buran | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

Analysis

max time kernel
221s
max time network
181s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-07-2022 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe
Size

3.3MB
MD5

d18bf81dbc8acce488abd633d8058cf5
SHA1

1d6dcade355b4867e9435961655a9b9caa373528
SHA256

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512

10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Score

10^/10

buran evasion persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 185-F58-9E6 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

pid	Process
1220	15sp.exe
1336	mesager43.exe
864	TrustedInstaller.exe
1232	TrustedInstaller.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SkipPing.tiff	TrustedInstaller.exe
File opened for modification	C:\Users\Admin\Pictures\StartUndo.tiff	TrustedInstaller.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureDebug.tiff	TrustedInstaller.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1684	attrib.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000133e8-76.dat	upx
behavioral1/files/0x00070000000133e8-77.dat	upx
behavioral1/files/0x00070000000133e8-78.dat	upx
behavioral1/files/0x00070000000133e8-80.dat	upx
behavioral1/memory/1336-83-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral1/files/0x0008000000014138-84.dat	upx
behavioral1/files/0x0008000000014138-85.dat	upx
behavioral1/files/0x0008000000014138-87.dat	upx
behavioral1/memory/864-101-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral1/memory/1336-102-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral1/files/0x0008000000014138-113.dat	upx
behavioral1/files/0x0008000000014138-116.dat	upx
behavioral1/memory/1232-122-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral1/memory/864-123-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral1/memory/1232-124-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral1/memory/1232-125-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral1/memory/864-156-0x0000000000400000-0x000000000055C000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1240	cmd.exe
1520	cmd.exe
1520	cmd.exe
1336	mesager43.exe
1336	mesager43.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	TrustedInstaller.exe
File opened (read-only)	\??\Q:	TrustedInstaller.exe
File opened (read-only)	\??\N:	TrustedInstaller.exe
File opened (read-only)	\??\L:	TrustedInstaller.exe
File opened (read-only)	\??\K:	TrustedInstaller.exe
File opened (read-only)	\??\E:	TrustedInstaller.exe
File opened (read-only)	\??\Y:	TrustedInstaller.exe
File opened (read-only)	\??\X:	TrustedInstaller.exe
File opened (read-only)	\??\S:	TrustedInstaller.exe
File opened (read-only)	\??\O:	TrustedInstaller.exe
File opened (read-only)	\??\M:	TrustedInstaller.exe
File opened (read-only)	\??\H:	TrustedInstaller.exe
File opened (read-only)	\??\B:	TrustedInstaller.exe
File opened (read-only)	\??\Z:	TrustedInstaller.exe
File opened (read-only)	\??\W:	TrustedInstaller.exe
File opened (read-only)	\??\P:	TrustedInstaller.exe
File opened (read-only)	\??\J:	TrustedInstaller.exe
File opened (read-only)	\??\I:	TrustedInstaller.exe
File opened (read-only)	\??\U:	TrustedInstaller.exe
File opened (read-only)	\??\R:	TrustedInstaller.exe
File opened (read-only)	\??\F:	TrustedInstaller.exe
File opened (read-only)	\??\A:	TrustedInstaller.exe
File opened (read-only)	\??\V:	TrustedInstaller.exe
File opened (read-only)	\??\G:	TrustedInstaller.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01138_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00343_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING1.WMF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTS.ICO	TrustedInstaller.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chicago	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107254.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30B.GIF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	TrustedInstaller.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01923_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198102.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEB11.POC	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Charitable Contributions.accdt	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Installed_resources14.xss.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297757.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME01.CSS.185-F58-9E6	TrustedInstaller.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.clusters	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLIP.WMF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00204_.WMF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html	TrustedInstaller.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107450.WMF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.185-F58-9E6	TrustedInstaller.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF	TrustedInstaller.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00441_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.185-F58-9E6	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua	TrustedInstaller.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ChessMCE.png	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XMLSDK5.CHM	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00633_.WMF	TrustedInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
628	timeout.exe
1700	timeout.exe
1808	timeout.exe
1036	timeout.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
544	vssadmin.exe
1520	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1348	taskkill.exe
628	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	TrustedInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TrustedInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	mesager43.exe
Token: SeDebugPrivilege	1336	mesager43.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeIncreaseQuotaPrivilege	432	WMIC.exe
Token: SeSecurityPrivilege	432	WMIC.exe
Token: SeTakeOwnershipPrivilege	432	WMIC.exe
Token: SeLoadDriverPrivilege	432	WMIC.exe
Token: SeSystemProfilePrivilege	432	WMIC.exe
Token: SeSystemtimePrivilege	432	WMIC.exe
Token: SeProfSingleProcessPrivilege	432	WMIC.exe
Token: SeIncBasePriorityPrivilege	432	WMIC.exe
Token: SeCreatePagefilePrivilege	432	WMIC.exe
Token: SeBackupPrivilege	432	WMIC.exe
Token: SeRestorePrivilege	432	WMIC.exe
Token: SeShutdownPrivilege	432	WMIC.exe
Token: SeDebugPrivilege	432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	432	WMIC.exe
Token: SeRemoteShutdownPrivilege	432	WMIC.exe
Token: SeUndockPrivilege	432	WMIC.exe
Token: SeManageVolumePrivilege	432	WMIC.exe
Token: 33	432	WMIC.exe
Token: 34	432	WMIC.exe
Token: 35	432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	960	WMIC.exe
Token: SeSecurityPrivilege	960	WMIC.exe
Token: SeTakeOwnershipPrivilege	960	WMIC.exe
Token: SeLoadDriverPrivilege	960	WMIC.exe
Token: SeSystemProfilePrivilege	960	WMIC.exe
Token: SeSystemtimePrivilege	960	WMIC.exe
Token: SeProfSingleProcessPrivilege	960	WMIC.exe
Token: SeIncBasePriorityPrivilege	960	WMIC.exe
Token: SeCreatePagefilePrivilege	960	WMIC.exe
Token: SeBackupPrivilege	960	WMIC.exe
Token: SeRestorePrivilege	960	WMIC.exe
Token: SeShutdownPrivilege	960	WMIC.exe
Token: SeDebugPrivilege	960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	960	WMIC.exe
Token: SeRemoteShutdownPrivilege	960	WMIC.exe
Token: SeUndockPrivilege	960	WMIC.exe
Token: SeManageVolumePrivilege	960	WMIC.exe
Token: 33	960	WMIC.exe
Token: 34	960	WMIC.exe
Token: 35	960	WMIC.exe
Token: SeBackupPrivilege	1472	vssvc.exe
Token: SeRestorePrivilege	1472	vssvc.exe
Token: SeAuditPrivilege	1472	vssvc.exe
Token: SeIncreaseQuotaPrivilege	432	WMIC.exe
Token: SeSecurityPrivilege	432	WMIC.exe
Token: SeTakeOwnershipPrivilege	432	WMIC.exe
Token: SeLoadDriverPrivilege	432	WMIC.exe
Token: SeSystemProfilePrivilege	432	WMIC.exe
Token: SeSystemtimePrivilege	432	WMIC.exe
Token: SeProfSingleProcessPrivilege	432	WMIC.exe
Token: SeIncBasePriorityPrivilege	432	WMIC.exe
Token: SeCreatePagefilePrivilege	432	WMIC.exe
Token: SeBackupPrivilege	432	WMIC.exe
Token: SeRestorePrivilege	432	WMIC.exe
Token: SeShutdownPrivilege	432	WMIC.exe
Token: SeDebugPrivilege	432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	432	WMIC.exe
Token: SeRemoteShutdownPrivilege	432	WMIC.exe
Token: SeUndockPrivilege	432	WMIC.exe
Token: SeManageVolumePrivilege	432	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1620	1992	4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe	27
PID 1992 wrote to memory of 1620	1992	4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe	27
PID 1992 wrote to memory of 1620	1992	4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe	27
PID 1992 wrote to memory of 1620	1992	4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe	27
PID 1620 wrote to memory of 1240	1620	WScript.exe	28
PID 1620 wrote to memory of 1240	1620	WScript.exe	28
PID 1620 wrote to memory of 1240	1620	WScript.exe	28
PID 1620 wrote to memory of 1240	1620	WScript.exe	28
PID 1240 wrote to memory of 1220	1240	cmd.exe	30
PID 1240 wrote to memory of 1220	1240	cmd.exe	30
PID 1240 wrote to memory of 1220	1240	cmd.exe	30
PID 1240 wrote to memory of 1220	1240	cmd.exe	30
PID 1240 wrote to memory of 628	1240	cmd.exe	31
PID 1240 wrote to memory of 628	1240	cmd.exe	31
PID 1240 wrote to memory of 628	1240	cmd.exe	31
PID 1240 wrote to memory of 628	1240	cmd.exe	31
PID 1240 wrote to memory of 580	1240	cmd.exe	32
PID 1240 wrote to memory of 580	1240	cmd.exe	32
PID 1240 wrote to memory of 580	1240	cmd.exe	32
PID 1240 wrote to memory of 580	1240	cmd.exe	32
PID 1240 wrote to memory of 1700	1240	cmd.exe	33
PID 1240 wrote to memory of 1700	1240	cmd.exe	33
PID 1240 wrote to memory of 1700	1240	cmd.exe	33
PID 1240 wrote to memory of 1700	1240	cmd.exe	33
PID 580 wrote to memory of 1520	580	WScript.exe	34
PID 580 wrote to memory of 1520	580	WScript.exe	34
PID 580 wrote to memory of 1520	580	WScript.exe	34
PID 580 wrote to memory of 1520	580	WScript.exe	34
PID 1520 wrote to memory of 1684	1520	cmd.exe	36
PID 1520 wrote to memory of 1684	1520	cmd.exe	36
PID 1520 wrote to memory of 1684	1520	cmd.exe	36
PID 1520 wrote to memory of 1684	1520	cmd.exe	36
PID 1520 wrote to memory of 1808	1520	cmd.exe	37
PID 1520 wrote to memory of 1808	1520	cmd.exe	37
PID 1520 wrote to memory of 1808	1520	cmd.exe	37
PID 1520 wrote to memory of 1808	1520	cmd.exe	37
PID 1520 wrote to memory of 1336	1520	cmd.exe	38
PID 1520 wrote to memory of 1336	1520	cmd.exe	38
PID 1520 wrote to memory of 1336	1520	cmd.exe	38
PID 1520 wrote to memory of 1336	1520	cmd.exe	38
PID 1336 wrote to memory of 864	1336	mesager43.exe	41
PID 1336 wrote to memory of 864	1336	mesager43.exe	41
PID 1336 wrote to memory of 864	1336	mesager43.exe	41
PID 1336 wrote to memory of 864	1336	mesager43.exe	41
PID 1336 wrote to memory of 1920	1336	mesager43.exe	42
PID 1336 wrote to memory of 1920	1336	mesager43.exe	42
PID 1336 wrote to memory of 1920	1336	mesager43.exe	42
PID 1336 wrote to memory of 1920	1336	mesager43.exe	42
PID 1336 wrote to memory of 1920	1336	mesager43.exe	42
PID 1336 wrote to memory of 1920	1336	mesager43.exe	42
PID 1336 wrote to memory of 1920	1336	mesager43.exe	42
PID 1520 wrote to memory of 1348	1520	cmd.exe	43
PID 1520 wrote to memory of 1348	1520	cmd.exe	43
PID 1520 wrote to memory of 1348	1520	cmd.exe	43
PID 1520 wrote to memory of 1348	1520	cmd.exe	43
PID 1520 wrote to memory of 628	1520	cmd.exe	45
PID 1520 wrote to memory of 628	1520	cmd.exe	45
PID 1520 wrote to memory of 628	1520	cmd.exe	45
PID 1520 wrote to memory of 628	1520	cmd.exe	45
PID 1520 wrote to memory of 908	1520	cmd.exe	46
PID 1520 wrote to memory of 908	1520	cmd.exe	46
PID 1520 wrote to memory of 908	1520	cmd.exe	46
PID 1520 wrote to memory of 908	1520	cmd.exe	46
PID 1520 wrote to memory of 1036	1520	cmd.exe	47

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
908	attrib.exe
1684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe
"C:\Users\Admin\AppData\Local\Temp\4E0D1EDB76747FD945B87DD18299298F0DF719EDBEA946119D91DB59A9B6527A.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ssd\onset\81ldp.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\ssd\onset\15sp.exe
      "15sp.exe" e -psion0811 01s.rar
      4⤵
      Executes dropped EXE
      PID:1220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:628
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ssd\onset\sata1.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ssd\"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1684
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1808
      - C:\ssd\onset\mesager43.exe
        
        mesager43.exe /start
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Modifies system certificate store
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        8⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        8⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        8⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        8⤵
        
        PID:868
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        9⤵
        Interacts with shadow copies
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        9⤵
        Interacts with shadow copies
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
        8⤵
        Executes dropped EXE
        Modifies extensions of user files
        Drops file in Program Files directory
        
        PID:1232
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:1920
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 15sp.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 15sp.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\ssd\onset\mesager43.exe"
        6⤵
        Views/modifies file attributes
        
        PID:908
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        6⤵
        Delays execution with timeout.exe
        
        PID:1036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
97d4eb06a21b13dca95f364192cbc613

SHA1
5357c95b3663855ba8efb334088cec21b6360b72

SHA256
9bd13f38edc76bf18d9c3237acc45d636df270bf645563092cc5f40595fe18e8

SHA512
43915e89f4e484281f4f6d07ba3dd70fb2ce2fb67edc688ca0e6cee9eea009704c49b684c606587dc229633cf48d6107a904a134554c1e510fa5fca0340bf8d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
413381f33d96c33f2e18560b44db9d7a

SHA1
8a31c09ccc2c7699fc1c7cff9700f3525bcc35ee

SHA256
e8aefc6f7be286fbbed7a15ceed86638820d0e27fb87393e24567c98360ed64b

SHA512
842f0a3259978f44f83eb125177990d2c8e5a15396bf4ba2237985b10387189d00277cc29fe35a08d90e0ab067567388741c17f6717eae88d0f5dca826475c50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
edc7462655e639289e72bac7927c5fc4

SHA1
6d257306c79b1ed31d2e99dfcd4fe8410560b280

SHA256
2d248d2f1e355a14dfb265503783f783a1b05b32010ba4edc6985d579b4bfb65

SHA512
59bec750e075e650b704f1b668d04c85ddca119b6d036d48d3912cb8c4c77961e06ee91df279be12a8d238e920dfb9142cdec0a64ce4618dec230fb30db72d25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
398B

MD5
3dd8f0e333d7609a604b0ad23221a14d

SHA1
5f96c8a2fe2c40d750433eba6159d45a33934389

SHA256
93698ce900c78686d2eb4f87068c03c465023ec2006dc5f1b4e44e4c8582d33f

SHA512
18180f0c18e42a49e20d721902b2548b17573080eeada541cdde36cec7b7b0c48791accad13c62d82a68666efe3a8fa4453294017cd3a44f34d210c83392801f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
402B

MD5
1b426a7ddbf3be6a624863f449babbff

SHA1
3651d4cce5f2372653455adab0e83ee6f5eae1dc

SHA256
99429b6eb6586e2e8de899ab5f0edc55e7603924e30d5ff74727c0cd82f426a4

SHA512
d7f051a3d2fcd77b3a8012be19576143cce667247984bd8fb8dbfda6e35caa7c56fc473a1024e8eb471eaf80d772287bcc095aff1083927c502d817f7cfe8d98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
156a204109995d89b965b83c7d9eb186

SHA1
cc1a0944fe985195f184d9afa9bf69e84e25c06b

SHA256
025e508496bf6eeb0ecc707de124c19daea3298c8e1c271eef2ce82d58e839dc

SHA512
4350b36dc5dcac74d6e1f70100e4c1eec46a3fef39c9bb2f565616109ea8ef0884524cf8934031f18fa009496b6b2db4dfe556a82613b340765fb7d2fae8d9d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
f52e9fed842862c29802c1272366a252

SHA1
48f3ceaf53104a3226f02e25a7fe1c37306461ba

SHA256
e1c8b495fc5e276086c16d4e37e5d5bdccda404586a667d3a981179dff63391b

SHA512
1ea14da7200b58e38fbb9c7416ef81a73ef60f8d4727a68a6a86d3742d26ce6d291d29c93457ae675aa33ea7eaac3dcc7d8441e2785dd342aeb841e41fec0631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O8D7KIM\SB5D73P2.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGS3CERJ\PX5KT80M.htm

Filesize
18KB

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\Desktop\AssertCopy.jpe.185-F58-9E6

Filesize
270KB

MD5
61233881662da207b82a815fbec50202

SHA1
b401ec44a0f9b781435e3690efa794ab3500a346

SHA256
b160c9c348018e3d829830388d08a1abdd442ce3c69459bc7a6cddc1f20912df

SHA512
dc97671a1b18b79f7a49003465545368be2f07db57fd09e66081b67c5d56844ecb6271ff3d594ddab2801fe6b96f5a9ac74f7c5acdbc6a901e8208efd02c14a6

Download Submit
C:\Users\Admin\Desktop\CheckpointStart.DVR.185-F58-9E6

Filesize
176KB

MD5
5c70f0718e82e0ff6a00031d7e72e19d

SHA1
2c4d496f36cb8d29769587c239a9dc268c1922a9

SHA256
bad59232184fe389368d584edffb62577d21c2ca7c0a4c1c7d59c636f1141418

SHA512
874219337aaa3ed6160962e418ecb0f52856446c33bfba55af1716551166b87cbbb733778a6b7848a6fa7e46bacc2872e31ec4ca46ab49159c16d16eeb98f9ef

Download Submit
C:\Users\Admin\Desktop\CompareUnblock.vssx.185-F58-9E6

Filesize
338KB

MD5
87d551082d8b96880a52d08ad6b9f5f8

SHA1
b1ffcba50e2d18e9139fca04b8c1bd1d631b3c6d

SHA256
08e7800e826e13de8de2183abc847b6495a0e25c69113ea91de2fc6cc6418efe

SHA512
b5bf4dc328fae61dcfe0f3de44604b2e3ad8139999fb2ede7290a22e7fa80a8d16446f9fba02ea1bd1152531f3f85e72a1e1d0f51a322817dad9f98af8e93899

Download Submit
C:\Users\Admin\Desktop\CompressEnable.fon.185-F58-9E6

Filesize
142KB

MD5
896a13de923a92ed268fd0172fea5098

SHA1
49e08ada98c29b7613e832354aa821ec67c12fab

SHA256
3a90f9c388a8302726ea901316115a4a4f7183c173c6cf630d4a730322659431

SHA512
a510b62ccd9292238f81c4fb0ba8a7068bf3b076eedd76670b2ce1acf8e6e71c338b07d5251f8036c7f7d3e166bbe283fa627dca51ace6053bbbe4f22caf6a02

Download Submit
C:\Users\Admin\Desktop\ConnectWrite.wps.185-F58-9E6

Filesize
235KB

MD5
799989f677015b043b08a71d5f466564

SHA1
29178679609f261d22a633a80e6a8a2e4a3014ab

SHA256
f8bdddbf237598b87cce00aafe3acdf46815ba97870f8d53545c556486bdf9bc

SHA512
da5d65298fe529de162b14ebfb7d12d5bdabfdd3be869e914ed9d51bbf96966a84ed19262632c0dc9e1bd9139f4d43180a55af90dfa52afa7abbaa4b7d5fcc2a

Download Submit
C:\Users\Admin\Desktop\ConvertFromClose.jfif.185-F58-9E6

Filesize
304KB

MD5
6b79b7c816de998061253fcdc7a09420

SHA1
f45d7173ae8b5def1c167fc98253baaeb56827f6

SHA256
cb517db577d157f9d563bfa25b46e9ea6dbb032ec2967eaf594a41ec5c40a7f4

SHA512
df7fdbbbbfcb682725013e5eb544af625096e649760a5b886cbecba38451f9d108c56b17c4497ed21a55d9cedc2d47a369eeda4f8643f25a9c8c2767e903fcac

Download Submit
C:\Users\Admin\Desktop\ConvertFromCopy.vsw.185-F58-9E6

Filesize
487KB

MD5
034679df98b7270215324d580f7c7d3d

SHA1
dbfbc472be6de70e4a0358c871a54887659d73fb

SHA256
182fc1d5dcbf369a7b153d55106b6078129439de7f75e413ebab68f90c457540

SHA512
be178093f563a955dce336e88be2f42149146bb725421eec5f25561db80421504f631d54bedba1453c5988e759d08b597fd2d97948293de0cc893dd4694748d6

Download Submit
C:\Users\Admin\Desktop\DisconnectRequest.3gpp.185-F58-9E6

Filesize
312KB

MD5
6fa681e94dbb3e255dfd109cd61bff66

SHA1
3b6b7ee0f99e040afab5368d8fc0f67cbc835497

SHA256
7c479d523c7bd07cc534e53511055be5d14f4cf1336c0f6fd143d3a93cac950e

SHA512
40032661616f67736a42b1a43eeec0537e718702bcb70f8ecf0ac8d271d8cf148d490592acb7c0f191383bdc62beeb868bee06c324e3cd64c4c6028fe3b2229d

Download Submit
C:\Users\Admin\Desktop\ExpandUnregister.dotm.185-F58-9E6

Filesize
346KB

MD5
47fea4afeda08434fbbe23de13081dc4

SHA1
0638d7ce648332fedf9f9eb79859bb4396a1ec17

SHA256
1de1fe624a12582e26a0b0410bbf6f1256d0c86e09e7bf8fce2f20d868c1b082

SHA512
876636c1fd91a244d9eab99720d093d40b07ccfd70b5b828fa82a96ba19271e9ca5d2e10c1c1b5ad2956325f18e5695dd9519bcf77e66a43c7d21ddfbc001b44

Download Submit
C:\Users\Admin\Desktop\FindRedo.mpp.185-F58-9E6

Filesize
244KB

MD5
3b94f28d7bff23c6c6c666c453c2fe96

SHA1
70322fe4852d692f654a1daf4c0223cfa25a4e85

SHA256
0738e5f774b62d8440bfabb9f0223b2ea83b97fb86574be372e4705d5d022264

SHA512
f5c4ecd738efaff0578d0ed265d865f5ae40c24591f3b3eb1b16368a0359bf3a18aae61d589c8b338c534415ce30747f3f0b1946b277ab521d0d47876303adc9

Download Submit
C:\Users\Admin\Desktop\FormatJoin.fon.185-F58-9E6

Filesize
253KB

MD5
4d08f5dda5b5824c7e2e72d4bd08a2f2

SHA1
02e606d206d59e47b71b8d70395434343e9040c4

SHA256
376dd43c6db7bc4561ea8add3471c560c76b05b0b02c8da9f242aaf886324ad0

SHA512
88708b5364f063a6bda6b7ee88074944a34567876cd6a3e0d086444395fd5d619a27c4db30caafa5b4a86d3b524cb46e48de2916a4edbf364ec9be40db55b601

Download Submit
C:\Users\Admin\Desktop\GroupBackup.tiff.185-F58-9E6

Filesize
287KB

MD5
f1b328b82e2e9730b1715624d5b2addc

SHA1
63861d3314cd40ed98c9e4613270a6b8af7192c1

SHA256
8496b5e57ea1f1015b111a45ca3577ce3a2dc9f4d1d1f51f8552f13f27e433be

SHA512
edc5b473a26c16ed0a1034c7bea10efb4d647733d59a1670c2ddf25cebd20d2ac6c909852c23191da0f3034140c15af4dd2bf758c566f6b5fc06f02cca862eed

Download Submit
C:\Users\Admin\Desktop\GroupRead.mpa.185-F58-9E6

Filesize
210KB

MD5
b34438a95ab287da1d79a939506615e1

SHA1
824eb665349e049455f5ff0c59cfe374973d0867

SHA256
df31bbb17131fe014f293d76e6bf5236eb92db02b1bfa40bc557795edd153424

SHA512
2ef158bde788f5cabce4aa9e29e057e9e16bf75796c1b6735cbea4918a52ebbde4fbb96a7b789d1841df0ec0cf42a4850822ffbce7645cd6f4e200645f91846c

Download Submit
C:\Users\Admin\Desktop\InvokeMove.jpeg.185-F58-9E6

Filesize
261KB

MD5
e04c235c18f2d729e5331af368e2cba3

SHA1
58939d8a745b33e20d7cb3a1bad2bb453afbd497

SHA256
3efc4e3238c6bef9b347d162c6dc53b55c921a1e7449a095f709e6d263b36a0c

SHA512
763052ade04249cfd8f5287dc24801c3f40284a01081f5143a5d7af252fe83a94ba80edea75fb8153a8ca12de8699bed214080cb938e45f9665d9a2714994b03

Download Submit
C:\Users\Admin\Desktop\InvokeStep.txt.185-F58-9E6

Filesize
133KB

MD5
c38c47aac73c5ce852d54d507b46c568

SHA1
db415f7c05a3442dc60daf002ab082b6b2b55add

SHA256
784979e01ff018cfe34171c082f5468cdf8e06d058dac14bf5843df1fbf3ea92

SHA512
0970f6bc29f7750761c4476a02ee29c4663435d4f073693db4a2b27da3a2263a6e8877c5d53fec28361521f2c066a98a0656019b72fdbe1dc9e1e5287c76655c

Download Submit
C:\Users\Admin\Desktop\MeasureOpen.mp2.185-F58-9E6

Filesize
159KB

MD5
a668bfba137c81040b07f6c6dfb315b5

SHA1
307bb58d7d0a95d8083ef36a40eedcde6ea4141c

SHA256
827926490264216bdbf44137082eccb81e0f59835447663096844d000b6c76e5

SHA512
f003e837f466c0dbdb7edcc04dc7e0cf1e6a8abdba6824eb6be5180495485f07f66cea0685b7f6d60363fb0ced445b568396e5c616f945919970eaba611ba369

Download Submit
C:\Users\Admin\Desktop\MoveCopy.mpe.185-F58-9E6

Filesize
295KB

MD5
5448992477c13d52402acbdb2c0fb1d0

SHA1
c0f3c1c99946f85f25d7bc305f58249e6a6d513c

SHA256
92fc91078ed802ea23bbab79087e085c193c34444d8436fd7a349062eb4eb7b7

SHA512
17c313cc7b06528ec4e17cff527a7d418139034a91f8924fc0d1e8b156443dfbaa5732e207a59386ddfb7b001674aa096917006cbdb725a5b1167296251b166e

Download Submit
C:\Users\Admin\Desktop\PingConfirm.html.185-F58-9E6

Filesize
278KB

MD5
4423c079f52314a78f72b5ba1af87bf6

SHA1
cf3a08d0e016e32c5c742352ad4e9a841fd71976

SHA256
f3e47a33525c5b596c027a3ca66f3e6d62b10e8b1e9a8988d804ec6b46b5eef6

SHA512
e8a133c0414b7abba440bd0eaef1aa1d0b7225864b4c239a1d782e501ae41c43ceb431e59f3fbaf62e410a96d1816da07aa12b733796547ff011da64b0d6a197

Download Submit
C:\Users\Admin\Desktop\RedoRestart.search-ms.185-F58-9E6

Filesize
150KB

MD5
572cf97ed178e13ea127796a618274a8

SHA1
b24e920489170e95d72bcdb7e501211b66c5aca3

SHA256
59de6d1f6a272c696280d5d52b243e60e655bee54e53c98680d43d7cfdf5beb9

SHA512
dcb08a8caef9f5fea5d9aeaad2988a38f8f695b18c4b55233753a379aca6cea0dc9696b79ab11e01118e7647303a406c572e35db452f40d1a5fe2f590a3fb9c9

Download Submit
C:\Users\Admin\Desktop\RepairCompress.TS.185-F58-9E6

Filesize
218KB

MD5
a70ef5f281159998b5f39b202b06a706

SHA1
bbd7bc4b17dd71e3bbd3b9bd78a2d03eb65b865f

SHA256
58f1ac1eff1e2c27e19fae9c1d1211b413cf6014edab7128f1f13c6bebd9b965

SHA512
192289f1be5a60d635b9f8ac13d2b8c7d977846e4e78e565e88e817a9b19754e477caf39a0c8075cec13bf3e9ed1dc697fc482d5bab1e294062ad4ffaa9b86e4

Download Submit
C:\Users\Admin\Desktop\SaveLimit.zip.185-F58-9E6

Filesize
227KB

MD5
49a7822ecde27a290c2fa01685ae3f29

SHA1
73980b13c152358bb0886ffee837e2550a77c15b

SHA256
af68bd0cce09d3318a59498e8ac5019995efde623777aae3fbccfe598f77caa7

SHA512
cbac1c299f61b877cdbf6768db506cbbf18cc12e866a4f3a62c323902e253d10dd35d74b7b8c76e5fa806a24dad913f29f6a6d3614c858a14232e6794b7ae962

Download Submit
C:\Users\Admin\Desktop\SaveNew.html.185-F58-9E6

Filesize
329KB

MD5
e949d5f48562077157ed078dbfa896ac

SHA1
dbb58b747b1f84239b83380f2acd5ddf45836ecf

SHA256
8dad27ebb14b961fc444188e8612b05d1efc4ed2063700643b356f8a3177f80d

SHA512
4fb73d0e968469ccde42cb9d2e254b993432268bc10707031e29c13cab5cb3fa8defc8eaa869b4ecdc84fc319bacdcd7e2b6ba2b0f709968588e54a7be8b89ce

Download Submit
C:\Users\Admin\Desktop\SubmitPing.mht.185-F58-9E6

Filesize
201KB

MD5
3cee5834cb8c310e57ad9574339c7160

SHA1
93e4e2fd739628053e93d59afc4f835c6d44902e

SHA256
daf8ad1445731867eb447758967bdcfa86448070cdcc85be224be1973776d7ab

SHA512
a42772a4dd752204d648ba3ca929652bf5c9591c8c172d5d0b804e5dd58c5f4b95fba9a576b15c79cceb99768adf7d7c7ef387b98171ae4b7368efe886e32039

Download Submit
C:\Users\Admin\Desktop\SyncMerge.reg.185-F58-9E6

Filesize
167KB

MD5
c365b8cc78dd00b84e18ec28a2e057f3

SHA1
a8659cab55d814edfdca5b0711f72a0ad45372ce

SHA256
58ddc3034607188943f2de577de7b0d15a96a17e91972e78d2ce41d1b40042de

SHA512
a0910b3b0605df68e88057d7987c2854cac1adcd6812cc4533d6b2d8c2632b877c447fd148636dd2efaf355f20beb1f33e5279608b46c39464975c4061fd66f5

Download Submit
C:\Users\Admin\Desktop\TestLock.zip.185-F58-9E6

Filesize
125KB

MD5
84486937be0234a425dd71700306f66e

SHA1
ad1b6adae81ae457abef61eb9ac69a81791226ab

SHA256
477aa9c5a7988008006831d3a8df00366ec39389202c633be45659da45f80003

SHA512
71ff9ec68e50e8830b7679c2192990d367234146f0ffcd6dd00278dd2dfe78e84f20c1e24b105952267f345488a85f3c7869b5cb383376dcebb6bf9e1ef94b58

Download Submit
C:\Users\Admin\Desktop\UninstallTrace.mov.185-F58-9E6

Filesize
321KB

MD5
f3acff6acfce5c27a1ba09da5e70bbd9

SHA1
6507a4570054506502a6ab73b8594beca2e2e835

SHA256
8e31d5fb06bb8f7e7d44d0cfb29b2ab2fc9fa12852e7c1e3b16031cf2ec41890

SHA512
51ecb408040710991b5224e8b124d3c5d94c83c7bde4716c8423433f202e301c485668f917b361493155eb073c47e42d47c3bb71fdfe15f198f76daba79c0081

Download Submit
C:\Users\Admin\Desktop\UnprotectNew.mpe.185-F58-9E6

Filesize
355KB

MD5
e01a3a3251e9676aa181bc23063147e1

SHA1
1df888556fd43ca232c2a1ca82c7fafbcfe12319

SHA256
b145b2cfcc1decf5de668868dd9404bbd01ee7d38a24418a752929901e5b8f43

SHA512
fb271a7f2c33c8071a0f0d42ef5ddbf5d85d3d8afc82d68c02d3a07f5cb856f8b9abbb2408199b17b62e7d1fd0fe41580a9d03e985469de056189a2d51603568

Download Submit
C:\Users\Admin\Desktop\WatchRevoke.xla.185-F58-9E6

Filesize
193KB

MD5
d01ecd74964db38e9042dc4aff66e245

SHA1
69fddc2f5459a15a7e8e7f8b17f0bc6d2db97a91

SHA256
13726aa14178cf1accd80e96bfc6f5733e3a234a4a5638459b0df896920562df

SHA512
28a3fe5b720bc2998dedbee3d1cdc1e88f6f32b3bd37e5df11f9fffabc03f6bf4dc50653eece93cfca021c123be0c063e945f6b3f8d5690d53e726b53de62f9d

Download Submit
C:\ssd\onset\15sp.exe

Filesize
551KB

MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\15sp.exe

Filesize
551KB

MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\58nfs.ini

Filesize
111KB

MD5
42f9b29cb18cec22cf1f68375685ddc2

SHA1
54de5fd042aa740be90f85d7887d41ebc0e00b4b

SHA256
7aac762ca37c72400df369c6a25d81e758071e570f8dd68f136290923165d007

SHA512
f4065bc2b1b5ef8577c22ee6fe3ee4e5ee9af413d7a693940e317d2ab23de4ac64079761469369b282665c5d19fd3beb9a9ecd0af64a40531df946c65f36ab5c

Download Submit
C:\ssd\onset\81ldp.bat

Filesize
180B

MD5
a5464805722aa29200eb97cb26605135

SHA1
80b2c57e6475325a89eaaba24db02685830018ea

SHA256
03130577ed6032ec6fce61f3f4a52fbfd2e7eb69ca1901823682b392f89c0e8a

SHA512
d99760c1a82e2bd46d4d400c60c2c7a1fdfa057b84c6de2e992e19c662f62aed357e67c6f326e989124ccf7b67b57e1157b124e9bee4765e4f6730fb57660aae

Download Submit
C:\ssd\onset\Ztestram.vbs

Filesize
95B

MD5
b835e273fb843348db5f05d2ed0958e8

SHA1
8a5feab98df1ef7a898863e941e8bb07d007b9c1

SHA256
066327629f90b617ff1980f80a69ff3f5d76b4b005bfe9ee1a52319bc5517c94

SHA512
5438cd64586b1bfb6b555b9183e50cfae143306b163d7b4810383198cb8afcee3b5631a4f7cfb65561c2bb9babfaf70e8403937ae8d80cae93e9cd57e5c8331e

Download Submit
C:\ssd\onset\goodram.vbs

Filesize
96B

MD5
1ed7cb327b190a41ed8aee89c9be87d1

SHA1
6bd8634e530a6911501f1ab1c23fa4282d3a9e4f

SHA256
c31b950a44c81e1aaa37c495da1cf671ef730a5d1efbf5e68a875bf998c94663

SHA512
a9b85159614d71f91f05d9f1a4f65085105591ef7ca6d4094e171121e4259ebeca65fe490c28846b8d5791ef15cd7c01d56c7114aab517bab64c2f262c3dfb7c

Download Submit
C:\ssd\onset\mesager43.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\mesager43.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\sata1.bat

Filesize
669B

MD5
03560667f8a4144f8d45f917fd522a95

SHA1
df8ec645f2cbecb9388c87a63674b508a791433e

SHA256
41e9529c2acd43b7a206ec80655016bb65ba6721acfd930d351399730e809ad1

SHA512
215824afaaf96acef5977a7e6f48b2133cd969b1d809db333bf1b700176dfaa745141aade50fb4bec1151087a3deb2d64ae542b2405a17ec53d17fbc69052ad4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\ssd\onset\15sp.exe

Filesize
551KB

MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
\ssd\onset\mesager43.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\ssd\onset\mesager43.exe

Filesize
511KB

MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
memory/864-101-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/864-156-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/864-123-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1232-125-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1232-124-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1232-122-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1336-83-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1336-102-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1520-82-0x0000000002130000-0x000000000228C000-memory.dmp

Filesize
1.4MB

Download
memory/1992-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads