4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf

Resubmissions

25-03-2022 06:59

220325-hsddnafgel 10

08-03-2022 23:12

220308-263p9abfb4 8

Analysis

max time kernel
4294372s
max time network
318s
platform
windows7_x64
resource
win7-20220311-en
submitted
25-03-2022 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Taleb.Ransom.exe
Size

10.8MB
MD5

ac09b7550eda13e03a55448fd8367e2d
SHA1

8266a12669a4a3952cb9af86e75ed74c27c71013
SHA256

4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf
SHA512

44cace3038bd96fa36a9d3b16251573f625f5e7cb53f0233d87f6e8ab564e731bd8719088feec44f47a460c0a096b964c2c0e77f3f1c371b773e66407aef5d29

Score

10^/10

evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Decryption-Guide.txt

Ransom Note

Your Files Are Has Been Locked Your Files Has Been Encrypted with cryptography Algorithm If You Need Your Files And They are Important to You, Dont be shy Send Me an Email Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored Make an Agreement on Price with me and Pay Get Decryption Tool + RSA Key AND Instruction For Decryption Process Attention: 1- Do Not Rename or Modify The Files (You May loose That file) 2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time ) 3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files 4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened Your Case ID :MJ-PH7316520894 OUR Email :Folperdock@gmail.com

Emails

Folperdock@gmail.com

Signatures

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Taleb.Ransom.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\FindPush.tiff	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterProtect.tiff	Taleb.Ransom.exe

Drops startup file 1 IoCs

Processes:

Taleb.Ransom.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Taleb.Ransom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

Taleb.Ransom.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Taleb.Ransom.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2199625441-3471261906-229485034-1000\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Taleb.Ransom.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	Taleb.Ransom.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	Taleb.Ransom.exe
File created	C:\Program Files (x86)\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Taleb.Ransom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	Taleb.Ransom.exe
File created	C:\Program Files\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-2199625441-3471261906-229485034-1000\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Taleb.Ransom.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GMEWETP4\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XIWRAWIU\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DL4J84XN\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	Taleb.Ransom.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.my-ip.io
5 api.my-ip.io
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Drops file in System32 directory 1 IoCs

Processes:

Taleb.Ransom.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe Taleb.Ransom.exe

flow	ioc
4	api.my-ip.io
5	api.my-ip.io

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	Taleb.Ransom.exe

Drops file in Program Files directory 64 IoCs

Processes:

Taleb.Ransom.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_K_COL.HXK	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Memo.jtp	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00530_.WMF	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML	Taleb.Ransom.exe
File opened for modification	C:\Program Files\DenyRestore.html.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Seoul.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange.css	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESPL.ICO	Taleb.Ransom.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\PREVIEW.GIF.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	Taleb.Ransom.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\index.html.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PREVIEW.GIF.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	Taleb.Ransom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\Revert.wmz	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML	Taleb.Ransom.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01761_.WMF	Taleb.Ransom.exe
File created	C:\Program Files\Java\jre7\bin\jaas_nt.dll.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOCF.DLL.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_disable.gif	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	Taleb.Ransom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\VBE6EXT.OLB.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ro.dll.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui	Taleb.Ransom.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieLetter.dotx.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ta.dll.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\psmachine_64.dll	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP	Taleb.Ransom.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif	Taleb.Ransom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d.(MJ-PH7316520894)(Folperdock@gmail.com).Godox	Taleb.Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	Taleb.Ransom.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp	Taleb.Ransom.exe

Drops file in Windows directory 64 IoCs

Processes:

Taleb.Ransom.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_ja_31bf3856ad364e35\Microsoft.PowerShell.Security.Resources.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\inf\mdmusrf.PNF	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Battery Critical.wav	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\peverify.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\legacy.web_lowtrust.config.default	Taleb.Ransom.exe
File opened for modification	C:\Windows\ehome\loadmxf.exe	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\chimes.wav	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.io.log.resources\3.0.0.0_fr_b03f5f7f11d50a3a\System.IO.Log.Resources.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\mui\0C0A\perfmon.CHM	Taleb.Ransom.exe
File opened for modification	C:\Windows\inf\ts_wpdmtp.inf	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Characters\Windows Hardware Fail.wav	Taleb.Ransom.exe
File opened for modification	C:\Windows\inf\ServiceModelService 3.0.0.0\0407\_ServiceModelServicePerfCounters_D.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Characters\Windows Pop-up Blocked.wav	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppConfigHome.aspx.it.resx	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\es\System.ServiceModel.Install.Resources.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\IME\IMESC5\DICTS\PINTLGCF.IMD	Taleb.Ransom.exe
File opened for modification	C:\Windows\inf\usbcir.PNF	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Win32.Primitives.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\netmemorycache.ini	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.fr.resx	Taleb.Ransom.exe
File opened for modification	C:\Windows\Fonts\serifeg.fon	Taleb.Ransom.exe
File opened for modification	C:\Windows\Globalization\ELS\Transliteration\malayalam-to-latin.nlt	Taleb.Ransom.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	Taleb.Ransom.exe
File opened for modification	C:\Windows\it-IT\bootfix.bin	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\appman.h1s	Taleb.Ransom.exe
File opened for modification	C:\Windows\inf\acpipmi.PNF	Taleb.Ransom.exe
File opened for modification	C:\Windows\inf\netimm.inf	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\SqlPersistenceProviderLogic.sql	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\legacy.web_mediumtrust.config	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\EditAppSetting.aspx.fr.resx	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Services.resources\3.5.0.0_de_b77a5c561934e089\System.Data.Services.resources.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\Boot\EFI\pl-PL\bootmgfw.efi.mui	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\mui\0411\ipsecpolicy.CHM	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\Windows\de-DE\basics2.h1s	Taleb.Ransom.exe
File opened for modification	C:\Windows\Media\Garden\Windows Battery Low.wav	Taleb.Ransom.exe
File opened for modification	C:\Windows\Cursors\up_m.cur	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\journal.h1s	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XPath\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XPath.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.resources.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv14259fd9#\b6a1466f4c910dd8d83b4592bef36aff\System.ServiceModel.Activities.ni.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\uap.h1s	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\navigationBar.ascx.it.resx	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Internals.aspx.fr.resx	Taleb.Ransom.exe
File opened for modification	C:\Windows\Fonts\vgafix.fon	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\Windows\en-US\sniptoo.h1s	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\wu.h1s	Taleb.Ransom.exe
File opened for modification	C:\Windows\inf\prnlx00b.PNF	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.OutlookViewCtl.config	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\7f0531cbaadefd63fb9c1f7ae51fc668\Microsoft.CSharp.ni.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary\en-US\CL_LocalizationData.psd1	Taleb.Ransom.exe
File opened for modification	C:\Windows\Fonts\mriam.ttf	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\mui\0409\ipsecpolicy.CHM	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardInit.ascx	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Tpm.Resources\6.1.0.0_ja_31bf3856ad364e35\microsoft.tpm.resources.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Activities\39f02628df6b23733fbe777a55e7ffdc\System.Activities.ni.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\DiagPackage.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\appman.h1s	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\Windows.H1T	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Management.dll	Taleb.Ransom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\caspol.resources.dll	Taleb.Ransom.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 11 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\TV_FolderType = "{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\TV_TopViewVersion = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Taleb.Ransom.exe

