buran | 7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e

Analysis

max time kernel
97s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-01-2023 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

211KB
MD5

511e849a593b7787b1387b56f12d8c05
SHA1

6c830eed04570ba8f8873cba3f61ca568f7b9535
SHA256

7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e
SHA512

3d803144229fd7e63e971d0bd617fb96eaf2a1e802ad36dc2eac3fe809b351f68d07f4b81ebd24b9367e72b9d5e91a655a07acfd430ee631e226def7ff987fe6
SSDEEP

6144:Bia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+Q+:BIMH06cID84DQFu/U3buRKlemZ9DnGAI

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 199-5E8-47B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000d0000000054a8-55.dat	family_zeppelin
behavioral1/files/0x000d0000000054a8-56.dat	family_zeppelin
behavioral1/files/0x000d0000000054a8-58.dat	family_zeppelin
behavioral1/files/0x000d0000000054a8-62.dat	family_zeppelin
behavioral1/files/0x000d0000000054a8-64.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Executes dropped EXE 2 IoCs

Processes:

smss.exesmss.exe

pid	Process
1064	smss.exe
2016	smss.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

smss.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RemoveWrite.tiff	smss.exe
File opened for modification	C:\Users\Admin\Pictures\SearchWatch.tiff	smss.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1968	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

1.exe

pid	Process
880	1.exe
880	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	Process
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\Q:	smss.exe

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00086_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.XML	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveLetter.dotx	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00559_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02067_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_hyperlink.gif.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02886_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\TOC98.POC	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240175.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01152_.WMF.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02431_.WMF.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305493.WMF.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01167_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Groove Starter Template.xsn.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL106.XML	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Trek.thmx.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222019.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105384.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_ON.GIF.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.PH.XML	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL083.XML	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif.199-5E8-47B	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.TW.XML	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBREF.XML	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1.exesmss.exe

description	pid	Process
Token: SeDebugPrivilege	880	1.exe
Token: SeDebugPrivilege	880	1.exe
Token: SeDebugPrivilege	1064	smss.exe
Token: SeDebugPrivilege	1064	smss.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

1.exesmss.exe

description	pid	Process	procid_target
PID 880 wrote to memory of 1064	880	1.exe	27
PID 880 wrote to memory of 1064	880	1.exe	27
PID 880 wrote to memory of 1064	880	1.exe	27
PID 880 wrote to memory of 1064	880	1.exe	27
PID 880 wrote to memory of 1968	880	1.exe	28
PID 880 wrote to memory of 1968	880	1.exe	28
PID 880 wrote to memory of 1968	880	1.exe	28
PID 880 wrote to memory of 1968	880	1.exe	28
PID 880 wrote to memory of 1968	880	1.exe	28
PID 880 wrote to memory of 1968	880	1.exe	28
PID 880 wrote to memory of 1968	880	1.exe	28
PID 1064 wrote to memory of 2016	1064	smss.exe	29
PID 1064 wrote to memory of 2016	1064	smss.exe	29
PID 1064 wrote to memory of 2016	1064	smss.exe	29
PID 1064 wrote to memory of 2016	1064	smss.exe	29
PID 1064 wrote to memory of 1292	1064	smss.exe	30
PID 1064 wrote to memory of 1292	1064	smss.exe	30
PID 1064 wrote to memory of 1292	1064	smss.exe	30
PID 1064 wrote to memory of 1292	1064	smss.exe	30
PID 1064 wrote to memory of 1292	1064	smss.exe	30
PID 1064 wrote to memory of 1292	1064	smss.exe	30
PID 1064 wrote to memory of 1292	1064	smss.exe	30

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    PID:2016
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1292
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
511e849a593b7787b1387b56f12d8c05

SHA1
6c830eed04570ba8f8873cba3f61ca568f7b9535

SHA256
7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e

SHA512
3d803144229fd7e63e971d0bd617fb96eaf2a1e802ad36dc2eac3fe809b351f68d07f4b81ebd24b9367e72b9d5e91a655a07acfd430ee631e226def7ff987fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
511e849a593b7787b1387b56f12d8c05

SHA1
6c830eed04570ba8f8873cba3f61ca568f7b9535

SHA256
7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e

SHA512
3d803144229fd7e63e971d0bd617fb96eaf2a1e802ad36dc2eac3fe809b351f68d07f4b81ebd24b9367e72b9d5e91a655a07acfd430ee631e226def7ff987fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
511e849a593b7787b1387b56f12d8c05

SHA1
6c830eed04570ba8f8873cba3f61ca568f7b9535

SHA256
7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e

SHA512
3d803144229fd7e63e971d0bd617fb96eaf2a1e802ad36dc2eac3fe809b351f68d07f4b81ebd24b9367e72b9d5e91a655a07acfd430ee631e226def7ff987fe6

