buran | fa789f56ef3f5075fc02c53cd937fe1580ae46217cf0a82bd4871043276fb086

Analysis

max time kernel
115s
max time network
100s
platform
windows7_x64
resource
win7v20210408
submitted
27-04-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e826.exe
Size

371KB
MD5

e38ccca299db41904493bfc51ced614d
SHA1

4b9a2c510913dc92cf8f5f879ab198fe5e54f544
SHA256

fa789f56ef3f5075fc02c53cd937fe1580ae46217cf0a82bd4871043276fb086
SHA512

961b03275cd76f4074e1c622216903678067f6115ce6f004be3c62939a13653891f87718e587a9155de999bf9d7c167a687290b7bab40443cf3395f9486ce654

Score

10^/10

buran ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: rootiunik@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: rootiunik@cock.li Reserved email: TimothyCrabtree@protonmail.com Your personal ID: DCB-C9B-290 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

rootiunik@cock.li

TimothyCrabtree@protonmail.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1536 notepad.exe

pid	process
1536	notepad.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e826.exe

description	ioc	process
File opened (read-only)	\??\Y:	e826.exe
File opened (read-only)	\??\V:	e826.exe
File opened (read-only)	\??\Q:	e826.exe
File opened (read-only)	\??\G:	e826.exe
File opened (read-only)	\??\A:	e826.exe
File opened (read-only)	\??\Z:	e826.exe
File opened (read-only)	\??\W:	e826.exe
File opened (read-only)	\??\T:	e826.exe
File opened (read-only)	\??\S:	e826.exe
File opened (read-only)	\??\R:	e826.exe
File opened (read-only)	\??\P:	e826.exe
File opened (read-only)	\??\L:	e826.exe
File opened (read-only)	\??\J:	e826.exe
File opened (read-only)	\??\F:	e826.exe
File opened (read-only)	\??\E:	e826.exe
File opened (read-only)	\??\K:	e826.exe
File opened (read-only)	\??\I:	e826.exe
File opened (read-only)	\??\H:	e826.exe
File opened (read-only)	\??\X:	e826.exe
File opened (read-only)	\??\U:	e826.exe
File opened (read-only)	\??\O:	e826.exe
File opened (read-only)	\??\N:	e826.exe
File opened (read-only)	\??\M:	e826.exe
File opened (read-only)	\??\B:	e826.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 geoiptool.com

flow	ioc
6	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

e826.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLTASK.FAE.rootiunik.DCB-C9B-290	e826.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107528.WMF.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF	e826.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Newsprint.eftx.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_K_COL.HXK.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville	e826.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21338_.GIF	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar	e826.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00268_.WMF.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF	e826.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN086.XML	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCARD11.POC	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199473.WMF.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00705_.WMF	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00199_.WMF.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01751_.GIF	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00560_.WMF	e826.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP	e826.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02443_.WMF	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\London.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF.rootiunik.DCB-C9B-290	e826.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	e826.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00482_.WMF	e826.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.rootiunik.DCB-C9B-290	e826.exe

Drops file in Windows directory 1 IoCs

Processes:

e826.exe

description ioc process

File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT e826.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1824 vssadmin.exe
1980 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	e826.exe

pid	process
1824	vssadmin.exe
1980	vssadmin.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

e826.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	e826.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	e826.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	e826.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	e826.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	600	WMIC.exe
Token: SeSecurityPrivilege	600	WMIC.exe
Token: SeTakeOwnershipPrivilege	600	WMIC.exe
Token: SeLoadDriverPrivilege	600	WMIC.exe
Token: SeSystemProfilePrivilege	600	WMIC.exe
Token: SeSystemtimePrivilege	600	WMIC.exe
Token: SeProfSingleProcessPrivilege	600	WMIC.exe
Token: SeIncBasePriorityPrivilege	600	WMIC.exe
Token: SeCreatePagefilePrivilege	600	WMIC.exe
Token: SeBackupPrivilege	600	WMIC.exe
Token: SeRestorePrivilege	600	WMIC.exe
Token: SeShutdownPrivilege	600	WMIC.exe
Token: SeDebugPrivilege	600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	600	WMIC.exe
Token: SeRemoteShutdownPrivilege	600	WMIC.exe
Token: SeUndockPrivilege	600	WMIC.exe
Token: SeManageVolumePrivilege	600	WMIC.exe
Token: 33	600	WMIC.exe
Token: 34	600	WMIC.exe
Token: 35	600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	600	WMIC.exe
Token: SeSecurityPrivilege	600	WMIC.exe
Token: SeTakeOwnershipPrivilege	600	WMIC.exe
Token: SeLoadDriverPrivilege	600	WMIC.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

