,amm,amsorm,an1,an8,anime,anme,ans,ansym,anx,apalbum,aph,aplibrary,arc,arff,arn,art,
as,ashprj,asm,asnd,asr,ast,atf,atomsvc,ats,avc,avhdx,avj,avl,avp,aw,awbr,awdb,awg,azz,azzx,bafl,bar,baserproj,bc,bcc,bci,bcl,bcm,bct,bdc,bdf,bdic,bed,bfx,bgl,bgt,bho,bim,binary,
bionix,bjo,bk,blb,bld,blg,bln,blockplt,blogthis,bluebutton,bm2,bms,bnk,bok,book,box,bpd,bpdx,bphys,bpj,bplx,bpm,brain,brd,brf,brl,brn,brs,brw,bsd,bsdl,btf,btif,btinstall,btm,bul
,bvp,c3d,c4p,caf,camm,cap,capt,capx,car,cav,cawr,cbg,cbmap,cbz,cca,cch,ccld,ccp,cct,cdf,cdm,cdp,cdpz,cdx,cdxml,cef,cel,celtx,cfa,cfb,cfs,cfx,cgd,chg,chk,chr,cif,circ,ckt,cl2,cla
sslist,clb,cld,clg,clix,clk,clkm,clks,clktk,clkv,clm,clp,clx,cm10,cm5,cmap,cmbl,cml,cmr,cms,cna,col,collab,contact,cpaa,cpf,cpk,cpmz,cptx,cram,crev,crtx,cry,cs,csa,ctb,ctf,ctl,c
tm,ctp,ctproject,ctt,ctv,ctv3,cub,cube,cursorfx,curxptheme,cva,cvd,cvn,cwk,cww,cxa,cxd,cxf,cxr,cxt,cyo,cys,czi,czp,da2,daf,dal,dam,dap,das,dbd,dbgsym,dcf,dcl,dcm,dcmd,dcmf,dcpf,
dcpr,ddb,ddc,ddcx,ddt,def,deproj,des,det,develve,deviceinfo,dex,dfm,dfproj,dgs,dhcd,dia,dict,dif,dig,dii,dip,dita,ditamap,ditaval,dkt,dl,dlc,dlt,dltemp,dm2,dmc,dmm,dmmx,dmo,dmpr
,dmr,dmsp,dna,dng,dockzip,dot,dpb,dpn,dps,dpt,dpx,dr,drf,drl,drscan,dsb,dsc,dsd,dsl,dsx,dsy,dsz,dt,dtd,dtp,dtr,dupeguru,dvb,dvc,dvdproj,dvds,dvo,dwi,dws,e2p,eas,ebm,ebuild,ec0,e
c3,ec4,ecc,ecl,ect,edat,edat2,edf,edfx,edg,edi,eep,ef,efp,eglib,egp,ekb,els,em,emb,embl,emd,emlxpart,emrg,emrg2,enc,enex,enl,enlx,enq,env,enw,epp,epw,er1,erd,erg,erp,ersx,es,es2
,esb,ese,esp,esq,est,esx,et,ete,etng,ett,ev,ev3,ev3p,ev3s,evx,evy,ews,exif,exl,exm,exp,exx,f04,f06,fa,familyfile,far,fas,fasta,fbk,fbq,fcpbundle,fcpevent,fcpproject,fcpxdest,fcp
xml,fcs,fct,fdf,fdm,fdt,fdx,fes,ffd,fff,ffindex,ffo,ffwp,fg3,fhc,fid,fig,fil,fingnet,flam3,flame,flg,flipchart,flk,fll,flm,flo,flow,flp,flt,flwa,fmat,fmc,fmt,fnbk,fnm,fnrecipes,
fo,fob,fodp,folx,fop,fox,fpa,fpp,fpr,fpsl,fqc,frameset,frd,frl,fro,fsa,fsc,fsif,fss,fstab,ftl,ftm,ftw,fwdict,fxf,fxg,fxp,g1m,g3m,ga3,gadgeprj,gal,gallery,gan,gb,gbk,gbl,gbo,gbp,
gbs,gc,gcg,gcproj,gcw,gcx,gdbtable,gdf,gdt,gdtb,gedata,gedcom,gen,genbank,gexf,gfi,gform,gfs,ggb,gis,gla,gld,glo,gls,gmap,gmbl,gml,gmp,gms,gno,gnp,gnutar,gp3,gpf,gpi,gpj,gpp,gpr
,gpscan,gra,grade,graphml,graphmlz,grd,grf,grib,grib2,grind,grindx,grk,grp,grr,grt,grv,gs,gtable,gtar,gtl,gtm,gto,gts,gui,guides,gwk,gwp,gxl,gxt,h10,h11,h12,h13,h14,h15,h16,h17,
h2o,h2w,h4,h5,h6x,h77t,haas,hal,hcc,hce,hci,hcl,hcr,hcu,hcx,hcxs,hda,hdf,hdi,hdl,hdpmx,hds,hdumx,helpindex,hif,hin,hjt,hkdb,hl,hm3,hml,hmt,hmxp,hmxz,hol,hpp,hs2,hsdt,hsk,hst,htb
,htg,huh,hvc,hyv,i5z,ias,iba,ibcd,ibg,icalevent,icaltodo,icg,ichat,icr,id2,id3tag,idx,ies,ifaith,ifiction,ifm,ifs,igc,igg,igma,ign,igq,ii,iif,ilg,ilogicvb,ima,image,imp,imr,imt,
in,incp,ini,ink,inp,ins,inx,ip,ipalias,iphoto,iplb,ipmeta,ipr,iproject,iq4,iqmol,irock,irp,irr,irx,is1,is2,isf,ish1,ish2,ish3,ispc,ist,ite,itl,itlp,itm,itmsp,itn,itx,iup,ivc,ivd
,ivs,ivt,iw,iwxdata,ix2,ixb,jasper,jbi,jbr,jclic,jdat,jdb,jef,jgcscs,jmp,jnt,joboptions,joined,jph,jrprint,jrxml,jsd,jsda,jtbackup,jude,kal,kap,kbits,kbs,kdbx,kdz,keb,kelgfile,k
ey,key-
tef,keychain,keytab,kgtemp,kid,kismac,kma,kms,kmy,kno,kpf,kpp,kpr,kpx,kpz,krc,ksm,kth,kvtml,l,l3dw,l6t,la,label,laccdb,las,lav,lay,lbl,lbx,lcd,lcm,ld2,ldf,ldif,lef,lev,lex,lfp,l
gf,lgh,lgi,lgl,lhr,lib,lib4d,lif,life,lin,list,livereg,liveupdate,lix,llb,lmf,lms,lmx,lng,lnt,loc,lp7,lpdb,lpk,lpkg,lpmd,lpp,lqm,lrcat,lrdata,lrlib,lrlibrary,lrm,lrtoolkit,ls3,l
sa,lsd,lsf,lsl,lsp,lsr,lst,lsu,lud,lut,lutx,lvm,lvw,lw4,lwd,lxf,lxk,ly,lyt,m,mai,map,mat,mba,mbd,mbg,mbp,mbx,mc1,mcat,mcd,mcdx,mcmac,mcp,md,md8,mdc,mdd,mdj,mdl,mdm,mdsx,mdx,meg,
mega,mem,menc,merlin2,met,mex,mf4,mfa,mfe,mfl,mfo,mfp,mft,mfu,mfv,mgourmet,mgourmet4,mindnode,mjk,mlb,mlm,mls,mm,mmap,mmc,mmf,mml,mmm,mmp,mmw,mnc,mng,mnk,mno,mny,mod,moho,mol,mo
ney,mosaic,mox,mph,mpj,mpkt,mppz,mpr,mps,mpx,mpz,ms10,msb,msct,msf,msp,mss,mtf,mtff,mth,mtm,mtw,mtxt,mum,mup,mvm,mw,mwf,mws,mwx,mx,mxad,mxc2,mxi,myi,myo,nam,nap,nas,nbe,nc,ncorx
Process Tree
Malware Configuration
Threatname: CryLock
Copyright Joe Security LLC 2021 Page 3 of 13
ney,mosaic,mox,mph,mpj,mpkt,mppz,mpr,mps,mpx,mpz,ms10,msb,msct,msf,msp,mss,mtf,mtff,mth,mtm,mtw,mtxt,mum,mup,mvm,mw,mwf,mws,mwx,mx,mxad,mxc2,mxi,myi,myo,nam,nap,nas,nbe,nc,ncorx
,nct,ndif,ndk,nds,ndx,nessus,net,neta,netspd,netspm,nfi,nfl,nfo,nfs,nitf,nl,nlogo,nlogo3d,nma,nmea,nmind,nmm,nmp,nni,nnp,not,notebook,np,npl,npr,npt,npy,nrb,nrc,nrd,nrf,nrl,nrm,
nrt,nru,nrx,nsq,nsr,nst,nt,ntf,ntx,nupkg,nvdl,nvl,nvm,nvram,nwcab,nwcp,nwelicense,nwo,nwp,nws,oab,obb,obd,obj,occ,ocimf,od,odc,odf,odp,odt,odx,oeaccount,oem,ofc,ofm,oft,ofx,ogg,
oggu,ogm,ogmu,ogs,olk,olk14event,olk14group,olk14note,olk14task,oll,olm,olt,omcs,omp,ond,ont,ontx,oo3,op,op2,op4,opal,opax,opd,opf,opj,opju,opx,or2,or3,or4,or5,or6,org,osz,ot,ot
l,otln,otp,otx,out,ova,ovf,ovolog,ovx,owx,p3,p7x,pab,paf,pat,paw,pbd,pbix,pbk,pc,pcap,pcapng,pcb,pcc,pcd,pch,pck,pcr,pct,pd4,pd5,pdas,pdd,pdfig,pdo,pds,pdw,pdx,pep,pes,pex,pez,p
f,pfc,pfl,phb,phd,phm,pj2,pjm,pjt,pka,pkb,pkh,pks,pkt,planner,pln,pls,plt,plw,pmatrix,pml,pmm,pmo,pmr,pnproj,pns,pod,poi,popshape,por,pot,potm,potx,pp,pp2,ppf,ppp,ppr,pps,ppsm,p
psx,ppt,pptm,pptx,prc,prdx,printcd2,prn,prnx,pro4,pro4pl,pro4plx,pro4x,pro5,pro5pl,pro5plx,pro5x,prs,prt,prv,prx,psa,psf,psm,pspd,pss,pst,psv,psw,pswx,ptb,ptf,ptn,ptz,pvd,pvw,px
f,pxj,pxl,q07,q08,q09,q3d,qb,qb2005,qb2006,qb2007,qb2009,qb2010,qb2011,qb2012,qb2013,qb2014,qb2015,qb2016,qb2017,qba,qbj,qbr,qbw,qbxml,qby,qdat,qdb,qdf,qdf-