pid	process
1844	Taleb.Ransom.exe
1844	Taleb.Ransom.exe
1844	Taleb.Ransom.exe
1844	Taleb.Ransom.exe
1844	Taleb.Ransom.exe
1844	Taleb.Ransom.exe
1844	Taleb.Ransom.exe
1844	Taleb.Ransom.exe
1844	Taleb.Ransom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

840 explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

explorer.exe

pid	process
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe

Suspicious use of SendNotifyMessage 53 IoCs

Processes:

explorer.exe

pid	process
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

840 explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Taleb.Ransom.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1844 wrote to memory of 816	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 816	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 816	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 816	1844	Taleb.Ransom.exe	cmd.exe
PID 816 wrote to memory of 1756	816	cmd.exe	net.exe
PID 816 wrote to memory of 1756	816	cmd.exe	net.exe
PID 816 wrote to memory of 1756	816	cmd.exe	net.exe
PID 816 wrote to memory of 1756	816	cmd.exe	net.exe
PID 1756 wrote to memory of 556	1756	net.exe	net1.exe
PID 1756 wrote to memory of 556	1756	net.exe	net1.exe
PID 1756 wrote to memory of 556	1756	net.exe	net1.exe
PID 1756 wrote to memory of 556	1756	net.exe	net1.exe
PID 1844 wrote to memory of 392	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 392	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 392	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 392	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 2000	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 2000	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 2000	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 2000	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 2016	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 2016	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 2016	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 2016	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1824	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1824	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1824	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1824	1844	Taleb.Ransom.exe	cmd.exe
PID 1824 wrote to memory of 1656	1824	cmd.exe	net.exe
PID 1824 wrote to memory of 1656	1824	cmd.exe	net.exe
PID 1824 wrote to memory of 1656	1824	cmd.exe	net.exe
PID 1824 wrote to memory of 1656	1824	cmd.exe	net.exe
PID 1656 wrote to memory of 1344	1656	net.exe	net1.exe
PID 1656 wrote to memory of 1344	1656	net.exe	net1.exe
PID 1656 wrote to memory of 1344	1656	net.exe	net1.exe
PID 1656 wrote to memory of 1344	1656	net.exe	net1.exe
PID 1844 wrote to memory of 1996	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1996	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1996	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1996	1844	Taleb.Ransom.exe	cmd.exe
PID 1996 wrote to memory of 1900	1996	cmd.exe	net.exe
PID 1996 wrote to memory of 1900	1996	cmd.exe	net.exe
PID 1996 wrote to memory of 1900	1996	cmd.exe	net.exe
PID 1996 wrote to memory of 1900	1996	cmd.exe	net.exe
PID 1900 wrote to memory of 316	1900	net.exe	net1.exe
PID 1900 wrote to memory of 316	1900	net.exe	net1.exe
PID 1900 wrote to memory of 316	1900	net.exe	net1.exe
PID 1900 wrote to memory of 316	1900	net.exe	net1.exe
PID 1844 wrote to memory of 1784	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1784	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1784	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 1784	1844	Taleb.Ransom.exe	cmd.exe
PID 1784 wrote to memory of 1540	1784	cmd.exe	net.exe
PID 1784 wrote to memory of 1540	1784	cmd.exe	net.exe
PID 1784 wrote to memory of 1540	1784	cmd.exe	net.exe
PID 1784 wrote to memory of 1540	1784	cmd.exe	net.exe
PID 1540 wrote to memory of 1556	1540	net.exe	net1.exe
PID 1540 wrote to memory of 1556	1540	net.exe	net1.exe
PID 1540 wrote to memory of 1556	1540	net.exe	net1.exe
PID 1540 wrote to memory of 1556	1540	net.exe	net1.exe
PID 1844 wrote to memory of 840	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 840	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 840	1844	Taleb.Ransom.exe	cmd.exe
PID 1844 wrote to memory of 840	1844	Taleb.Ransom.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe
"C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:840

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:1504

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
PID:1684

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
PID:1524

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:1756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:1976

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:1436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
PID:1948

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
PID:1820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:308

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x18c
1⤵
PID:844

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\BlockPublish.asp.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
55964659a42a1e48e5b3c89507e283b3

