buran | 63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3

Analysis

max time kernel
88s
max time network
87s
platform
windows7_x64
resource
win7v20201028
submitted
02-04-2021 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
Size

216KB
MD5

75c1ff39aac846286257e7186dc0096e
SHA1

2e953e5958353e2590fd14300a492a786d6930d5
SHA256

63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3
SHA512

ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kokolozombisam@gmail.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kokolozombisam@gmail.com Telegraml: @Karla404 Your personal ID: 2D0-876-029 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

kokolozombisam@gmail.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

1192 explorer.exe
1108 explorer.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1536 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe

pid process

1932 SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
1932 SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe

pid	process
1192	explorer.exe
1108	explorer.exe

pid	process
1536	notepad.exe

pid	process
1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 geoiptool.com

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00170_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BABY_01.MID.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LINEACT.POC	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF.@Karla404.2D0-876-029	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238333.WMF.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186002.WMF.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CAGCAT10.MML.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Phoenix	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Flash.mpp.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ11.POC.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00833_.WMF.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG	explorer.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTES.ICO	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.XML.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Riga	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00159_.WMF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00157_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\CALENDAR.GIF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART10.BDR.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.@Karla404.2D0-876-029	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1932 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe

pid	process
1932	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	explorer.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exeWMIC.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
Token: SeDebugPrivilege	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: SeBackupPrivilege	1832	vssvc.exe
Token: SeRestorePrivilege	1832	vssvc.exe
Token: SeAuditPrivilege	1832	vssvc.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: SeDebugPrivilege	1192	explorer.exe
Token: SeDebugPrivilege	1192	explorer.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exeexplorer.execmd.execmd.exe

description	pid	process	target process
PID 1932 wrote to memory of 1192	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	explorer.exe
PID 1932 wrote to memory of 1192	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	explorer.exe
PID 1932 wrote to memory of 1192	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	explorer.exe
PID 1932 wrote to memory of 1192	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	explorer.exe
PID 1932 wrote to memory of 1536	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	notepad.exe
PID 1932 wrote to memory of 1536	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	notepad.exe
PID 1932 wrote to memory of 1536	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	notepad.exe
PID 1932 wrote to memory of 1536	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	notepad.exe
PID 1932 wrote to memory of 1536	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	notepad.exe
PID 1932 wrote to memory of 1536	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	notepad.exe
PID 1932 wrote to memory of 1536	1932	SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe	notepad.exe
PID 1192 wrote to memory of 572	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 572	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 572	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 572	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1616	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1616	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1616	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1616	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 476	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 476	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 476	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 476	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1160	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1160	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1160	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1160	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1500	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1500	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1500	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1500	1192	explorer.exe	cmd.exe
PID 1192 wrote to memory of 1108	1192	explorer.exe	explorer.exe
PID 1192 wrote to memory of 1108	1192	explorer.exe	explorer.exe
PID 1192 wrote to memory of 1108	1192	explorer.exe	explorer.exe
PID 1192 wrote to memory of 1108	1192	explorer.exe	explorer.exe
PID 572 wrote to memory of 820	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 820	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 820	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 820	572	cmd.exe	WMIC.exe
PID 1500 wrote to memory of 1932	1500	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 1932	1500	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 1932	1500	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 1932	1500	cmd.exe	vssadmin.exe
PID 1192 wrote to memory of 1536	1192	explorer.exe	notepad.exe
PID 1192 wrote to memory of 1536	1192	explorer.exe	notepad.exe
PID 1192 wrote to memory of 1536	1192	explorer.exe	notepad.exe
PID 1192 wrote to memory of 1536	1192	explorer.exe	notepad.exe
PID 1192 wrote to memory of 1536	1192	explorer.exe	notepad.exe
PID 1192 wrote to memory of 1536	1192	explorer.exe	notepad.exe
PID 1192 wrote to memory of 1536	1192	explorer.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Encoder.33750.22954.16449.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1108

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1536

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
86685952b3e8f4ad691050c954d6250c

SHA1
1705baba558a84967c186cedb11b4d895470ee22

SHA256
762c1ada3a9117b1e0e382e692e37b8d84d4d037bcfad28c65f05fdc15008072

SHA512
c9fdcf79f2bbcc40dbb9445ca63eb9760fd2f0884ef3fc6a580e10957ec0f6e7499a3f088e80c3074db8d7d3501bd2d56d70c1bc597329ac03d78ba742dced45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
885b4461e133e1db2d88f0cdbcd5afb2

SHA1
15d84bcc041e330ef0d260252461c57bc51c3b29

SHA256
84796726a64dd846ffd7d6a322e24c76509d5b77ec67a01101c5a0ed4ae71a92

SHA512
3582be2c43f40e683e116cd18ac8b7edbb640ecad17ea50c541c80b384111839e42dfe16a00b8c94725a866f7254147314797bc7f79b1f34d3f439411fdfc0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f8e8cecf0e7b87ca9655876c74e4448f

SHA1
81cbbc8e89acc2b46ce23b876d68af4e4ea6e984

SHA256
5be90bfc1b0198d64016dabee198906523ce5b9719fb57233f0b4f9738e3bf36

SHA512
9c4d3e8fcd76e0886ada78d131c713ce038ed2fba350d43f63c123d08b824c1c38f93ebd5ab25d715947765e1f88c4d7264701c37d2ef514136b76c53b03f2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
29bebcb886ff1d8e2fba2d69b49d8849

SHA1
2d25f5b769dfe1f36629cf7feaa73ac955673e84

SHA256
373a7536d725657f1bbe99cd6e2e220350e9d73a0242ad2b1f12e03ce2689f38

SHA512
4936778450ec5309bafbdd5cf9443c0ff0b319e735d25731d90a3347722514869d3ddf292fc8b4000e3752088cb391e5d0870dc8936c23cdcd4885647fd88c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
51e7fcb227b43ffe67fa4170ae39c92e

SHA1
038ad0c87063cfd9e35fe0b4868513b9ec900090

SHA256
ceceaf8bd0f107d09b2d9a161aa4c0a89fcca009d0baa06f153af1d3362088c8

SHA512
e86926459a64095ead0209fc5911ca522005032cd3379ca65d730be6365e8e5c74692df4740b25f9d74474cff40fd3fd4d6645b469fe1690d05152012dd37b90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
fb044d749ff0309cee20dfc4b4174cf6

SHA1
e1bb7f89cd13da8b0c1e1d046322caef0056488e

SHA256
020b233770dc7666e60fe4a2f8e9efda4edac5e2326a284d6683c926ed961cb4

SHA512
af6e7d9b3dfcd23a29882f1efcb628fd1a7ccf3b1fd9ae6fec9dcceff59b05532c029bf100f32b029d37c53dddf04d41f4999b5ddfb9ee726d2701e08abd2927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
82e845ca7747c76235c5339fc2abfe46

SHA1
8c83f2a1b0dc4c262d6787359b64a0a0c5a4dbe1

SHA256
101c0b7a5837c1ac30b4e788f1f8cf4453a2bd5006028f6a97809587c34308e4

SHA512
7d65f2d66d1dfc882b88137224e7a80d1377ee1e17951e3f05b2b1d9705d400e279b3b68d489978cb1347052fff31e362824a7640533b10a88f202d88b7637fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\MCC0LJGO.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\UOEXQ1VX.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
75c1ff39aac846286257e7186dc0096e

SHA1
2e953e5958353e2590fd14300a492a786d6930d5

SHA256
63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3

SHA512
ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
75c1ff39aac846286257e7186dc0096e

SHA1
2e953e5958353e2590fd14300a492a786d6930d5

SHA256
63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3

SHA512
ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
75c1ff39aac846286257e7186dc0096e

SHA1
2e953e5958353e2590fd14300a492a786d6930d5

SHA256
63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3

SHA512
ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8

Download Submit
C:\Users\Admin\Desktop\ApproveMove.shtml.@Karla404.2D0-876-029
MD5
5ca45cebc5a232d7c63e7384c308e0cf

SHA1
d75965498561c44621672d760514a84f5bb70cf7

SHA256
91809999d3472bdbed54fe853f1fc5c80fed7246ef491e182c3b584299f602ed

SHA512
a13b3524445c6b73f6562dcca915d9a15c32352098b32a8117500f94742f3af9b7351a77ae05df5c50a995c4cb1da9d4676f2c5b6dc5339573c67aea9557c7b5

Download Submit
C:\Users\Admin\Desktop\CompareUninstall.pcx.@Karla404.2D0-876-029
MD5
31877931730a93bd312feaaf0c7c22cc

SHA1
dc052375be08db9f0f2b5fcfa743e5124e156279

SHA256
c2b8c8d25a091479b38c2b0256cfd8fb6e8d2283a65879d7855f22c5a8431b8c

SHA512
781f6ef4b061f8824d06f3f5914004f67d9d978f801b363053ed2c24c190be671ce0eec1f80f8829cc35feae5306d5b646d0ee5b341d6903f5792b87e6d3ead0

Download Submit
C:\Users\Admin\Desktop\CompleteProtect.mpg.@Karla404.2D0-876-029
MD5
f1ef5c63b3f0e49e274f09ef2c74959e

SHA1
d852d179cb9b172302752824bdc918a0f12c98b6

SHA256
00e69ffe12b37181d797cbbbe8ee9ca819745d98960e3c5c8a0d19f4bf549224

SHA512
8492cab2671497356fd159e9b3577c8269310f14a466edf18db4d1d94951022cae7e6a9f3a8c1313e075756327a082ed621b5a22bcebb22a13489069328de774

Download Submit
C:\Users\Admin\Desktop\DisableMeasure.ttc.@Karla404.2D0-876-029
MD5
ded499fde71d512e614833ddfce31092

SHA1
f552947308949e2f9b5b3d1753331ce141c69fac

SHA256
aedb515714ddfcd7af7416f79fda4d83bfcd39faac71e8aa18cb948c48b7d24d

SHA512
3b98e44af3078a9c4d57a7453be1d91afcb39f2f6887a71734222676f96f1e0615a3c4aeda512602a0f093cb6bcd942f9d24781bd9ab722fe5be70269775e5c3

Download Submit
C:\Users\Admin\Desktop\DisableSplit.mpe.@Karla404.2D0-876-029
MD5
9208bace278b124189c0c770e1682906

SHA1
1aa2f92ea5d360ad0d39f578ad56792fbb1d8b12

SHA256
484be691bb5f7107cca7312ab982812036af6d176aab639de164481d59c08287

SHA512
db70974ba87a29a11e463cbf8bc3ad82db32eb51dd98989d6f8980041c350fe1091b617cfcf71d179040c8d8cf04f8e1541457f19175209abf5d91f970352799

Download Submit
C:\Users\Admin\Desktop\EnableExpand.doc.@Karla404.2D0-876-029
MD5
04e32250d6bd08bd3a39509f0d61709b

SHA1
8663557a694c7ee74e12eb91430fea44eb3e7490

SHA256
ab5629fffc1e21773b94693efc855c040ca2eca2a6d730880e8e868a695aa124

SHA512
e1858ea0376b504bb17bf6b8019ad19c087d9fd5983dc43cc4d435d282619067f6d070c57086fe540b29e49570f6a1ef5662c91b619e90f9369f8699829a230f

Download Submit
C:\Users\Admin\Desktop\FormatBackup.contact.@Karla404.2D0-876-029
MD5
7c774e09f4e9db5fe4a8c8f57689c7cf

SHA1
8aa191176bdeab838bd740cf789f09943e113c9b

SHA256
6838295e36ccced198520f658c7f665bbd60cf2b1e7f717f43a4d55fe1baedde

SHA512
e8df7d9c314ef7b57d1d89646bc3a4939e16d37629717a45e7fba7fe9b73722b1184398626a50d3dae7be166dd40dddedce6853d9f963299cf156a3d4b3ccc17

Download Submit
C:\Users\Admin\Desktop\GrantSwitch.xlsx.@Karla404.2D0-876-029
MD5
b608db1b8063e8326625ea6f82c1d1f9

SHA1
a7abf1d5f4000d8cfc2035d8dae9b12c43d01c24

SHA256
4055212216587771252e21e60c9281febef8560c30926f2d663a8b326801822d

SHA512
3f78f50dc4799e0847074ff14945a504321cc659a167aca9d816e0973caf73e71231bf47b87065dcd43ef05335ea4a6397f98f639ecdbf986ead3fe74d9e822e

Download Submit
C:\Users\Admin\Desktop\ImportDebug.rmi.@Karla404.2D0-876-029
MD5
365bbe5b00b42d94023b710ee56bc260

SHA1
4e03fd337c8389e9541b8a72e9ebae1762ba3f66

SHA256
d081a205961607b773bedebd4a44d67e0854012f5f4b1156064e0b054811bc9c

SHA512
52df65535ad009fa4135d99177ba56f087d79581f581190c9780a1f0ce9afdc2cb41bd7dc70e78be6c8da69f4dc7fbaf6eb04eb9e13f38a5c85049e00293ab2f

Download Submit
C:\Users\Admin\Desktop\MountOpen.dwg.@Karla404.2D0-876-029
MD5
6146e9c1eba6cb06457528dbb8b17211

SHA1
d5e2b896ca336c7a6d720fbfe0039ee13395a33c

SHA256
5844753ad278b0c263e33c228c841adcfb50f9cd639fd1d5eff6f28af434c0c5

SHA512
603e584e4bfe4b54869844c82cf7ba7e99a2633b2ea50c25a6c9c3d1d3682a76677ff6d16fe56af529b2655d31b7ef5c83ad905721c9bcfcb6c3030b6c7dcb52

Download Submit
C:\Users\Admin\Desktop\ResolveStop.gif.@Karla404.2D0-876-029
MD5
11e3967d86000f09cb250c6607246c99

SHA1
ab4375cabbcc9803ffa3905038cc317e4eca02c5

SHA256
187ae504514a9d73b42d391807170e4f9fcbdcb0b345e9f07358f6b005dd8454

SHA512
a9e9e667547d1fae5254c00f20cab06093deef8d8c011a196f2e7b4d63986f458696b713b222bb46f70c00719f5cae4d1eca46cc7a2412904088ce5b25d84437

Download Submit
C:\Users\Admin\Desktop\SplitStep.xps.@Karla404.2D0-876-029
MD5
2ac44a60ed93b3dcbcdfe847b54bfd84

SHA1
a0ef36b1d9012c32723db557a086f3f28b962025

SHA256
83e16f4d3dce5ab029c92d5c2b3022a64b36f1f07dd12506b74e4b417f6be269

SHA512
26ba65c3f1f3928a713f5762631046423ffe8461a74fa81ee444a6b8acc723d3e21605fd84f56f0a8bd117510c4fc94c2d590a0bca637ec3001cd83bde55f9c3

Download Submit
C:\Users\Admin\Desktop\StartReset.nfo.@Karla404.2D0-876-029
MD5
89de51e3928da6e043d1673bc9079b8d

SHA1
a40460b871e60e59c991f78738daca2b138818ed

SHA256
6a2124a4f04f4d57dd44ea9a56bd606b62af3ffa6dd108205b70945702a3b617

SHA512
1a1f8a9a3f5aef39a35fc4737d6c1b6eb77cb1794db247d71ba359044944ea120021a69a7863fb0898241a1cbe150931152f9e0da750ba10c57d3f045a1cf4dd

Download Submit
C:\Users\Admin\Desktop\SubmitGroup.fon.@Karla404.2D0-876-029
MD5
fb81a3e4e525e0dd066407b6194f0c25

SHA1
96be9e8f5955702514e9a29b9e2945dc84eb89b2

SHA256
4e0f49186fb6c74087c34a726fad40139bc830bd849b4e85163eaa9213bce161

SHA512
b0b8a40752ec745f2f09dcc95bb84eb3c8fa15ad067d2b274c54114af0e3b56c1ff68fe3fc543b0606891e5afdd28759ad24a9bd96e611c9e9397ba4e60091d7

Download Submit
C:\Users\Admin\Desktop\SuspendRestart.ex_.@Karla404.2D0-876-029
MD5
e8f36769af0c4635f87714234e4a114c

SHA1
2c7a209375af759a71216a016e6724f5e1171ffb

SHA256
e6c6faf55bad8c9e046eb06a442a651d4273bd3200c3341791cca6e8e8b597d7

SHA512
1ab5822cdf39da8c9bd06e2a9fb97f2f3fa0821d962731b7da9b38860a9df601b4459b201e1b5b6b6e3545f2b72ad0f26d85b3e5f055a036101471713537133a

Download Submit
C:\Users\Admin\Desktop\TestHide.M2V.@Karla404.2D0-876-029
MD5
e1d37b0b6bec5a97edfb16a7be9639ff

SHA1
ff965acac93568e55241c506996be1022febdf8d

SHA256
6be63378b30215bbc54fb761ba2fb4ec59c2ba81ce038b5938d504f105ebe016

SHA512
8315caa586383dda6f5f17d64fc4f2e91c79c524602f917a4cfe0e00a79e868b623793567d68dc3b5a6f60ff46216fc75583c13c3d0f36194888a328e2855d62

Download Submit
C:\Users\Admin\Desktop\TestSave.easmx.@Karla404.2D0-876-029
MD5
c6f2f6dade1bb5ab651915e48d730e08

SHA1
13a18d37b3050e96991b10ef7b12a5a089efe551

SHA256
390e840658e46c6b4ba866342481f4f452f18e6932fa33752784d2d83a18591d

SHA512
42156602df5db76643c97851898a8ef59eecef9ed65d8b15ea3d72365646bbf37e2354731d5fa222fe761208a4050b3d188ebea121a5252227fbb02691f2edf8

Download Submit
C:\Users\Admin\Desktop\TraceOptimize.svg.@Karla404.2D0-876-029
MD5
ca0554522d414fb1a5973a2ba1589e65

SHA1
83a1ec7feba9d935c07d9082a68a15a882186a1e

SHA256
c0ba00116a4ccdd599744be93af5cbbb2de05f17c0385d49fe5f3f79be55b8c4

SHA512
ff4f10048ed3b8ed429609694c1dcd9a0ceace66a00cd57afb535b1a2a2f8999787709e9e02eb20f08e765c86b16126b5c56c945fa7d6c8144ee26c4d932b348

Download Submit
C:\Users\Admin\Desktop\UnregisterAdd.otf.@Karla404.2D0-876-029
MD5
94db45db08cf17de820527a73fb5029b

SHA1
1ee4920cd85beb3926ef07316583c2c6bb9c1987

SHA256
a702112d1146890936b0f32fc0cd8000ec211eb39418b0509b266ebb3b5001ed

SHA512
ab75347e3e9273e2291e1eb4ba55db3c10998fcfad7628674c1c1be9bd9bf44cab555663977a31e439b8a7ae46d9b30f2240ac333863cc6952c5b85704326065

Download Submit
C:\Users\Admin\Desktop\WriteResume.mpeg3.@Karla404.2D0-876-029
MD5
f948c1cf5ab72f40c209eb81b9610a99

SHA1
7ec643a0126c85d9d66a9423e371f47070d36400

SHA256
ed9e6d24dfcb467af400c366586abc29651c6d0e77f6fe19e2d633f0bf65e9df

SHA512
5ddd89e29dea4e8193a747806fb20856dbb6d83eed7dc2f3afd4977b89e1085f195baeeabbbadd47bca5bc9124ac0ba6547af676c4b9be5a570cfb528644a7be

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
75c1ff39aac846286257e7186dc0096e

SHA1
2e953e5958353e2590fd14300a492a786d6930d5

SHA256
63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3

SHA512
ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
75c1ff39aac846286257e7186dc0096e

SHA1
2e953e5958353e2590fd14300a492a786d6930d5

SHA256
63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3

SHA512
ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8

Download Submit
memory/476-25-0x0000000000000000-mapping.dmp

Download
memory/572-23-0x0000000000000000-mapping.dmp

Download
memory/792-3-0x000007FEF6E90000-0x000007FEF710A000-memory.dmp

Filesize
2.5MB

Download
memory/820-32-0x0000000000000000-mapping.dmp

Download
memory/1108-29-0x0000000000000000-mapping.dmp

Download
memory/1160-26-0x0000000000000000-mapping.dmp

Download
memory/1192-6-0x0000000000000000-mapping.dmp

Download
memory/1500-27-0x0000000000000000-mapping.dmp

Download
memory/1536-54-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1536-10-0x0000000000000000-mapping.dmp

Download
memory/1536-9-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1536-55-0x0000000000000000-mapping.dmp

Download
memory/1616-24-0x0000000000000000-mapping.dmp

Download
memory/1932-2-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1932-33-0x0000000000000000-mapping.dmp

Download