buran | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

Analysis

max time kernel
124s
max time network
137s
platform
windows10_x64
resource
win10v20201028
submitted
04-11-2020 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hci0xn0zip.exe
Size

3.3MB
MD5

d18bf81dbc8acce488abd633d8058cf5
SHA1

1d6dcade355b4867e9435961655a9b9caa373528
SHA256

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512

10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Score

10^/10

buran evasion persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kassmaster@danwin1210.me and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kassmaster@danwin1210.me Reserved email: kassmaster@tutanota.com Your personal ID: 478-E76-A52 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

kassmaster@danwin1210.me

kassmaster@tutanota.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

15sp.exemesager43.exelsass.exelsass.exe

pid process

3428 15sp.exe
1988 mesager43.exe
2260 lsass.exe
348 lsass.exe

pid	process
3428	15sp.exe
1988	mesager43.exe
2260	lsass.exe
348	lsass.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CompressInstall.tiff	lsass.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockFormat.tiff	lsass.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ssd\onset\mesager43.exe	upx
C:\ssd\onset\mesager43.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mesager43.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 geoiptool.com

flow	ioc
15	geoiptool.com

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 24139 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_CatEye.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxSignature.p7x	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.478-E76-A52	lsass.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache-Dark.scale-140.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close2x.png.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cg_16x11.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-fullcolor.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1938_48x48x32.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-32_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\PlayStore_icon.svg	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\ui-strings.js.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PeopleAppList.scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\StoreManifest.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\RunningLate.scale-64.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\ui-strings.js.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496939244.profile.gz.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js.478-E76-A52	lsass.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-200.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_ie8.gif.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\shadow.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\TXP_HotelReservation_Dark.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_hover_18.svg.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\fable.mobile.jpg	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\icudt26l.dat	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.478-E76-A52	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.478-E76-A52	lsass.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

2648 timeout.exe
952 timeout.exe
2516 timeout.exe
3112 timeout.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1784 vssadmin.exe
2212 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2400 taskkill.exe
3948 taskkill.exe

pid	process
2648	timeout.exe
952	timeout.exe
2516	timeout.exe
3112	timeout.exe

pid	process
1784	vssadmin.exe
2212	vssadmin.exe

pid	process
2400	taskkill.exe
3948	taskkill.exe

Modifies registry class 2 IoCs

Processes:

hci0xn0zip.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	hci0xn0zip.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mesager43.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe

Suspicious use of AdjustPrivilegeToken 93 IoCs

Processes:

mesager43.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1988	mesager43.exe
Token: SeDebugPrivilege	1988	mesager43.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3256	WMIC.exe
Token: SeSecurityPrivilege	3256	WMIC.exe
Token: SeTakeOwnershipPrivilege	3256	WMIC.exe
Token: SeLoadDriverPrivilege	3256	WMIC.exe
Token: SeSystemProfilePrivilege	3256	WMIC.exe
Token: SeSystemtimePrivilege	3256	WMIC.exe
Token: SeProfSingleProcessPrivilege	3256	WMIC.exe
Token: SeIncBasePriorityPrivilege	3256	WMIC.exe
Token: SeCreatePagefilePrivilege	3256	WMIC.exe
Token: SeBackupPrivilege	3256	WMIC.exe
Token: SeRestorePrivilege	3256	WMIC.exe
Token: SeShutdownPrivilege	3256	WMIC.exe
Token: SeDebugPrivilege	3256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3256	WMIC.exe
Token: SeRemoteShutdownPrivilege	3256	WMIC.exe
Token: SeUndockPrivilege	3256	WMIC.exe
Token: SeManageVolumePrivilege	3256	WMIC.exe
Token: 33	3256	WMIC.exe
Token: 34	3256	WMIC.exe
Token: 35	3256	WMIC.exe
Token: 36	3256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	776	WMIC.exe
Token: SeSecurityPrivilege	776	WMIC.exe
Token: SeTakeOwnershipPrivilege	776	WMIC.exe
Token: SeLoadDriverPrivilege	776	WMIC.exe
Token: SeSystemProfilePrivilege	776	WMIC.exe
Token: SeSystemtimePrivilege	776	WMIC.exe
Token: SeProfSingleProcessPrivilege	776	WMIC.exe
Token: SeIncBasePriorityPrivilege	776	WMIC.exe
Token: SeCreatePagefilePrivilege	776	WMIC.exe
Token: SeBackupPrivilege	776	WMIC.exe
Token: SeRestorePrivilege	776	WMIC.exe
Token: SeShutdownPrivilege	776	WMIC.exe
Token: SeDebugPrivilege	776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	776	WMIC.exe
Token: SeRemoteShutdownPrivilege	776	WMIC.exe
Token: SeUndockPrivilege	776	WMIC.exe
Token: SeManageVolumePrivilege	776	WMIC.exe
Token: 33	776	WMIC.exe
Token: 34	776	WMIC.exe
Token: 35	776	WMIC.exe
Token: 36	776	WMIC.exe
Token: SeBackupPrivilege	3852	vssvc.exe
Token: SeRestorePrivilege	3852	vssvc.exe
Token: SeAuditPrivilege	3852	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3256	WMIC.exe
Token: SeSecurityPrivilege	3256	WMIC.exe
Token: SeTakeOwnershipPrivilege	3256	WMIC.exe
Token: SeLoadDriverPrivilege	3256	WMIC.exe
Token: SeSystemProfilePrivilege	3256	WMIC.exe
Token: SeSystemtimePrivilege	3256	WMIC.exe
Token: SeProfSingleProcessPrivilege	3256	WMIC.exe
Token: SeIncBasePriorityPrivilege	3256	WMIC.exe
Token: SeCreatePagefilePrivilege	3256	WMIC.exe
Token: SeBackupPrivilege	3256	WMIC.exe
Token: SeRestorePrivilege	3256	WMIC.exe
Token: SeShutdownPrivilege	3256	WMIC.exe
Token: SeDebugPrivilege	3256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3256	WMIC.exe
Token: SeRemoteShutdownPrivilege	3256	WMIC.exe

Suspicious use of WriteProcessMemory 90 IoCs

Processes:

hci0xn0zip.exeWScript.execmd.exeWScript.execmd.exemesager43.exelsass.exe

description	pid	process	target process
PID 3304 wrote to memory of 3420	3304	hci0xn0zip.exe	WScript.exe
PID 3304 wrote to memory of 3420	3304	hci0xn0zip.exe	WScript.exe
PID 3304 wrote to memory of 3420	3304	hci0xn0zip.exe	WScript.exe
PID 3420 wrote to memory of 736	3420	WScript.exe	cmd.exe
PID 3420 wrote to memory of 736	3420	WScript.exe	cmd.exe
PID 3420 wrote to memory of 736	3420	WScript.exe	cmd.exe
PID 736 wrote to memory of 3428	736	cmd.exe	15sp.exe
PID 736 wrote to memory of 3428	736	cmd.exe	15sp.exe
PID 736 wrote to memory of 3428	736	cmd.exe	15sp.exe
PID 736 wrote to memory of 3112	736	cmd.exe	timeout.exe
PID 736 wrote to memory of 3112	736	cmd.exe	timeout.exe
PID 736 wrote to memory of 3112	736	cmd.exe	timeout.exe
PID 736 wrote to memory of 2552	736	cmd.exe	WScript.exe
PID 736 wrote to memory of 2552	736	cmd.exe	WScript.exe
PID 736 wrote to memory of 2552	736	cmd.exe	WScript.exe
PID 736 wrote to memory of 2648	736	cmd.exe	timeout.exe
PID 736 wrote to memory of 2648	736	cmd.exe	timeout.exe
PID 736 wrote to memory of 2648	736	cmd.exe	timeout.exe
PID 2552 wrote to memory of 980	2552	WScript.exe	cmd.exe
PID 2552 wrote to memory of 980	2552	WScript.exe	cmd.exe
PID 2552 wrote to memory of 980	2552	WScript.exe	cmd.exe
PID 980 wrote to memory of 1512	980	cmd.exe	attrib.exe
PID 980 wrote to memory of 1512	980	cmd.exe	attrib.exe
PID 980 wrote to memory of 1512	980	cmd.exe	attrib.exe
PID 980 wrote to memory of 952	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 952	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 952	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1988	980	cmd.exe	mesager43.exe
PID 980 wrote to memory of 1988	980	cmd.exe	mesager43.exe
PID 980 wrote to memory of 1988	980	cmd.exe	mesager43.exe
PID 1988 wrote to memory of 2260	1988	mesager43.exe	lsass.exe
PID 1988 wrote to memory of 2260	1988	mesager43.exe	lsass.exe
PID 1988 wrote to memory of 2260	1988	mesager43.exe	lsass.exe
PID 1988 wrote to memory of 748	1988	mesager43.exe	notepad.exe
PID 1988 wrote to memory of 748	1988	mesager43.exe	notepad.exe
PID 1988 wrote to memory of 748	1988	mesager43.exe	notepad.exe
PID 1988 wrote to memory of 748	1988	mesager43.exe	notepad.exe
PID 1988 wrote to memory of 748	1988	mesager43.exe	notepad.exe
PID 1988 wrote to memory of 748	1988	mesager43.exe	notepad.exe
PID 980 wrote to memory of 2400	980	cmd.exe	taskkill.exe
PID 980 wrote to memory of 2400	980	cmd.exe	taskkill.exe
PID 980 wrote to memory of 2400	980	cmd.exe	taskkill.exe
PID 980 wrote to memory of 3948	980	cmd.exe	taskkill.exe
PID 980 wrote to memory of 3948	980	cmd.exe	taskkill.exe
PID 980 wrote to memory of 3948	980	cmd.exe	taskkill.exe
PID 980 wrote to memory of 2952	980	cmd.exe	attrib.exe
PID 980 wrote to memory of 2952	980	cmd.exe	attrib.exe
PID 980 wrote to memory of 2952	980	cmd.exe	attrib.exe
PID 980 wrote to memory of 2516	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 2516	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 2516	980	cmd.exe	timeout.exe
PID 2260 wrote to memory of 1300	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 1300	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 1300	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 3624	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 3624	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 3624	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 3652	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 3652	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 3652	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 2428	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 2428	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 2428	2260	lsass.exe	cmd.exe
PID 2260 wrote to memory of 620	2260	lsass.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1512 attrib.exe
2952 attrib.exe

pid	process
1512	attrib.exe
2952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\hci0xn0zip.exe
"C:\Users\Admin\AppData\Local\Temp\hci0xn0zip.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\81ldp.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:736

C:\ssd\onset\15sp.exe
"15sp.exe" e -psion0811 01s.rar
4⤵
- Executes dropped EXE
PID:3428

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:3112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\sata1.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ssd\"
6⤵
- Views/modifies file attributes
PID:1512

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:952

C:\ssd\onset\mesager43.exe
mesager43.exe /start
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
8⤵
PID:1300

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
8⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
8⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
8⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
8⤵
PID:620

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:1784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
8⤵
PID:2704

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:2212

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
8⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:348

C:\Windows\SysWOW64\notepad.exe
notepad.exe
8⤵
PID:1880

C:\Windows\SysWOW64\notepad.exe
notepad.exe
7⤵
PID:748

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\ssd\onset\mesager43.exe"
6⤵
- Views/modifies file attributes
PID:2952

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:2516

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
9d538c0560b32800760c81848d63c768

SHA1
0347de3203f816ec681476bad1ba61a9d617933d

SHA256
ff250295947988215771c7277792f7678cbb6c8d0db006a034622ae50090cc07

SHA512
14e728259be57440bf8b497884cb376c2f1b7bde2b9c8ffc3c9f3804dbe59f12899a57e434b2f8b3ca03a215eda40c434eec21064b93bdbbc75c4951ec7b3c45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
61faf9608aef25c78ecec385617c1fe5

SHA1
475cb92095f1ee2c19a6eaa4615697b1b9f0c21e

SHA256
efa2e7c480e2cdeb6834fd1afca56ceb66f814e2b8da59ba6df4569d2b397ef4

SHA512
1b9226545cc39585a4a18b52227cdd7e6b8ff889dd40e9e186cce8d52c10abe1686fd8c799f52656f8b33ba47fa809d0f8369b1ef28207ebcc0d23e26a1d13dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f3b3ba3b8527743bfe3ae7feb9de6a4d

SHA1
65a5fc2851514d5867a6726768f03d956142185e

SHA256
49a00de339c432d57e5ec170f091b5995fa8bc4eb4121344642d25d22408b0aa

SHA512
961f899691646528b86bdea736ed59e7ea78137c2346b709aa0e98ed6ffad1466678efbccfc210be448634f979f5e97bde90cada0cf43f98f27c2afbd19562f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
c7279fdae28ce7a9c7f0274bea302ce9

SHA1
9f90fa1c22818e978a1a4e6d7aa95ceb5022328b

SHA256
2ea6044df72bcc8a987523b88eda285ce7eaeb81dfaa268fab9cf767d0d478d0

SHA512
c83a7bfff5a89c9b5bf87cb9f5690f1a23c6aacc435685282de10b7508a0dfa1ce43fa111b8b17bd17bda3a00201ab36874c3a69ea24f360400157bd6bc66b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
879de9988924a584c35eee8baaeabde4

SHA1
778a90a1c33f6b2436454f6c67715fca90aa1853

SHA256
1e87dfb7a03a693231e25d6a7375b8a437846a001e396e43f14a2542a7df949d

SHA512
782a1bfae5771d2e80e956cb5b28a53cd42c27aeceacde2e84a4a055ca149f70af62df9538010e330a82cc8e426c58a3cca5edca54dd108ccd695c72a809031d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
39c6a004a633e46615065dd06ea9418d

SHA1
c51b2012f1b756409f4062f531881bddde4aa48c

SHA256
effe5cae8c728b07f653b62a9106748f00d9e44620320a339097a15e101380b9

SHA512
9f4cb5804009672124793f4df99bea2858a256dee2e0e0371d02c4276b7da31e242fca22555ade357a83b17e97f97d38a5e4440ff2722ae6311d3ea3f0410304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\IY4QX4U3.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\16W0LC6B.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\Desktop\AddUnpublish.dxf.478-E76-A52
MD5
e2578c66bca548aa83bc580c21e33e6a

SHA1
e84adae5126543ecf1478c73977646bb9d265666

SHA256
efded0a92b9305d2b36395efdc2b11f73c1fc7b35bf8b290eb7d88ad9ddd9be0

SHA512
9dbd98a3dc1a50ae4ea99c00cf5c462629b951bea020a54471ba22f4d6c05de459cca30bac829a3b2dffeed43fccb699d489c00585322575b3e00921d71a0b5e

Download Submit
C:\Users\Admin\Desktop\CheckpointRepair.aifc.478-E76-A52
MD5
afd6200c7ae230cf54ff169342ed6b1e

SHA1
4448f988deed74fb91aa66c0693e61d291ab3790

SHA256
dad93bc062a3a0771595762d98341d16ba182599a259813022cb494d05913fcc

SHA512
a551c62ef39354938a6853a8f280ce35427840712326ef10de845962fb7e9ac4eb13ece1c2e622299113903a8166351189165123ff6b6d90a3d40c5bcb28c192

Download Submit
C:\Users\Admin\Desktop\CheckpointSearch.potx.478-E76-A52
MD5
f3fce5ce71370a67947f85242f016344

SHA1
6c158b27b059853db5ead2cc42d64d09c8ee4b1d

SHA256
7bfb638d28b32c04cbd5748d1e13630185339ca151a8ef1540d97bf9bb75cada

SHA512
504633a980ff2a44b382e1e206e74a91dd69dc9008a8bd74cad6ee86ca7fdbb05e6720797467cbad27a045067eb982b04cea047a5eb4effc182bb95b516be504

Download Submit
C:\Users\Admin\Desktop\CompleteSend.mov.478-E76-A52
MD5
b70d23dbc149c96c3efdf1e75665f316

SHA1
5257be4a8bc6ca71280eb074ef7201ea4693db37

SHA256
d49ac84160040e422f61d21d665063459bf4365a3395eff948f30abca0407b7f

SHA512
c0cb97284ecc411b001523d8258a3b35e7c74134eeb78531782230c0e42027b0a6df2e118200191902397b760d9eacdb3d590f146797418f939e8244cab32b79

Download Submit
C:\Users\Admin\Desktop\ConvertFromProtect.tiff.478-E76-A52
MD5
625eef858db5d643d341f5d91c05cd9b

SHA1
57e9f2afdc470f27594e8d5e50ff7ac041713059

SHA256
8ff258ac475916ab7ca1f9819aaed0e309e2ba64e496e243ceff8b0e73466a9a

SHA512
d5c0a7803e0a7a54638f05cf34fb1adea02a95425d2065675a1333fc53f25c6a805c1173bdfc852f4cf87bbf8908479bc3bb5c1c45dd63ba215b6fd0d72b79b5

Download Submit
C:\Users\Admin\Desktop\ConvertToRegister.edrwx.478-E76-A52
MD5
00053c2dc4cd2b5ef48cdf015df65b46

SHA1
b49b2b4c0b61d71ef9052bd599d4e722a6dd2506

SHA256
57aec5e42e6b471aac966d867246d02eaf5af67da2c3d3f2e9e56c096ce22e6b

SHA512
4848b409159cb2a110aabaf26efcbcacd4a0aad47707d71b065b51b8e6bb356537afb581445de504f39771360d513611943663d768fbb96ce875e66e9ebc4000

Download Submit
C:\Users\Admin\Desktop\DebugMeasure.jpeg.478-E76-A52
MD5
fb35df8cc65cde9482abfbf9bc9393e7

SHA1
adedd8f6b734b9635de71eab34914cb5b4a09b92

SHA256
82afbe3b51df233e38106c3052289b651ad9ecfafa3371e9b93df62c5b87785f

SHA512
11df8d61dbfc176c22b5591ca8768cb42def413eb7ce3020996967fa5a5ffe47c0f0695e20c5b0912b983588fc0cac50ce0d180d7b36ed0c3630f1a662318fe5

Download Submit
C:\Users\Admin\Desktop\EnableUse.txt.478-E76-A52
MD5
75d60c745a3d585b0d0cdf8df30b01f3

SHA1
09dd9b0bf96bb5af0feb06ee8bcc550f6779d779

SHA256
a496e9160424024ebe08be78204b2698b5d6c119109b7876c582aebec157e189

SHA512
c7592519ba654f9da0cac620198b14ac64283e27ce640edc10fb347e962d2061ef0befe1b598e04c81cd41945e2a82bc89f752a85e638627e1437b5ed27b4381

Download Submit
C:\Users\Admin\Desktop\ExpandStop.3gp.478-E76-A52
MD5
ff8f574ef785fe5e3fe93798b1fb47d4

SHA1
d6d862109e84a141495c3a0a664db7f4436aeb2c

SHA256
4ab2016a07f2c416ac7e20e3ee849bc647f1fd46a3542aa15b09f46a31f12230

SHA512
a248ea0036e1c7f87013d50d2b4c9978a78d4d3e522b747ed09691dfa29e022e52c8297df625d3e02e545c7fee8dbd0a2006aa805bc7551bb4e6a93698201b83

Download Submit
C:\Users\Admin\Desktop\InstallEnter.wav.478-E76-A52
MD5
d1867a6ef067d2e1dc16eb55587528b3

SHA1
9fb318a91a31638eb5caffeb274f3cd2cbbb6d26

SHA256
7cb9a8e00b48046eefa3c0854c53173e389531e2d33382df7f4021e755b764d5

SHA512
6eddf4c2055247bc838529569c9ee6f3c713a502da24accc19f3fff6008d0644473bed3e000445758cea65617ff6d64d75a50b029d641bbff346f11cf77781ca

Download Submit
C:\Users\Admin\Desktop\InstallSelect.bin.478-E76-A52
MD5
5c9b98ea2c5ed2cf9ec9db80f77afac1

SHA1
beb7682db7657ce89e3d2e71ccc23faa518cadf4

SHA256
be3d9a1e8a8f6b36613c0c215f91e654c6547b28febbe50e9559dbf89c355d29

SHA512
b9ab098a9b5c6920efe93e16d3a63170786f885e5256dd561e06ce93159626c8b4a4e45d541fa32b51efe0c46111ec4b620d2bfb01c4b1c7343311384381b78c

Download Submit
C:\Users\Admin\Desktop\InvokeAssert.ex_.478-E76-A52
MD5
2fc92c21c50386bdfb360677023355bd

SHA1
f8592e2cd00e163e1101885d2c40377740620b13

SHA256
c2aa9751112f3b65ea120aa8a3c6bb5a573291f19d3ce4f01344940157095d44

SHA512
9fc71a7b5b54472e78facc7a38eda8d42db8b98d6bbbcd2ef8dbb5683520b454831020e33ba1071a3dc0e5099545a7de0c5de9152da4ce844979fb6bdf638709

Download Submit
C:\Users\Admin\Desktop\LimitPublish.wdp.478-E76-A52
MD5
bbe12a759be01d7d64be54b582dd8bc1

SHA1
e13bf1d166a459b830dc6098da772e0e630830d5

SHA256
86999d5a86dfcbebe1edc6c2fac9ae7d6bfe15e4fd9c831cbe5a994a49706a91

SHA512
7f7f53b6cdf91e098eb869c55d2ccf2d061be8e2fef9eb40808dd3669481587710b4390bff59efc9ccae166c6ae17997e4ad5a94bb1a8e33f3fa38522c9ae436

Download Submit
C:\Users\Admin\Desktop\MergeConnect.potx.478-E76-A52
MD5
3c145d2a1c949124543f80121c53c726

SHA1
2e2054b1305a8df2358a9b7c1aa82210073e9e57

SHA256
7f3e3d057e38340f05032c6d62a26180fbfff6949cfae5404186d1084657d6df

SHA512
63f8bd7f52daecbb049432f8fc0026a7aad9e7da352b7c791ee7e6d5f8d1661f08f09a51613e8870cfac446bc023e5e09c085173bb656be4333f4f7892d0cc74

Download Submit
C:\Users\Admin\Desktop\MergeShow.mid.478-E76-A52
MD5
904b36124bf7100c57701b614a50a7cf

SHA1
45f99041cade7afa01f6b0253717bc03bf48a7ff

SHA256
6a70f602a644491dfc6cc136dc5a7e323bc9a2d0d1c17ee262a6e359b258fe44

SHA512
c041f7153ec64b0b1d3965939bca4dc62b784c8f0cdd277e6762aed7b0eac7be8f9af4d6b8ba81d00cfa74d000cf7f78b143630258d6a003fb511c803a670436

Download Submit
C:\Users\Admin\Desktop\OpenShow.bin.478-E76-A52
MD5
2c241a37c1b4ab35a5020ec552d29859

SHA1
37fc18b921a5bfe95c7f97e3eb53f1f153f8983f

SHA256
9d10880880b9beb753b9e5f80c31ead9973957d00c1784e88628637187f8af58

SHA512
1d7a8c24bd3ed3e3292af73cb5126218cd5fa2d63c486094ae5c62e539d41cef910da9923255d2713831cc1f2579bea724b31cfb4d1bd3f7295293f6b6c29924

Download Submit
C:\Users\Admin\Desktop\PopRestore.tif.478-E76-A52
MD5
e6d2191274eacebe86cb5d25f2a2ec9d

SHA1
cb632c06d41413f75dace02e6a529a9bddcb96d2

SHA256
9a95b4a2a4712507b7d9d166893d5d631a276a412364c47f02693993ebd3f72e

SHA512
898510e1a17c97d5994e59d936871c716d991ebbb1ab2ca1ac2a4728fb6c4411a9c70c16b610fa1b07f168114d9f56b4368eb7e2b6929178961269930e38555f

Download Submit
C:\Users\Admin\Desktop\ReceiveConfirm.cr2.478-E76-A52
MD5
e276805d1ec86ca8e811fd5e0f427c72

SHA1
edda1ca7fad82aaf5b4506cff7e2f80a0dd5dedc

SHA256
5bbb805686aa8591ee8cec22e5c2b754b1103a3de91503c283f584af7b84d642

SHA512
0acff377d08d0f7d1df3f27e1d8818ec05348e3a5f71f1b87bc1b4fe6113870eaa2f431897026150a7157c8bba3f0fe70487ccd109834313345082a0262debb9

Download Submit
C:\Users\Admin\Desktop\ResizeRename.m4a.478-E76-A52
MD5
53b489d3656a024075510996ae33459b

SHA1
673bfdf1caf8714086536c2ee365913f23e2c063

SHA256
74461d80424afa2c21c45b489bba90b1c69b5a410edbb3c22f630a05d279cbaa

SHA512
ee796f996b774a106c0c6be6b2befc31b3645b9689b1cd557363503caa36af9ad3cf14eb9130969154be47fedfe84042256c71636f8b3967f5aed26c4f045ee3

