Analysis
-
max time kernel
115s
-
max time network
100s
-
platform
windows7_x64
-
resource
win7v20210408
-
submitted
27-04-2021 07:06
Static task
static1
Behavioral task
behavioral1
Sample
e826.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
e826.exe
Resource
win10v20210410
General
-
Target
e826.exe
-
Size
371KB
-
MD5
e38ccca299db41904493bfc51ced614d
-
SHA1
4b9a2c510913dc92cf8f5f879ab198fe5e54f544
-
SHA256
fa789f56ef3f5075fc02c53cd937fe1580ae46217cf0a82bd4871043276fb086
-
SHA512
961b03275cd76f4074e1c622216903678067f6115ce6f004be3c62939a13653891f87718e587a9155de999bf9d7c167a687290b7bab40443cf3395f9486ce654
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
rootiunik@cock.li
TimothyCrabtree@protonmail.com
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
Processes:
pid process
1536 notepad.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description ioc process
File opened (read-only) \??\Y: e826.exe
File opened (read-only) \??\V: e826.exe
File opened (read-only) \??\Q: e826.exe
File opened (read-only) \??\G: e826.exe
File opened (read-only) \??\A: e826.exe
File opened (read-only) \??\Z: e826.exe
File opened (read-only) \??\W: e826.exe
File opened (read-only) \??\T: e826.exe
File opened (read-only) \??\S: e826.exe
File opened (read-only) \??\R: e826.exe
File opened (read-only) \??\P: e826.exe
File opened (read-only) \??\L: e826.exe
File opened (read-only) \??\J: e826.exe
File opened (read-only) \??\F: e826.exe
File opened (read-only) \??\E: e826.exe
File opened (read-only) \??\K: e826.exe
File opened (read-only) \??\I: e826.exe
File opened (read-only) \??\H: e826.exe
File opened (read-only) \??\X: e826.exe
File opened (read-only) \??\U: e826.exe
File opened (read-only) \??\O: e826.exe
File opened (read-only) \??\N: e826.exe
File opened (read-only) \??\M: e826.exe
File opened (read-only) \??\B: e826.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
6 geoiptool.com
-
Drops file in Program Files directory 64 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLTASK.FAE.rootiunik.DCB-C9B-290 e826.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107528.WMF.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF e826.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Newsprint.eftx.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_K_COL.HXK.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville e826.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21338_.GIF e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar e826.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00268_.WMF.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF e826.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN086.XML e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCARD11.POC e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199473.WMF.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00705_.WMF e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00199_.WMF.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01751_.GIF e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00560_.WMF e826.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP e826.exe