backup,qdfm,qdfx,qdp,qdt,qel,qf,qfilter,qfx,qif,qm,qmbl,qmtf,qpb,qpf,qph,qrc,qrmx,qrp,qs,qsd,quiz,quox,qvf,qvp,qvw,qxf,ral,ray,rbt,rcd,rcg,rcx,rda,rdata,rdb,rdf,rdg,rdlx,rdx,reb
,rec,redif,ref,reference,rel,rep,ret,rez,rf1,rfa,rfo,rge,rgmc,rgo,rhistory,rl,rmd,rmuf,rmx,rng,rnq,roadtrip,roca,rodz,rog,roi,rou,rox,roxio,roz,rp,rpa,rpp,rpprj,rpres,rpt,rptr,r
pyb,rrt,rsc,rsf,rsm,rso,rsp,rsv,rsw,rta,rte,rtstn,rtttl,rtwsh,ruel,rupaf,rvl,rvt,rwd,rwg,rws,s85,saf,sah,sar,sbc,sbd,sbw,sbx,sc4,sc45,sca,scd,scf,scg,scgc,scgp,scgs,sch,scm,scn,
scz,sdl,sdlxliff,sdp,sds,sdz,se1,seed,sen,seo,seq,ses,sfd,sff,show,shw,shx,sidx,sim,skv,skx,sldtm,sle,slk,slp,slx,sm,smc,smp,smpkg,smx,snag,snapshot,sp,spb,speccy,spj,spk,sps,sp
t,spub,spv,sq,sqd,sqf,sqr,srf,ssc,ssd,ssp,ssv,sta,stc,stdl,stk,stl,stm,stp,stproj,str,stt,stu,sty,styk,stykz,sub,sum,svd,svf,swk,sx,sxi,syn,t01,t02,t03,t04,t05,t06,t07,t08,t09,t
10,t11,t12,t13,t14,t15,t16,t17,t18,t2,t2k,t2ks,t2kt,ta4,ta5,ta6,ta7,ta8,tab,tac,tag,tar,tardist,tax,tax08,tax09,tax10,tax11,tax12,tax13,tax15,tax16,tax17,tax2008,tax2009,tax2011
,tax2012,tax2013,tax2014,tax2015,tax2016,tax2017,tax2018,tax2019,tb,tbd,tbk,tbx,tc,tcc,tclogs,tcnet,tcx,tda,tdb,tde,tdl,tdm,tdms,tdt,te3,ted,tef,ter,terrn,terrn2,tet,tfa,tfd,tgc
,tgd,tgf,tie,time,timeline,tjp,tkfl,tl5,tlp,tlx,tmr,tmw,tmx,tmzip,top,topc,totalsdb,tpb,tpd,tpf,tqs,tra,trd,trf,trk,trs,trx,tsk,tsl,tsr,tst,tsv,tt10,tt11,tt12,tt13,tt14,tt15,tt1
6,tt17,tt18,ttd,ttk,ttmd,ttskey,tvc,tvdownload,twb,twbx,twh,twm,twz,twzip,txa,txd,txf,txn,txtrpt,tyimport,tyset,u10,u11,u12,ubj,ubox,uccapilog,ud,udc,udeb,uds,ulf,ulp,ulz,umf,uo
p,update,upoi,upr,useq,ustar,uvf,uvw,uwl,uwrf,val,vault,vbpf1,vbw,vce,vcf,vcrd,vcs,vct,vdb,vdf,vdx,vec,vff,vfs,vi,vibe,vip,vle,vlg,vmsd,vmsn,vmss,vmt,voi,vok,voxb,vpol,vpp,vpx,v
rd,vs,vsch,vscontent,vssm,vssx,vsv,vsx,vtx,vud,vvf,vxml,vym,vzm,w02,wab,wac,wallet,wb1,wb2,wb3,wcat,wcd,wcf,wd3,wdf,wdq,wea,webapp,wfm,wgt,whf,wid,wjr,wk1,wk2,wk3,wk4,wk5,wke,wl
x,wnk,wpc,wpf,wpk,wpo,wpost,ws,wsi,wsm,wtb,wtml,wtr,wvp,xaf,xaiml,xappl,xas,xbc,xbd,xbk,xbrl,xbt,xcsl,xdf,xdna,xdp,xds,xef,xem,xer,xfd,xfdf,xflow,xfo,xfr,xft,xgml,xgmml,xgp,xlc,
xle,xlf,xlgc,xliff,xlw,xmap,xmcd,xmct,xmd,xmi,xmind,xmlper,xmp,xmpz,xmwx,xmzx,xpdl,xpg,xpj,xpll,xpm,xpr,xpt,xrb,xrdml,xrff,xrp,xry,xsc,xsf,xsvf,xtg,xtm,xtp,xum,xvct,xxd,xyz,xyzv
,yam,ychat,ygf,yka,yrcbkm,yrcdat,yumtx,zap,zdb,zdc,zdct,zim,zix,zma,zmc,zpl,_xls,_xlsx,123,12m,aws,bks,cell,dfg,dis,edx,edxz,ess,fm,fods,fp,gnm,gnumeric,gsheet,hcdt,nb,ncss,numb
ers,ogw,ogwu,ots,pmd,qpw,sxc,tmv,tmvt,uos,wki,wkq,wks,wku,wq1,wq2,wr1,xl,xlshtml,xlsmhtml,xlthtml,|||sqml,7z,ace,arj,cab,cbr,deb,exe,gz,gzip,jar,pak,pkg,rar,rpm,sh,sib,sisx,sit,
sitx,spl,tar-
gz,tgz,zip,zipx,0,000,001,a00,a01,a02,ain,alz,apz,ar,archiver,arduboy,ari,b1,b64,b6z,ba,bdoc,bh,bndl,boo,bundle,bz,bz2,bza,bzip,bzip2,c00,c01,c02,c10,cb7,cba,cbt,cp9,cpgz,cpt,ct
x,cxarchive,czip,dar,dd,dgc,dist,dl_,dz,ecs,ecsbx,edz,efw,egg,epi,f,f3z,fdp,fp8,fzbz,fzpz,gca,gmz,gz2,gza,gzi,ha,hbc,hbc2,hbe,hki,hki1,hki2,hki3,hpk,hpkg,hyp,iadproj,ice,ipg,ipk
,ish,isx,ita,ize,j,jgz,jic,jsonlz4,kgb,kz,layout,lbr,lemon,lha,lhzd,libzip,lnx,lqr,lz,lzh,lzm,lzma,lzo,lzx,mint,mpkg,mzp,nex,npk,nz,oar,opk,oz,p01,pa,package,pae,paq6,paq7,par,p
ar2,pbi,pea,pet,pim,piz,psz,pup,puz,pwa,qda,r0,r00,r01,r02,r03,r04,r1,r2,r21,r30,rev,rk,rnc,rp9,rss,rz,s00,s01,s02,s7z,sea,sfs,sfx,shr,smpf,spd,sqx,sqz,taz,tbz,tbz2,tg,tlz,tlzma
,tx_,txz,tz,tzst,uc2,uha,uzip,vem,vmcz,voca,vpk,vsi,wa,waff,war,warc,wastickers,wdz,whl,wlb,wot,wux,xapk,xez,xip,xmcdz,xx,xz,xzm,y,yz,yz1,z,z01,z02,z03,z04,zi,zi_,zl,zoo,zpi,zsp
lit,zst,zw,zz,|||spi,v2i,sv2i,mobackup,tib,hqx,kwm,mim,mime,pub,uue,bak,dmp,gho,ghs,json,adame,adobe,aep,afp,asc,aurora,axx,b2a,bc5b,bfa,bhx,bip,bit,blower,bpk,bpw,bsk,btoa,bvd,
ccf,cdoc,cerber,cerber2,cgp,chml,cng,cpio,cryptra,dc4,dcd,dco,ddoc,dim,dime,dm,e4a,ecd,edoc,efl,efr,efu,emc,enx,esf,eslock,exc,extr,filebolt,film,fpenc,fsm,gdcb,gfe,gxk,gzquar,h
bx,hex,hid,hid2,htpasswd,idea,iwa,jac,jceks,jcrypt,jks,jmc,jmce,jmck,jmcp,jmcr,jmcx,kde,keystore,kkk,klq,kode,krab,ks,ksd,kxx,lastlogin,lcn,lilocked,litar,locked,locky,lvivt,meo
,mjd,mme,mse,null,nxl,odin,pdc,pfile,pfo,plp,psw6,pwv,rap,rdi,rsdf,rzk,rzx,safe,scb,sef,shy,sme,snk,spdf,suf,switch,uea,ufr,uu,uud,vdata,viivo,vlt,vp,wcry,werd,wls,wlu,wncry,wnr
y,wolf,wpe,wrypt,xmdx,xtbl,xxe,xxx,yenc,ykcol,ync,zepto,zps,zzzzz,__a,__b,~cw,$$$,$db,002,003,113,73b,aba,abbu,abf,abk,acp,aea,afi,asd,ashbak,asv,asvx,ba6,ba7,ba8,bac,backup,bac
kupdb,bak~,bak2,bak3,bakx,bbb,bbz,bck,bckp,bdb,bff,bif,bifx,bk1,bkc,bkf,bkp,bkup,bkz,blend1,blend2,bm3,bmk,bookexport,bpa,bpb,bpn,bps,bup,cbs,cbu,cenon~,ck9,cmf,crds,csd,csm,da0
,dash,dba,dbk,dss,fbc,fbf,fbu,fbw,fh,fhf,flka,flkb,fpsx,ftmb,ful,fwbackup,fza,fzb,gb1,gb2,gs-
bck,ibk,icbu,icf,inprogress,ipd,iv2i,j01,jbk,jdc,jpa,jps,kb2,lbf,lcb,ldabak,llx,mbf,mdbackup,mddata,mdinfo,msim,nb7,nba,nbak,nbd,nbf,nbi,nbs,nbu,nco,nda,nfb,nfc,noy,npf,nps,nrba
k,nrs,nwbak,obk,oeb,old,onepkg,ori,orig,oyx,paq,pbf,pbj,pbx5script,pvhd,qbb,qbk,qbm,qbmb,qbmd,qbx,qic,qsf,qv~,rbc,rbk,rbs,rgmb,rmbak,rrr,sbs,sbu,skb,sn1,sn2,sna,sns,spf,spg,sqb,
srr,stg,sv$,tibkp,tig,tis,tlg,trn,ttbk,uci,vbk,vbm,vbox-
prev,vpcbackup,vrb,w01,walletx,wbb,wbcat,wbk,win,wjf,wpb,wspak,wx,xlk,yrcbck,zbfx,|||apt,err,pwi,ttf,tex,text,txt,cdd,cpp,doc,docx,docm,dotm,dotx,epub,fb2,gpx,ibooks,indd,kml,mo
bi,mso,oxps,pages,pdf,pl,ps,rtf,sldm,snb,wpd,wps,xps,cfg,4ui,anh,ao,ap,article,av,avery,bcf,bcp,biz,blk,bmml,bpf,bro,btw,caj,cal,cbf,cd2,cdml,cl2arc,cl2doc,cl2lyt,cl2tpl,clkb,cl
