buran | e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2022 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

211KB
MD5

19111728bd752688482ffb91eba51913
SHA1

d3f742f64a6d419b2e96651c9993d60f93bdafa9
SHA256

e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440
SHA512

a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f
SSDEEP

6144:hia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+g0+:hIMH06cID84DQFu/U3buRKlemZ9DnGAI

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 480-EF0-086 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000300000000071d-136.dat	family_zeppelin
behavioral2/files/0x000300000000071d-137.dat	family_zeppelin
behavioral2/files/0x000300000000071d-140.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Executes dropped EXE 2 IoCs

pid	Process
3736	spoolsv.exe
4960	spoolsv.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CopyStart.tiff	spoolsv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close.png.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.ELM.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.ELM.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_7_Loud.m4a	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-24.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_backarrow_default.svg	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de_2x.gif	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\ui-strings.js.480-EF0-086	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-colorize.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxManifest.xml	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\en_get.svg.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-BoldIt.otf	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-64_altform-unplated.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\share.svg	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3.jpg	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-100_contrast-black.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\PlaceholderCollectionHero.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-locked.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\ui-strings.js.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-125.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\OfflineError.svg	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-no-text_2x.gif.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-100.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\ui-strings.js.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\logo.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_it.properties.480-EF0-086	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.480-EF0-086	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	1.exe
Token: SeDebugPrivilege	2384	1.exe
Token: SeDebugPrivilege	3736	spoolsv.exe
Token: SeDebugPrivilege	3736	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3736	2384	1.exe	81
PID 2384 wrote to memory of 3736	2384	1.exe	81
PID 2384 wrote to memory of 3736	2384	1.exe	81
PID 2384 wrote to memory of 4224	2384	1.exe	82
PID 2384 wrote to memory of 4224	2384	1.exe	82
PID 2384 wrote to memory of 4224	2384	1.exe	82
PID 2384 wrote to memory of 4224	2384	1.exe	82
PID 2384 wrote to memory of 4224	2384	1.exe	82
PID 2384 wrote to memory of 4224	2384	1.exe	82
PID 3736 wrote to memory of 4960	3736	spoolsv.exe	89
PID 3736 wrote to memory of 4960	3736	spoolsv.exe	89
PID 3736 wrote to memory of 4960	3736	spoolsv.exe	89
PID 3736 wrote to memory of 3956	3736	spoolsv.exe	91
PID 3736 wrote to memory of 3956	3736	spoolsv.exe	91
PID 3736 wrote to memory of 3956	3736	spoolsv.exe	91
PID 3736 wrote to memory of 3956	3736	spoolsv.exe	91
PID 3736 wrote to memory of 3956	3736	spoolsv.exe	91
PID 3736 wrote to memory of 3956	3736	spoolsv.exe	91

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    PID:4960
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3956
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
211KB

MD5
19111728bd752688482ffb91eba51913

SHA1
d3f742f64a6d419b2e96651c9993d60f93bdafa9

SHA256
e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

SHA512
a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
211KB

MD5
19111728bd752688482ffb91eba51913

SHA1
d3f742f64a6d419b2e96651c9993d60f93bdafa9

SHA256
e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

SHA512
a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
211KB

MD5
19111728bd752688482ffb91eba51913

SHA1
d3f742f64a6d419b2e96651c9993d60f93bdafa9

SHA256
e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

SHA512
a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f

Download Submit
C:\Users\Admin\Desktop\BackupImport.mhtml.480-EF0-086

Filesize
824KB

MD5
601b0814007b4167b0ee9fdbdd83b8af

SHA1
290056ba2ffe8b78e355213905fe2e8503d560f5

SHA256
e932a3263f41544fffae778225b2b06d493d3856149c7136669e3817fcfddb94

SHA512
848d1ac384afd67ee61b8b55475c48f73d075c20c8b7ee783f6011e670e2a61eca2a0fb044334076c33a566b206100173f124976bd07d3fdc423b57f81525b24

Download Submit
C:\Users\Admin\Desktop\BlockClose.docm.480-EF0-086

Filesize
471KB

MD5
311700ee96d0d4dae6784e959a5f3678

SHA1
11f5a33ad5503c7c209398ecb4b1928f7793fe4d

SHA256
06ecfe34798db4b78be9ded7f3f91478ae219f57b3e7e647df33319a0d22dfe7

SHA512
a32d415b9cefbdfdd9b4ca9015f69d6bfeda3e76972dc247364e5e276f422b019d098d13c7cc6b7ad7ff5237e2cdb7dee2f3573b83338ceeb1b0eab92bd7816e

Download Submit
C:\Users\Admin\Desktop\ConvertFromUndo.vb.480-EF0-086

Filesize
518KB

MD5
2f297a97cc9f4f6c4662dc54ea12faa0

SHA1
848bf37984feed154433d984a20c3b72cb143eaa

SHA256
00bb2bca3fe02cd7e8afffbb12f9d64175b977377a6ef7df05ebb11e929d1916

SHA512
5a83ac6b8bf0e68cc654927c6dfe033d3b083492105be1f196334bf629ba90a2646bd3a3a2495291053ca8896c7fdf7a2c16b7de33586d8bd5bc7c5d531ee51a

Download Submit
C:\Users\Admin\Desktop\ConvertLimit.reg.480-EF0-086

Filesize
377KB

MD5
3217f43816807bb3eaa3f06842683623

SHA1
d0f4c3844ea7f9916308fed480db50fce8a207d6

SHA256
bdcb25c7c634218619b1e34a2cf5b5877afae20a885733cd98a1721910978ca6

SHA512
eea0e554aab14e0286f8c05fbdafebea13423aeb70c956eb6c985c2cab8a9403b03eb02db5412e89b60ee0a416b3421735e68a71ec083e45ff5e2c5e432c7b45

Download Submit
C:\Users\Admin\Desktop\DebugEnable.vsdm.480-EF0-086

Filesize
683KB

MD5
75d8e76b9094e46444935a4ae900aa43

SHA1
027438efb85364b96815b545e26e4949681ef6a0

SHA256
5c5558758b6e46fc0eff583f18f27e33cdf5340d33b810333ab301d21e77990a

SHA512
2f02e797fe574351deeb5bff4ee4d7b79ec66d9c332ad7fa49d180eed2094919d08afc899cb33f99fbbc36074dfdb87a4f155b593e671efbfaf395915e3da635

Download Submit
C:\Users\Admin\Desktop\DismountCopy.ram.480-EF0-086

Filesize
730KB

MD5
8d07abe349e2e3c612281f692138d74a

SHA1
63560ddcdb4e3838ea517f4eaddafcf74976da5b

SHA256
aeabead4da59e4ad9e1213270fe0c23dfac4ca0a8dcba1afd4107a1b39d8be51

SHA512
4ab75f025a4221ef747413adcaaa3aa2839fae49b7ff620625f1069161f0955f96e759b50e3811423f95123c74b7b81a54d044c205d7de2d852a7fcb6eff9db9

Download Submit
C:\Users\Admin\Desktop\ExpandRestart.wmx.480-EF0-086

Filesize
424KB

MD5
bba9b95ad8d554d4b20fa13df29f34d4

SHA1
e0670d79eda2729cf413bb891b50e31a255b8489

SHA256
2a1a6c61ab4dbc6c908c9711b6a19257e05a2148603ae6f3a1aa204b80e3594a

SHA512
bf1c5bb9ac259ebe765c3252f1834933e4fb0668b135028b9f6951c9edd3dc1bca823267e62464b8c10f970cc4e89733597966d23c761815b185861d1a27a0b0

Download Submit
C:\Users\Admin\Desktop\GrantInitialize.inf.480-EF0-086

Filesize
942KB

MD5
84f824eca061c383be4a1221ae6fdaea

SHA1
3dfe946363e0580c020b6787927aac50221c7599

SHA256
2b85448a2eea36aa5fec5f9a19cce4f02bb7be55da688b04deaa89123ef02442

SHA512
f24fca023ca6c4f2077449f81e28480e2b7be8ac4d030d7cf5f8df81c102b36d7b5b17a5f10f20e128ad54255bfb6943897ef708ad21b41b68ea43a063586e15