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02443_.WMF e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\London.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF.rootiunik.DCB-C9B-290 e826.exe
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html e826.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00482_.WMF e826.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.rootiunik.DCB-C9B-290 e826.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description ioc process
File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT e826.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
1824 vssadmin.exe
1980 vssadmin.exe
-
Modifies system certificate store
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 e826.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e e826.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (duplicate of the value above, omitted) e826.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (duplicate of the value above, omitted) e826.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeIncreaseQuotaPrivilege 2036 WMIC.exe
Token: SeSecurityPrivilege 2036 WMIC.exe
Token: SeTakeOwnershipPrivilege 2036 WMIC.exe
Token: SeLoadDriverPrivilege 2036 WMIC.exe
Token: SeSystemProfilePrivilege 2036 WMIC.exe
Token: SeSystemtimePrivilege 2036 WMIC.exe
Token: SeProfSingleProcessPrivilege 2036 WMIC.exe
Token: SeIncBasePriorityPrivilege 2036 WMIC.exe
Token: SeCreatePagefilePrivilege 2036 WMIC.exe
Token: SeBackupPrivilege 2036 WMIC.exe
Token: SeRestorePrivilege 2036 WMIC.exe
Token: SeShutdownPrivilege 2036 WMIC.exe
Token: SeDebugPrivilege 2036 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2036 WMIC.exe
Token: SeRemoteShutdownPrivilege 2036 WMIC.exe
Token: SeUndockPrivilege 2036 WMIC.exe
Token: SeManageVolumePrivilege 2036 WMIC.exe
Token: 33 2036 WMIC.exe
Token: 34 2036 WMIC.exe
Token: 35 2036 WMIC.exe
Token: SeIncreaseQuotaPrivilege 600 WMIC.exe
Token: SeSecurityPrivilege 600 WMIC.exe
Token: SeTakeOwnershipPrivilege 600 WMIC.exe
Token: SeLoadDriverPrivilege 600 WMIC.exe
Token: SeSystemProfilePrivilege 600 WMIC.exe
Token: SeSystemtimePrivilege 600 WMIC.exe
Token: SeProfSingleProcessPrivilege 600 WMIC.exe
Token: SeIncBasePriorityPrivilege 600 WMIC.exe
Token: SeCreatePagefilePrivilege 600 WMIC.exe
Token: SeBackupPrivilege 600 WMIC.exe
Token: SeRestorePrivilege 600 WMIC.exe
Token: SeShutdownPrivilege 600 WMIC.exe
Token: SeDebugPrivilege 600 WMIC.exe
Token: SeSystemEnvironmentPrivilege 600 WMIC.exe
Token: SeRemoteShutdownPrivilege 600 WMIC.exe
Token: SeUndockPrivilege 600 WMIC.exe
Token: SeManageVolumePrivilege 600 WMIC.exe
Token: 33 600 WMIC.exe
Token: 34 600 WMIC.exe
Token: 35 600 WMIC.exe
Token: SeIncreaseQuotaPrivilege 2036 WMIC.exe
Token: SeSecurityPrivilege 2036 WMIC.exe
Token: SeTakeOwnershipPrivilege 2036 WMIC.exe
Token: SeLoadDriverPrivilege 2036 WMIC.exe
Token: SeSystemProfilePrivilege 2036 WMIC.exe
Token: SeSystemtimePrivilege 2036 WMIC.exe
Token: SeProfSingleProcessPrivilege 2036 WMIC.exe
Token: SeIncBasePriorityPrivilege 2036 WMIC.exe
Token: SeCreatePagefilePrivilege 2036 WMIC.exe
Token: SeBackupPrivilege 2036 WMIC.exe
Token: SeRestorePrivilege 2036 WMIC.exe
Token: SeShutdownPrivilege 2036 WMIC.exe
Token: SeDebugPrivilege 2036 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2036 WMIC.exe
Token: SeRemoteShutdownPrivilege 2036 WMIC.exe
Token: SeUndockPrivilege 2036 WMIC.exe
Token: SeManageVolumePrivilege 2036 WMIC.exe
Token: 33 2036 WMIC.exe
Token: 34 2036 WMIC.exe
Token: 35 2036 WMIC.exe
Token: SeIncreaseQuotaPrivilege 600 WMIC.exe
Token: SeSecurityPrivilege 600 WMIC.exe
Token: SeTakeOwnershipPrivilege 600 WMIC.exe
Token: SeLoadDriverPrivilege 600 WMIC.exe
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
description pid process target process
PID 736 wrote to memory of 1528 736 e826.exe cmd.exe
PID 736 wrote to memory of 1528 736 e826.exe cmd.exe
PID 736 wrote to memory of 1528 736 e826.exe cmd.exe
PID 736 wrote to memory of 1528 736 e826.exe cmd.exe
PID 736 wrote to memory of 1520 736 e826.exe cmd.exe
PID 736 wrote to memory of 1520 736 e826.exe cmd.exe
PID 736 wrote to memory of 1520 736 e826.exe cmd.exe
PID 736 wrote to memory of 1520 736 e826.exe cmd.exe
PID 736 wrote to memory of 524 736 e826.exe cmd.exe
PID 736 wrote to memory of 524 736 e826.exe cmd.exe
PID 736 wrote to memory of 524 736 e826.exe cmd.exe
PID 736 wrote to memory of 524 736 e826.exe cmd.exe
PID 736 wrote to memory of 2000 736 e826.exe cmd.exe
PID 736 wrote to memory of 2000 736 e826.exe cmd.exe
PID 736 wrote to memory of 2000 736 e826.exe cmd.exe
PID 736 wrote to memory of 2000 736 e826.exe cmd.exe
PID 1528 wrote to memory of 2036 1528 cmd.exe WMIC.exe
PID 1528 wrote to memory of 2036 1528 cmd.exe WMIC.exe
PID 1528 wrote to memory of 2036 1528 cmd.exe WMIC.exe
PID 1528 wrote to memory of 2036 1528 cmd.exe WMIC.exe
PID 736 wrote to memory of 428 736 e826.exe cmd.exe
PID 736 wrote to memory of 428 736 e826.exe cmd.exe
PID 736 wrote to memory of 428 736 e826.exe cmd.exe
PID 736 wrote to memory of 428 736 e826.exe cmd.exe
PID 736 wrote to memory of 380 736 e826.exe cmd.exe
PID 736 wrote to memory of 380 736 e826.exe cmd.exe
PID 736 wrote to memory of 380 736 e826.exe cmd.exe
PID 736 wrote to memory of 380 736 e826.exe cmd.exe
PID 736 wrote to memory of 1120 736 e826.exe e826.exe
PID 736 wrote to memory of 1120 736 e826.exe e826.exe
PID 736 wrote to memory of 1120 736 e826.exe e826.exe
PID 736 wrote to memory of 1120 736 e826.exe e826.exe
PID 428 wrote to memory of 1824 428 cmd.exe vssadmin.exe
PID 428 wrote to memory of 1824 428 cmd.exe vssadmin.exe
PID 428 wrote to memory of 1824 428 cmd.exe vssadmin.exe
PID 428 wrote to memory of 1824 428 cmd.exe vssadmin.exe
PID 380 wrote to memory of 600 380 cmd.exe WMIC.exe
PID 380 wrote to memory of 600 380 cmd.exe WMIC.exe
PID 380 wrote to memory of 600 380 cmd.exe WMIC.exe
PID 380 wrote to memory of 600 380 cmd.exe WMIC.exe
PID 380 wrote to memory of 1980 380 cmd.exe vssadmin.exe
PID 380 wrote to memory of 1980 380 cmd.exe vssadmin.exe
PID 380 wrote to memory of 1980 380 cmd.exe vssadmin.exe
PID 380 wrote to memory of 1980 380 cmd.exe vssadmin.exe
PID 736 wrote to memory of 1536 736 e826.exe notepad.exe
PID 736 wrote to memory of 1536 736 e826.exe notepad.exe
PID 736 wrote to memory of 1536 736 e826.exe notepad.exe
PID 736 wrote to memory of 1536 736 e826.exe notepad.exe
PID 736 wrote to memory of 1536 736 e826.exe notepad.exe
PID 736 wrote to memory of 1536 736 e826.exe notepad.exe
PID 736 wrote to memory of 1536 736 e826.exe notepad.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e826.exe
"C:\Users\Admin\AppData\Local\Temp\e826.exe"
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Users\Admin\AppData\Local\Temp\e826.exe
    "C:\Users\Admin\AppData\Local\Temp\e826.exe" -agent 0
    - Drops file in Program Files directory
    - Drops file in Windows directory

    C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    - Deletes itself

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5 ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1 b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256 e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512 b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\Desktop\DenyConnect.ods.rootiunik.DCB-C9B-290
MD5 b3ac82ab9fbfac56358b7cef748a091e
SHA1 bb3027f8b7917fff8577485aac37ec81189df79b
SHA256 d40146abd014a0a4f2623ffc27d7f95623a2eaad5569f1a3ddf92bff3e0365ea
SHA512 f103c06a856a8c192133d7b2b2c6438769cb0ccd09959c48cbcc6d97b072ae6a0302524fdc3d523b62cbec9e2fc69b75d3783c39a4dfefc0ec639d336d318c15
-
C:\Users\Admin\Desktop\DisableStop.gif.rootiunik.DCB-C9B-290
MD5 4805d141a6fa637a7daefcc27e334baf
SHA1 59a26e62043dee192ca34280c43c9978d937f2e1
SHA256 24310a65fdd9368616bc76b566f932d63c3d6574fa38e291c85c5e757a952336
SHA512 8c2797a027a189a98afad741eb90172bea6a494d097229d918c8d0ef379230c8df0eee8741f9d5f9182890a590fa8ba297b9dde0c9f12ad93f2f8ef51271a114
-
C:\Users\Admin\Desktop\ExitRemove.wm.rootiunik.DCB-C9B-290
MD5 996317cdcf62dc3184a6537ee23376e8
SHA1 9321bcd682f66170aba8f353a8a9b0f4ffee9537
SHA256 17fbfa669b0ea9859872b2c12dd01502468200a3c4b7b721530d8e056c6f8f99
SHA512 d75a6d54b15fccd6024b30b252fc11f4cd3bfb1a2f40641552bbe92f7e6e070bf02432d19cdd73ec8f794d3fa6c167730734bbf19d7202db20e66c8c35bb03f8
-
C:\Users\Admin\Desktop\GetConvert.csv.rootiunik.DCB-C9B-290
MD5 504555075b92fb6f464d3c51a59040dd
SHA1 8876dba178b285891b3dba86f43ec27e989ba479
SHA256 364a9dd718c634bef4fb7d26b236cfecd377ca024cd4ca83b50ee66681014153
SHA512 d02b8a1a51397b5da5dbe6c7e548f70985119a709ad4d76bcd216070f9eab9c5a48e984fb8ea551cb1d0980ee1ea4e9ee449a1a0c0d2dbf8b8a040480b87e87f
-
C:\Users\Admin\Desktop\GroupComplete.ods.rootiunik.DCB-C9B-290
MD5 d896dc3031b66944affad7487515e934
SHA1 5b5439ba39691192e9006ed19180aa3f8596fb11
SHA256 b6c3c48f8737dd3704b83637004718fd92716209d7df0da6af90945bb05ceae8
SHA512 0d2afaee719cd057c8227a5ae249f4b5d2cc9d89e1823a0ccdaacb66884fbefabaed917ae54b2c5552c77e8dbd62a0ce800a078b921b991843116b7d85eb250b
-
C:\Users\Admin\Desktop\JoinDeny.nfo.rootiunik.DCB-C9B-290
MD5 ceed8fa7bafe1f0ee0888c8962641e10
SHA1 3d75f668af3eef734a72778a060138ed3ca75dd5
SHA256 2876e8ef66452035f0f5ce3179de5e4149c6a5a689a5bb4368a4e1bf0c420c05
SHA512 cac6c1566e6f4aa50b882b8f95129fd6c012d107b7b472adc169a45e3c1db1a2648c213c0d91ffd0a424dd42b026ef5f4a56affc1808b9194f7333ac0c4e20c3
-
C:\Users\Admin\Desktop\JoinUnpublish.xltm.rootiunik.DCB-C9B-290
MD5 d2305d2f0b345fb5a704159e150ea6ec
SHA1 3c5230e67d8573e2728aac49ceacaf1a1364ee82
SHA256 4ba387bc9cb0f44e16ca60a998141b8e2b07e3d5611e2391cf67e166e925613f
SHA512 e0c1a033c73a069900fb45a25f05aae20815d7df7517e50c87d0f1a3fe89587a4ef71c931348a116e8e64e5ebc3b8869854b2852d090e85b25506f90efbfda28
-
C:\Users\Admin\Desktop\MountSync.kix.rootiunik.DCB-C9B-290
MD5 56f0617e0ee71b1bb0eba9e94cd78414
SHA1 d0eba1074fd797a2b5d8829b49de88dbfb306ccf
SHA256 a31e4e8e9a7e8f3aa963117d6e75dcad6ad93551672a2225780a6abaa5f619ca
SHA512 266f32d183870f297429dea5a9a48518513c9253bf321adb4776901d39b8aff5f07aea77985b6832ca3cbe05e5a419f4c107442786e62254472e8ffafc27072b
-
C:\Users\Admin\Desktop\NewDebug.rm.rootiunik.DCB-C9B-290
MD5 a36ece9e080928581e358dd93730d640
SHA1 a6763720983a25a73ab7746b7e53338ed93c5b17
SHA256 a3bd2d3d23e97c2166ccc2184191b428d8e4265a1eacc135716e5e28243d0698
SHA512 f923fbcc0b3a2258f452bc17fc3e0314fd8d3c9630e6681eb6646f50a0a2207e785e4310d46d1df7d9dedd47651e63180f85c38a3ca5321e7447f8ee49f31a8b
-
C:\Users\Admin\Desktop\OutResize.mpeg3.rootiunik.DCB-C9B-290
MD5 067200fd145c956c0d5853ee2caeff42
SHA1 8b8ef7d0aec9c246eaff0c680255df0976ecf4ab
SHA256 b3e2a4c3cc8d239143869a53c713e9ea149d8e411e3e47c14c472f99c6c2560c
SHA512 ff4722d747a45db5daae791570e74dbe315a1317c44b2af71d6a8828f11b66ee5f0173c10bd34c06220cca8f2900e7e09da2ceea6ffe1e3a254dae89e5888fc0
-
C:\Users\Admin\Desktop\OutWrite.wdp.rootiunik.DCB-C9B-290
MD5 bfdce10d56acb26433745a3e025cf7e6
SHA1 2c7f4fc9dec861d0ad58fb62f97e47218adde1ea
SHA256 f5ee665d3b4301d81c4706ca50627d7a920942852c3218f82e550c72ac512418
SHA512 6c09ed5e4a1123587fa8173ed3d6324ebc09737b9cfe74128e6ac394b5b50e64393160438ea797586e4e1e6c2161782ecc133f619d498d5a6986a013124987c8
-
C:\Users\Admin\Desktop\PopSet.mpeg.rootiunik.DCB-C9B-290
MD5 99b3ada56bd3c00baea7dcc6d7ff3963
SHA1 eabc916a0fd33c7681f4842bae5df675e148a9ed
SHA256 972bab4ffa595951e610411cd04a694dfb1018e7dae55efbdf323a59fb0d6e7f
SHA512 1d89f0be36bf414fb2f436166bbb168482d4f8146a75e0ffd9d9e31bf035d1e7c8d4cb60ff3893117b0505ce218be21a8b94a483a4ef0c6622f707a84cd0f8b7
-
C:\Users\Admin\Desktop\RequestDisable.raw.rootiunik.DCB-C9B-290
MD5 b0c822eb141ed350cfedf4a12b6e4b46
SHA1 a14db63db8cb78b0b60e32856e1ff82d0766ea08
SHA256 b581392e5288cdf92581839471f576ff192f8fecf2edb0bfb08aebbee7be9db6
SHA512 90d1c6d9891677e7f59e27d01ed8eab1a38bdd8d15f490926e7b8ce225f639dd6a02ec2454892a16494e852283d10187f61552a36386c6c8d13b4112a219024c
-
C:\Users\Admin\Desktop\ResetMerge.pub.rootiunik.DCB-C9B-290
MD5 a9c725dd65b550598e32f7f75b1408b0
SHA1 0837bf253c429c021d19e9bfe868c88eb3589cf6
SHA256 709b25e273ec06a9e62fbf683d705e29626a6442927bf699adb5741b38fd8469
SHA512 0da57ed52257bf51273f99b4524dc3e2c94c60e007fdeda8a3d280af9a60057ef2cb59888f84991530bf2773dcbee5e5e8f24f829ad65ac3653ee35e443cdefd
-
C:\Users\Admin\Desktop\ResetTrace.csv.rootiunik.DCB-C9B-290
MD5 3a7034dd8b974483c5320652035c2f95
SHA1 8d42c9e6334c3e0f7932eb006e308c26178465de
SHA256 f249b64101fd4ee1b048c379f4aedf50e4effccc64b80bb6845ae2a2bc362557
SHA512 c7bb2a37463d59d60125e1adeabae46affbb2b75c61fd0033489bc3128e22b54df7a41f168f293f29c945d8f1e6f88b4c1ef47fd249a3aff7a401b2e169bff99
-
C:\Users\Admin\Desktop\ResolveRevoke.wvx.rootiunik.DCB-C9B-290
MD5 a8df420daf534cf3d2c7344fe11a50ce
SHA1 9b458d06c1ba352d10ab9edc45ba4c102630ba04
SHA256 35745933359f3753b5a47dd4d626fb9db197801d4b4cdc4b81a57fc86048d18c
SHA512 11b6f4ea7f3a623b4d6f1ea190f5d29d80cbca007ba00cbc9a91eb50e7d707d1723c80bcd5fd24d4c1e2f23baa6539a20d1f804c13ad99a217abc2ec0d48d44f
-
C:\Users\Admin\Desktop\RestartRegister.xml.rootiunik.DCB-C9B-290
MD5 f912e1057e99d1b09a397b30b1db1a15
SHA1 8b48f52991b66faa0fe5503f9897c8f86aa41d18
SHA256 8d13b4afabad18fe0fb76d747e2e96ab77328474a7eb0c9999099124712750bb
SHA512 5abf7872888db206b30a73ac8cca856c90ac6a6935ef86f4379ff5670f61fa94062ce132da46f8312aeeebcfb1a4b1e13c16fe50a575ff962c48cfcfa5ea3f0d
-
C:\Users\Admin\Desktop\ResumeMount.mht.rootiunik.DCB-C9B-290
MD5 a312778ee9097a6802012b0d7f693c52
SHA1 169eaed703119c8e2c9540a6536230f1f86fdd36
SHA256 753f68d653eca425ee65b064781fba9d6ed066645fb25425373c5e42f2eb43a6
SHA512 e12241451f3f2f431d6bed580fc7ddf2744cba0382ddb786e3042d99368fa169a9130cddfbc1cc65b69a51261bf13797a0f4bef85f41917c489329901cd38c8c
-
C:\Users\Admin\Desktop\SetSubmit.edrwx.rootiunik.DCB-C9B-290
MD5 102d350d0d9bc675d04b876338f21e06
SHA1 3c7968096d3707c631039e206d01c229f3534a06
SHA256 726c82ffd48d958db9de0335c28da68e124aa8f28e18f5e422858c2f7a561262
SHA512 a4f8560c32d6037e47e4f605f8ac91fd0b322b125e1076f3a9fb8a064fe7fc29ce359378eecb1932886bac8ea8ec8ebe740d21bfadcb91733265d37732c9ac44
-
C:\Users\Admin\Desktop\SplitRestart.xml.rootiunik.DCB-C9B-290
MD5 3f84b3dc444f7607b00f03cce799db99
SHA1 ec8d19533873c66bd66806c901bc3958d0e76f15
SHA256 0f9c936a56c5f92047ea8e62bc6fc9f196c48f34233a3b1d913bbd2a2d0245e2
SHA512 3512a5f3b95b8b0653c8b1f8db3d9f6bf847e5cacb5fb5ae2c60327c9fdda80e35ce3153bb042dbe0b0adbfc7dbbcd49b80e413a7f03de82625ce64f626a2966
-
C:\Users\Admin\Desktop\StartEnter.mpv2.rootiunik.DCB-C9B-290
MD5 a7a383aa8d8efe952e42c774ef09aab8
SHA1 6d8714d8cb7bf049d92ea3df7835ed0d0d67d254
SHA256 7315d75eeca4f16992d1d8901784b281def2977363c8012468895004d4689f95
SHA512 a3b7898f529e71bcfee1b05fd0e365b09a6c4b285115c54ced7bb49be93c19001ddafccf89915752d83377cdd508802b20d2ad10afa92af15a56fb3b3cfda923
-
C:\Users\Admin\Desktop\SuspendResolve.dotm.rootiunik.DCB-C9B-290
MD5 fd75486af98f18ceade96866715b87f4
SHA1 a704375d39106ac7d40bf842be4d2559adfb98ee
SHA256 52dc24b9f20cc5cfe89a7ac9dbd0563cc713f0d51829c0ffac99184cce11e1b4
SHA512 01fec3c2fcc3f3a8f79c5e1a6487480c341432d87cc4fde5a3fd39acbfdfad89282de340e707b62b63608bcdbfd5ccd1ad426a85231969ca7747c2136ecab5ae
-
C:\Users\Admin\Desktop\SyncEnable.ppt.rootiunik.DCB-C9B-290
MD5 24d1b42bf03992d76717fce4aba5ecfc
SHA1 47777d1567a6f1e13b71ea21a5915a1e414d41fe
SHA256 0b2ddbf34e6bbc0220626910980c87baf00cc21abce0931123f3b071f53572b0
SHA512 0c1315e99f10c9a5ea1feaa41ac6e07158bebe6fd9f17dc0d40125f8825662bfa7ea05199e3b2a0579dee50fd789a8e5b72285a15eb9e540193cbae5756344a4
-
C:\Users\Admin\Desktop\SyncRedo.fon.rootiunik.DCB-C9B-290
MD5 a51212d7a011d6205cbbed9c996d60e7
SHA1 48f710ca32f3d099e14d3d89c6892f5e072ef74f
SHA256 ad75d22bb8e200671866a23a1acb913776c9ebf5bd2f8cddc91231885f825ac6
SHA512 5de81bf1b5ce896a88efa883f8493aca49d082b21e96a3a324f7b11da0ab43bfc7b4a814235bed4dae1e245519ca62660d3e811339f74495ff0cae38db4f8cc2
-
C:\Users\Admin\Desktop\TraceWatch.jpg.rootiunik.DCB-C9B-290
MD5 107d2d999bc4093a82d040011b9d4755
SHA1 2321c338db71bed4e2b82a83d11465ad1052819b
SHA256 17880ab41e7a19e719e7b1a977d51ec8a7dbd4aa7ea66073cef4e92b412b82f8
SHA512 51e67f9a443d42077aa02df29daf01c22802f5a9af3f3ff60624a5966ecbc0a19e00e3110e0dc289ab8621f442adea22652625432d019d396d116f92fa169d93
-
C:\Users\Admin\Desktop\UnblockEnable.wmf.rootiunik.DCB-C9B-290
MD5 184499f3b56001e513d3905a3d868e64
SHA1 6de5d5689b7ee90c74a185395e86656f4ebf6369
SHA256 bd448adfefafa91f401d292e09cd42a461c70d7db3ca6b6543c963b19ef1cfc3
SHA512 3d6700744971eed294c0886bf830d08581c1857401c3d6cf526a7ac40e182a90596874cdea139d8a9fe5652ea862486c83ed1652876446aa1b4558a2ec401efd
-
C:\Users\Admin\Desktop\UnpublishSearch.midi.rootiunik.DCB-C9B-290
MD5 7e5f89c8a29656c3984673e676df0f86
SHA1 05fc45197925b981735d7725e32716a375660331
SHA256 7a11db479e6c47b08e354c062cd65421944b32f89ef8e0132453f8d00036fe7a
SHA512 7f6f93b00578a0c2eb252950e49b8e46b8f8483831206924dc1d63b28d0e1c19689ec6b7b0f4a895e185865ba37fd48086868fcb54eedab56cfd47ad777fea38
-
C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
MD5 42f551d98de5d473e99f4f0ec09a232e
SHA1 4d0d64127375859615a09b49f38d55d4db336b01
SHA256 3ed47cf52936b45dbd9a29137157fa6a515bb1ff8f659c72e0485b1e5030e1d3
SHA512 1ad3b262dadc1c8910f49d9dfa1afa14a7ca6796d9c6a1bd2f915494bdc78788e29fa5dc74f9ca36239e05256ccbebf04b291a5e50c0b82664b99a496a89a658
-
memory/380-69-0x0000000000000000-mapping.dmp
-
memory/428-68-0x0000000000000000-mapping.dmp
-
memory/524-65-0x0000000000000000-mapping.dmp
-
memory/600-73-0x0000000000000000-mapping.dmp
-
memory/736-61-0x0000000000220000-0x0000000000257000-memory.dmp
Filesize 220KB
-
memory/736-62-0x0000000000400000-0x0000000000855000-memory.dmp
Filesize 4.3MB
-
memory/736-60-0x0000000075891000-0x0000000075893000-memory.dmp
Filesize 8KB
-
memory/1120-77-0x0000000000400000-0x0000000000855000-memory.dmp
Filesize 4.3MB
-
memory/1120-70-0x0000000000000000-mapping.dmp
-
memory/1124-108-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp
Filesize 8KB
-
memory/1520-64-0x0000000000000000-mapping.dmp
-
memory/1528-63-0x0000000000000000-mapping.dmp
-
memory/1536-105-0x0000000000000000-mapping.dmp
-
memory/1536-107-0x00000000000A0000-0x00000000000A1000-memory.dmp
Filesize 4KB
-
memory/1824-71-0x0000000000000000-mapping.dmp
-
memory/1980-74-0x0000000000000000-mapping.dmp
-
memory/2000-66-0x0000000000000000-mapping.dmp
-
memory/2036-67-0x0000000000000000-mapping.dmp