kc,clkd,clt,cndx,comicdoc,comiclife,consis,cov,cpe,cph,cpy,crtr,cst,cvw,cw,cwt,de,dpd,dra,drmx,drmz,dtx,dwdoc,eddx,edrwx,el4,fadein,fax,fcdt,fd2,fdd,fey,fgc,flb,flowchart,flw,fo
lio,form,fpe,fr3,frdoc,frf,fsd,fxm,gde,gdoc,gdocx,gem,gofin,gslides,gsp,gwb,hfd,hft,hmk,hpd,hpt,hwdt,icap,icml,icmt,idap,idml,idms,idpk,ifd,ildoc,imm,imtx,imx,incd,inct,incx,ind
,indb,indl,indp,inds,indt,inlx,isale,isallic,isd,jtp,jwc,lab,lld,lma,lpdf,lsc,ltf,max,mcsp,mdi,mga,mif,mtc,mvd,mvdx,mwl,npp,nud,ola,p65,pcl,pde,pdp,pdr,pgs,pmx,pnh,ppx,psg,pspro
j,psr,ptx,pwt,pzf,pzfx,q3c,qpt,qxb,qxd,qxp,qxt,rb4,rels,rfd,rlf,rmr,rpc,rpx,rwt,sbk,sbv,sdt,simp,sjd,sma,snp,t2d,tds,tp3,uxf,vfc,webtheme,wlp,wmga,wpt,wwf,xdw,xif,xmt,xsn,xzfx,z
dl,zdp,zds,zfx,zno,_doc,_docx,1st,602,abw,act,adoc,aim,ase,awp,aww,bad,bbs,bdp,bdr,bean,bib,bibtex,bml,bna,boc,brx,btd,bzabw,calca,charset,chord,cnm,cod,crwl,cws,cyi,diz,dne,dox
,dvi,dwd,dxb,dxp,eio,eit,emf,eml,emlx,etf,etx,euc,fbl,fcf,fdr,fds,fdxt,fft,fgs,flr,fodt,fountain,frt,fwdn,gmd,gpd,gpn,gsd,gthr,gv,hbk,hht,hs,hwp,hz,iil,ipf,ipspot,jarvis,jis,jnp
,joe,jp1,jrtf,jtd,kes,klg,knt,kon,kwd,latex,lbt,lis,lp2,ltr,ltx,lue,luf,lwp,lxfml,lyx,mbox,mcw,mell,mellel,mnt,msg,mwd,mwp,ndoc,ngloss,njx,note,notes,now,nwctxt,nwm,ocr,odif,odm
,odo,ofl,opeico,openbsd,ort,ott,p7s,pages-
tef,pfx,plantuml,pu,pvm,pwd,qdl,rad,readme,rft,ris,rst,rtd,rtfd,rtx,run,rvf,rzn,safetext,scc,scriv,scrivx,sct,scw,sdw,session,sgm,sig,sla,smf,sms,ssa,story,strings,sxw,tdf,templ
ate,thp,tlb,tm,tmdx,tmvx,tpc,trelby,tvj,u3i,unauth,unx,uof,uot,upd,utf8,utxt,vnt,vw,webdoc,wn,wp,wp4,wp5,wp6,wp7,wpa,wpl,wpw,wri,wsd,wtt,wtx,xbdoc,xbplate,xdl,xwp,xy,xy3,xyp,xyw
,zabw,zrtf,tsc,tsf,uld,unt,upf,vet,vnd,vtf,vwx,wdp,x_b,x_t,xise,xnc,xv3,acsm,apnx,azw,azw1,azw3,azw4,bkk,bpnueb,cebx,dnl,ea,eal,ebk,edn,etd,fkb,han,html0,htmlz,htxt,htz4,htz5,jw
pub,kfx,koob,lit,lrf,lrs,lrx,mart,ncx,nva,oebzip,orb,pef,phl,qmk,rzb,rzs,tcr,tk3,tpz,tr,tr3,webz,ybk,|||3g2,3gp,3gp2,3gpp,3gpp2,asf,asx,avi,drv,f4v,flv,h264,m4v,mkv,moov,mov,mp4
,mpeg,mpg,rm,rmvb,srt,swf,vid,vob,webm,wm,wmv,yuv,264,3mm,3p2,60d,787,890,aaf,aec,aepx,aet,aetx,ajp,ale,am,amv,amx,anim,arcut,arf,avb,avchd,ave,avs,avv,axm,bdm,bdmv,bdt2,bdt3,bi
k,bik2,bix,bk2,blz,bmc,bnp,bs4,bsf,bu,bvr,byu,camproj,camrec,camv,ced,cine,cip,clpi,cme,cmmp,cmmtpl,cmproj,cmrec,cpi,cpvc,cx3,d2v,d3v,dav,dce,dck,dcr,dir,divx,dlx,dmb,dmsd,dmsd3
d,dmsm,dmsm3d,dmss,dmx,dpa,dpg,dream,dv,dv-avi,dv4,dvdmedia,dvr,dvr-
ms,dvx,dxr,dzm,dzp,dzt,edl,evo,exo,eye,eyetv,ezt,f4f,f4m,f4p,fbr,fbz,fcarch,fcp,fcproject,ffm,flc,flh,fli,flic,flx,fpdx,ftc,fvt,g2m,g64,g64x,gcs,gfp,gifv,gl,gom,grasp,gvi,gvp,gx
f,hdmov,hdv,hevc,hkm,ifo,imovieproj,insv,int,ircp,irf,ism,ismc,ismclip,ismv,iva,ivf,ivr,izz,izzy,jdr,jmv,jnr,jss,jts,jtv,k3g,kdenlive,kmv,ktn,lrec,lrv,lsx,lvix,m1pg,m21,m2p,m2t,
m2ts,m2v,mani,mgv,mj2,mjp,mk3d,mnv,moi,mp21,mpf,mpgindex,mpl,mpls,mproj,mpsub,mpv,mqv,msdvd,mswmm,mtv,mvc,mve,mvp,mvy,mxf,mxv,n3r,ncor,nfv,nsv,ntp,nut,nuv,nvc,ogv,ogx,orv,osp,ot
rkey,pac,pgi,photoshow,piv,pjs,plproj,pmf,ppj,prel,pro,prproj,prtl,psb,psh,pvr,pxv,qsv,qt,qtch,qtindex,qtl,qtm,qtz,r3d,ravi,rcproject,rcrec,rcut,rmp,rms,rmv,roq,rsx,rts,rum,rv,r
vid,sbz,screenflow,sdv,sec,sfvidcap,siv,smi,smil,smk,snagproj,ssf,stx,svi,swi,swt,tda3mt,theater,tid,tivo,tix,tod,tp,tp0,tpr,trec,trp,tsp,ttxt,tvlayer,tvs,tvshow,usf,usm,v264,vb
c,vc1,vcpf,vcr,vcv,vdo,vdr,veg,vep,vf,vft,vfw,vfz,vgz,video,viewlet,viv,vivo,vix,vlab,vmlf,vmlt,vp3,vp6,vp7,vpj,vr,vro,vs4,vse,vsh,vsp,vtt,w32,wcp,wfsp,wgi,wlmp,wmd,wmmp,wmx,wp3
,wsve,wtv,wvm,wvx,wxp,xej,xel,xesc,xfl,xlmv,xmv,xvid,y4m,yog,zeg,zm1,zm2,zm3,zmv,|||dem,kmz,mid,ov2,geo,3d,3dc,3dd,3dl,477,apl,apr,aqm,at5,atx,aux,axe,axt,bil,bt,cor,csf,cvi,div
,dix,dlg,dmf,dmt,dt0,dt1,dt2,e00,embr,ers,eta,ffs,fit,fls,fme,fmi,fmv,fmw,geojson,gfw,glb,gmf,gprx,gps,grb,gsb,gsi,gsm,gsr,gsr2,gst,gvsp,gws,hdr,hgt,imd,img,imi,jgw,jnx,jpgw,jpr
,jpw,lan,len,mpk,msd,mxd,mxt,ngt,nm2,nm3,nmap,nmc,nmf,obf,ocd,osb,osc,osm,pix,prm,ptm,ptt,qct,rdc,rgn,rrd,sbn,shp,sld,style,svx,sxd,sym,tfrd,tfw,th,timestamp,tpx,ttkgp,vdc,wfd,w
ld,wor,xol,|||3dm,3ds,a2c,ccd,cdw,cr2,dgn,dwg,dxf,ics,igs,iso,ma,mb,part,rnd,sldasm,sldprt,wm2d,ai,eps,svg,vsd,vst,wmf,aac,ac3,aif,aiff,amr,aob,ape,aud,bwg,flac,iff,m3u,m3u8,m4a
,m4b,m4p,m4r,midi,mp3,mpa,msv,nkc,ra,ram,sln,temp,vb,wav,wave,wma,xsb,xwb,cur,icns,ico,mds,pict,png,bmp,dds,djvu,gif,hta,jpeg,jpg,php,psd,pspimage,scr,tga,thm,tif,tiff,xcf,0cc,2
sf,2sflib,3ga,3gpa,4mp,5xb,5xe,5xs,669,6cm,8cm,8med,8svx,a2b,a2i,a2m,a2w,a52,aa,aa3,aax,abc,abm,acb,acd,acd-bak,acd-
zip,acm,adg,adts,afc,agm,agr,ahx,aifc,aimppl,akp,alaw,all,als,amf,ams,amxd,amz,ang,apf,aria,ariax,3d2,3d4,3da,3df,3dmf,3dmk,3don,3dv,3dx,3dxml,3mf,a3d,a8s,album,animset,anm,aof,
aoi,atl,atm,b3d,bio,blend,br3,br4,br5,br6,br7,brg,bto,bvh,c3z,c4d,cas,ccb,cg,cg3,cga,cgfx,chrparams,cm2,cmod,cmz,crf,crz,cso,d3d,dae,daz,dbl,dbm,ddd,dff,dfs,ds,dsa,dse,dsf,dsi,d
so,dsv,duf,dwf,e57,f3d,facefx,fbm,fbx,fc2,fcz,fg,fnc,fpf,fpj,fry,fsh,fsq,fun,fuse,fx,fxa,fxl,fxs,fxt,glf,glm,gltf,gmmod,gmt,grn,hd2,hdz,hip,hipnc,hlsl,hr2,hrz,hxn,ifc,iges,igi,i
gm,ik,irrmesh,iv,ive,j3o,jas,kfm,kmc,kmcobj,ktz,ldm,llm,lnd,lp,lps,lt2,ltz,lwo,lws,lxo,m3,makerbot,maxc,mc5,mc6,mcz,md5anim,md5camera,md5mesh,meb,mesh,mix,mot,mp,mqo,mrml,ms3d,m
tl,mtx,mtz,mxm,mxs,n2,n3d,nff,nif,nm,nsbta,obp,obz,oct,off,ogf,ol,p21,p2z,p3d,p3l,p5d,phy,pigm,pigs,pl0,pl1,pl2,ply,ppz,prefab,psk,pz2,pz3,pzz,qc,rcs,rds,rig,s,sc4model,sh3d,sh3
f,skl,skp,smd,step,sto,t3d,tcn,tgo,thing,thl,tme,tmo,tri,truck,ts1,tvm,u3d,ums,v3d,v3o,v3v,vac,vert,visual,vmd,vmo,vox,vrl,vso,vue,vvd,w3d,wft,wow,wrl,wrp,wrz,x,x3d,x3g,xmf,xmm,