e826.execmd.execmd.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 1528	736	e826.exe	cmd.exe
PID 736 wrote to memory of 1528	736	e826.exe	cmd.exe
PID 736 wrote to memory of 1528	736	e826.exe	cmd.exe
PID 736 wrote to memory of 1528	736	e826.exe	cmd.exe
PID 736 wrote to memory of 1520	736	e826.exe	cmd.exe
PID 736 wrote to memory of 1520	736	e826.exe	cmd.exe
PID 736 wrote to memory of 1520	736	e826.exe	cmd.exe
PID 736 wrote to memory of 1520	736	e826.exe	cmd.exe
PID 736 wrote to memory of 524	736	e826.exe	cmd.exe
PID 736 wrote to memory of 524	736	e826.exe	cmd.exe
PID 736 wrote to memory of 524	736	e826.exe	cmd.exe
PID 736 wrote to memory of 524	736	e826.exe	cmd.exe
PID 736 wrote to memory of 2000	736	e826.exe	cmd.exe
PID 736 wrote to memory of 2000	736	e826.exe	cmd.exe
PID 736 wrote to memory of 2000	736	e826.exe	cmd.exe
PID 736 wrote to memory of 2000	736	e826.exe	cmd.exe
PID 1528 wrote to memory of 2036	1528	cmd.exe	WMIC.exe
PID 1528 wrote to memory of 2036	1528	cmd.exe	WMIC.exe
PID 1528 wrote to memory of 2036	1528	cmd.exe	WMIC.exe
PID 1528 wrote to memory of 2036	1528	cmd.exe	WMIC.exe
PID 736 wrote to memory of 428	736	e826.exe	cmd.exe
PID 736 wrote to memory of 428	736	e826.exe	cmd.exe
PID 736 wrote to memory of 428	736	e826.exe	cmd.exe
PID 736 wrote to memory of 428	736	e826.exe	cmd.exe
PID 736 wrote to memory of 380	736	e826.exe	cmd.exe
PID 736 wrote to memory of 380	736	e826.exe	cmd.exe
PID 736 wrote to memory of 380	736	e826.exe	cmd.exe
PID 736 wrote to memory of 380	736	e826.exe	cmd.exe
PID 736 wrote to memory of 1120	736	e826.exe	e826.exe
PID 736 wrote to memory of 1120	736	e826.exe	e826.exe
PID 736 wrote to memory of 1120	736	e826.exe	e826.exe
PID 736 wrote to memory of 1120	736	e826.exe	e826.exe
PID 428 wrote to memory of 1824	428	cmd.exe	vssadmin.exe
PID 428 wrote to memory of 1824	428	cmd.exe	vssadmin.exe
PID 428 wrote to memory of 1824	428	cmd.exe	vssadmin.exe
PID 428 wrote to memory of 1824	428	cmd.exe	vssadmin.exe
PID 380 wrote to memory of 600	380	cmd.exe	WMIC.exe
PID 380 wrote to memory of 600	380	cmd.exe	WMIC.exe
PID 380 wrote to memory of 600	380	cmd.exe	WMIC.exe
PID 380 wrote to memory of 600	380	cmd.exe	WMIC.exe
PID 380 wrote to memory of 1980	380	cmd.exe	vssadmin.exe
PID 380 wrote to memory of 1980	380	cmd.exe	vssadmin.exe
PID 380 wrote to memory of 1980	380	cmd.exe	vssadmin.exe
PID 380 wrote to memory of 1980	380	cmd.exe	vssadmin.exe
PID 736 wrote to memory of 1536	736	e826.exe	notepad.exe
PID 736 wrote to memory of 1536	736	e826.exe	notepad.exe
PID 736 wrote to memory of 1536	736	e826.exe	notepad.exe
PID 736 wrote to memory of 1536	736	e826.exe	notepad.exe
PID 736 wrote to memory of 1536	736	e826.exe	notepad.exe
PID 736 wrote to memory of 1536	736	e826.exe	notepad.exe
PID 736 wrote to memory of 1536	736	e826.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\e826.exe
"C:\Users\Admin\AppData\Local\Temp\e826.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1980

C:\Users\Admin\AppData\Local\Temp\e826.exe
"C:\Users\Admin\AppData\Local\Temp\e826.exe" -agent 0
2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1120