Download Submit
C:\Users\Admin\Desktop\BlockMeasure.scf.199-5E8-47B

Filesize
657KB

MD5
2189ae9e97f0380050ce463d6cb83296

SHA1
f89d31fdf01e9fdf27109cb5b5af1c3faedca855

SHA256
fd0664d783eaa10aa34168b6c47f0a446e7760fb19f585d64d58130dbf0ea7d9

SHA512
302975c3148f8fd7883e6d735dbf48c4db428c8ff8b66fdfdf1c9998838ae3d910bb82383b37806e85c074d23ae286b92b942eb30e4cf8d139e14127bb927f9b

Download Submit
C:\Users\Admin\Desktop\CheckpointResume.dxf.199-5E8-47B

Filesize
297KB

MD5
ff5080807811e19eeb7404fc4aec230c

SHA1
8f76e4f7bf91eb664f65ecd46513432b4faf8587

SHA256
7594f73e9e9899b3dcf710d2f4702ca1148236e0b0afc52e1aa673f265664784

SHA512
cbb79414d48e52e5a70284fff54f7d78bd4e44bfcfee34a9940d1a44f297f8f9bfec78d526513c9fa966488e078fd56d73a7973c8a6015542083ffded2b89ea8

Download Submit
C:\Users\Admin\Desktop\ExitNew.js.199-5E8-47B

Filesize
255KB

MD5
4faa946aeb8a78db2c650bae5797994b

SHA1
82953f68ea77f6c4c9e741cd4e71725e7614a498

SHA256
416778a8af2d13e807e645363231b7b9c1d711fbb906a54dba8a3e3d6b46e030

SHA512
fea9f5df1a7a90e8f7b6da291fba2e217d811a54c608bf1459798d25a4c48edf75710278099afe7d07ca96b60b35793afd761af0dc7d235c4262bb77ef3ba0e5

Download Submit
C:\Users\Admin\Desktop\FormatEnter.inf.199-5E8-47B

Filesize
509KB

MD5
5c574e0c6758f842569530165b402391

SHA1
043126f327e743b188015c3cc5cf1e2294b71054

SHA256
8540b5049b86fd918a2e856c2be9ca463bb3df4af69153071563f2b04fcdb8c4

SHA512
9398262c036bc98853358c979f23c0c19022de0f47659242af44086c6e2cd18e2832dcfe5ef2a97fb3c8b6efd3a87d0cac1a3b180bc809f743ee8302b8330c5e

Download Submit
C:\Users\Admin\Desktop\ImportClear.jfif.199-5E8-47B

Filesize
488KB

MD5
322fc524ffa9141941d49c079df0921a

SHA1
916493540c4a0a2c9e980d1bb2d880d679e062d4

SHA256
7dd3ec828222c5f74c5d0337060068d669139a8a31073951a00b18690a184f11

SHA512
2ca7de7f1aa66a449546b74bbe286e861d523e02918a196584cdf51220c64e125f72ed18d9e064351c4716ce34996753ee8558391b5869fc54c72129b0abdcb6

Download Submit
C:\Users\Admin\Desktop\JoinApprove.contact.199-5E8-47B

Filesize
530KB

MD5
cf21a542a634ba9b046b7eb8e8de85c1

SHA1
6a794f64b1bc7c9697ddee3d0cbbbd542db708d4

SHA256
5a2ca7ca05ccec86f459a455c694dc815f912e7e2b3686f8c8b14d5f0bd16bc7

SHA512
776b6d26dd19edf1f804890323a5eb73ee32fbdb366b6308a6afa5686da29d0fb6cc619d9ec94a963437fa274baf27552079b43fb565064da2e0213b84b72d23

Download Submit
C:\Users\Admin\Desktop\MeasureSkip.xhtml.199-5E8-47B

Filesize
615KB

MD5
f9b668c8d3abb5dae1f8e0e325ac14df

SHA1
f2190e865994f7ad9a27897dde17b09baed43ca0

SHA256
a0df00cb21d818ee09488b75331591119c0db866421023619a8d8e0219035787

SHA512
c46329b53aad186d07e1c68ad25dc5bc059b9af337c7bf58b4af71fc1660f002a72ac160dd0611c7a996d8f78bc34ccd487f3a1aa4b566a0210a600b1d238e69