xof,xrf,xsi,xv0,yaodl,ydl,z3d,zt,123c,123d,123dx,2d,3w,a2l,afd,any,ard,asy,att,bbcd,bcd,bdl,bimx,bmf,bpmc,bpz,bsw,bswx,bxl,cad,cam,catdrawing,catpart,catproduct,cddx,cdl,cgr,ckd
,cmp,cnc,cnd,cpa,crv,cyp,czd,db1,dbq,dc,dc1,dc2,dc3,dft,dfx,dgb,dgk,dlv,drg,drw,drwdot,dsg,dst,dwfx,dwt,dxe,dxx,easm,edrw,eld,eprt,eqn,ewb,ewd,ezc,ezp,fan,fcstd,fcstd1,fcw,fmz,f
pd,fz,fzm,fzp,fzz,g,g3d,gbx,gcd,gcode,gds,gxc,gxd,gxh,gxm,hcp,hsc,hsf,hus,iam,ic3d,icd,ide,idv,idw,if,ifcxml,ifczip,ipj,ipn,ipt,ise,isoz,jam,jbc,job,jt,jvsg,jvsgz,kit,l3b,lcf,ld
r,ldt,li3d,lia,lizd,logicly,ltl,lyc,lyr,mc9,mcx,mhs,mmg,model,modfem,mp11,mp13,mp14,mp7,ms11,ms13,ms14,msm,nc1,neu,ngc,ngd,nwc,nwd,nwf,olb,opt,pc6,pc7,phj,pho,pipd,pipe,pla,prg,
qpm,rcv,red,rml,rra,rs,rsg,sab,sat,sbp,scad,scdoc,sdg,skf,slddrw,t3001,tak,tbp,tc2,tc3,tcd,tcm,tcp,tct,tcw,topprj,topviw,at3,au,aup,ay,b4s,band,bap,bcs,bcstm,bdd,bfstm,bfwav,bid
ule,bonk,brr,brstm,bun,bwf,bww,caff,cda,cdda,cdlx,cdo,cgrp,cidb,ckb,conform,copy,cpr,csh,cts,cwb,cwp,d00,d01,dewf,df2,dfc,djr,dls,dmsa,dmse,ds2,dsm,dsp,dtm,dts,dtshd,dvf,ear,efa
,efe,efk,efq,efs,efv,emp,emx,emy,eop,erb,esps,evr,evrc,exs,f2r,f32,f3r,f4a,f64,fda,fev,frg,fsb,fti,ftmx,fuz,fzf,fzv,g721,g723,g726,gbproj,gig,gio,gm,gmc,gp5,gpbank,gpk,gro,groov
e,gsf,gsflib,guit,gym,h0,h3b,h3e,h4b,h4e,h5b,h5e,h5s,hbb,hbs,hca,hdp,hma,hmi,hps,hsb,iaa,igp,igr,imf,isma,it,iti,itls,its,jo,jo-
7z,jspf,k25,k26,kar,kfn,kin,kmp,koz,kpl,krz,ksc,ksf,kt2,kt3,ktp,lof,logic,logicx,lqt,lso,lvp,lwv,m2,m5p,ma1,mbr,mdr,med,minigsf,miniusf,mka,mmlp,mmpz,mo3,mp2,mpc,mpdp,mpga,mscz,
msmpl_bank,mte,mti,mtp,mui,mus,musx,mux,mx5,mxl,mxmf,myr,naac,narrative,ncw,nfa,nkb,nki,nkm,nks,nkx,nml,nmsv,nra,nsa,ntn,nus3bank,nvf,obw,ofr,oga,oggstr,okt,oma,omf,omg,omx,opus
,orc,ota,ove,ovw,pandora,pca,pcast,pcg,pd,peak,pek,pk,pkf,pna,ppc,pts,ptxt,q1,q2,qcp,r,r1m,raw,rax,rcy,record,rex,rfl,rgrp,rip,rmf,rmi,rmj,rmm,rmt,rns,rol,rsn,rti,rtm,rvx,rx2,s3
i,s3m,sap,sb,sbi,sc2,scs11,sd,sd2,sdat,sdx,sesx,sf2,sfk,sfl,sfpack,sfz,sgp,shn,sid,smpx,snd,sng,sou,sph,sppack,sseq,stap,sth,strm,swa,sxt,syh,syw,syx,td0,tfmx,thx,tm2,tm8,tmc,to
c,trak,tta,txw,u,u8,uax,ub,ulaw,ult,ulw,uni,usflib,ust,uw,uwf,v2m,vag,vap,vc3,vdj,vgm,vlc,vmf,voc,voxal,vpl,vpm,vpr,vpw,vqf,vrf,vsq,vsqx,vyf,w64,wand,wax,wem,wfb,wfp,wpp,wproj,w
tpl,wtpt,wus,wut,wv,wvc,wve,wwu,wyz,xa,xbmml,xfs,xi,xm,xma,xms,xmu,xmz,xopus,xp,xpf,xrns,xsp,xspf,xt,ym,yookoo,zab,zgr,zpa,zvd,zvr,af3,afdesign,artb,ccx,cddz,cdmm,cdmt,cdmtz,cdm
z,cds,cdt,cgm,cil,clarify,cmx,cnv,csy,cv5,cvg,cvs,cvx,dcs,ddrw,design,dhs,dpp,drawing,drawit,egc,emz,ep,epsf,esc,ezdraw,fh10,fh11,fh3,fh4,fh5,fh6,fh7,fh8,fh9,fhd,fif,fs,ft10,ft1
1,ft7,ft8,ft9,ftn,gdraw,gks,glox,graffle,gstencil,gtemplate,gvdesign,hgl,hpg,hpgl,hpl,hvif,igt,igx,jsl,lmk,mgcb,mgmf,mgmx,mgs,mvg,odg,otg,ovp,ovr,pen,pmg,qcc,rdl,scv,sk2,sketch,
slddrt,snagstyles,std,svgz,tlc,tne,tpl,vbr,vml,vsdm,vsdx,vstm,vstx,wmz,wpg,wpi,xmmap,yal,ydr,zgm,2bp,360,411,73i,8ca,8ci,8pbs,8xi,acorn,afphoto,afx,agif,agp,aic,apd,apm,apng,aps
,apx,arr,arw,aseprite,avatar,awd,blkrt,bmq,bmx,bmz,bpg,brk,brt,bss,bti,bw,can,cd5,cdg,cid,cin,cit,clip,colz,cpc,cpg,cps,cpx,ct,dgt,dib,dic,dicom,dm3,dmi,dtw,dvl,ecw,exr,face,falCopyright Joe Security LLC 2021 Page 4 of 13
,apx,arr,arw,aseprite,avatar,awd,blkrt,bmq,bmx,bmz,bpg,brk,brt,bss,bti,bw,can,cd5,cdg,cid,cin,cit,clip,colz,cpc,cpg,cps,cpx,ct,dgt,dib,dic,dicom,dm3,dmi,dtw,dvl,ecw,exr,face,fal
,fits,flif,fpg,fpos,fppx,fpx,g3,gcdp,gfb,gfie,ggr,gih,gim,gmbck,gmspr,gp4,grob,gry,hdrp,heic,heif,hf,hpi,hr,hrf,i3d,ic1,ic2,ic3,ica,icb,icn,icon,icpr,ilbm,imj,info,insp,ipick,ip
x,itc2,ithmb,ivue,iwi,j2c,j2k,jb2,jbf,jbg,jbig,jbig2,jbmp,jfi,jfif,jia,jif,jiff,jng,jp2,jpc,jpd,jpe,jpf,jpg-
large,jpg2,jpx,jtf,jwl,jxr,kdi,kdk,kic,kodak,kpg,kra,lb,lbm,lip,ljp,lrpreview,lzp,mbm,mdp,miff,mipmaps,mnr,mpo,mrxs,myl,ncd,ncr,neo,nlm,nol,oc3,oc4,oc5,oci,odi,oplc,otb,oti,ozb,
ozj,ozt,pano,pbm,pc3,pcx,pdn,pe4,pfr,pgf,pgm,pi2,pic,picnc,piskel,pixadex,pm,pnm,pov,ppm,prw,psdx,pse,psp,pspbrush,ptex,ptg,px,pxd,pxm,pxr,pyxel,pza,pzp,pzs,qmg,qti,qtif,ras,rcl
,rcu,rgb,rgba,rgf,ric,rif,riff,rix,rle,rli,rpf,rri,rsb,rsr,rtl,rvg,s2mv,sai,sdr,sfc,skitch,skm,spa,spc,spe,spp,spr,sprite,sprite2,ste,sup,t2b,targa,tb0,tbn,texture,tfc,tg4,thumb
,tn,tpi,trif,tub,ufo,uga,ugoira,urt,v,vda,vic,vicar,viff,vna,vpe,vrimg,vrphoto,vss,wb0,wbc,wbd,wbm,wbmp,wbp,wbz,webp,wi,wic,wmp,wvl,xbm,xwd,ysp,zif,zvi,3fr,bay,cr3,cxi,eip,iiq,j
6i,mef,mfw,mos,mrw,nef,nrw,orf,raf,rw2,rwl,rwz,sr2,srw,x3f,|||apk,bat,cgi,cmd,com,js,jse,gadget,msi,msu,pif,ps1,pwz,vbs,wsf,dll,8bi,crx,ext,h,nbm,nes,plugin,ppa,ppam,xla,xlam,xl
l,xpi,ani,cpl,deskthempack,diagcab,diagpkg,hlp,icl,lnk,msstyles,nomedia,ocx,reg,rom,scrshs,sys,theme,themepack,0xe,73k,89k,8ck,a6p,a7r,ac,actc,action,ahk,air,app,arscript,asb,az
w2,ba_,beam,celx,cof,command,dek,dld,e_e,ebs,ebs2,ecf,eham,elf,epk,esh,ex_,ex4,ex5,exe1,exopc,ezs,fky,fpi,frs,gpe,gpu,ham,hms,hpf,iim,ipa,isu,jsf,jsx,kix,ksh,kx,lo,ls,mcr,mel,mi
o,mrc,mrp,ms,msl,mxe,n,ncl,nexe,ore,osx,otm,phar,plx,pwc,pyc,pyo,qit,qpx,rbx,rfu,rgs,rpj,rxe,scar,scpt,scptd,script,tiapp,tms,u3p,udf,upx,vbe,vbscript,vexe,vlx,vxp,wcm,widget,wi
z,workflow,wpm,wsh,x86,xap,xbap,xlm,xqt,xys,zl9,8ba,8bc,8be,8bf,8bi8,8bl,8bs,8bx,8by,8li,aaui,aaxplugin,accda,accdu,acroplugin,aex,aip,alp,amxx,api,aplg,aplp,arx,asi,avx,ax,bav,
bblm,blu,bmi,bri,brm,bzplug,ccip,cleo,codaplugin,component,cox,dfp,dlo,dlr,dlu,dpm,eaz,epk2,exv,fmplugin,fmx,fwaction,fwactionb,fzip,hvpl,iadaction,iadclass,iadpage,iadplug,iads
tyle,ibplugin,ideplugin,jsxbin,kmm,lrmodule,lrplugin,mda,mde,mfx,milk,mmip,mode,module,mxaddon,mxp,ny,oex,oiv,osax,oxt,p,p64,plx64,q1q,q2q,q4q,q5r,q7q,q8r,q9r,q9s,qar,qtr,qtx,rb
z,rhp,rock,rpi,rplib,rpln,rwplugin,safariextz,sparc,tgp,tko,tmbundle,vsix,vsl,vst3,wie,wll,wlz,wowsl,x32,xadd,xba,xcplugin,xlv,xnt,xsiaddon,zlb,zxp,208,2fs,386,3fs,73u,8cu,8xu,a
dm,adml,admx,aos,asec,bashrc,blf,bom,bud,c32,cgz,ci,cnt,cpq,crash,desklink,dev,dfu,diagcfg,dit,drpm,dvd,ebd,edj,efi,efires,emerald,escopy,etl,evt,evtx,ffa,ffl,ffx,firm,fl1,fota,
fpbf,ftf,ftg,fts,gmmp,grl,group,h1s,hcd,hdmp,help,hhc,hhk,hiv,hpj,hsh,htt,hve,idi,ifw,im4p,ime,img3,inf_loc,ion,ioplist,ipod,iptheme,ius,jpn,kbd,kext,ko,kor,lfs,library-
ms,lockfile,log1,log2,lpd,manifest,mapimail,mdmp,mi4,mlc,mydocs,nb0,nbh,nls,ntfs,odex,pk2,pnf,pol,ppd,prefpane,profile,prop,pwl,qky,qvm,rc1,rc2,rco,reglnk,rfw,ruf,rvp,saver,shd,
shsh,sqm,swp,ta,tdz,thumbnails,timer,trashes,trx_dll,uce,vga,vgd,vx_,vxd,wdgt,webpnp,wer,wgz,wph,wpx,xfb,xrm-
ms,|||aspx,cer,cfm,chm,crdownload,csr,download,htaccess,htm,html,jnlp,jsp,mht,mhtm,mhtml,url,webarchive,webloc,xhtml,xulasf,c,class,fla,java,lua,po,py,so,vc4,vcproj,vcxproj,wsc,
xcodeproj,xsd,a4p,adr,alx,an,appcache,aro,asa,asax,ascx,ashx,asmx,atom,awm,axd,br,browser,btapp,bwp,cha,chat,codasite,con,crl,crt,cshtml,csp,der,dhtml,disco,discomap,dml,do,ece,
edge,epibrw,esproj,ewp,fcgi,freeway,fwp,fwtb,fwtemplate,gne,har,hdm,hdml,htc,htx,hxs,hype,hypesymbol,idc,iqy,itms,itpc,iwdgt,jcz,jhtml,jspa,jspx,jst,jvs,jws,lasso,lbc,less,maff,
mapx,mjs,mspx,muse,nod,nxg,nzb,oam,obml,obml15,obml16,ognc,olp,opml,oth,p12,p7b,p7c,pem,qbo,qrm,rflw,rhtml,rjs,rt,rw3,rwp,rwsw,rwtheme,saveddeck,scss,shtm,shtml,sitemap,sites,si
tes2,suck,swz,tvpi,tvvi,ucf,uhtml,vbd,vbhtml,vdw,vlp,vrml,vrt,vsdisco,wbs,wbxml,web,webhistory,website,wgp,whtt,wml,woa,wrf,wsdl,xbel,xbl,xfdl,xht,xhtm,xpd,xss,xul,xws,zfo,zhtml
,zul,zvz,$01,4db,4th,a,aab,aar,addin,ads,agi,aia,aidl,alb,am4,am5,am6,am7,ane,anjuta,ap_,apa,applet,appx,appxsym,appxupload,arsc,artproj,as2proj,as3proj,asvf,au3,autoplay,awk,b,
bas,basex,bb,bbc,bbproject,bbprojectd,bdsproj,bet,bluej,bos,bpr,bs2,bsc,bsh,btn,buildpath,bur,bytes,caproj,cbl,cbp,cc,ccgame,ccn,ccs,cd,cfc,clips,cls,clw,cob,config,cp,cpb,csi,c
sn,csproj,csx,ctxt,cu,cvsrc,cxp,cxx,d,daconfig,dart,dbml,dbo,dbpro,dbproj,dcp,dcproj,dcuil,ddp,dec,dep,deviceids,df1,dfk,dgml,dgsl,diff,dm1,dmd,dob,docset,dpk,dpkw,dres,dsgm,dsy
m,eba,ecp,edm,edml,edmx,el,elc,ent,eql,erl,escn,ex,exw,f2k,f90,f95,fbp,fbp7,fbz7,fce,fcl,fd,feature,fgl,filters,fimpp,for,forth,fpm,framework,frj,frx,fsi,fsl,fsproj,fsscript,fsx
,fxc,fxcproj,fxml,fxpl,gameproj,gar,gbap,gbas,gbm,gch,gemspec,gfar,gitignore,gitkeep,glade,global,gm6,gm81,gmk,gmo,gmx,go,gorm,gradle,greenfoot,groovy,groupproj,gs3,gsproj,gszip
,gvy,gwd,haml,handlebars,has,hcf,hh,hhh,hhp,hrl,hxx,hydra,i,iconset,idl,idt,ilk,iml,inc,inl,ino,ipch,ipp,isc,iwb,iws,iwz,jav,jcp,jdp,jed,jl,jlr,jnilib,jsfl,jsh,jsxinc,juk,kb,kct
,kdevdlg,kdevelop,kdevprj,kdmp,kps,kt,kv,kvk,lang,lbi,lbs,lds,lgo,lhs,licenses,licx,lisp,livecode,loadtest,lol,lproj,lrdb,lsproj,ltb,luc,lxsproj,m4,magik,mak,markdown,mdzip,mer,
mf,mk,ml,mo,mom,mpws,mq5,mrt,msha,mshc,mshi,msix,mv,mxml,myapp,natvis,nbc,ncb,ned,neko,nfm,nib,nim,nk,nqc,nsh,nsi,nsl,nuproj,nuspec,nvv,nw,nxc,o,oat,ob2,oca,octest,odl,omo,os,ow
,owl,oxygene,patch,pb,pbg,pbxbtree,pbxproj,pbxuser,pcp,ph,pika,pjx,pkgdef,pkgundef,playground,plc,ple,pli,pn,pri,proto,psc,psm1,ptl,pwn,pxi,pyd,pyw,pyx,qml,qpr,qx,rav,rb,rbm,rbp
,rbvcp,rbw,rbxs,rc,rdlc,rdoc,refresh,res,resjson,resources,resw,resx,rexx,rise,rkt,rls,rodl,rotest,rpy,rsrc,ru,rul,rwsnippet,s19,sas,sb2,sb3,sbproj,sc,scala,scratch,sdef,sed,set
,slogo,sltng,smali,snippet,sol,spec,sqlproj,src,ss,ssi,storyboard,sud,suo,svn-
base,swc,swd,swift,t,targets,tcl,td,tiprogram,tk,tld,tlh,tli,tmlanguage,tmpl,tmproj,tmproject,tns,tpk,tpu,tres,tscn,tt,tu,tur,twig,uft,ui,uml,umlclass,vala,var,vbg,vbp,vbproj,vb
x,vbz,vc,vcp,vcx,vcxitems,vdm,vdp,vdproj,vgc,vhd,vhdl,vjp,vjsproj,vm,vpc,vsct,vsmacros,vsmdi,vsmproj,vspf,vsps,vspscc,vspx,vssscc,vsz,vtm,vtml,vtv,vwl,w,wapproj,wasm,wdgtproj,wd
l,wdw,webtest,winmd,wiq,wixlib,wixmsp,wixmst,wixobj,wixout,wixpdb,wixproj,workbook,worksheet,workspace,wowproj,wsp,wxi,wxl,wxs,xaml,xamlx,xbf,xcappdata,xcarchive,xcconfig,xcode,
xib,xojo_menu,xoml,xpp,xq,xql,xqm,xquery,xqy,xsx,xtb,yab,yaml,yml,yml2,ymp,ypr,|||b5t,b6t,bwi,bwt,dmg,i00,i01,i02,isz,md0,md1,md2,nrg,pdi,toast,2mg,adz,afm,ashdisc,atr,avhd,b5i,
b6i,bwa,bws,bwz,ciso,cl5,cue,d64,d88,daa,dao,dax,dbr,disc,disk,dmgpart,dms,e01,ecm,eda,ede,edk,edq,eds,edv,eui,ex01,fdi,g41,gbi,gdrive,gi,gkh,hc,hdd,hfs,hfv,ibadr,ibb,ibdat,ibp,
ibq,imz,ixa,k3b,l01,lx01,mbi,miniso,mrimg,nn,nri,p2g,p2i,partimg,pgd,qcow,qcow2,ratdvd,sco,sdsk,sqfs,st,t64,tao,tap,tzx,ufs,uibak,uif,vaporcd,vc6,vc8,vco,vdi,vfd,vhdx,vmdk,vmwar
evm,volarchive,wbi,wii,wil,wim,winclone,wmt,woz,wud,x64,xdi,xva,xvd,|||fnt,fon,torrent,magnet,sngw,ucm,application,appref-
ms,conf,deskthemepack,ds_store,inf,plist,swb,thempack,cf,cfu,vrp,lgp,pff,efd,00,32x,3dsx,3dz,555,68k,8ld,a26,acww,acx,age3rec,age3sav,age3scn,age3xrec,age3xsav,age3yrec,age3ysav
,am1,arch00,arp,ars,ash,ass,asset,ba2,bak1,bars,bb3,bdae,bf,bfg,bfm,bfs,bgz,bic,big,biq,blorb,blp,bls,bmd,bme,bmg,bng,bnr,bns,bnz,bo2,bo3,breff,breft,brlyt,brmdl,brres,brsar,brs
eq,brtex,brv,bs1,bsa,bsb,bsdiff,bsg,bsp,bus,bzw,carc,cbh,cbv,cdp2,cgf,chd,cm,cns,compiled,cos,course,cpn,crp,cty,d3dbsp,dat_mcr,dat_new,dazip,desc,diva,dm_68,dm_82,dm_83,dm_84,d
nf,dns,dol,dpf,drm,duc,dun,dv2,dzip,e2gm,eepf,egm,eix,ek6,ekx,elm,eng,epc,escape,esg,esm,est_uax,evp,ewl,fbrb,fc1,fc2map,fcm,ff,fgd,fila,film_cpk,fl,flash,fld,fml,fnta,fomod,for
