buran | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7v20201028
submitted
04-11-2020 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hci0xn0zip.exe
Size

3.3MB
MD5

d18bf81dbc8acce488abd633d8058cf5
SHA1

1d6dcade355b4867e9435961655a9b9caa373528
SHA256

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512

10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Score

10^/10

buran evasion persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kassmaster@danwin1210.me and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kassmaster@danwin1210.me Reserved email: kassmaster@tutanota.com Your personal ID: 1DE-92F-1C8 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

kassmaster@danwin1210.me

kassmaster@tutanota.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

15sp.exemesager43.exelsass.exelsass.exe

pid process

432 15sp.exe
1956 mesager43.exe
632 lsass.exe
1712 lsass.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
432	15sp.exe
1956	mesager43.exe
632	lsass.exe
1712	lsass.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ssd\onset\mesager43.exe	upx
C:\ssd\onset\mesager43.exe	upx
\ssd\onset\mesager43.exe	upx
C:\ssd\onset\mesager43.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	upx

Loads dropped DLL 5 IoCs

Processes:

cmd.execmd.exemesager43.exe

pid process

792 cmd.exe
524 cmd.exe
524 cmd.exe
1956 mesager43.exe
1956 mesager43.exe

pid	process
792	cmd.exe
524	cmd.exe
524	cmd.exe
1956	mesager43.exe
1956	mesager43.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mesager43.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 geoiptool.com

flow	ioc
7	geoiptool.com

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Drops file in Program Files directory 15084 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234000.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL010.XML.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300520.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00005_.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15274_.GIF	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\net.properties	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02066_.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00392_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF.1DE-92F-1C8	lsass.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00139_.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107364.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02293_.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jsse.jar.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.XML	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLADDR.FAE	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLJRNLR.FAE.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01923_.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00932_.WMF.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151045.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.1DE-92F-1C8	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01293_.WMF.1DE-92F-1C8	lsass.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

572 timeout.exe
820 timeout.exe
1116 timeout.exe
1656 timeout.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

304 vssadmin.exe
1324 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1116 taskkill.exe
1424 taskkill.exe

pid	process
572	timeout.exe
820	timeout.exe
1116	timeout.exe
1656	timeout.exe

pid	process
304	vssadmin.exe
1324	vssadmin.exe

pid	process
1116	taskkill.exe
1424	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

lsass.exemesager43.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lsass.exe

Suspicious use of AdjustPrivilegeToken 89 IoCs

Processes:

mesager43.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1956	mesager43.exe
Token: SeDebugPrivilege	1956	mesager43.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1228	WMIC.exe
Token: SeSecurityPrivilege	1228	WMIC.exe
Token: SeTakeOwnershipPrivilege	1228	WMIC.exe
Token: SeLoadDriverPrivilege	1228	WMIC.exe
Token: SeSystemProfilePrivilege	1228	WMIC.exe
Token: SeSystemtimePrivilege	1228	WMIC.exe
Token: SeProfSingleProcessPrivilege	1228	WMIC.exe
Token: SeIncBasePriorityPrivilege	1228	WMIC.exe
Token: SeCreatePagefilePrivilege	1228	WMIC.exe
Token: SeBackupPrivilege	1228	WMIC.exe
Token: SeRestorePrivilege	1228	WMIC.exe
Token: SeShutdownPrivilege	1228	WMIC.exe
Token: SeDebugPrivilege	1228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1228	WMIC.exe
Token: SeRemoteShutdownPrivilege	1228	WMIC.exe
Token: SeUndockPrivilege	1228	WMIC.exe
Token: SeManageVolumePrivilege	1228	WMIC.exe
Token: 33	1228	WMIC.exe
Token: 34	1228	WMIC.exe
Token: 35	1228	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1304	WMIC.exe
Token: SeSecurityPrivilege	1304	WMIC.exe
Token: SeTakeOwnershipPrivilege	1304	WMIC.exe
Token: SeLoadDriverPrivilege	1304	WMIC.exe
Token: SeSystemProfilePrivilege	1304	WMIC.exe
Token: SeSystemtimePrivilege	1304	WMIC.exe
Token: SeProfSingleProcessPrivilege	1304	WMIC.exe
Token: SeIncBasePriorityPrivilege	1304	WMIC.exe
Token: SeCreatePagefilePrivilege	1304	WMIC.exe
Token: SeBackupPrivilege	1304	WMIC.exe
Token: SeRestorePrivilege	1304	WMIC.exe
Token: SeShutdownPrivilege	1304	WMIC.exe
Token: SeDebugPrivilege	1304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1304	WMIC.exe
Token: SeRemoteShutdownPrivilege	1304	WMIC.exe
Token: SeUndockPrivilege	1304	WMIC.exe
Token: SeManageVolumePrivilege	1304	WMIC.exe
Token: 33	1304	WMIC.exe
Token: 34	1304	WMIC.exe
Token: 35	1304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1304	WMIC.exe
Token: SeSecurityPrivilege	1304	WMIC.exe
Token: SeTakeOwnershipPrivilege	1304	WMIC.exe
Token: SeLoadDriverPrivilege	1304	WMIC.exe
Token: SeSystemProfilePrivilege	1304	WMIC.exe
Token: SeSystemtimePrivilege	1304	WMIC.exe
Token: SeProfSingleProcessPrivilege	1304	WMIC.exe
Token: SeIncBasePriorityPrivilege	1304	WMIC.exe
Token: SeCreatePagefilePrivilege	1304	WMIC.exe
Token: SeBackupPrivilege	1304	WMIC.exe
Token: SeRestorePrivilege	1304	WMIC.exe
Token: SeShutdownPrivilege	1304	WMIC.exe
Token: SeDebugPrivilege	1304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1304	WMIC.exe
Token: SeRemoteShutdownPrivilege	1304	WMIC.exe
Token: SeUndockPrivilege	1304	WMIC.exe
Token: SeManageVolumePrivilege	1304	WMIC.exe
Token: 33	1304	WMIC.exe
Token: 34	1304	WMIC.exe
Token: 35	1304	WMIC.exe