SHA1
6fd8fc71f5941598914025adb356311d31c146ff

SHA256
5ecc7e40f281011fb6bf3a3fa402f28adf8724b7a7d10c9e473b4c91fc4dedc6

SHA512
20711979d33744432752b303e710e9e968ac66a2f1c85bd2d49697e4200b5a467941b7d8b6d82ad2c0a3053021ec1383d1efc9522d4b753a599108ed18da9286

Download Submit
C:\Users\Admin\Desktop\CheckpointUse.3g2.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
fec650a6e169935ce5246ceca1f3621f

SHA1
7c988106d56bdb6c480f7597a1eb5d655c18330d

SHA256
b8734a7839833c3a62c62048e859689a9f8557ff4817b3280a08bf62d3d13cfa

SHA512
3385eb59a46954240c6dd5d237a3d00ade016589911813d0d37965aaead1c6dc13b861054e046ed98b42010bd8a4e982747800993c6ca50db2c2383abb5d11e6

Download Submit
C:\Users\Admin\Desktop\ConvertResolve.png.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
560e134b21de5661407c0739ec074ad5

SHA1
82fae3727ded389ca61cfc8227b3eab0b3140a4e

SHA256
c9eda1d67213f50973e54adfa324207a397b47f4223c1cd29fd85b87cb0b3700

SHA512
6d65c8b25a2c14dd0697de283e04702fa7ce9d6ba8784f4505d27190d5907ef90625567008e0a8b3bc2cb0942b7daedbf542a7e1087e34052c430d828b3b32f1

Download Submit
C:\Users\Admin\Desktop\ConvertUnpublish.midi.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
53586863cb6e46df86455b35e60410c9

SHA1
021d1a2c6920dfd809a4b8377e355c5150e2cd6c

SHA256
2ea1b42283d101026eea86cf6909cf24b5124443393b4295536d61e4b32f217d

SHA512
300dd9b85950868f3223276afc4ce42082d4f7ecdfcb526ccd3da71147f08c09abe99ac2ffa53367f29b5a9f544926d5cb1090996867975cbbcfe29203b2d929

Download Submit
C:\Users\Admin\Desktop\DismountRegister.png.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
5c0b775775a1e4a5da1abc7b52fe10e9

SHA1
f7b68f87a49329e47cb2a81e560ceb0032443fdd

SHA256
d0fb0c0281180d65aea94902c28890113966d23ffc07a92f73e987a826e17861

SHA512
f88680135d8b6d3303e8e6599b2479d51653c2686a74a1b1763390cc486460e40fd90bfe1cc720d864b8122a1ccb7b2ee575f0b58a89bd85d0171bc197385023

Download Submit
C:\Users\Admin\Desktop\EditUndo.gif.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
b2418145e4dc27c1ea8df94f1defe1aa

SHA1
3207861195ec6583246f72da0a847204e0312302

SHA256
3e12f5cd3157dcffa1aef394a077cb477e83dcdc43706af719dec2cfa95dae2e

SHA512
f8d6955889575e4d3ac37785331e1efaf2b903de5025e337fea7942b22e328d576fa7efcc7ef382cc588f9bab9f855b1227ab060b2f82b5a0da760d623a1b82a

Download Submit
C:\Users\Admin\Desktop\ExitConnect.jpe.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
1d42848e857b54f4c4a709d63d49daa4

SHA1
4945a351c9dbf24137392298fae6051c7138c86b

SHA256
c697dada51532b62c3f3514acc542e6a325ef68a198b4237489c2a46aad41222

SHA512
d723dfcc7f531b80834e7a3b8ec39c548377d1f3979509d81018ad8fc1e0d674f2a16f05119e9666757713cc29bd4d9597541394f719fcbe05c70e9cddbbb847

Download Submit
C:\Users\Admin\Desktop\HideUnpublish.css.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
64da50ef0581ee266930943d78ec53c0

SHA1
c58d9c10a8cd9b9a290d9a8492e874abd82c0c3c

SHA256
5d2c8be397e18be01a6506513f9f2dfac92b2e58235cb570fae709e2c4fcec0d

SHA512
3099f2c815cf29b4e17bbc913af16ac4624191f0d3b206a17a7115c5e6b2a7c355f57c2158ee88710343c537a6f453f980f8ff51082b06633fbb5d9249f14062

Download Submit
C:\Users\Admin\Desktop\ImportEdit.wm.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
fb42c0a00d8bf7e6eb5888715c616aed

SHA1
0adb31ff2b0aed6c3df0369c7ec7da5a370f5e27

SHA256
5e35f196eb067e4aed90642b00d6444240e5cb549f386630443c8d60add8fae8

SHA512
c35a56cc8d325e78180c07242ab91b2a3110799205533e623781b91bf7c25372ed796e4083ef220bfcda2b51260682b316bfcc8ff5343a432744d3499be26890

Download Submit
C:\Users\Admin\Desktop\LimitInitialize.rm.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
89066e9b639436a990fda6c78a021433

SHA1
dfffc86f1f13a06e95efd6e57f0cf84dd9be953f

SHA256
2ca90f57015fe6be3a50dbe1e95fe992b23620c8989aba90216e635be461336b

SHA512
03c68867da851b3f2a2a98dc00114ec2e7553ae07a8afcf2ad146ba57baba44ee060948c0c8df6a227a5f570d795eff052da73f33746875b7fd3d0e0c1d589ef

Download Submit
C:\Users\Admin\Desktop\LimitWait.reg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
ea846ea0b3010982799e83c56ee7e353

SHA1
3862baf799b556d91d14de9f9f97e5a5f9886e95

SHA256
114a1dbe549b6b5b7f5afc8da01a02a996e952b3d1db2f494ac3d9a86b466d8f

SHA512
6324b25b3b254923b114d66eec6018ab921fa4528e9f06e715adebd8268196ef1a36745dfbe98a5199f74abb1742c6a34d51ac09df850c5bcf943face1fe7319