Download Submit
C:\Users\Admin\Desktop\RestoreExport.vst.478-E76-A52
MD5
603d9ca13835a758fa8b18eb328f3033

SHA1
ad40d9371098ef3371cb197e87a93b2c219b81ea

SHA256
4758747bd53b5e2619854fb467b6bb89e595e151c39836eb454a0842be29b37c

SHA512
81e0c6266ddab943530794809355a83d6479b4f22782b19bbccf17b9019bbe64b64d66272e3fd3e38dd688179af523e1dcad4144ffbe2b9ea05acf561567f695

Download Submit
C:\Users\Admin\Desktop\RevokeAssert.WTV.478-E76-A52
MD5
41f6d832a4f07a5901a9367a8cc7115b

SHA1
a0d2349504e4692c21f5020834d258cda44b5756

SHA256
bd1fd27fa9c654bb2df8ba2dbd4f2884335d94b2a2ad36d2e59f91efb9a6ef9a

SHA512
ea6f5fce49345bf4c77a1487f5546f0f1a6298f04ee2dc8ab7a165a3856523154da38191ab517107086e255b2e3c1ecd1e5c8d0cf8c0b1fdea132d6f737af2ea

Download Submit
C:\Users\Admin\Desktop\SendInstall.vsdm.478-E76-A52
MD5
7314465a899d9d97720b2fde3cc0f03c

SHA1
804999e82c3fe3618f364b3dd48fb1f3774848c3

SHA256
080ffcfe3b3da3e9ef3c4f3a46478a284ac40fd31bebf961f44fdd391fe012a3

SHA512
0b4b564a0a40d385721d5abec5548422ee088b3576747bd385f3dbbfbd95b46bf12409e58106cdd0eeb3b5c4bde73d4d0c7bc475e02e583ad12a67b1b0812efa

Download Submit
C:\Users\Admin\Desktop\SwitchBlock.mpa.478-E76-A52
MD5
884bdc8106cbd7565aeeffcc8aa5c43b

SHA1
5ba1acbbbb778405159a59dee6109eee09624569

SHA256
c506b4dee31246e834235bf3705300c6c41beee4edcf708be37cd6c662c5f7b9

SHA512
8cc365e315cc1fd632e232015e3d9c891681c068fb3be7d3b167e72998c30f4a6f86f6d061ce2c6db6466857e5d64a2f79ecf58e84572982788c0fb7a6f939e1

Download Submit
C:\Users\Admin\Desktop\TestRestart.ogg.478-E76-A52
MD5
d69e26c7d54a1ec2812c19ba077aee6f

SHA1
ad14af0e931859d247d3d6f82fd3e7f71865c9c5

SHA256
934289bbbf937436a0e58a9b6e58ac3774451b181848b3a48003dc4752f4f80e

SHA512
181eea388ffa553bec8d03319dd4c4e044f315f30f63b5bc04c05b479ca321efd7af34d1ebcdb3bfac8c94cc1e7455430f9364c10ffaca5232e718b3c3ab121d

Download Submit
C:\Users\Admin\Desktop\UnpublishEdit.dxf.478-E76-A52
MD5
0154c0c3f42010130b92c799416407e3

SHA1
3260d9c9ec49d96d18b0c64f52190758b0c5d7f1

SHA256
9b4796f9bd8484d1cbf64cfcf04862640a70a748aa68df6874e5948800ff3421

SHA512
e33cbec520226e5990e9a6c8c312bca441dfbad9d6d9faf75b51fed77a5098186253b54ff2e2f21a4e3a540b9cc6c3ba8162246114eb3c55923b129ea63a4a60

Download Submit
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\58nfs.ini
MD5
42f9b29cb18cec22cf1f68375685ddc2

SHA1
54de5fd042aa740be90f85d7887d41ebc0e00b4b

SHA256
7aac762ca37c72400df369c6a25d81e758071e570f8dd68f136290923165d007

SHA512
f4065bc2b1b5ef8577c22ee6fe3ee4e5ee9af413d7a693940e317d2ab23de4ac64079761469369b282665c5d19fd3beb9a9ecd0af64a40531df946c65f36ab5c

Download Submit
C:\ssd\onset\81ldp.bat
MD5
a5464805722aa29200eb97cb26605135

SHA1
80b2c57e6475325a89eaaba24db02685830018ea

SHA256
03130577ed6032ec6fce61f3f4a52fbfd2e7eb69ca1901823682b392f89c0e8a

SHA512
d99760c1a82e2bd46d4d400c60c2c7a1fdfa057b84c6de2e992e19c662f62aed357e67c6f326e989124ccf7b67b57e1157b124e9bee4765e4f6730fb57660aae

Download Submit
C:\ssd\onset\Ztestram.vbs
MD5
b835e273fb843348db5f05d2ed0958e8

SHA1
8a5feab98df1ef7a898863e941e8bb07d007b9c1

SHA256
066327629f90b617ff1980f80a69ff3f5d76b4b005bfe9ee1a52319bc5517c94

SHA512
5438cd64586b1bfb6b555b9183e50cfae143306b163d7b4810383198cb8afcee3b5631a4f7cfb65561c2bb9babfaf70e8403937ae8d80cae93e9cd57e5c8331e

Download Submit
C:\ssd\onset\goodram.vbs
MD5
1ed7cb327b190a41ed8aee89c9be87d1

SHA1
6bd8634e530a6911501f1ab1c23fa4282d3a9e4f

SHA256
c31b950a44c81e1aaa37c495da1cf671ef730a5d1efbf5e68a875bf998c94663

SHA512
a9b85159614d71f91f05d9f1a4f65085105591ef7ca6d4094e171121e4259ebeca65fe490c28846b8d5791ef15cd7c01d56c7114aab517bab64c2f262c3dfb7c

Download Submit
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\sata1.bat
MD5
03560667f8a4144f8d45f917fd522a95

SHA1
df8ec645f2cbecb9388c87a63674b508a791433e

SHA256
41e9529c2acd43b7a206ec80655016bb65ba6721acfd930d351399730e809ad1

SHA512
215824afaaf96acef5977a7e6f48b2133cd969b1d809db333bf1b700176dfaa745141aade50fb4bec1151087a3deb2d64ae542b2405a17ec53d17fbc69052ad4

Download Submit
memory/348-42-0x0000000000000000-mapping.dmp

Download
memory/620-40-0x0000000000000000-mapping.dmp

Download
memory/736-3-0x0000000000000000-mapping.dmp

Download
memory/748-22-0x0000000000000000-mapping.dmp

Download
memory/748-21-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/776-46-0x0000000000000000-mapping.dmp

Download
memory/952-14-0x0000000000000000-mapping.dmp

Download
memory/980-12-0x0000000000000000-mapping.dmp

Download
memory/1300-36-0x0000000000000000-mapping.dmp

Download
memory/1512-13-0x0000000000000000-mapping.dmp

Download
memory/1784-45-0x0000000000000000-mapping.dmp

Download
memory/1880-75-0x0000000000000000-mapping.dmp

Download
memory/1988-15-0x0000000000000000-mapping.dmp

Download
memory/2212-48-0x0000000000000000-mapping.dmp

Download
memory/2260-18-0x0000000000000000-mapping.dmp

Download
memory/2400-31-0x0000000000000000-mapping.dmp

Download
memory/2428-39-0x0000000000000000-mapping.dmp

Download
memory/2516-34-0x0000000000000000-mapping.dmp

Download
memory/2552-9-0x0000000000000000-mapping.dmp

Download
memory/2648-10-0x0000000000000000-mapping.dmp

Download
memory/2704-41-0x0000000000000000-mapping.dmp

Download
memory/2952-33-0x0000000000000000-mapping.dmp

Download
memory/3112-7-0x0000000000000000-mapping.dmp

Download
memory/3256-47-0x0000000000000000-mapping.dmp

Download
memory/3420-0-0x0000000000000000-mapping.dmp

Download
memory/3428-5-0x0000000000000000-mapping.dmp

Download
memory/3624-37-0x0000000000000000-mapping.dmp

Download
memory/3652-38-0x0000000000000000-mapping.dmp

Download
memory/3948-32-0x0000000000000000-mapping.dmp

Download