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1588

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
1⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\Desktop\DenyConnect.ods.rootiunik.DCB-C9B-290
MD5
b3ac82ab9fbfac56358b7cef748a091e

SHA1
bb3027f8b7917fff8577485aac37ec81189df79b

SHA256
d40146abd014a0a4f2623ffc27d7f95623a2eaad5569f1a3ddf92bff3e0365ea

SHA512
f103c06a856a8c192133d7b2b2c6438769cb0ccd09959c48cbcc6d97b072ae6a0302524fdc3d523b62cbec9e2fc69b75d3783c39a4dfefc0ec639d336d318c15

Download Submit
C:\Users\Admin\Desktop\DisableStop.gif.rootiunik.DCB-C9B-290
MD5
4805d141a6fa637a7daefcc27e334baf

SHA1
59a26e62043dee192ca34280c43c9978d937f2e1

SHA256
24310a65fdd9368616bc76b566f932d63c3d6574fa38e291c85c5e757a952336

SHA512
8c2797a027a189a98afad741eb90172bea6a494d097229d918c8d0ef379230c8df0eee8741f9d5f9182890a590fa8ba297b9dde0c9f12ad93f2f8ef51271a114

Download Submit
C:\Users\Admin\Desktop\ExitRemove.wm.rootiunik.DCB-C9B-290
MD5
996317cdcf62dc3184a6537ee23376e8

SHA1
9321bcd682f66170aba8f353a8a9b0f4ffee9537

SHA256
17fbfa669b0ea9859872b2c12dd01502468200a3c4b7b721530d8e056c6f8f99

SHA512
d75a6d54b15fccd6024b30b252fc11f4cd3bfb1a2f40641552bbe92f7e6e070bf02432d19cdd73ec8f794d3fa6c167730734bbf19d7202db20e66c8c35bb03f8

Download Submit
C:\Users\Admin\Desktop\GetConvert.csv.rootiunik.DCB-C9B-290
MD5
504555075b92fb6f464d3c51a59040dd

SHA1
8876dba178b285891b3dba86f43ec27e989ba479

SHA256
364a9dd718c634bef4fb7d26b236cfecd377ca024cd4ca83b50ee66681014153

SHA512
d02b8a1a51397b5da5dbe6c7e548f70985119a709ad4d76bcd216070f9eab9c5a48e984fb8ea551cb1d0980ee1ea4e9ee449a1a0c0d2dbf8b8a040480b87e87f

Download Submit
C:\Users\Admin\Desktop\GroupComplete.ods.rootiunik.DCB-C9B-290
MD5
d896dc3031b66944affad7487515e934

SHA1
5b5439ba39691192e9006ed19180aa3f8596fb11

SHA256
b6c3c48f8737dd3704b83637004718fd92716209d7df0da6af90945bb05ceae8

SHA512
0d2afaee719cd057c8227a5ae249f4b5d2cc9d89e1823a0ccdaacb66884fbefabaed917ae54b2c5552c77e8dbd62a0ce800a078b921b991843116b7d85eb250b

Download Submit
C:\Users\Admin\Desktop\JoinDeny.nfo.rootiunik.DCB-C9B-290
MD5
ceed8fa7bafe1f0ee0888c8962641e10

SHA1
3d75f668af3eef734a72778a060138ed3ca75dd5

SHA256
2876e8ef66452035f0f5ce3179de5e4149c6a5a689a5bb4368a4e1bf0c420c05

SHA512
cac6c1566e6f4aa50b882b8f95129fd6c012d107b7b472adc169a45e3c1db1a2648c213c0d91ffd0a424dd42b026ef5f4a56affc1808b9194f7333ac0c4e20c3

Download Submit
C:\Users\Admin\Desktop\JoinUnpublish.xltm.rootiunik.DCB-C9B-290
MD5
d2305d2f0b345fb5a704159e150ea6ec

SHA1
3c5230e67d8573e2728aac49ceacaf1a1364ee82

SHA256
4ba387bc9cb0f44e16ca60a998141b8e2b07e3d5611e2391cf67e166e925613f

SHA512
e0c1a033c73a069900fb45a25f05aae20815d7df7517e50c87d0f1a3fe89587a4ef71c931348a116e8e64e5ebc3b8869854b2852d090e85b25506f90efbfda28

Download Submit
C:\Users\Admin\Desktop\MountSync.kix.rootiunik.DCB-C9B-290
MD5
56f0617e0ee71b1bb0eba9e94cd78414

SHA1
d0eba1074fd797a2b5d8829b49de88dbfb306ccf

SHA256
a31e4e8e9a7e8f3aa963117d6e75dcad6ad93551672a2225780a6abaa5f619ca

SHA512
266f32d183870f297429dea5a9a48518513c9253bf321adb4776901d39b8aff5f07aea77985b6832ca3cbe05e5a419f4c107442786e62254472e8ffafc27072b

Download Submit
C:\Users\Admin\Desktop\NewDebug.rm.rootiunik.DCB-C9B-290
MD5
a36ece9e080928581e358dd93730d640

SHA1
a6763720983a25a73ab7746b7e53338ed93c5b17

SHA256
a3bd2d3d23e97c2166ccc2184191b428d8e4265a1eacc135716e5e28243d0698

SHA512
f923fbcc0b3a2258f452bc17fc3e0314fd8d3c9630e6681eb6646f50a0a2207e785e4310d46d1df7d9dedd47651e63180f85c38a3ca5321e7447f8ee49f31a8b

Download Submit
C:\Users\Admin\Desktop\OutResize.mpeg3.rootiunik.DCB-C9B-290
MD5
067200fd145c956c0d5853ee2caeff42

SHA1
8b8ef7d0aec9c246eaff0c680255df0976ecf4ab

SHA256
b3e2a4c3cc8d239143869a53c713e9ea149d8e411e3e47c14c472f99c6c2560c

SHA512
ff4722d747a45db5daae791570e74dbe315a1317c44b2af71d6a8828f11b66ee5f0173c10bd34c06220cca8f2900e7e09da2ceea6ffe1e3a254dae89e5888fc0

Download Submit
C:\Users\Admin\Desktop\OutWrite.wdp.rootiunik.DCB-C9B-290
MD5
bfdce10d56acb26433745a3e025cf7e6

SHA1
2c7f4fc9dec861d0ad58fb62f97e47218adde1ea

SHA256
f5ee665d3b4301d81c4706ca50627d7a920942852c3218f82e550c72ac512418

SHA512
6c09ed5e4a1123587fa8173ed3d6324ebc09737b9cfe74128e6ac394b5b50e64393160438ea797586e4e1e6c2161782ecc133f619d498d5a6986a013124987c8

Download Submit
C:\Users\Admin\Desktop\PopSet.mpeg.rootiunik.DCB-C9B-290
MD5
99b3ada56bd3c00baea7dcc6d7ff3963

SHA1
eabc916a0fd33c7681f4842bae5df675e148a9ed

SHA256
972bab4ffa595951e610411cd04a694dfb1018e7dae55efbdf323a59fb0d6e7f

SHA512
1d89f0be36bf414fb2f436166bbb168482d4f8146a75e0ffd9d9e31bf035d1e7c8d4cb60ff3893117b0505ce218be21a8b94a483a4ef0c6622f707a84cd0f8b7

Download Submit
C:\Users\Admin\Desktop\RequestDisable.raw.rootiunik.DCB-C9B-290
MD5
b0c822eb141ed350cfedf4a12b6e4b46

SHA1
a14db63db8cb78b0b60e32856e1ff82d0766ea08

SHA256
b581392e5288cdf92581839471f576ff192f8fecf2edb0bfb08aebbee7be9db6

SHA512
90d1c6d9891677e7f59e27d01ed8eab1a38bdd8d15f490926e7b8ce225f639dd6a02ec2454892a16494e852283d10187f61552a36386c6c8d13b4112a219024c

Download Submit
C:\Users\Admin\Desktop\ResetMerge.pub.rootiunik.DCB-C9B-290
MD5
a9c725dd65b550598e32f7f75b1408b0

SHA1
0837bf253c429c021d19e9bfe868c88eb3589cf6

SHA256
709b25e273ec06a9e62fbf683d705e29626a6442927bf699adb5741b38fd8469

SHA512
0da57ed52257bf51273f99b4524dc3e2c94c60e007fdeda8a3d280af9a60057ef2cb59888f84991530bf2773dcbee5e5e8f24f829ad65ac3653ee35e443cdefd

Download Submit
C:\Users\Admin\Desktop\ResetTrace.csv.rootiunik.DCB-C9B-290
MD5
3a7034dd8b974483c5320652035c2f95

SHA1
8d42c9e6334c3e0f7932eb006e308c26178465de

SHA256
f249b64101fd4ee1b048c379f4aedf50e4effccc64b80bb6845ae2a2bc362557

SHA512
c7bb2a37463d59d60125e1adeabae46affbb2b75c61fd0033489bc3128e22b54df7a41f168f293f29c945d8f1e6f88b4c1ef47fd249a3aff7a401b2e169bff99

Download Submit
C:\Users\Admin\Desktop\ResolveRevoke.wvx.rootiunik.DCB-C9B-290
MD5
a8df420daf534cf3d2c7344fe11a50ce

SHA1
9b458d06c1ba352d10ab9edc45ba4c102630ba04

SHA256
35745933359f3753b5a47dd4d626fb9db197801d4b4cdc4b81a57fc86048d18c

SHA512
11b6f4ea7f3a623b4d6f1ea190f5d29d80cbca007ba00cbc9a91eb50e7d707d1723c80bcd5fd24d4c1e2f23baa6539a20d1f804c13ad99a217abc2ec0d48d44f

Download Submit
C:\Users\Admin\Desktop\RestartRegister.xml.rootiunik.DCB-C9B-290
MD5
f912e1057e99d1b09a397b30b1db1a15

SHA1
8b48f52991b66faa0fe5503f9897c8f86aa41d18

SHA256
8d13b4afabad18fe0fb76d747e2e96ab77328474a7eb0c9999099124712750bb

SHA512
5abf7872888db206b30a73ac8cca856c90ac6a6935ef86f4379ff5670f61fa94062ce132da46f8312aeeebcfb1a4b1e13c16fe50a575ff962c48cfcfa5ea3f0d

Download Submit
C:\Users\Admin\Desktop\ResumeMount.mht.rootiunik.DCB-C9B-290
MD5
a312778ee9097a6802012b0d7f693c52

SHA1
169eaed703119c8e2c9540a6536230f1f86fdd36

SHA256
753f68d653eca425ee65b064781fba9d6ed066645fb25425373c5e42f2eb43a6

SHA512
e12241451f3f2f431d6bed580fc7ddf2744cba0382ddb786e3042d99368fa169a9130cddfbc1cc65b69a51261bf13797a0f4bef85f41917c489329901cd38c8c

Download Submit
C:\Users\Admin\Desktop\SetSubmit.edrwx.rootiunik.DCB-C9B-290
MD5
102d350d0d9bc675d04b876338f21e06

SHA1
3c7968096d3707c631039e206d01c229f3534a06

SHA256
726c82ffd48d958db9de0335c28da68e124aa8f28e18f5e422858c2f7a561262

SHA512
a4f8560c32d6037e47e4f605f8ac91fd0b322b125e1076f3a9fb8a064fe7fc29ce359378eecb1932886bac8ea8ec8ebe740d21bfadcb91733265d37732c9ac44

Download Submit
C:\Users\Admin\Desktop\SplitRestart.xml.rootiunik.DCB-C9B-290
MD5
3f84b3dc444f7607b00f03cce799db99

SHA1
ec8d19533873c66bd66806c901bc3958d0e76f15

SHA256
0f9c936a56c5f92047ea8e62bc6fc9f196c48f34233a3b1d913bbd2a2d0245e2

SHA512
3512a5f3b95b8b0653c8b1f8db3d9f6bf847e5cacb5fb5ae2c60327c9fdda80e35ce3153bb042dbe0b0adbfc7dbbcd49b80e413a7f03de82625ce64f626a2966

Download Submit
C:\Users\Admin\Desktop\StartEnter.mpv2.rootiunik.DCB-C9B-290
MD5
a7a383aa8d8efe952e42c774ef09aab8

SHA1
6d8714d8cb7bf049d92ea3df7835ed0d0d67d254

SHA256
7315d75eeca4f16992d1d8901784b281def2977363c8012468895004d4689f95

SHA512
a3b7898f529e71bcfee1b05fd0e365b09a6c4b285115c54ced7bb49be93c19001ddafccf89915752d83377cdd508802b20d2ad10afa92af15a56fb3b3cfda923

Download Submit
C:\Users\Admin\Desktop\SuspendResolve.dotm.rootiunik.DCB-C9B-290
MD5
fd75486af98f18ceade96866715b87f4

SHA1
a704375d39106ac7d40bf842be4d2559adfb98ee

SHA256
52dc24b9f20cc5cfe89a7ac9dbd0563cc713f0d51829c0ffac99184cce11e1b4

SHA512
01fec3c2fcc3f3a8f79c5e1a6487480c341432d87cc4fde5a3fd39acbfdfad89282de340e707b62b63608bcdbfd5ccd1ad426a85231969ca7747c2136ecab5ae

Download Submit
C:\Users\Admin\Desktop\SyncEnable.ppt.rootiunik.DCB-C9B-290
MD5
24d1b42bf03992d76717fce4aba5ecfc

SHA1
47777d1567a6f1e13b71ea21a5915a1e414d41fe

SHA256
0b2ddbf34e6bbc0220626910980c87baf00cc21abce0931123f3b071f53572b0

SHA512
0c1315e99f10c9a5ea1feaa41ac6e07158bebe6fd9f17dc0d40125f8825662bfa7ea05199e3b2a0579dee50fd789a8e5b72285a15eb9e540193cbae5756344a4

Download Submit
C:\Users\Admin\Desktop\SyncRedo.fon.rootiunik.DCB-C9B-290
MD5
a51212d7a011d6205cbbed9c996d60e7

SHA1
48f710ca32f3d099e14d3d89c6892f5e072ef74f

SHA256
ad75d22bb8e200671866a23a1acb913776c9ebf5bd2f8cddc91231885f825ac6

SHA512
5de81bf1b5ce896a88efa883f8493aca49d082b21e96a3a324f7b11da0ab43bfc7b4a814235bed4dae1e245519ca62660d3e811339f74495ff0cae38db4f8cc2

Download Submit
C:\Users\Admin\Desktop\TraceWatch.jpg.rootiunik.DCB-C9B-290
MD5
107d2d999bc4093a82d040011b9d4755

SHA1
2321c338db71bed4e2b82a83d11465ad1052819b

SHA256
17880ab41e7a19e719e7b1a977d51ec8a7dbd4aa7ea66073cef4e92b412b82f8

SHA512
51e67f9a443d42077aa02df29daf01c22802f5a9af3f3ff60624a5966ecbc0a19e00e3110e0dc289ab8621f442adea22652625432d019d396d116f92fa169d93

Download Submit
C:\Users\Admin\Desktop\UnblockEnable.wmf.rootiunik.DCB-C9B-290
MD5
184499f3b56001e513d3905a3d868e64

SHA1
6de5d5689b7ee90c74a185395e86656f4ebf6369

SHA256
bd448adfefafa91f401d292e09cd42a461c70d7db3ca6b6543c963b19ef1cfc3

SHA512
3d6700744971eed294c0886bf830d08581c1857401c3d6cf526a7ac40e182a90596874cdea139d8a9fe5652ea862486c83ed1652876446aa1b4558a2ec401efd

Download Submit
C:\Users\Admin\Desktop\UnpublishSearch.midi.rootiunik.DCB-C9B-290
MD5
7e5f89c8a29656c3984673e676df0f86

SHA1
05fc45197925b981735d7725e32716a375660331

SHA256
7a11db479e6c47b08e354c062cd65421944b32f89ef8e0132453f8d00036fe7a

SHA512
7f6f93b00578a0c2eb252950e49b8e46b8f8483831206924dc1d63b28d0e1c19689ec6b7b0f4a895e185865ba37fd48086868fcb54eedab56cfd47ad777fea38

Download Submit
C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
MD5
42f551d98de5d473e99f4f0ec09a232e

SHA1
4d0d64127375859615a09b49f38d55d4db336b01

SHA256
3ed47cf52936b45dbd9a29137157fa6a515bb1ff8f659c72e0485b1e5030e1d3

SHA512
1ad3b262dadc1c8910f49d9dfa1afa14a7ca6796d9c6a1bd2f915494bdc78788e29fa5dc74f9ca36239e05256ccbebf04b291a5e50c0b82664b99a496a89a658

Download Submit
memory/380-69-0x0000000000000000-mapping.dmp

Download
memory/428-68-0x0000000000000000-mapping.dmp

Download
memory/524-65-0x0000000000000000-mapping.dmp

Download
memory/600-73-0x0000000000000000-mapping.dmp

Download
memory/736-61-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/736-62-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/736-60-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1120-77-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1120-70-0x0000000000000000-mapping.dmp

Download
memory/1124-108-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp

Filesize
8KB

Download
memory/1520-64-0x0000000000000000-mapping.dmp

Download
memory/1528-63-0x0000000000000000-mapping.dmp

Download
memory/1536-105-0x0000000000000000-mapping.dmp

Download
memory/1536-107-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1824-71-0x0000000000000000-mapping.dmp

Download
memory/1980-74-0x0000000000000000-mapping.dmp

Download
memory/2000-66-0x0000000000000000-mapping.dmp

Download
memory/2036-67-0x0000000000000000-mapping.dmp

Download