Download Submit
C:\Users\Admin\Desktop\MountConnect.xml.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
7caaae337f33182a7763ce737e8652b9

SHA1
833bd65ad15b4b76fdc8f469a48d4ef83f4fe499

SHA256
fe3b26044e3a9bc3ef52bfca16da7f9fc12c186950cdd582dc82314fd375ecb1

SHA512
3e62a98fb31e39af8bc9c3061be7c471967a92890cf630bcc1a81375b1ff79a878e452097339980842f5f6a383796005721a6160a4cb81bb5d59eb041c817e6a

Download Submit
C:\Users\Admin\Desktop\MountUnblock.3g2.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
5e0b1942e4909dfd2ec430a4f71cfb07

SHA1
0b50da8d514813d4142ef9da55b85b78b5811f13

SHA256
d169ff9f10c7554d7e8798ea63bc6036693101bc99df79c897e6494bfe800826

SHA512
0bd4ee2a381571f97d0354cae849f7e90838047cca80ff4ded9d13f20bdf28e5e89aba3920a3596cbf9a6a8d1f8384c8670a6efbcf541f3c579496ad04e51584

Download Submit
C:\Users\Admin\Desktop\PopUndo.vdx.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
a615bf81e9919f7fce92a42f2d688f22

SHA1
a85348ed9f7da44e57cbb5cfc5bad2091b8c8db6

SHA256
b01d677b98bf05967b5a1e4d9fb0a4a8d61dc971999c85201ff1910091a08194

SHA512
bc7da4655e0c9c34f299c65e4d4574229605c9827f8861f78d22ddd3a0c665f2203c240b45e8df8b775d4670f5572a2dd492509577cd5273bd32a24321478f22

Download Submit
C:\Users\Admin\Desktop\ProtectGroup.wps.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
0ef83ec0bb56a2388cb9bb376f086b64

SHA1
25ed0e87750274418a6d876132fa73e4062d944a

SHA256
266b8d4321c4849e1535c68d166e4ad1e3e2c9e877bcbebfc870c54d1aefbe0f

SHA512
032016b2266f01c08cd292731230b37a0292d913b4bf5621f5447db476e398433ad01ccd17518d3e256fa806363acda86845a17da6112551e5d0358f49ee4ca9

Download Submit
C:\Users\Admin\Desktop\PublishConvert.tif.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
bbe09d5cd39ac248b20aba4500f0b83f

SHA1
e74c52bb3dcf6dda2d382d2cc35346e8bc94b916

SHA256
6160e5a97e2a86ba2818b6dfc2a3332567ccce4552d5ab5aa2801c57caf0e2c4

SHA512
45b958078e1b75f05cfdf101af0fdb7f7c567271effe4a3b25303a24f564480d8b62d557b6ca284d7fe7a86fa03633e954ea0b2ef307060d839b8df2cd69a7c1

Download Submit
C:\Users\Admin\Desktop\RenameReset.vbs.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
34782303290c683cc48d3128a9a25005

SHA1
dc08ac02740ceeda83c367e65fa6fe8cd715affd

SHA256
aced6df376cf8d15b0b2e1710646aa08298d82cd4541563ee91f1394ed188c91

SHA512
fcc559742bbb1781c124537f53e57515ff33f6098221975186cb6fe277876cd7b6514c0f68fb8da7783681e21f3450a72d7b68343459b84d5a8ed48fe911c1dd

Download Submit
C:\Users\Admin\Desktop\SearchSubmit.vst.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
71b5b79ab36ca0c9126192ebb9681085

SHA1
bf8ae441490190102cd239dacfb17423339ec05c

SHA256
98bdeb6903435034351edd8541caee73ee4fd3fc233d03c94dde07e83080de5c

SHA512
dfeb5017c65163d458704a9754700eae019ca7ec3ad5dd28bc989889b7b542e4e5e0d4c6ebd9aa29fe7bed34241c13dea8534c60f948d15e2a8331499ebbf498

Download Submit
C:\Users\Admin\Desktop\ShowConvert.vst.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
c0cde2d0681662d8d4e24432dcdb67f1

SHA1
6592984dde39ee4b09ace61291ee73aa0d76adcd

SHA256
0e49cb3cb9cc0c9199fc2c737d05785011a22b7a04471785a45e0c35dbaa8fd6

SHA512
172d0102c732f573d0612220cfd7d937f332a7e44ecf03a6ed2f4fd54fbc4159a5c619224de0e20e5e919acc62e9cb5971761110228b1390086e0a1bfef0b7f5

Download Submit
C:\Users\Admin\Desktop\ShowPop.xml.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
5646b9539e22f56103493f90ef4b95fe

SHA1
98812293f45f1be645ca98b12dd36f4b73af1ed4

SHA256
b9ca7293484365a84f6044cc2b6ce3684d89da48abf3bb06e1eb4e4213b9c8ea

SHA512
0a18167ed35ce7d42252f2ea752dc7efde4bf55ab275374929dc6d5185278f7c9c423dc88331ef0efea6f785588ab188c997f930493d00d3f2b44e3e3283ea21

Download Submit
C:\Users\Admin\Desktop\TraceTest.mpv2.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
394ea8b57a1eb3b835d273e1de392643

SHA1
7af52bbcb88f777737f5bef7cf19266c8c5eb6f1

SHA256
5d91fb8e7830775e2368846a50e6fd95b14add4b6aa48bbbbe71ac3342eacece

SHA512
6bbb9e8499c94d82d37c3636612ab430b43b72f92b1435152587f83b858ace60ac1e2f62ed093eb9665d9f132d013f636b3b7432039f94d448706ed05615cdf1

Download Submit
C:\Users\Admin\Desktop\TraceUpdate.jpe.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
b9489996c4e30f2230cd53b9e20da849

SHA1
8b2eaa76ce28c7760e47521fa9d71b5c3fa9c55a

SHA256
9ce2321873fe1f239937cfe48a99a1573ef1918054e0121643552d3df875fc71

SHA512
68d74ec9fb43d8412b65b13dd22e77310cabe2f93805cc5f3000ceaf514dfff26692de009bfd1c71b4dce6bef3ff6c3830170089c06b64c3cc00a59166b015a5

Download Submit
C:\Users\Admin\Desktop\UnblockCopy.zip.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
00a34062880fb48928c10b843fbcd098

SHA1
ba886a652a3d7ec8fcaa6d3ae9f386f21aa61b1f

SHA256
8d94dc0b134d403caedc6e43a35719d13dca1c7a544b3617573b2cf38a35077d

SHA512
69fe68e7d6c82e2261d90b740ef838231a4e476251cf561d2c6829ccb4bf0675a510a61bf6d577b66b913351128dd82105f82cb379335aa89393ea7eb5543523

Download Submit
C:\Users\Admin\Desktop\UndoRestart.wdp.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
5653e26163573683778c38421742fe6c

SHA1
8bb1557ed55d17d18f94f7dbb236ab8e1933341e

SHA256
b4555ee349a443ec9a61c93a96a26593106453cc54639ba3e46ce33c904dd1e5

SHA512
5c5b4bd4ec110485dab62214c8d7cfd8b350e33d4c402b7fb0b67868defa59b69cd018cee8117060da1d13e4df207578b98bdff67d8a34de9f86f45f50c9ac7d

Download Submit
C:\Users\Admin\Desktop\UnregisterRepair.aiff.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
44c03e07306e25ece3e814582a4ecfbe

SHA1
2f187f16943b25cc525eb383390da4b044387854

SHA256
e4571b58281f014ded8d48c0c22900ff6387fe384dfa2d00b8c9f5aabe08d444

SHA512
7be5e9067a946ef36baafe5e48fbf888a4f6ffb53da591d51e386fbfb3d703013aa23cffc8098aa6ed04a643fca2b237bc35b6cfef267e4a5e7b47ad591ec724

Download Submit
C:\Users\Admin\Desktop\UnregisterRestart.wmv.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
93883ab43be93d1264dd3c1aba1b24ac

SHA1
fec17a915f1628f5409994979bbba303f626769f

SHA256
47e7cdf65c25832202a5effcf674823eb85013db5e1a8ab568806ebf5c4f04ae

SHA512
13fe9efa6a1472ee101dd29cc5e492e898f67b35231e5c3db6b5c339c8a145071a4652c7d4991e141dc6e2b453ff755df120c040f2508f80305abe3b14bcc3eb

Download Submit
C:\Users\Admin\Pictures\ApproveInstall.jpeg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
94e4785430d89884874631ce9cd91345

SHA1
df57de1788f32fc52331bb85fc288acdd9a99f62

SHA256
182b59319a1ae56d2bd2e81b8f3aa0fe217f089f61f9f99f40887bf951b0966d

SHA512
a94ee218c5a623f8d14e8e33fbd31bdfc8ed128ca04fb6d96825b278ad4e902ec129b58b22a9c5c1c70ce3351e72f0530d88b9b97c3fdca3b0d32958119b5d12

Download Submit
C:\Users\Admin\Pictures\ClearDeny.ico.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
036e3598bcdb510e2641fb3e86afaf52

SHA1
6b0ee0e2c437f4fee89e094b87e99314d933bf74

SHA256
8b3247039b51308e475eedc9208dc6294fd378ed4bb295a74765f61a5f753a62

SHA512
1eecf3138e09c3a8e258d2d0565dbca63af87929d45544d93d74b81e26f124a8f95f82acbf28c5f366fe5e692d067482bcc76ef6adc5102273017a192abfaa4d

Download Submit
C:\Users\Admin\Pictures\CompareGroup.ico.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
41324f3a063562a3659571abd6e03b2b

SHA1
80660825f97f58f86e2156f581722590b96172c4

SHA256
1d8f3dcd7e9c980c8f314cf364014dc4694ac00372ba5e6cea5e29f31da2fc88

SHA512
a9dba4f4c3e2d606f685d988080426d005008564d43d15506bd970d411c88d547a8121f5989dc0b2cfede581dc1638ef71405226cd3b11c0cf22cc88a5235153

Download Submit
C:\Users\Admin\Pictures\CompareRename.ico.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
cbe739ab0502c53054a8759d3fffe0c0

SHA1
7501ad96d8564b7be5cb3577b6bfe2fb1144e4ef

SHA256
6a4abb89b1b2ba9725b5811cae3e45d66f39743d7fd2582481c0d7d96dddbf19

SHA512
d38239da9a61a8452e3b8137c5c0d085e889b461e02f0a9ce29e4705e923371871e2b71deba9979cc0cf56efd06b491278f1989347e13194e014edcdedbb1d85

Download Submit
C:\Users\Admin\Pictures\CompareUndo.svgz.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
28c40cc7ec7b9ec2d64a49ccd8aea04e

SHA1
71bc9cf1f9391d9d0479f9fc829de7dc509b87f1

SHA256
e0ec133e0e8d6a82ca6486b4b8db02a0a809f47645d95d7bc5710156dbe76fc2

SHA512
9bc5884d30451d571c9f6abd286d7213d99b23a59d4c9b40c41861d5aecd8419be8733c144df871b312d6d950d0d4bc7c37a2f5afd266a02b236696fd0e39fee

Download Submit
C:\Users\Admin\Pictures\CompressMeasure.emz.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
e22b55cc06944d9c8e473e9f7ef0a1f0

SHA1
c0399b9fda28e79ea9ad6c873a12fbbd0e1abbab

SHA256
ce5dd4fa1f1757694b2cb42eb2f44083a98c356abef1245ea2493e9b3332e216

SHA512
582546afd1f40aed43f59aec9e488af833a5c7a7a46ed051a43b540828e46c5cdb47d7a5072c33690f8b1184363c50ea149bbb3d6a97ab2372d1e36ad497ff9d

Download Submit
C:\Users\Admin\Pictures\ConnectUpdate.bmp.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
9bf752f87d8c103d26d3ab2513563935

SHA1
608df090fe49a4229c43ab3c79fc90d7862df859

SHA256
faac8359c7ae8c1deb261908c46e055dcfb5a0cfbff3535ba2d1b86b4f29ff4b

SHA512
95b9f8c17efce3b9b233aa7a35bfa8bad7b89f4e28d6d52bdb472cbfdb2c1dd740220d87c0e281a89a5d4541e0fca8ab93828782e50883c523c70999d6adc6ed

Download Submit
C:\Users\Admin\Pictures\CopyFormat.tif.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
ef2eb036b56350e6647a6d5bc5f6b1f8

SHA1
12d85d1c40903b01ad4e773566bc374522fd422b

SHA256
a342322e84b46570013ac5220d945b459afe2a166503eef7528c624461018730

SHA512
ce60aea79f4b9b9f6d30b339e9174bd35b1d2064bf8d2577c7e7f1e61ec86400ad9102efaf1a167f4e71955de0fd127b55d13b91b2b56765586285e3cdbbe1fc

Download Submit
C:\Users\Admin\Pictures\DismountRepair.ico.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
ef00b38e6fb32bb0cd2f3ac3503ae056

SHA1
38a2c57c0f54025e90bf0d20cc62077efccf290f

SHA256
5e69b7bbd4557042cab0f942a11ad6dacfe911c481a922108471f27ebc40ea72

SHA512
6528738f878f216d8447750c25587868d4cfe2cc4b4cbb1c809b8e8fc0ebd5ad6bdaa5b360e15c18d84f11344145ae4fb21dbf47dba8bbabd85ae1b6adc8ff5e

Download Submit
C:\Users\Admin\Pictures\EnableInitialize.wmf.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
6e1f3fed3f75dfe8da900b108f921323

SHA1
6a4de4076c13965cb15fcf0e93f70d6d89e99787

SHA256
67954dc0b53941d2125650d8d2b7aff90c2e0f3688bf467b6b8e7a6e47c58bef

SHA512
e71691117a2703fdda8e6bf21e00a78a2352057aa511134ff70ddd048e7f1cda3702ad31a2490c9619dd9fa989b8dd2a0afb0f62e764c48398cd234481862b8e

Download Submit
C:\Users\Admin\Pictures\FindPush.tiff.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
2bce8bd028ff0193b5cfdf5939827b60

SHA1
2c78cedd84e0412b8cacb32bb6984d1f73f9ab70

SHA256
bdcf7493456d0a8a6c4ff8ff481552e87ac925aad83ad3f52aa23d41dfbea463

SHA512
084157ab57ee9f213f6118f041d370f797300569cfd385cb82ea8f1805f57a805d606b68bf35b9930b05255d3b912290c3d2de0e51b17f2e1f68c623c960dabd

Download Submit
C:\Users\Admin\Pictures\GetWait.jpeg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
53649e45b473a5ea2c98a2e4d533d4b4

SHA1
55f48ec9fb6cffe5ac8cd363e0ea58eb1b7d3081

SHA256
c875afea2284eacc9724ec5623b42afbbe83852537f9dbbccbbf571b31699290

SHA512
57cdedb734c7881ae1d8baa6664de27c9cae8b2f3dcbf1d1c8caa98835b4849c5804d2148ee3c85251b893c7bf22de7dbfcc91fb5b5c26a1cbf37a4706b1148f

Download Submit
C:\Users\Admin\Pictures\GroupStart.dxf.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
2d676624f8e0b8612d55bef7b595c08d

SHA1
c7d11bc8faafa7ea1009911cca0f39337a70ec22

SHA256
7ec7e4e1edab20795848b71a1b22dae35404376c7d4cd4a9e089656926fd6466

SHA512
9425e73694992f83b1388f4b8844889598b410dd3223a22650f0e0591e43a3dc211a4f32893659e5c71ba12199b262c8ee3863cbd69a8f21e8fcaa5ea537eb1d

Download Submit
C:\Users\Admin\Pictures\JoinAdd.jpg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
c1788b6b3019e3371d2f32d6949a6fae

SHA1
95e1b272cd4d77db58e45d68979c83e25d116731

SHA256
42c99838b2a597af0a883f63935f44dd95660199451715493467e752cf3f882b

SHA512
6cea83d9787bcac8d0f5b45180b2d9cdbf03dd708633ef7d3ade82653ceee204e465571c57aeb44e1bb1a99961ccf4884d82356559b7f64c664a9d5479c26d0a

Download Submit
C:\Users\Admin\Pictures\MeasureStep.crw.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
cb7ec99b03200adb619381c1938f932f

SHA1
d46522eb68a20a6092ca07104d7f2b348e31efb0

SHA256
988c838a0ec9498fa4062b05aee34647b9112398c7bbdb4f5dfdf3cb4e807845

SHA512
e18f5f3bd534b24df7f0c993da13bd3994d27837f6228029bf29a80bc867b6a7d712e28545359872a52e7b4cefaed57b28d62f8786f677c13d9ed6e712c97b7e

Download Submit
C:\Users\Admin\Pictures\MountHide.raw.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
912a2eb32c73b1ab27583a52a124b39d

SHA1
bd34ec2490d51445652f65aff4a4672bdb7f32f4

SHA256
fd1996ce270b2b105b93962ddf9efd0981c2c4146665dfda940e4465f18ec68a

SHA512
ffc6ebf365844fa21b707e7d11b51b1d39d599ba6eeee2281dcd521fb470131fdc4c897b614137e922b95c400a9b6d6df1c418cd307f5c35cc8703e0e39c5142

Download Submit
C:\Users\Admin\Pictures\MountLock.jpg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
636476f186736c14933d78dc34ca1f24

SHA1
9fb48598fffa9a09cec5c930268d34d29b3dcd02

SHA256
0a34b02c8cdf2c8fa9cb13df224042d81d5f3fa2cfd2677a44ed95508b14f2aa

SHA512
db58445a7428ab0359a0e4eb8567edef5e7aae49cbbe0ca66d3a7194cf7b0f1a8c47e31cbd2ad037300836fc69e7cbc8be3ab1260d367baa7028835f6694cca3

Download Submit
C:\Users\Admin\Pictures\OpenEnable.cr2.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
6d35c2fe5a9f7793bb8db3804fe406ae

SHA1
1652f9f6fcf78083dd450ac17756c69c3376efec

SHA256
06cdfc43995706b08a35158f4ee0a311bcb52ddf06d3bf3bb1b4ea51aa9ee4bb

SHA512
06c602c7dd1bd1e1373e5741d75834cff4a4b01c367cc2c996f5bab90c8b5c83a26a1954db41926e5c342814383026d7bc480f768383ae290a9d32f1b2e66771

Download Submit
C:\Users\Admin\Pictures\OpenInitialize.jpeg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
aae3122d18a012e27070617f478eafc8

SHA1
87aebb35718cbbc0cdc6761d0a52a63a6e897d3b

SHA256
ed51e50f9af24e8fe5ddd4982e1d05ce81480c71a06127a4d5d79078c1e9b36c

SHA512
21a8a9484eb440db666909bcdf718f30febc5a18f64aa3dbb5824882e99f50784841a0b74cf534e30c298b8431464373e2efc592665755b782c4cb6b9af5139f

Download Submit
C:\Users\Admin\Pictures\PopConvertTo.emz.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
1015ac542709c401cf1fe7a1268a91f2

SHA1
fca436f2dabedba006aa4555ae71597d074997c1

SHA256
8442ada02f3c62f34eb9f6c0c1b0cab17ede95344e1ac02f411edaa5db3a58d8

SHA512
bb0b2ab7740fa9823efc1b4964544743065eb46847ac0378b1e6ec1551a28d635b5a015417b84aa017203eeb3dd200c28796e3c850fe8c0221a2c4cb4b1179d2

Download Submit
C:\Users\Admin\Pictures\ReadNew.pcx.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
fe638bd4af86b319201fd1e290511e02

SHA1
207ddfda78d64d85dfa6b5c64da365d161a42db0

SHA256
a651e34de49eed28e37b418110559cf5092d6aedc013541ecde30c3ed471f557

SHA512
cee9c841971612d2f6db879641b6c648f435bec21b2c043a9642e905391521b5b2b4c00eaec706ec931c9909721ce842fcf859b5905d290c26f52e4a1d1137e0

Download Submit
C:\Users\Admin\Pictures\RegisterProtect.tiff.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
d7ebb7679debf842da45b524f2ddcd71

SHA1
538309af4b93cea1129a3afa91ee8661d3280336

SHA256
a62c0c93ac4db0c37b9face888af7750712a97c863a8ce0ad23455cc7b189c1e

SHA512
db86c7e2d2c9e87ad77a69179c3524b25892947ca73d146de1e0c95327e2b0d1d4edc82e2b74702e91408ef271e08f75c404a8d31362288fba6340ae6f796338

Download Submit
C:\Users\Admin\Pictures\ResolveInstall.dwg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
241e7369697a3d289837edcb2776e14f

SHA1
00c06e81480cfda44b4fde3bba6efb6929b7ffb0

SHA256
ad6d603ef454570f65e0eb89ee0171be194b9e8cf6fe9f76c000727a447b9f9e

SHA512
1ce72f264a89665969dafeddf8d39c30936ccd04ec75811040bfa6b362e52cd8a1df0610ab2f301a16dedc2785817a36f2b52774ebda1147cf741dcf02fe0fe2

Download Submit
C:\Users\Admin\Pictures\SaveInvoke.jpeg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
f2b5a62374ad554833ac925250322fab

SHA1
800f1c0f1b7c30639c47855ed64c43b6ca677591

SHA256
72fe27e19082863898a748ebc157e001cff8e4506cf383982853caef05335b67

SHA512
8ac721b4874100560e24269a05f469522210bd6beba96060cab22993dc5027217af2acba774a1148b72241704ddea31e5878b6317856123f8683e1bc4736fa08

Download Submit
C:\Users\Admin\Pictures\SplitOpen.svg.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
231456fa949dc9b904f796fe95440ff5

SHA1
578aefeb83e2264585b73d1b53aa58ee0861a0d9

SHA256
cedbd80f53a5490db3dc11255046230a5a3e348868fae47b740cfde0691c0624

SHA512
234a5fa1488fc9744ecf51c49e8df21a531280782d54c064bf5537980553db0f582110debecb13bb59ec31f1ec421c8f2470f6aaa5542656f407e2c31c301d41

Download Submit
C:\Users\Admin\Pictures\SplitTrace.bmp.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
ae9932e0886a943ad9ea3c1bbf4baee2

SHA1
51a744fbcd6b6c7bbbc2d28a1fe5e01b668880d5

SHA256
0d7c7c1630942e1a235de10128fae38091c3d10db4bdf4c01da60cd653632187

SHA512
40be2122e215a11f1f109b012e3a8916edf00d9ed54fe640168bd1eead1fdefcbe7a4b0ccfcfe2e4d0bc8726ede86065b464bf5a239edb215749e4ccbacd90a1

Download Submit
C:\Users\Admin\Pictures\StepRestore.bmp.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
825c6bc32f13873a75e91f35b5b879a0

SHA1
95b25b3b4f752db165b6b1ef49a8fd35fd8ee5cf

SHA256
9be2483e3ce3be86464a44bca386438fd0557b0fd62617f4f2738f4341b7db27

SHA512
7e2a277ccd0ca62b5c1f5858f08ae9de13aed4063fa7e149072ffb449862d0d8708db82520806f3c2406c6824a33193536e4aacd2a747ee909c1eca58475cdda

Download Submit
C:\Users\Admin\Pictures\SubmitPublish.raw.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
07edc795f8d8109144975d34af484aa6

SHA1
547780f6ac24f20b13e3e2dcdd9cec735d1c7ee5

SHA256
382c0720472c2a6070029a72645d0c529d0ff65b8b4f3370a63c35519279c505

SHA512
d7bb726a1eecdfecca8c25fe8359a89b163a456485fcdc7446a66caebd14e0b70a7cbb97468a0c46dc694c96a4933affa87baabf7814073a92eaf3043b0c73a1

Download Submit
C:\Users\Admin\Pictures\TraceTest.bmp.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
1c80ae37d9a6e7f3595161fd4120d288

SHA1
4ccf2f26211a00e52b3fd26b01331e0aa99c44d2

SHA256
9f722c2b878d8499fd14d4068b218d1b135228836daee1028dab6e60b8999806

SHA512
9c136201bca01693125b6add99b7c89e4e456cc8973f10da49c5bf8e94cc1f43a33381ea2a6ecce5680d6c560a2f52f8e0724921c154d398a2d63f068a0f386f

Download Submit
C:\Users\Admin\Pictures\UnlockMount.bmp.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
23ecbaa5dea41ac26a69e9529e66ced0

SHA1
0e6c26282aabe9f793c1c0255662af874574c0f2

SHA256
f7969d55afa8f9a148e68dc832e97ace85d50a9f2c120f12668a3b2e8d20d6a0

SHA512
2a0354051b9b4f18c5761389840f07e579edbeb542334fef4d4547da7a52c2227754e7f730cb6d1d45625aa17f1ac51aef171ae985db70f7f48796a76facbcf1

Download Submit
C:\Users\Admin\Pictures\UnregisterStep.png.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
97439b783de46dbbe57fd870ebbb60a4

SHA1
84448bb05a870de0cb1d1f2e9c02593654ab02c1

SHA256
bfc38930ba3fd5d6e196c30690eb400cf22c52dd0db4281c3182dbd0876da30a

SHA512
dee1ecabec7a5caddc4c46d3d75db879c1b2a52846a1e21d97b74edabc6eedb964c855446fc947dd309af2965b40781b4660416d7fc7f67dd68bd353a0e69c4b

Download Submit
C:\Users\Admin\Pictures\UpdateConfirm.svgz.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
cde44a1830a2d34c72cbd2afd7e7b29a

SHA1
298b2340f44fd7e640b00fd5f719fe4e113a846d

SHA256
7768c46105d9929cab9d3dd02685ce936de5cab631e5dbbd88d5e433df2ac3fb

SHA512
1af9dafc69f344c6b83fe76968d1081a56fa0e84b7158871941491be8ebe3ad78c71454eaf2707592bfb49fce671b24b68c88b2f94d9817c774c624f051d3d61

Download Submit
C:\Users\Admin\Pictures\UpdatePublish.png.(MJ-PH7316520894)(Folperdock@gmail.com).Godox
MD5
af33aad9aa36fd5c9899956defd88877

SHA1
5fa7c8f2d98e934f0400c8ff6d650534931fa6d0

SHA256
d5dadebd32e60bc62bea5cbce8abdd7f5504ec5686fb630c34814a88d17af6b6

SHA512
ddb8118e4c8f6f312e7e44667354b5575de8c3a71be053c8c13ff0cc1a7a4c895eb174b4093b2471aaa986dab86a2de4cb297c7dc50db946e5ba24b815aa9d4c

Download Submit
memory/308-86-0x0000000000000000-mapping.dmp

Download
memory/316-65-0x0000000000000000-mapping.dmp

Download
memory/392-57-0x0000000000000000-mapping.dmp

Download
memory/556-56-0x0000000000000000-mapping.dmp

Download
memory/560-76-0x0000000000000000-mapping.dmp

Download
memory/816-54-0x0000000000000000-mapping.dmp

Download
memory/832-73-0x0000000000000000-mapping.dmp

Download
memory/840-69-0x0000000000000000-mapping.dmp

Download
memory/844-77-0x0000000000000000-mapping.dmp

Download
memory/1344-62-0x0000000000000000-mapping.dmp

Download
memory/1436-82-0x0000000000000000-mapping.dmp

Download
memory/1504-72-0x0000000000000000-mapping.dmp

Download
memory/1524-78-0x0000000000000000-mapping.dmp

Download
memory/1540-67-0x0000000000000000-mapping.dmp

Download
memory/1556-68-0x0000000000000000-mapping.dmp

Download
memory/1596-87-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1656-61-0x0000000000000000-mapping.dmp

Download
memory/1684-75-0x0000000000000000-mapping.dmp

Download
memory/1756-79-0x0000000000000000-mapping.dmp

Download
memory/1756-55-0x0000000000000000-mapping.dmp

Download
memory/1776-80-0x0000000000000000-mapping.dmp

Download
memory/1784-66-0x0000000000000000-mapping.dmp

Download
memory/1820-85-0x0000000000000000-mapping.dmp

Download
memory/1824-60-0x0000000000000000-mapping.dmp

Download
memory/1900-64-0x0000000000000000-mapping.dmp

Download
memory/1948-84-0x0000000000000000-mapping.dmp

Download
memory/1976-81-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download
memory/2000-58-0x0000000000000000-mapping.dmp

Download
memory/2000-83-0x0000000000000000-mapping.dmp

Download
memory/2016-59-0x0000000000000000-mapping.dmp

Download
memory/2044-70-0x0000000000000000-mapping.dmp

Download
memory/2044-71-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download