Suspicious use of WriteProcessMemory 118 IoCs

Processes:

hci0xn0zip.exeWScript.execmd.exeWScript.execmd.exemesager43.exe

description	pid	process	target process
PID 1680 wrote to memory of 888	1680	hci0xn0zip.exe	WScript.exe
PID 1680 wrote to memory of 888	1680	hci0xn0zip.exe	WScript.exe
PID 1680 wrote to memory of 888	1680	hci0xn0zip.exe	WScript.exe
PID 1680 wrote to memory of 888	1680	hci0xn0zip.exe	WScript.exe
PID 888 wrote to memory of 792	888	WScript.exe	cmd.exe
PID 888 wrote to memory of 792	888	WScript.exe	cmd.exe
PID 888 wrote to memory of 792	888	WScript.exe	cmd.exe
PID 888 wrote to memory of 792	888	WScript.exe	cmd.exe
PID 792 wrote to memory of 432	792	cmd.exe	15sp.exe
PID 792 wrote to memory of 432	792	cmd.exe	15sp.exe
PID 792 wrote to memory of 432	792	cmd.exe	15sp.exe
PID 792 wrote to memory of 432	792	cmd.exe	15sp.exe
PID 792 wrote to memory of 572	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 572	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 572	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 572	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 304	792	cmd.exe	WScript.exe
PID 792 wrote to memory of 304	792	cmd.exe	WScript.exe
PID 792 wrote to memory of 304	792	cmd.exe	WScript.exe
PID 792 wrote to memory of 304	792	cmd.exe	WScript.exe
PID 792 wrote to memory of 820	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 820	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 820	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 820	792	cmd.exe	timeout.exe
PID 304 wrote to memory of 524	304	WScript.exe	cmd.exe
PID 304 wrote to memory of 524	304	WScript.exe	cmd.exe
PID 304 wrote to memory of 524	304	WScript.exe	cmd.exe
PID 304 wrote to memory of 524	304	WScript.exe	cmd.exe
PID 524 wrote to memory of 564	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 564	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 564	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 564	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 1116	524	cmd.exe	timeout.exe
PID 524 wrote to memory of 1116	524	cmd.exe	timeout.exe
PID 524 wrote to memory of 1116	524	cmd.exe	timeout.exe
PID 524 wrote to memory of 1116	524	cmd.exe	timeout.exe
PID 524 wrote to memory of 1956	524	cmd.exe	mesager43.exe
PID 524 wrote to memory of 1956	524	cmd.exe	mesager43.exe
PID 524 wrote to memory of 1956	524	cmd.exe	mesager43.exe
PID 524 wrote to memory of 1956	524	cmd.exe	mesager43.exe
PID 1956 wrote to memory of 632	1956	mesager43.exe	lsass.exe
PID 1956 wrote to memory of 632	1956	mesager43.exe	lsass.exe
PID 1956 wrote to memory of 632	1956	mesager43.exe	lsass.exe
PID 1956 wrote to memory of 632	1956	mesager43.exe	lsass.exe
PID 1956 wrote to memory of 552	1956	mesager43.exe	notepad.exe
PID 1956 wrote to memory of 552	1956	mesager43.exe	notepad.exe
PID 1956 wrote to memory of 552	1956	mesager43.exe	notepad.exe
PID 1956 wrote to memory of 552	1956	mesager43.exe	notepad.exe
PID 1956 wrote to memory of 552	1956	mesager43.exe	notepad.exe
PID 1956 wrote to memory of 552	1956	mesager43.exe	notepad.exe
PID 1956 wrote to memory of 552	1956	mesager43.exe	notepad.exe
PID 524 wrote to memory of 1116	524	cmd.exe	taskkill.exe
PID 524 wrote to memory of 1116	524	cmd.exe	taskkill.exe
PID 524 wrote to memory of 1116	524	cmd.exe	taskkill.exe
PID 524 wrote to memory of 1116	524	cmd.exe	taskkill.exe
PID 524 wrote to memory of 1424	524	cmd.exe	taskkill.exe
PID 524 wrote to memory of 1424	524	cmd.exe	taskkill.exe
PID 524 wrote to memory of 1424	524	cmd.exe	taskkill.exe
PID 524 wrote to memory of 1424	524	cmd.exe	taskkill.exe
PID 524 wrote to memory of 1724	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 1724	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 1724	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 1724	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 1656	524	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