Download Submit
C:\Users\Admin\Desktop\NewLock.mpe.199-5E8-47B

Filesize
911KB

MD5
c22c4764346c18c64308ef1ba7752104

SHA1
be7a1e771e8394bcc65754557d7ac3627d75afc2

SHA256
11687562be9769d6e1b89ae9747838313d29d397be2307a312331c702cd1e899

SHA512
07db4b0276ff3f72337170a603678a295ab197f5418a1171d056a5f849e326d14e03cd3ce1fed9a466932b573c97b92d1cd727adc1380b3f26a65dce06c997e6

Download Submit
C:\Users\Admin\Desktop\NewUnlock.7z.199-5E8-47B

Filesize
234KB

MD5
e6b673215e614829d07e7e24c808c304

SHA1
53c956bbe326a4106f11f49a492ad139ab4088ad

SHA256
6e91b3e7b42092dc29d57dd54fa9735f0cbc935f5d53f31eb5e4810b30f3ecb4

SHA512
fee55b86d3967c564b21a075f75b088be741e0fd62c4666cee5f0acf47694dcaea4005ca75182bf11d3cd53cb5de26dd9d1a46990f3b17da8b738a5db29d0f5f

Download Submit
C:\Users\Admin\Desktop\OpenPush.au.199-5E8-47B

Filesize
361KB

MD5
372a23e38512834bb91344d7e583087f

SHA1
9f3f6996fb6c2bda6747685d0b3856f70f86aa28

SHA256
bf7a338a227c2b2f6fd14f14f71ef6ba13ca2e7636e09b9717ad3d9567831d86

SHA512
6a19ecf8e3e88348ad554c9b3c89de89906ea43488929f3eb52a60bd21d2fbe5c200579cf50472113a773a0a839d50c39575b7c8c9ee997e627d4d6723fb5859

Download Submit
C:\Users\Admin\Desktop\ReadDismount.xlsx.199-5E8-47B

Filesize
424KB

MD5
c469d7c0f723bdd785d068c9d43646bd

SHA1
9de528197bd292dc3de9e4e5fc9960b333d84f74

SHA256
9670ee3f454de1bae9f06198bba2beb08e127db99a0b68bb86b48f48af0a32c5

SHA512
234f49f06f9c3be45d17de67928d41bc35a428b6d54e9fdb1f48d7c366fd3527a96ca3570c8603bb079f3eadfc590f4cbb0ac355ddeb9fc7fe366d33e65c7a71

Download Submit
C:\Users\Admin\Desktop\RemoveGet.tiff.199-5E8-47B

Filesize
594KB

MD5
f78c3b106237574919cb46a427168836

SHA1
d7a9798d5b06ee51c1b91dc630967c7c73b85313

SHA256
0fc5e2978e341aa990d3e8f88cb7f4fac5b75b955ec5f3b11f6c7a515aec93df

SHA512
1816f981f428603041c0d29aaad8cfcab799ed16c5e4a57cedc61e866bba3cf9e1685b5d492dc1e711a9b7fe183f1bb08c6a09e91780cb3f0186b02480492dd7

Download Submit
C:\Users\Admin\Desktop\RenameInstall.emf.199-5E8-47B

Filesize
551KB

MD5
1d10f5960536b70a18e90e8bd29ac808

SHA1
2e16e81f609f2feaad70590bd022c809f2d0c97b

SHA256
73b567e2a896df3002a3aa43e078c433ba68516126a9da02db23c656e8b4c1c8

SHA512
22f6db15fbd3d5823f933d0aa164eb23daf789a463ec6dfdc5b198bc33769a43f2b513ff8ad95b68839987f1a61602a0bac49c4fdc8cdd39b461dc1412de1549

Download Submit
C:\Users\Admin\Desktop\RenameUse.bmp.199-5E8-47B

Filesize
445KB

MD5
52af854ba79bad1a1b3fc4c6d54b379e

SHA1
65515366b4592655c74b0674067885bd4e50de11

SHA256
3213845d4e05157ed9c957cbd1f5f9a20acec5f195a1c71968d2e4fd0a207257

SHA512
0ed20aaa8084dcc6cb427ddd2017cc67c5e55e337e16ec7e10332765b120dfc63fa498d0740bae87404f120eefae2d3e972467d04bc1cc22978ab7091e523c20

Download Submit
C:\Users\Admin\Desktop\RestartMove.shtml.199-5E8-47B

Filesize
467KB

MD5
838cc392c2f1483198f6e3abe6049f40

SHA1
1a04393c4346cd00ce62e1b6996867f660558755

SHA256
6567ce6bd497ab20a2704d6c54238fddffaaf5faa6107cb7b687e6795347143d

SHA512
b7dcdd0dc10485a469781d7bfaa72e031bd63ff327f7e1167e6ab2dc9a0007d415b266e6a9b31aceee46f438fad2035f7c8443046a0993ca9db9ff5f25fd7b88

Download Submit
C:\Users\Admin\Desktop\SaveShow.lock.199-5E8-47B

Filesize
276KB

MD5
8dfc0a4b101432c228b2cd531c79a362

SHA1
4231d861ec629dd950ab99661c21e06745331400

SHA256
42969991a467df63a26bbfc0592bff1b78b4e66365257396c21a6c4fecd3148a

SHA512
2e7a2b80c4189c0214529452d2c1ece8467565d556dbc662b5bf91091108dd4d60ed166cdf1c287f9c85213374b9b041c487664f8aee2afdad286b69b8cfdd2b

Download Submit
C:\Users\Admin\Desktop\SelectShow.tmp.199-5E8-47B

Filesize
382KB

MD5
1662e16e457c53fc3f079bb257d50350

SHA1
98294a31818a31bd13366ccb70c095c38d545b9a

SHA256
ae206ea432f791b2466f2a29e524b9a3477ebc5f1899bbbedd5d127b2790578a

SHA512
5fb4680613fb27bdeb4ef494a378d4a24e2168ff17b1f1b60676db64e480e2970220af4786e01e793e6c4442bda8f587665b3cb9481bc26791427bd4371854a1

Download Submit
C:\Users\Admin\Desktop\SendSelect.mpeg3.199-5E8-47B

Filesize
403KB

MD5
d7e5bb6944ccd8ea286eed6009788cc7

SHA1
1b0335621ede453af620786900c4134cd3fc4e02

SHA256
dd937e66260036644420e49526d923d376790b36b9ddc575c2e428eb269b245e

SHA512
696fb0b2a7678d6274a53502de57359eb6330caadc7a2de5986cd6d59d72f97990e4adfe1cb365394d464e1cedf634c05620d4baa5320721ce805d380acc00de

Download Submit
C:\Users\Admin\Desktop\SkipUnpublish.xsl.199-5E8-47B

Filesize
636KB

MD5
f0354bfd71be3a54c20be03fbc72c90d

SHA1
b0530fbbf495757567e90adb68513ebd17177dc8

SHA256
2ac6fd9c98381eea256280b48d6ab9825ab8679b3b99b6fa6913a1ef387c72ea

SHA512
dda2a11fc6c85acaaf61cd89f60cc590a142e1c7aea923096433c638375c864edb04e10fc71d4a5e3e5646bbbec43b9db93f1a0814a0df467052a0121e9d12cc

Download Submit
C:\Users\Admin\Desktop\StopImport.ps1.199-5E8-47B

Filesize
572KB

MD5
c2955091013a9017bdd2ad138e3a1f58

SHA1
3e4792939f2b78f99fc2819e576180b343f38965

SHA256
11ebde96c8d51f3f66742c0740c129d676bc23ac9e743dac133ff7804493060b

SHA512
eb3e1a88297c965ca16401cad77aceea028c877aa3b62acf320d2a190562b20e86617fcf9069bea6745db0e2669493a2b4af99fe4d6bc3e2be73fbbad8baa070

Download Submit
C:\Users\Admin\Desktop\UnblockClose.odp.199-5E8-47B

Filesize
319KB

MD5
de9c05ddba27d2afe4cd55713540544e

SHA1
515c0eacd6ae1ce3166337b2776c3d0819d21ecd

SHA256
200eb67252238e0ab5e76a99b25d560a5bc796899c3cca114fad1485ce9cb262

SHA512
0f579f1b3441e3f26c4f41d33d1a1b135916bc5c5a3390c6975574ef07aa8d4f7c05f746d4b1002040804da1d91f3529958a1383a584678b3ab7ca75d0ef374b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
511e849a593b7787b1387b56f12d8c05

SHA1
6c830eed04570ba8f8873cba3f61ca568f7b9535

SHA256
7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e

SHA512
3d803144229fd7e63e971d0bd617fb96eaf2a1e802ad36dc2eac3fe809b351f68d07f4b81ebd24b9367e72b9d5e91a655a07acfd430ee631e226def7ff987fe6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
511e849a593b7787b1387b56f12d8c05

SHA1
6c830eed04570ba8f8873cba3f61ca568f7b9535

SHA256
7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e

SHA512
3d803144229fd7e63e971d0bd617fb96eaf2a1e802ad36dc2eac3fe809b351f68d07f4b81ebd24b9367e72b9d5e91a655a07acfd430ee631e226def7ff987fe6

Download Submit
memory/880-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1064-57-0x0000000000000000-mapping.dmp

Download
memory/1292-87-0x0000000000000000-mapping.dmp

Download
memory/1968-60-0x0000000000000000-mapping.dmp

Download
memory/2016-63-0x0000000000000000-mapping.dmp

Download