ge,fos,fpid,fpk,fpmb,fpmo,fpop,fps,frc,frw,frz,fs2,fsg,fssave,fst,fuk,fwd,g3x,galaxy,game,gamedata,gba,gbaskin,gbc,gbcskin,gblorb,gcf,gci,gcm,gct,gcz,gd,gdc,gdg,gdi,gdw,genome,g
fx,gg,ggpack,ghb,gjd,glksave,gma,gme,gmres,gmv,god,goomod,gr2,gs0,gsba,gsc,gsx,gtworld,h3m,h4r,h5m,h5u,hat,he,he0,he1,he2,he4,hhsl,hi,hit,hmp,hof,hog,hoi4,honmod,hot,hqm,hum,hwd
,hwmap,hws,hxm,i3pack,ib2,ib3,ibch,ibre,ibro,ibt,icmod,idx0,idx255,ifp,imga,inform,inv,ipl,ips,isr,itk,itr,iwd,j2i,j2l,j64,ja,jag,jap,jbeam,jcr,jg4,jgc,jigsaw,jkb,jmf,jrc,jrz,k2
s,kag,kcl,kf2,kfs,kodu,kv6,kwreplay,l2r,l3d,laby,ldb,ldw,litemod,lk12,ll,lmp,lmu,lock,lod,love,lpb,lsw,ltg,luxb,lvl,lvlx,mae,maplet,mca,mcapm,mcpack,mcserver,mcworld,md3,menu,mg
l,mgx,mii,mis,mp2m,mp2s,mpm,mpq,mrs,mul,n-
gage,n3pmesh,n64,nar,narc,nav,naz,nbt,nca,ncer,ncf,ncgr,nclr,ndd,ndr,neosave,nfs11save,ngage,ngp,ngs,nl2script,nlelem,nlpx,nltrack,nlvm,nop,npa,nro,ns1,nsbca,nsbmd,nsbtx,nsbva,n
scr,nsp,ntrk,ogz,omod,osk,osr,osu,ovh,ovl,p2m,p3t,papa,pbn,pbp,pcsav,pgn,phn,pk3,pk4,pkx,player,plr,pqhero,prk,properties,pssg,pwf,pxp,qwd,radq,rasunsoft,rbj,rbxl,rbxlx,rbxm,rbx
mx,replay,ress,rfc,rfgs_pc,rfm,rgd,rgp,rgss2a,rgss3a,rgssad,rgt,rim,rkg,rkp,rofl,ros,rot,rp2,rpgmvm,rpgmvo,rpgmvp,rpgproject,rpgsave,rpkg,rpl,rpyc,rs2,rsdk,rton,rttex,rvdata,rvd
ata2,rvproj,rvproj2,rxdata,s2z,sad,sami,sc2archive,sc2assets,sc2bank,sc2data,sc2ma,sc2map,sc2mod,sc2replay,sc2save,sc4desc,sc4lot,schematic,scs,scworld,sd7,settings,sfar,sfo,sg0
,sga,sgb,sgpbprj,sii,sims2pack,sims3,sims3pack,sli,smzip,splane,srm,stencyl,sv5,svs,taf,tbm,td6,tex0,tfr,tic,tiger,tim,tkr,tlk,tmod,tor,tp4,ts4script,ttarch,ttl,twt,tzarc,uasset
,uc,ucl,udk,ukx,ulx,umap,umd,umod,umx,unf,unif,unity,unity3d,unityproj,unr,updatr,upk,ups,uqm,usa,usx,ut2,ut2mod,ut3,ut4mod,ut8,utc,utw,utx,uvx,uxx,v64,vbf,vcm,veh,vfs0,vgi,vhv,
vmap,vmap_c,vmdl,vmv,vmx,vol,vvvvvv,vwp,vx2,w3g,w3m,w3n,w3x,w3z,wa2,wad,wagame,wal,wam,wbfs,wbt,wc6,weap,wgf,whirld,wl1,wl6,wldx,wmo,wolfquest,wop,world,wotmod,wotreplay,wowsrep
lay,wrpl,wtd,wtf,wu8,wxn,wz,xal,xan,xbe,xbsav,xci,xen,xex,xgdw,xgt,xmb,xnb,xom,xp2,xp3,xp4,xpk,xs,xtl,xvmconf,y3a,y3d,ycm,ydc,ydk,ydt,yfs,ytd,z1,z2,z2f,z2s,z3,z4,z5,z6,z64,z7,z8
,zad,zblorb,zks,zmap,zs0,zs1,zs2,zs3,zs4,zs5,zs6,zs7,zs8,zs9,zsd,zsm,ztd,ztmp,zzz,256,8st,a2theme,a7p,aco,acrodata,acv,acw,adpp,ahl,ahs,ahu,ait,aiu,alv,aom,arg,asef,asl,asw,aswc
s,asws,atc,ath,atn,atz,awcav,bau,bcmx,bgi,bitpim,bitsboard,blob,blt,blw,boot,bs7,bsxc,bsxp,btsearch,bxx,c2r,camp,cdrt,cex,chl,chx,clr,cmate,cmmtheme,cnf,comp,copreset,costyle,cp
dx,cptm,csaplan,cskin,csplan,cui,cuix,dbb,dbg,dcst,ddf,deft,directory,dok,dpv,dr5,dsw,dtsconfig,duck,dxls,ecfg,eft,eftx,ehi,emm,emmt,enp,ens,enz,epr,eqf,eqp,etff,eum,ewprj,eww,e
xample,exe4j,exportedui,eyetvp,eyetvsched,fat,fbt,fc,fcc,fdc,fe_launch,flst,fm3,fmod,fpl,frames,frr,fspy,ft,fth,ftp,ftpquota,fvp,fwt,fxb,gcsx,gid,gin,gliffy,gmw,godot,gqsx,gtkrc
,gvimrc,gvswatch,h2p,hd3d,hdt,hfp,hme,how2,hpr,ht,iaf,icc,icm,icst,icursorfx,iddx,idf,idpp,ihw,iip,iit,ikf,ikmp,immodules,import,injb,inms,ipcc,ipynb,iros,irs,isp,iss,itt,ix,jdf
,jkm,joy,kcb,kds,kfl,klc,kmf,kuip,kyb,kys,l4d,lbrn,lbu,lcc,lfo,lgt,lh3d,lily,lmc,lnst,loaders,look,lop,lrsmcol,lrtemplate,lva,lvf,lxcp,lxsopt,m2s,mailhost,mask,mcl,mgk,mlk,mns,m
nu,mobirise,moef,mof,moti,motn,motr,mpt,mskn,msn,mst,mxskin,mycolors,ncfg,nd,ndc,ngrr,nji,nkp,np4,npfx,nsx,ntc,nts,nvp,nwv,obi,obt,oce,officeui,ofp,oif,ois,olk14pref,oms,onetoc,
onetoc2,ops,options,opts,osdx,oss,otmu,otpu,otw,otwu,otz,ovpn,pctl,pdadj,pgp,pie,pio,pip,pmc,pmj,pmp,policy,pr,pref,prfpset,profimail,propdesc,props,ps1xml,psc1,pvs,pxb,q2d,q5q,
q9q,qat,qss,qtp,qvpp,qvt,qxw,rcf,rct,rdo,rdp,rdr,rdw,resmoncfg,rfq,rgrid,rhr,rll,rmskin,rnx,rpb,rpe,rpk,rproj,rps,rpv,ruleset,rwstyle,s2ml,sgt,sif,ski,skin,skn,skz,sl,slt,smt,sp
fx,srs,sss,stb,sw2,t2c,tcls,tee,terminal,tfx,tgw,the,thmx,tll,tlo,tmtheme,tpark,tscproj,tsi,tsm,tsz,tts,tvtemplate,tw3,twc,typeit4me,uct,udcx,ugr,uis,user,utz,vbox,vcomps,vcpref
,vcw,vim,vimrc,viz,vmac,vmba,vmc,vmcx,vmpl,vmtm,vmxf,vnc,vni,vph,vps,vqc,vsprops,vssettings,vstpreset,vsw,vtpr,wc,wcx,wcz,wfc,wfw,wif,wlvs,wme,wms,work,wzconfig,x4k,xcscheme,xct
,xcu,xdr,xep,xes,xet,xev,xgs,xiz,xlb,xpl,xst,xtodvd,xtreme,xui,xur,xvm,xwk,ytt,zon,zpf,zvt,acfm,amfm,dfont,eot,euf,f3f,ffil,fot,gdr,gf,glif,lwfn,nftr,odttf,pfa,pfb,pfm,pmt,suit,
t65,tfm,ttc,tte,vfb,vlw,vnf,woff,woff2,xfn,ytf,|||pkpass,grs,_eml,_nws,!bt,!qb,!sync,!ut,1,323,83p,8xp,aawdef,abr,ac$,acl,acs,add,aepkey,afploc,ahd,ahi,alt,aod,appup,aria2,auz,a
vastlic,avgdx,az!,bbl,bc!,bfc,bkmk,bli,bnd,bootskin,bp2,bp3,bqy,bst,bt!,buf,cache,calibre,cbds,cdf-
ms,cerber3,cfl,chunk001,chw,clkk,clkt,clkw,clkx,cmm,contour,cp3,crc,crd,ctg,cul,cvr,dcover,dctmp,decrypt,desktop,disabled,dlm,dmx-
info,drc,dskin,dstudio,dtapart,dwc,dwl,dwlibrary,ebn,edc,eek,ef2,egt,email,enf,enml,esd,event,ewnet,exd,extra,eyb,ezlog,ezw,fb!,feedback,ffu,file,fl3,flf,fmelic,fnd,fnlf,fpfv,fr
k,ftil,ftploc,fw,g1a,g3a,gau,glink,gly,gpg,gradients,gta,h1q,hdk,hdx,hlb,hlx,hmx,hxa,hxc,hxe,hxk,hxt,ical,icalendar,icma,icontainer,id,idlk,ifl,iix,imapmbox,imy,inca,indk,inetlo
c,ing,inlk,inm,iobit,ipsw,isn,itc,jad,jc,jc!,jcl,jcw,jms,jmt,jmx,jqz,jrs,khd,khi,kmr,kyr,lck,legal,letter,lic,licensekey,lid,link,linx,logonvista,logonxp,loov,lrc,lsn,lwtp,lxa,m
ab,mailtoloc,mbs,mc2,mco,md5,mdw,mfil,mgdatabase,mgo,mgt,mjdoc,mmo,mnl,mnx,montage,mpcpl,mrk,mta,mtd,mthd,mvi,na2,nav2,nch,nd5,ndl,new,nick,njb,nk2,nss,nth,nup,nvi,ob!,ook,opdow
nload,ost,otc,owg,owm,p10,p2p,p7m,p7r,pad,pando,partial,pdpcomp,plsk,ppk,psar,psi,pth,ptr,pvk,qds,qiz,qua,qwq,qxl,radiumkey2,rat,redir,reloc,rem,req,rfb,rfn,rfp,rmh,rov,rpmsg,rs
a,rtc,rwlibrary,rxc,search-ms,sft,sfv,shs,skba,skindex,skr,slf,slupkg-ms,snf,snt,sr0,sslf,ssw,storymill,svn-
work,swj,t$m,tbs,tcz,tec,tfil,tip,tla,tls,tmb,tnef,tnsp,tpkey,tpm,trace,tscdf,tstream,ttx,uls,unk,unknown,unl,upg,urr,vbt,vdjsend,ver,vir,vlcl,vmg,vmhf,vmhr,vmsg,vncloc,vor,vpa,
vpc6,vpc7,wba,wcinv,wdseml,wgs,wje,wordlist,wrts,wsz,wtc,wul,wwd,wzmul,xensearch,xlnk,xnk,xslic,xwf,ybd,ymg,yps,z80,zm9,zml,ztf,ztr,zvpl,|||pas,bpl,dpr,dcu,dpl,dproj,|||\n"
}
Yara Overview
Copyright Joe Security LLC 2021 Page 5 of 13
Sigma Overview
No Sigma rule has matched
Jbx Signature Overview
Click to jump to signature section
AV Detection:
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Spam, unwanted Advertisements and Ransom Demands:
Found ransom note / readme
Yara detected CryLock ransomware
Deletes shadow drive data (may be related to ransomware)
Hooking and other Techniques for Hiding and Protection:
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malware Analysis System Evasion:
Contains functionality to detect sleep reduction / modifications
Source Rule Description Author Strings
C:\Users\user\AppData\Local\Temp\how_to_decrypt.hta JoeSecurity_CryLock Yara detected CryLock ransomware
Joe Security
Source Rule Description Author Strings
00000000.00000003.197222832.0000000004FF0000.00000004.00000001.sdmp
JoeSecurity_CryLock Yara detected CryLock ransomware
Joe Security
00000000.00000002.462601526.0000000005018000.00000004.00000001.sdmp
JoeSecurity_CryLock Yara detected CryLock ransomware
Joe Security
00000000.00000002.462574922.000000000500C000.00000004.00000001.sdmp
JoeSecurity_CryLock Yara detected CryLock ransomware
Joe Security
00000000.00000002.462552901.0000000004FF4000.00000004.00000001.sdmp
JoeSecurity_CryLock Yara detected CryLock ransomware
Joe Security
Process Memory Space: vnMQDhyZya.exe PID: 4580 JoeSecurity_CryLock Yara detected CryLock ransomware
Joe Security
Dropped Files
Memory Dumps
Copyright Joe Security LLC 2021 Page 6 of 13
Mitre Att&ck Matrix
InitialAccess Execution Persistence
PrivilegeEscalation Defense Evasion
CredentialAccess Discovery
LateralMovement Collection Exfiltration
Commandand Control
NetworkEffects
RemoteServiceEffects
ValidAccounts
NativeAPI 1
ApplicationShimming 1
Access TokenManipulation 1
Masquerading 1 InputCapture 1 1
System TimeDiscovery 1
RemoteServices
InputCapture 1 1
ExfiltrationOver OtherNetworkMedium
EncryptedChannel 1
Eavesdrop onInsecureNetworkCommunication
RemotelyTrack DeviceWithoutAuthorization
DefaultAccounts
ScheduledTask/Job
Boot orLogonInitializationScripts
ProcessInjection 1
Access TokenManipulation 1
LSASSMemory
SecuritySoftwareDiscovery 1 2
RemoteDesktopProtocol
ArchiveCollectedData 1
ExfiltrationOverBluetooth
Junk Data Exploit SS7 toRedirect PhoneCalls/SMS
RemotelyWipe DataWithoutAuthorization
DomainAccounts
At (Linux) Logon Script(Windows)
ApplicationShimming 1
Process Injection 1 SecurityAccountManager
ProcessDiscovery 3
SMB/WindowsAdmin Shares
ClipboardData 2
AutomatedExfiltration
Steganography Exploit SS7 toTrack DeviceLocation
ObtainDeviceCloudBackups
LocalAccounts
At(Windows)
Logon Script(Mac)
Logon Script(Mac)
Deobfuscate/DecodeFiles orInformation 1
NTDS ApplicationWindowDiscovery 1 1
DistributedComponentObject Model
Input Capture ScheduledTransfer
ProtocolImpersonation
SIM CardSwap
CloudAccounts
Cron NetworkLogon Script
Network LogonScript
Obfuscated Files orInformation 2
LSA Secrets System ServiceDiscovery 1
SSH Keylogging DataTransferSize Limits
FallbackChannels
ManipulateDeviceCommunication
ReplicationThroughRemovableMedia
Launchd Rc.common Rc.common File Deletion 1 CachedDomainCredentials
File andDirectoryDiscovery 1
VNC GUI InputCapture
ExfiltrationOver C2Channel
MultibandCommunication
Jamming orDenial ofService
ExternalRemoteServices
ScheduledTask
StartupItems
Startup Items Compile AfterDelivery
DCSync SystemInformationDiscovery 2 6
WindowsRemoteManagement
Web PortalCapture
ExfiltrationOverAlternativeProtocol
CommonlyUsed Port
Rogue Wi-FiAccess Points
Behavior GraphID: 450141
Sample: vnMQDhyZya.bin
Startdate: 17/07/2021
Architecture: WINDOWS
Score: 96
Found malware configurationAntivirus / Scanner
detection for submittedsample
Icon mismatch, binaryincludes an icon from
a different legit applicationin order to fool users
4 other signatures
vnMQDhyZya.exe
1
started
C:\Users\user\AppData\...\how_to_decrypt.hta, HTML
dropped
Contains functionalityto detect sleep reduction
/ modifications
Legend:
Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Hide Legend
Behavior Graph
Copyright Joe Security LLC 2021 Page 7 of 13
ThumbnailsThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source Detection Scanner Label Link
vnMQDhyZya.exe 84% Virustotal Browse
vnMQDhyZya.exe 46% Metadefender Browse
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Copyright Joe Security LLC 2021 Page 8 of 13
General Information
Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 450141
Start date: 17.07.2021
Start time: 00:31:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: vnMQDhyZya.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:
24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabledEGA enabledHDC enabledAMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.rans.evad.winEXE@1/1@0/0
vnMQDhyZya.exe 86% ReversingLabs Win32.Ransomware.FileCryptor
vnMQDhyZya.exe 100% Avira HEUR/AGEN.1140448
Source Detection Scanner Label Link
No Antivirus matches
Source Detection Scanner Label Link Download
0.2.vnMQDhyZya.exe.400000.0.unpack 100% Avira HEUR/AGEN.1108767 Download File
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Dropped Files
Unpacked PE Files
Domains
URLs
Domains and IPs
Contacted Domains
Contacted IPs
Copyright Joe Security LLC 2021 Page 9 of 13
EGA Information: Failed
HDC Information: Successful, ratio: 99.9% (good quality ratio 97.4%)Quality average: 80.4%Quality standard deviation: 25.2%
HCA Information: Failed
Cookbook Comments: Adjust boot timeEnable AMSI
Warnings:
No simulations
No context
No context
No context
No context
No context
C:\Users\user\AppData\Local\Temp\how_to_decrypt.hta
Process: C:\Users\user\Desktop\vnMQDhyZya.exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 6031
Entropy (8bit): 5.556670512747036
Encrypted: false
SSDEEP: 96:7SWCBg9TlfXNQBg9TlfXMrmd7BW5olrfYBeYDXA1cF00beuYK1:7FTlfXXTlfXMrmdNXf1cbnYI
MD5: 9B566DFE1A1F108C0DA7ECC9395B67A2
SHA1: F97195B9D974D4AE9269381462DA65F1D2ABDA85
SHA-256: 0834D8D12ABB8E0A3C22F4C8F0901240483844DD8063917BAEC2E3400522CF08
SHA-512: F95889ED583547BC14230231204328D2DF092823E4C8A3EC25792E9302AFC999A98A737BEFD39E647A3388F9273BF6D98878BCCE95E033A51AD55B0AC00FAE65
Malicious: true
Yara Hits: Rule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: C:\Users\user\AppData\Local\Temp\how_to_decrypt.hta, Author: Joe Security
Reputation: low
Show All
Simulations
Behavior and APIs
Joe Sandbox View / Context
IPs
Domains
ASN
JA3 Fingerprints
Dropped Files
Created / dropped Files
Copyright Joe Security LLC 2021 Page 10 of 13
Static File Info
GeneralFile type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.480181156357604
TrID: Win32 Executable (generic) a (10002005/4) 99.79%Win32 Executable Delphi generic (14689/80) 0.15%Win16/32 Executable Delphi generic (2074/23) 0.02%Generic Win/DOS Executable (2004/3) 0.02%DOS Executable Generic (2002/1) 0.02%
File name: vnMQDhyZya.exe
File size: 688128
MD5: 23755a33694adc76023dd0b7607bc03d
SHA1: 33a68ea32f34ab635a7f6ce6d39cf48e97329031
SHA256: e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507
SHA512: aa179e18c61514e0ea93fe0d3813af4d788b1f7c8fe20987e3d0316b77478f9afb6af3f9cd1797903b955b1a623e495c4f00c384957e93f1037fc45fb312ab58
SSDEEP: 12288:67YumfFmeva/WAQZYJo2YBVt3cU7iIFIeiqcaesKxt5Z3y+pIhfJhkiMySTXdv5/:EYT3a/WMJ4VbiwesKxt5Z3y+pIhfJhkF
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
File Icon
Icon Hash: b99988fcd4f66e0f
Preview:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html>..<title>CryLock</title>..<hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" ..scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application>..<script language="JavaScript">..var ud=0;..var op=0xc7bf30;..var zoc=0;..function document.onkeydown() {.. var alt=window.event.altKey;.. if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) {.. event.keyCode=0;.. event.cancelBubble=true;.. return false;.. }.. }..function document.onblur()..{..alert('Attention! This important information for you!');..}..function ChangeTime()..{..var sd = new Date('July 19 2021 00:32:00');..var dn = new Date();..if (sd.getTime()<dn.getTime())..{..var dt=document.getEle
C:\Users\user\AppData\Local\Temp\how_to_decrypt.hta
GeneralEntrypoint: 0x4766c0
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a673946f3abdec2477cd32a41983c2e9
Static PE Info
Entrypoint Preview
Copyright Joe Security LLC 2021 Page 11 of 13
No network behavior found
Code Manipulations
Statistics
System Behavior
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
CODE 0x1000 0x75844 0x75a00 False 0.503746429995 data 6.54275157823 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA 0x77000 0x1658 0x1800 False 0.482747395833 data 4.48427478987 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS 0x79000 0x17c5 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata 0x7b000 0x2a14 0x2c00 False 0.352272727273 data 4.91316264989 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls 0x7e000 0x10 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata 0x7f000 0x18 0x200 False 0.048828125 data 0.20058190744 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc 0x80000 0x8a80 0x8c00 False 0.571958705357 data 6.64498546971 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc 0x89000 0x24f64 0x25000 False 0.300431535051 data 5.20881384664 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Language of compilation system Country where language is spoken Map
Russian Russia
Network Behavior
Start time: 00:31:59
Start date: 17/07/2021
Data Directories
Sections
Resources
Imports
Possible Origin
Analysis Process: vnMQDhyZya.exe PID: 4580 Parent PID: 5692Analysis Process: vnMQDhyZya.exe PID: 4580 Parent PID: 5692
General
Copyright Joe Security LLC 2021 Page 12 of 13
Joe Sandbox Cloud Basic 33.0.0 White Diamond
Disassembly
Code Analysis
Copyright Joe Security LLC
File ActivitiesFile Activities
Path: C:\Users\user\Desktop\vnMQDhyZya.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\vnMQDhyZya.exe'
Imagebase: 0x400000
File size: 688128 bytes
MD5 hash: 23755A33694ADC76023DD0B7607BC03D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches: Rule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: 00000000.00000003.197222832.0000000004FF0000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: 00000000.00000002.462601526.0000000005018000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: 00000000.00000002.462574922.000000000500C000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: 00000000.00000002.462552901.0000000004FF4000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low
Show Windows behavior
File CreatedFile Created
File WrittenFile Written
Copyright Joe Security LLC 2021 Page 13 of 13