564 attrib.exe
1724 attrib.exe

pid	process
564	attrib.exe
1724	attrib.exe

C:\Users\Admin\AppData\Local\Temp\hci0xn0zip.exe
"C:\Users\Admin\AppData\Local\Temp\hci0xn0zip.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ssd\onset\81ldp.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792

C:\ssd\onset\15sp.exe
"15sp.exe" e -psion0811 01s.rar
4⤵
- Executes dropped EXE
PID:432

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ssd\onset\sata1.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ssd\"
6⤵
- Views/modifies file attributes
PID:564

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:1116

C:\ssd\onset\mesager43.exe
mesager43.exe /start
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
PID:632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
8⤵
PID:656

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
8⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
8⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
8⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
8⤵
PID:1824

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
8⤵
PID:1696

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:1324

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1712

C:\Windows\SysWOW64\notepad.exe
notepad.exe
8⤵
PID:1700

C:\Windows\SysWOW64\notepad.exe
notepad.exe
7⤵
PID:552

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\ssd\onset\mesager43.exe"
6⤵
- Views/modifies file attributes
PID:1724

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:1656

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
9d538c0560b32800760c81848d63c768

SHA1
0347de3203f816ec681476bad1ba61a9d617933d

SHA256
ff250295947988215771c7277792f7678cbb6c8d0db006a034622ae50090cc07

SHA512
14e728259be57440bf8b497884cb376c2f1b7bde2b9c8ffc3c9f3804dbe59f12899a57e434b2f8b3ca03a215eda40c434eec21064b93bdbbc75c4951ec7b3c45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
61faf9608aef25c78ecec385617c1fe5

SHA1
475cb92095f1ee2c19a6eaa4615697b1b9f0c21e

SHA256
efa2e7c480e2cdeb6834fd1afca56ceb66f814e2b8da59ba6df4569d2b397ef4

SHA512
1b9226545cc39585a4a18b52227cdd7e6b8ff889dd40e9e186cce8d52c10abe1686fd8c799f52656f8b33ba47fa809d0f8369b1ef28207ebcc0d23e26a1d13dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f3b3ba3b8527743bfe3ae7feb9de6a4d

SHA1
65a5fc2851514d5867a6726768f03d956142185e

SHA256
49a00de339c432d57e5ec170f091b5995fa8bc4eb4121344642d25d22408b0aa

SHA512
961f899691646528b86bdea736ed59e7ea78137c2346b709aa0e98ed6ffad1466678efbccfc210be448634f979f5e97bde90cada0cf43f98f27c2afbd19562f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
e13c5ed4065e628b2309a604481914bd

SHA1
6ab13901f97842606613369c1a6e55a6245394ac

SHA256
567f095151965a3162ec8c44fff1f5ade1df2bfd6ec8ee5ce4bd4597f7025c24

SHA512
30e1f4a33dd7781fc37c1e06c7da56e12820509b8c5d70848387ce2b97f91b435544732df136027228831999048d147f19088d1c9f03f37225aff4c2db7a7b98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
ae975dda8198ca770f7a93b58b9522b2

SHA1
6a4399fa11893c27c26c2cad1e9035f0f587def3

SHA256
2aa786fff8de7e3c20526e1458d605fa5c10e3ee8687491bb3bdf0710d69b9cb

SHA512
c2b5174ca3a6e607260571721ce4d8001afe02250ba7b9a08f8ce03923991d185d23d1f21dfe66cd1387ba13c03288c72654e911d5f88b60c9c635af260b4692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a8ed05f40bd20e4b0707ba30640e0789

SHA1
b292540d22e73dcd7c658b21f3980ce23bf66ba0

SHA256
09a39ce1ea39efc23eeb3eca5befff7d11d2e9e2f3dcca6eba847409197a6aee

SHA512
2d4fd396204b1f1cf5e17d5f1994bfdd4dd75cbc16dead369bb40d45418dec7dbc07ee89098a950a1fc917568fc2c432a90ce98e8b08097c101e9743d6589aa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b35c4579965c159a7ea6c2325e021313

SHA1
f09e5da2a753aa135ecb81228c988dc717045c2b

SHA256
3206ae8bfde56d71ff39f7597adb1efeaea6f02ceb7ead225c7c90baedced049

SHA512
ca9be8531b5e92c7213fbbaaf9946820fd3ff42bfa1f3eb885a5226446c8f1284805dab78103061348d3a96a2453cab8a8915b55de3b2f6dcd6901f6332b8b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\9Z7ZIKAT.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\W3ZEK3KP.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\Desktop\BackupLock.au.1DE-92F-1C8
MD5
4baa0147d8c4377e7ef8d43ecc07ee22

SHA1
855688bae371df44b94124de6bee05a450304d6c

SHA256
e2eabf5e43b2b707713583974a3b21bc3cc87d21b553c694ab3fe7193078a5ca

SHA512
367b6314b8e73de750420791cdb13df8fce9ce6f1f5ac694d970cdadde941383ca665e40471953efd5bbeda237169bbf451ba2c9e7f1d73de6240c9b6a68d18d

Download Submit
C:\Users\Admin\Desktop\BlockNew.pps.1DE-92F-1C8
MD5
3f1dab60c9850a024df3432784549d1b

SHA1
49005f00251da25bd9a670bb6dbfc8d832c32918

SHA256
eeb27ea44fd77fd954ba855f472ee4c944726b1c0abf94bef9a76f93ad1957b3

SHA512
8dd8ab26604a90083003de3034b2811ed724531b5e79316c315732c000c0ff34c56800011a8d7edf291189164a5ca900975005d0ac1dc4cb1372db676fcdb085

Download Submit
C:\Users\Admin\Desktop\CompareSkip.ps1.1DE-92F-1C8
MD5
c8a183b128a5b85c04fef81f38acb9c5

SHA1
2e0b801aab035171275b85819cc95be832d24def

SHA256
f2b54d178b9bfdc57ea50f8c1a035fc382d246b230b5f65ebfa4e5327d3a2253

SHA512
dbf15ac82aaf1346c10d585aa81797c8cb2712afa7fed3e3a951fbe3c0b5ce9553090eed7d8d7429a7568afd50f53d326bf48633a46793ee3bd9d8eb4a973267

Download Submit
C:\Users\Admin\Desktop\CompleteAssert.rar.1DE-92F-1C8
MD5
95f192265123daf66b417a7542085960

SHA1
522136ef564acc3f828cdf7265a5e06e584412be

SHA256
86d72625294c322375c7b89e6dfc16bd055856c3c3c374ce6dff87524e996a94

SHA512
3a198923b617f6eb1e5d78faf91454fbe424a11e64ff803b45f1fc92796412fe953857d3266b95ef4c498361dd28a73c8a742df804e4fc0fe38bc88e27b36693

Download Submit
C:\Users\Admin\Desktop\ConfirmPush.ppt.1DE-92F-1C8
MD5
56473fba8a4fd520c377d24221e1a001

SHA1
491fba2e2bde8a006862340990fafac1ed9eaf08

SHA256
4b80a38382f494a3436664277b533c6cd1490840bf7f45c2250885273e0e95d7

SHA512
97dd84b8a95ff25dc203b932e993eaaf822ab551b75fb3229733fbd601248aee371f50d98af984ba6278f7e3b5897b506b9dc098516c9b098891774f1fccf3b6

Download Submit
C:\Users\Admin\Desktop\EnterLock.MOD.1DE-92F-1C8
MD5
154f5d69ae6688432e08eebeaca8556b

SHA1
5514613d6b90602f5935ef78cda71edb975b2b25

SHA256
4074a1a3260a301612b59fc3e062ab836b2fe77b7d8626b237d6adfd0ddc08db

SHA512
0b6735516cb3757a05bb97bf12287fe89776538dadfe9c86ebf7ebb03649a0bd8a85136e78153bb727fa68ae6f50a115b5850197ac0f02c68e3898ed87831c2b

Download Submit
C:\Users\Admin\Desktop\FormatSkip.css.1DE-92F-1C8
MD5
312b7844fbf244afbde6284d34b00b44

SHA1
ae49d17dff3c6500a5d110222ee69e55068493e8

SHA256
138c971a3761bde8fd4f078f710278e99aaf794f6f566e3f4a140f331a59dcc3

SHA512
add8bd4c573308bd3c4de783b05d447bc2e7c07424bdfee0f4310334f49fa3bc5d8820be545e45c92e15c5884a64ffa5138a9c63c2d9a5066dad261e21be8021

Download Submit
C:\Users\Admin\Desktop\HidePing.aif.1DE-92F-1C8
MD5
3dfcea99e2857daa5c699305d68fa472

SHA1
1c291aa8f6bfda7e91bdfb183193879ffeec9a97

SHA256
c34caa33906c81958e16d650b939b5fa52e3d91d010d5a9a296b5af814e7b5e9

SHA512
96bc6a455a52f405897a6fb8f3d79575acb9968b024ad9bf05ff0b3dcf2d630b4f87e698e09ba1df0f78b8223262eced91564532b5d6d5c32c1067a8beabc8cd

Download Submit
C:\Users\Admin\Desktop\HideRequest.css.1DE-92F-1C8
MD5
80a2eabd02c3a4783f59204f4d9b5407

SHA1
fd7b73a605eb6d1ab48e948a3815cdcef2363c20

SHA256
4d35211092b67e295793e33e179386ce9ec2dbf4096600ac9ac90398ab589c09

SHA512
834c38b2a765c3d288edcdb869a612d51f0b93c2dbdc8f54dd58fe0c6b043537f3ca86774bbb52992a54794450b53205d04729cc822f7d015f4c4fcee556e44c

Download Submit
C:\Users\Admin\Desktop\ImportCompare.ini.1DE-92F-1C8
MD5
f2ed0a03853dcd926c51b4406c23c2e2

SHA1
f5712729065e62433f48606236e07c247d18157c

SHA256
e07056dca6cf1a1015bd68fe81e66acbdf89a64c5d8280de3451cc894e307340

SHA512
90446fa80079581657c10d05eae7fc2962e74978dfd7fcb425b41e131dfd2f6553e6b1c8414bc25d6e2da4c1885c5811e039b94c8c4b72761ea5adf3aecab9e4

Download Submit
C:\Users\Admin\Desktop\InstallConnect.ogg.1DE-92F-1C8
MD5
af4c095c940b1c29cba02a21b6244ed5

SHA1
336709e08b4c4aaf9825816fa49beae0d93e263f

SHA256
e32c2ec539dbe66d7b1c647a9cdf97fd1bdac671e561cc39c79e5c382781ad97

SHA512
67853a52d306b8a74af6b6dfc53b95495a56145f9e4b2bb76fa1fb572382399f65d248c7a27c495ed5dccd24202c64bf46d9f2b4f83b9c03476aaf6552d9d3f9

Download Submit
C:\Users\Admin\Desktop\JoinRemove.wmv.1DE-92F-1C8
MD5
8808b06e1dd5f315315c22346d343f6f

SHA1
0d10eac36220a8c6bed3d28511d57272dad63aae

SHA256
3c9f77ac4460ed23785f80e2eebfda8d9c9ee6bee81765f1a4ce9a968f09db20

SHA512
13ea97d5e1cce097cb551662a1e8b349119af026a75e6b2a75a0928506dda6a092e8bf22e7197be4e2aea3a1bb618aef3f8a966284aa3920d262a042fe0695b4

Download Submit
C:\Users\Admin\Desktop\MoveSplit.odt.1DE-92F-1C8
MD5
398b53c546f81d9d8e15b74cf16f8aa3