Download Submit
C:\Users\Admin\Desktop\InstallResolve.ini.480-EF0-086

Filesize
801KB

MD5
26e9018b2c70f7f6496e2fa68f5e280b

SHA1
7d4c612bc82a1719f998c25fab45e3a8a2c46949

SHA256
3a970c51f5b459d767d92cf25200517c953f4d057f82c62fdc43a185cb9aa5d4

SHA512
747ea8d9a388030e47c75fe2fa17986910520dbd3ded9ccc0f57a4b4a8bf68c17487fa3ba007ca5281c3c16f610b85a7c1828758137ebe278fe4d30b1c02b713

Download Submit
C:\Users\Admin\Desktop\MeasureSubmit.lock.480-EF0-086

Filesize
565KB

MD5
4e4713ae98afa93a9826113c15503ec5

SHA1
c9ef9d4f13d268b5df4bf3d371140b59ccee3965

SHA256
0eb949f7271b2e1f02cbc438907eda543151793a0c60cbf5ce53dfbb5368884e

SHA512
f840fce8e9058c66d458990b2ba560fa1ea706c69af07a886da8cd460371a7276227d050cdfa1ae0dd80108769b16457cc3e692ac48ceef7505dd30251030725

Download Submit
C:\Users\Admin\Desktop\MergeHide.emf.480-EF0-086

Filesize
401KB

MD5
05773e34e7ee4b63f0fab428c9043044

SHA1
7b459e774222edd6082a139f57e9cf9a7c1e1079

SHA256
f115ab8d93bd0bc7d849d89937072ee795ca0cd44e7b061feced1e0aef539e23

SHA512
2caa0cb0bdb081766d004a45fa3eb2d54cb090001be2a43c5b896dc457c6492e736b6167768bf6d147825cb99bc466a7f7da96f04c82d1d4d77b0dd8b368fce5

Download Submit
C:\Users\Admin\Desktop\MergeUnregister.rtf.480-EF0-086

Filesize
495KB

MD5
58accd610558bc13ec3c87aad45e615c

SHA1
374e9539cf42e1cd38df01a21667f42a6526f8b1

SHA256
7030ff31ce027bca859fe9ab61583c70605159d0e5629b3a295f4b1e8c299a51

SHA512
2b7c9e65f104104f49cb9fd37403d7278510fcd61135f75238fc689b01d6ffa0ba5ceff86dfe1e3d245cb5658a40353a92efe8527d8ddd90693454375b53847f

Download Submit
C:\Users\Admin\Desktop\OptimizeGroup.wmf.480-EF0-086

Filesize
612KB

MD5
6bba7eddbe45e31b4a1cd21131bc727f

SHA1
f36a2434321670b2d86c2178e693cd91823f9e6f

SHA256
83292946538fd1d12d90bedc93aecbc2d57a114616a09310840ea8e6a70d83d7

SHA512
181ac4a4207b68e0f9c75d50e1898eb7a459a648d1d1a900f02fd4a4df6d27b000ef25229389c061d86bba1ecb33635e2aa0163fba8ed0d10c8051422af47cac

Download Submit
C:\Users\Admin\Desktop\ReadPop.aif.480-EF0-086

Filesize
918KB

MD5
886edee100eb80c4332425cfbb50e5f3

SHA1
731f8bcb4ded4a9d6370e2378193d2f78fd370d5

SHA256
5efb74d4303bc1fdcec31d9f0c5be716390e29ce03967dc56d9ee0c3c1dbdda4

SHA512
dcc9368b216ab816321f56f463574cbcf7785e77f0ff40a5ccd31f05975e3a5271b6bca5016e3ab88c21025d4882960b747b45368de6bd1855df8e71689cbb90

Download Submit
C:\Users\Admin\Desktop\RegisterSet.pptx.480-EF0-086

Filesize
354KB

MD5
7d10e21767cb04d35557b4bc9000077d

SHA1
d81b958a7f96e12184932333d3df6ace0ca52557

SHA256
8c97d79fd9ecd44a19580828b3940db2942cb78c672d2a025f1379c78247633c

SHA512
52020bf9b98e4b7299e2e45f7b2487551bc6a3068962c0e3fc0cac871d4b22535257e259a667f2c52fe7383aea565ab5df584dba8d3e6a5fcb3221aec24e595d

Download Submit
C:\Users\Admin\Desktop\RemoveUnprotect.eprtx.480-EF0-086

Filesize
753KB

MD5
9f498316586e018f2e7ecfcce2e2823e

SHA1
f5e373528be2a02e934b5940460cdd2e7ea2d875

SHA256
917bb87488d59e6431f9815e90664dcd32899bef059132d5611cc7b9cd0fd0a8

SHA512
06345d0aa1c3460a4663d2ddd2fc2ce7b8ba661ab71d99ea25f026e356a061fc51fde59cff967a2fe4e5d9db879ffecaf72ecf0570c65f68d70ab7f0cf2c1108

Download Submit
C:\Users\Admin\Desktop\RenameSelect.mp4v.480-EF0-086

Filesize
448KB

MD5
9f69d18653c9c0e9a1c89b0b64a357d9

SHA1
cc57b7a28c6ac7b2747d9adeb9ca38b18a0b17ab

SHA256
7c669434717a15dd88094fbab4991f698672ce33ee3a37b019a82222a5d63a98

SHA512
2873897267461e80c2847ab64f868333749dbaaf2260326e972c4cb6bd465af96fbdd6ee55a18bd4d9e7a4917660a644492eb72c9e767c98ff705dbbb9c37761

Download Submit
C:\Users\Admin\Desktop\ResetAssert.svg.480-EF0-086

Filesize
659KB

MD5
99c6f2f626790650a246247ba7678cf0

SHA1
f422425ca21b00f41476ed2ab92a4b9a8c0581d1

SHA256
8b1923a5cc7f959c7c6c9d832030c0ce431a33ec90fbdd9bd5860286031cdf2b

SHA512
92b252490a34a5a623ccac24383be78b4c5b52b1136fc336eac1412b7e0e5a7e23ea02b5c7c286b727b11b725fc5c1d17a785bb53d9b06777a19ea907be36ac7

Download Submit
C:\Users\Admin\Desktop\SendRedo.xls.480-EF0-086

Filesize
1.3MB

MD5
e90e557178658dcc3202c8021b771200

SHA1
92f77e7da645d8ec5cf18835360a43d68c668423

SHA256
d4907381b23e38ed63d024c5b8719bbbdeb614dad3fa3e1677bfbd023bd9e683

SHA512
b41e996a100d4931b14f35826ef93ddc52e418db5a5e629ea425ce56aa45385083937cfcb35532be8848dd24f0f3f35c9fbb9b7bdd1c3b92e26ca5372837ba2d

Download Submit
C:\Users\Admin\Desktop\ShowLimit.tif.480-EF0-086

Filesize
330KB

MD5
ffcbd6d9f20e3c5318555c048a291cf7

SHA1
ca582f593f706dcc9a5765998e3ee77b6332bbb3

SHA256
507955663e2fd24cf98955f49ddf89d940ae4d81db8b7140133012d7d4dccc7d

SHA512
5ba2c9039f2ff638795884bcfa5e045fa6d4fa4f88e167e9ff4b7df501e90d6e998e95fc8b7956a7c0976432dc14470dcbbfc333dff789c854ef93973bf9f113

Download Submit
C:\Users\Admin\Desktop\SkipExit.M2V.480-EF0-086

Filesize
589KB

MD5
9502b14d4b82cfc1cb93b52a0d1fc2cc

SHA1
ceb1d23160bf6343ef5eef4a8317c83f7a2ec947

SHA256
4fef106e5d1c141b7e026857973f4208e5b08931daecaf495866d45ef75dcf50

SHA512
683d39cb59d03c78f7f890f166a7d9917f0328837c2e1f7b5b750ed600bdbbd36afc3086c3df5ce6484e0bc442b85ff1a022e76607d0ad8a551682ef61f427da

Download Submit
C:\Users\Admin\Desktop\StopUse.wmf.480-EF0-086

Filesize
542KB

MD5
d8a592a4f3ea3838b49718fd7215f46d

SHA1
e1029a49d716b3c9818b7940477e61d467e0712a

SHA256
19dbf16ea0869d5200a506754c3e7be3b2399ef841d8471c6b6011da02fcf580

SHA512
ade6e3efc6a7a4f1baabfac0bcc10ae0ad01516d9c4dd5ce26ff1825f8de5d283e7b8341bc166dcc2455fa081b5a1a88ab34849246107fa1515ac779c1c20e9d

Download Submit
C:\Users\Admin\Desktop\SuspendRegister.wdp.480-EF0-086

Filesize
636KB

MD5
7487ccfcf9b72d58212d8f6fd84278b6

SHA1
74938bc29b54580a4901527a782622909e2e6b27

SHA256
ae810708137221a978759e68f6d2fb4992480ef07ee5dc45424dd1c71b5213f5

SHA512
c607b46e48b15c70667d2e3c6e6185cf74ba6fede8681e1e0e95a3b0f8d74ec5decffd0f49fcc911be377febc41ebe00004fa62a715d21986fc13ad778144831

Download Submit
C:\Users\Admin\Desktop\SyncConvertTo.xlsx.480-EF0-086

Filesize
871KB

MD5
10a9e9e01041304d92aa4fb3aae8affa

SHA1
8344afa743ae73dc195ce7a3d0b93b145214db26

SHA256
52ea81b8f180cb2888dc2470706b5195f2cc3ebd2c24ef0befcc0b701a200817

SHA512
32b1d0fdc9280b0f726812c125b835dc976b2d6255447ac06f281200a6f3c2c3390a29bee7ff3055459e38c2b69e8527c8c62e35948f06febcede579f0a1c721

Download Submit
C:\Users\Admin\Desktop\UnregisterStart.m4v.480-EF0-086

Filesize
777KB

MD5
61a44c9f03ce376e6bafa883de8f42a8

SHA1
09b708a922e946192ff4e30dab53d845482b48bf

SHA256
850bf20499db226e31a0f2be802fefa2c879d4fadd0155ff78269af9e821ca15

SHA512
515fe04ecfd4610d3e43d87205c67217af772d683951cc17a5bb9a42c1ec931305b9a0885ef69730332904952239cfd1586524087c287c93e19b20619778205c

Download Submit
C:\Users\Admin\Desktop\UpdateRestore.ram.480-EF0-086

Filesize
706KB

MD5
3d43f6baa9171f09182025f5603f9387

SHA1
8e15718b07cab0fd3ba147d5f6e310623a0a91e0

SHA256
a794d049fecdb7cbdb72ddef9bb5033644df747d76db52dea1561a3c7ef9e5e5

SHA512
aebab77869e5c4caad8b0fcb06f04bb820ae894067fb17fd1c79c21eb8e1c35c7691461aa4b9a8a5dbee11c4a31b0a46741755971a4b16a73b6a17bf832ea68a

Download Submit
C:\Users\Admin\Desktop\UseLimit.jpg.480-EF0-086

Filesize
848KB

MD5
4d103016cbb958c19e73291b10ce2ac4

SHA1
d80fe9f1a97c0754fa46e5e2477010e169d20e8c

SHA256
581461eac8deba94f2e1b879bc8b62e97d22a239a308ecdedf427cde1cdb7d0e

SHA512
68b0fe7ccf0d1d6b034aee63164fe84d6ca291b77195cef8214dc389451b3724fe34de94d94230335c26e29df015694a3e1b89fc4bb54d244ec2fb165e1a84fd

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads