Analysis
- max time kernel: 88s
- max time network: 87s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 02-04-2021 14:00

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
- Resource: win10v20201028

General
- Target: SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
- Size: 216KB
- MD5: 75c1ff39aac846286257e7186dc0096e
- SHA1: 2e953e5958353e2590fd14300a492a786d6930d5
- SHA256: 63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3
- SHA512: ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8

Malware Config
- Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Email: kokolozombisam@gmail.com
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
  - explorer.exe (PID 1192)
  - explorer.exe (PID 1108)
- Deletes itself (1 IoC)
  Processes:
  - notepad.exe (PID 1536)
- Loads dropped DLL (2 IoCs)
  Processes:
  - SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe (PID 1932), 2 events
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (explorer.exe):
  - File opened (read-only): \??\T:, \??\J:, \??\H:, \??\G:, \??\B:, \??\W:, \??\U:, \??\P:, \??\K:, \??\F:, \??\A:, \??\Z:, \??\Y:, \??\O:, \??\N:, \??\M:, \??\L:, \??\X:, \??\Q:, \??\R:, \??\I:, \??\E:, \??\V:, \??\S:
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 5: geoiptool.com
- Drops file in Program Files directory (64 IoCs)
  Processes (explorer.exe):
  File created:
  - C:\Program Files\VideoLAN\VLC\plugins\video_output\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  - C:\Program Files (x86)\Microsoft Office\Office14\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification:
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00170_.WMF
  - C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.@Karla404.2D0-876-029
  - C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BABY_01.MID.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico
  - C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LINEACT.POC
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar
  - C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238333.WMF.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186002.WMF.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CAGCAT10.MML.@Karla404.2D0-876-029
  - C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.@Karla404.2D0-876-029
  - C:\Program Files\Java\jre7\lib\zi\America\Phoenix
  - C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
  - C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Flash.mpp.@Karla404.2D0-876-029
  - C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.@Karla404.2D0-876-029
  - C:\Program Files\Java\jre7\lib\zi\America\Curacao.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ11.POC.@Karla404.2D0-876-029
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00833_.WMF.@Karla404.2D0-876-029
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx
  - C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTES.ICO
  - C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.XML.@Karla404.2D0-876-029
  - C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.@Karla404.2D0-876-029
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF
  - C:\Program Files\7-Zip\Lang\nb.txt
  - C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG.@Karla404.2D0-876-029
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.@Karla404.2D0-876-029
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar
  - C:\Program Files\Java\jre7\lib\zi\Europe\Riga
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00159_.WMF
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar.@Karla404.2D0-876-029
  - C:\Program Files\VideoLAN\VLC\lua\http\css\main.css
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00157_.WMF
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\CALENDAR.GIF
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.@Karla404.2D0-876-029
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART10.BDR.@Karla404.2D0-876-029
  - C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
  - C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.@Karla404.2D0-876-029
  - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp
  - C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF
- Drops file in Windows directory (1 IoC)
  Processes (explorer.exe):
  - File created: C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - vssadmin.exe (PID 1932)
- Modifies system certificate store
  Processes:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe), 2 events; the binary Blob value is omitted here
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (explorer.exe)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (explorer.exe); the Blob value, omitted here, decodes to a self-signed Comodo CA Limited "AAA Certificate Services" root certificate written into the AuthRoot store
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes:
  - SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe (PID 1932): Token: SeDebugPrivilege (2 events)
  - WMIC.exe (PID 820): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the same 20 tokens logged twice, 40 events)
  - vssvc.exe (PID 1832): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - explorer.exe (PID 1192): Token: SeDebugPrivilege (2 events)
- Suspicious use of WriteProcessMemory (50 IoCs)
  Processes (source PID and process wrote to memory of target PID and process):
  - 1932 SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe wrote to 1192 explorer.exe (4 events)
  - 1932 SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe wrote to 1536 notepad.exe (7 events)
  - 1192 explorer.exe wrote to 572 cmd.exe (4 events)
  - 1192 explorer.exe wrote to 1616 cmd.exe (4 events)
  - 1192 explorer.exe wrote to 476 cmd.exe (4 events)
  - 1192 explorer.exe wrote to 1160 cmd.exe (4 events)
  - 1192 explorer.exe wrote to 1500 cmd.exe (4 events)
  - 1192 explorer.exe wrote to 1108 explorer.exe (4 events)
  - 572 cmd.exe wrote to 820 WMIC.exe (4 events)
  - 1500 cmd.exe wrote to 1932 vssadmin.exe (4 events)
  - 1192 explorer.exe wrote to 1536 notepad.exe (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
    Signatures: Executes dropped EXE; Enumerates connected drives; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
      Signatures: Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
    Signatures: Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
SHA2564e0f49186fb6c74087c34a726fad40139bc830bd849b4e85163eaa9213bce161
SHA512b0b8a40752ec745f2f09dcc95bb84eb3c8fa15ad067d2b274c54114af0e3b56c1ff68fe3fc543b0606891e5afdd28759ad24a9bd96e611c9e9397ba4e60091d7
-
C:\Users\Admin\Desktop\SuspendRestart.ex_.@Karla404.2D0-876-029MD5
e8f36769af0c4635f87714234e4a114c
SHA12c7a209375af759a71216a016e6724f5e1171ffb
SHA256e6c6faf55bad8c9e046eb06a442a651d4273bd3200c3341791cca6e8e8b597d7
SHA5121ab5822cdf39da8c9bd06e2a9fb97f2f3fa0821d962731b7da9b38860a9df601b4459b201e1b5b6b6e3545f2b72ad0f26d85b3e5f055a036101471713537133a
-
C:\Users\Admin\Desktop\TestHide.M2V.@Karla404.2D0-876-029MD5
e1d37b0b6bec5a97edfb16a7be9639ff
SHA1ff965acac93568e55241c506996be1022febdf8d
SHA2566be63378b30215bbc54fb761ba2fb4ec59c2ba81ce038b5938d504f105ebe016
SHA5128315caa586383dda6f5f17d64fc4f2e91c79c524602f917a4cfe0e00a79e868b623793567d68dc3b5a6f60ff46216fc75583c13c3d0f36194888a328e2855d62
-
C:\Users\Admin\Desktop\TestSave.easmx.@Karla404.2D0-876-029MD5
c6f2f6dade1bb5ab651915e48d730e08
SHA113a18d37b3050e96991b10ef7b12a5a089efe551
SHA256390e840658e46c6b4ba866342481f4f452f18e6932fa33752784d2d83a18591d
SHA51242156602df5db76643c97851898a8ef59eecef9ed65d8b15ea3d72365646bbf37e2354731d5fa222fe761208a4050b3d188ebea121a5252227fbb02691f2edf8
-
C:\Users\Admin\Desktop\TraceOptimize.svg.@Karla404.2D0-876-029MD5
ca0554522d414fb1a5973a2ba1589e65
SHA183a1ec7feba9d935c07d9082a68a15a882186a1e
SHA256c0ba00116a4ccdd599744be93af5cbbb2de05f17c0385d49fe5f3f79be55b8c4
SHA512ff4f10048ed3b8ed429609694c1dcd9a0ceace66a00cd57afb535b1a2a2f8999787709e9e02eb20f08e765c86b16126b5c56c945fa7d6c8144ee26c4d932b348
-
C:\Users\Admin\Desktop\UnregisterAdd.otf.@Karla404.2D0-876-029MD5
94db45db08cf17de820527a73fb5029b
SHA11ee4920cd85beb3926ef07316583c2c6bb9c1987
SHA256a702112d1146890936b0f32fc0cd8000ec211eb39418b0509b266ebb3b5001ed
SHA512ab75347e3e9273e2291e1eb4ba55db3c10998fcfad7628674c1c1be9bd9bf44cab555663977a31e439b8a7ae46d9b30f2240ac333863cc6952c5b85704326065
-
C:\Users\Admin\Desktop\WriteResume.mpeg3.@Karla404.2D0-876-029MD5
f948c1cf5ab72f40c209eb81b9610a99
SHA17ec643a0126c85d9d66a9423e371f47070d36400
SHA256ed9e6d24dfcb467af400c366586abc29651c6d0e77f6fe19e2d633f0bf65e9df
SHA5125ddd89e29dea4e8193a747806fb20856dbb6d83eed7dc2f3afd4977b89e1085f195baeeabbbadd47bca5bc9124ac0ba6547af676c4b9be5a570cfb528644a7be
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exeMD5
75c1ff39aac846286257e7186dc0096e
SHA12e953e5958353e2590fd14300a492a786d6930d5
SHA25663067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3
SHA512ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exeMD5
75c1ff39aac846286257e7186dc0096e
SHA12e953e5958353e2590fd14300a492a786d6930d5
SHA25663067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3
SHA512ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8
-
memory/476-25-0x0000000000000000-mapping.dmp
-
memory/572-23-0x0000000000000000-mapping.dmp
-
memory/792-3-0x000007FEF6E90000-0x000007FEF710A000-memory.dmpFilesize
2.5MB
-
memory/820-32-0x0000000000000000-mapping.dmp
-
memory/1108-29-0x0000000000000000-mapping.dmp
-
memory/1160-26-0x0000000000000000-mapping.dmp
-
memory/1192-6-0x0000000000000000-mapping.dmp
-
memory/1500-27-0x0000000000000000-mapping.dmp
-
memory/1536-54-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/1536-10-0x0000000000000000-mapping.dmp
-
memory/1536-9-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/1536-55-0x0000000000000000-mapping.dmp
-
memory/1616-24-0x0000000000000000-mapping.dmp
-
memory/1932-2-0x00000000750C1000-0x00000000750C3000-memory.dmpFilesize
8KB
-
memory/1932-33-0x0000000000000000-mapping.dmp