SHA1
75855e1aa7ed9b1f24cb5e8a16e560335d166ec5

SHA256
038fb2f08cc2571b02f58840d5dab08802db78ccf34632af9cbe78d24bc1b31e

SHA512
7b92536bdbd4b6a8e7e1c0fac9a5def097ae13477d9665cbdfc269e8dc00d8ca3bf8193f1d26960f761a4a21ca69d80cd513328375faf77cf87de7848e249bee

Download Submit
C:\Users\Admin\Desktop\ProtectMeasure.png.1DE-92F-1C8
MD5
2c6b3d7b91c5a02d57fb26fe10318402

SHA1
486f8b0b70f53c9aaac4f759b7117d8710107f8c

SHA256
3a65608b32777cc3964d6c264e4cd283da9fd30b0b1b5e821f14245675515434

SHA512
d0e9a62cf63cb852f69e50aabdb56cd6c684746fad774b35ea936825126ee2d1340f567c458d22c355b6187d788f6e760b5005501c92aabed50084b9076632f6

Download Submit
C:\Users\Admin\Desktop\RemoveRegister.xht.1DE-92F-1C8
MD5
c682446407a98f143e51e931cfe5b95b

SHA1
1c34a7a401f7de343c9b0681067b0761e896f7fa

SHA256
d3ddf4ea70bd48ec2db2d2d02fa7938163dce0ac4bd86ff66cbd98fc05158272

SHA512
3e65ea09ac27efbb0bcc123dd4aa5b2cfe85054991502fb428c5e265c9370bbc46411aa3747230e808bf5b5a77e47799244a09cd079bd18efe8dba674e24f3be

Download Submit
C:\Users\Admin\Desktop\RestartComplete.pps.1DE-92F-1C8
MD5
6f3675ba05225ecb1422707707c92b65

SHA1
88daa633ba26e113ded8e03f1b826f8af6c36b70

SHA256
18af77dbc2ea4c83a965da85cf0a62759bf62f3416bcde0dda0f851588e185c5

SHA512
c79f56a5dab96a59d6ac4c63f2f85914f331799038d029367985d56902d58f9aeed270c58b73e9389f21222e168cfe9586d763e0d34d10c449d853f3026078a2

Download Submit
C:\Users\Admin\Desktop\ResumeHide.reg.1DE-92F-1C8
MD5
39b4acaa02400aca3951a0370ea64ea2

SHA1
818a73a7d8f1d90687c1ecc6b3627f71ee2a1b57

SHA256
3df19c8db7f94ff15cfde7df25122f808a5d9edc7ba41aea7c4fa605ab54643c

SHA512
984adef2fe5cbbceb72ca71e80237c4dcbfbbde68220b72e940bcffcaf096016abc5b36c15f9160bd730ee2cf075dbf95dc9066fb356c2add5d3f2713765966b

Download Submit
C:\Users\Admin\Desktop\SaveUndo.tiff.1DE-92F-1C8
MD5
41df9a1e2dc0fd11ee4585683851ab75

SHA1
53bb3703ed568679a14f1a750329dcb68c59eebb

SHA256
041247edf54807dfe25994b0c8fcc9a5fc80e7c85ed6bac73798229fc2ad97fe

SHA512
5df966014030e563b4f9779c9634849ae8a30e0ef7c21a46b280e24cf101eee759906fb999b28844877d9fdd6605dc87b1f44452237e4b1fc49fa6c3a3af1d6f

Download Submit
C:\Users\Admin\Desktop\StepDisable.iso.1DE-92F-1C8
MD5
ae5e7bfafce7b95a7c286698480470eb

SHA1
91be4e31fad5732d116c1a539591fba38f2f2f0c

SHA256
ccd5e78c6dfddb8b1a5e3c03bb7772df57dd6bc5a4e0e2daa21d7f557215e9b2

SHA512
2f181dff31ca13895e7c992924b8efd94a4a2aff252fab01548977609338aab709f3d24053baa556588dd46bfcf9279a70468126bd2b8c9c987242323483fa72

Download Submit
C:\Users\Admin\Desktop\StopDismount.xla.1DE-92F-1C8
MD5
c3b1d08ee1f36b51477ddc4a505b9e10

SHA1
d34ee9668d02a4359854410d2d6c59a162be8b54

SHA256
e19638f42ae110c3c7db0256a9315e261a98c5f846708958356cfaa207d88211

SHA512
5bbfe49d52f5356ce99a820b20b6753694a3f5b4c50934ab773cd86b8f52de7614c90f73285a85f189be893cc4be25541a87c4bdd37c3b7ffb6158e2af9d1c85

Download Submit
C:\Users\Admin\Desktop\SwitchTest.wdp.1DE-92F-1C8
MD5
2ca289e6774ea0c01385fba288529643

SHA1
6b90dee8e88770bdaf324b2276d381d4c699a55a

SHA256
d975d814b85f9b9403985810c0d79106172db32349c23db7ee2291e78713a62d

SHA512
d549058eb03981731f2d7910ff1b7be888af37d97d9589479519998c7ffba89603e585cc8d9539b9e8b7545535b562b6b876f8801666f23659c168408ee2e641

Download Submit
C:\Users\Admin\Desktop\SwitchUninstall.ps1.1DE-92F-1C8
MD5
4eb5ea5b7c68b213a6effb379582166d

SHA1
117b4131dc661ad0eaf08bda742212856fac8983

SHA256
e7d6ed19700aaaec8449228f3dde6f6cea48f9e8bea06d80c3d634a6545089c3

SHA512
1c298cb7561cd97c76653afd5fee125d9bc2c5d672156f5f51ea4d3a1e352be4188f3e8e7569e3c700d32fc38d5b0d5ab12c27fe8f2d7b670db2c2d776d4b64f

Download Submit
C:\Users\Admin\Desktop\SyncCopy.avi.1DE-92F-1C8
MD5
ef8ca8e77269c5f9d49b7a3f013dc4bf

SHA1
39fe5947689a62270bf9c22f73589763d0845aa5

SHA256
abe77e7fd526e4bfd843116fd2af64523a10f5a5def182d29cb76be4c9ff21a8

SHA512
16758bdad21af87211701daabd1dfb7318367a8cb5c83dce66a4e846d79414d4217fbb822b468ffe79d6fe3ca9c6d8007e7b2e98b9ac2ec9351f04e9bb5c2a65

Download Submit
C:\Users\Admin\Desktop\UninstallHide.wax.1DE-92F-1C8
MD5
615191415addfb58260d1764b1d293b8

SHA1
49b545ada2c27a55ec06114ac3b60988262b5d65

SHA256
db4ba9763f828221f7c25b0d477f8a1138e9701205ccf0d83ff661ac7a75a689

SHA512
4a03d92a79324c73fd912cc8c7022dc2af830af68bf93828a11a3c8a05899165e7f564a64ee796956c8de47dff2d88b68fb3b7570afe13128a31b1633589991b

Download Submit
C:\Users\Admin\Desktop\UnprotectCheckpoint.au.1DE-92F-1C8
MD5
5b61f59aa7d9bed11be28172df06f960

SHA1
b3c377af12dac82cded4e79499ef05f6a6eb471a

SHA256
698bbfa72419f3828ebef89c287a434d1027522eb30a046836cc67bf333da65f

SHA512
173cf0b2f39764cf42ae31557f2398c05ce3b0dc36aab912bded38f580f45fcd3fc805f373c77ff92f07ef8c85cfcae493e109a01c6e60cbf524885c16afbc6d

Download Submit
C:\Users\Admin\Desktop\WaitReset.mp4.1DE-92F-1C8
MD5
759154f44b2a4af5a6a64a418f84b10f

SHA1
9d01f627d534bcefc96a377bc36b65d81028cbf4

SHA256
6fd0345a8da4ca69255da1ebdbd4d6da5890a4d26dbf0c3013554d2cfa1171af

SHA512
20701d13c419e8a6c2cef0918765595e2ed8f711132dcda4ea0f7054514a07034b57b0b804ecdc1fdccf3cee276c27f6d32a8afa64a2f12452fdd007b2cb4fe2

Download Submit
C:\Users\Admin\Desktop\WatchReceive.mpeg.1DE-92F-1C8
MD5
d7e23f21f5533c74e273414775f81d15

SHA1
57a99d18f33df8187e95d450a1c5d04e26d76d8e

SHA256
7f9cdecc972978572b9f4345f05596d423d3c43c972e6d6e23d99bc5d8fcc32f

SHA512
57099de13a4080d529b30af4d2fbf469275f3eae2ea464536c6eccce56c1a6e7ef88214d8ec5399bff26634ea26c6909efa1a3c5bf3b24eaf0ababaa8a2b937a

Download Submit
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\58nfs.ini
MD5
42f9b29cb18cec22cf1f68375685ddc2

SHA1
54de5fd042aa740be90f85d7887d41ebc0e00b4b

SHA256
7aac762ca37c72400df369c6a25d81e758071e570f8dd68f136290923165d007

SHA512
f4065bc2b1b5ef8577c22ee6fe3ee4e5ee9af413d7a693940e317d2ab23de4ac64079761469369b282665c5d19fd3beb9a9ecd0af64a40531df946c65f36ab5c

Download Submit
C:\ssd\onset\81ldp.bat
MD5
a5464805722aa29200eb97cb26605135

SHA1
80b2c57e6475325a89eaaba24db02685830018ea

SHA256
03130577ed6032ec6fce61f3f4a52fbfd2e7eb69ca1901823682b392f89c0e8a

SHA512
d99760c1a82e2bd46d4d400c60c2c7a1fdfa057b84c6de2e992e19c662f62aed357e67c6f326e989124ccf7b67b57e1157b124e9bee4765e4f6730fb57660aae

Download Submit
C:\ssd\onset\Ztestram.vbs
MD5
b835e273fb843348db5f05d2ed0958e8

SHA1
8a5feab98df1ef7a898863e941e8bb07d007b9c1

SHA256
066327629f90b617ff1980f80a69ff3f5d76b4b005bfe9ee1a52319bc5517c94

SHA512
5438cd64586b1bfb6b555b9183e50cfae143306b163d7b4810383198cb8afcee3b5631a4f7cfb65561c2bb9babfaf70e8403937ae8d80cae93e9cd57e5c8331e

Download Submit
C:\ssd\onset\goodram.vbs
MD5
1ed7cb327b190a41ed8aee89c9be87d1

SHA1
6bd8634e530a6911501f1ab1c23fa4282d3a9e4f

SHA256
c31b950a44c81e1aaa37c495da1cf671ef730a5d1efbf5e68a875bf998c94663

SHA512
a9b85159614d71f91f05d9f1a4f65085105591ef7ca6d4094e171121e4259ebeca65fe490c28846b8d5791ef15cd7c01d56c7114aab517bab64c2f262c3dfb7c

Download Submit
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\sata1.bat
MD5
03560667f8a4144f8d45f917fd522a95

SHA1
df8ec645f2cbecb9388c87a63674b508a791433e

SHA256
41e9529c2acd43b7a206ec80655016bb65ba6721acfd930d351399730e809ad1

SHA512
215824afaaf96acef5977a7e6f48b2133cd969b1d809db333bf1b700176dfaa745141aade50fb4bec1151087a3deb2d64ae542b2405a17ec53d17fbc69052ad4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
memory/304-56-0x0000000000000000-mapping.dmp

Download
memory/304-14-0x0000000000000000-mapping.dmp

Download
memory/432-10-0x0000000000000000-mapping.dmp

Download
memory/524-17-0x0000000000000000-mapping.dmp

Download
memory/552-31-0x0000000000000000-mapping.dmp

Download
memory/552-30-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/564-18-0x0000000000000000-mapping.dmp

Download
memory/572-12-0x0000000000000000-mapping.dmp

Download
memory/632-28-0x0000000000000000-mapping.dmp

Download
memory/656-45-0x0000000000000000-mapping.dmp

Download
memory/764-47-0x0000000000000000-mapping.dmp

Download
memory/792-5-0x0000000000000000-mapping.dmp

Download
memory/820-15-0x0000000000000000-mapping.dmp

Download
memory/888-2-0x0000000000000000-mapping.dmp

Download
memory/888-6-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download
memory/1116-41-0x0000000000000000-mapping.dmp

Download
memory/1116-19-0x0000000000000000-mapping.dmp

Download
memory/1228-50-0x0000000000000000-mapping.dmp

Download
memory/1304-57-0x0000000000000000-mapping.dmp

Download
memory/1324-58-0x0000000000000000-mapping.dmp

Download
memory/1424-42-0x0000000000000000-mapping.dmp

Download
memory/1616-25-0x000007FEF6460000-0x000007FEF66DA000-memory.dmp

Filesize
2.5MB

Download
memory/1656-44-0x0000000000000000-mapping.dmp

Download
memory/1680-0-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/1696-51-0x0000000000000000-mapping.dmp

Download
memory/1700-87-0x0000000000000000-mapping.dmp

Download
memory/1712-53-0x0000000000000000-mapping.dmp

Download
memory/1724-43-0x0000000000000000-mapping.dmp

Download
memory/1824-49-0x0000000000000000-mapping.dmp

Download
memory/1848-48-0x0000000000000000-mapping.dmp

Download
memory/1956-23-0x0000000000000000-mapping.dmp

Download
memory/2032-46-0x0000000000000000-mapping.dmp

Download