buran | cacd10b8c69270ec77d67d8b4d7fc1081ca247200e650f93a2a6e1b9c1c85e37

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa499836c5e5fae87726b57d63cc554.exe
Size

334KB
MD5

caa499836c5e5fae87726b57d63cc554
SHA1

7a820dd7549516edbf6f333ff2e4b7a21b63da96
SHA256

cacd10b8c69270ec77d67d8b4d7fc1081ca247200e650f93a2a6e1b9c1c85e37
SHA512

e6c8074aa183e407f3054fc07528576379d1980e97f17e7c4c10673c700a0a2af1354eb7484f9b33bebaa7e7fc04a0bcd2831ba6dcaf62da8c461e2672359b10
SSDEEP

6144:igDsJ4kjHjjB0kATn3+65WffjAS0bBU4T3NY20hqYIyse5z:I6kjHjF0dnO6UXjUBPzNNGqJyLt

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 123-8C2-07E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4232-2-0x0000000004000000-0x0000000004037000-memory.dmp	family_zeppelin
behavioral2/memory/4232-3-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/4232-4-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/4232-29-0x0000000004000000-0x0000000004037000-memory.dmp	family_zeppelin
behavioral2/memory/4232-30-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/1952-32-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/1952-48-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/1952-57-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/4344-104-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-175-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/1952-761-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-781-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-1179-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-1423-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-1985-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-2294-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-2853-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-3262-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral2/memory/3192-3950-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (901) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

caa499836c5e5fae87726b57d63cc554.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	caa499836c5e5fae87726b57d63cc554.exe

Executes dropped EXE 3 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exe

pid process

1952 spoolsv.exe
3192 spoolsv.exe
4344 spoolsv.exe

pid	process
1952	spoolsv.exe
3192	spoolsv.exe
4344	spoolsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

caa499836c5e5fae87726b57d63cc554.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	caa499836c5e5fae87726b57d63cc554.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spoolsv.exe

description	ioc	process
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

73 iplogger.org
75 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 geoiptool.com

flow	ioc
73	iplogger.org
75	iplogger.org

flow	ioc
41	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

spoolsv.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\charsets.jar.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	spoolsv.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.WindowsDesktop.App.deps.json.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\README.txt.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	spoolsv.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access	spoolsv.exe
File created	C:\Program Files\Microsoft Office\Office16\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\deployment.config	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\javaws.jar.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\TestConvertTo.vst	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\classlist	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe.payfast.123-8C2-07E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.payfast.123-8C2-07E	spoolsv.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.payfast.123-8C2-07E	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4124	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
3592	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
4660	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
2464	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
2220	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
4976	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
3628	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
4472	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
2068	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
3432	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
3968	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
1824	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
2004	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
4500	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
4664	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
4216	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
4744	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
4164	4232	WerFault.exe	caa499836c5e5fae87726b57d63cc554.exe
2428	1952	WerFault.exe	spoolsv.exe
664	1952	WerFault.exe	spoolsv.exe
1144	1952	WerFault.exe	spoolsv.exe
1200	1952	WerFault.exe	spoolsv.exe
1468	1952	WerFault.exe	spoolsv.exe
3724	1952	WerFault.exe	spoolsv.exe
4632	1952	WerFault.exe	spoolsv.exe
1452	1952	WerFault.exe	spoolsv.exe
4344	1952	WerFault.exe	spoolsv.exe
2208	1952	WerFault.exe	spoolsv.exe
4324	1952	WerFault.exe	spoolsv.exe
1824	1952	WerFault.exe	spoolsv.exe
1204	1952	WerFault.exe	spoolsv.exe
4672	1952	WerFault.exe	spoolsv.exe
4624	1952	WerFault.exe	spoolsv.exe
3924	1952	WerFault.exe	spoolsv.exe
4056	1952	WerFault.exe	spoolsv.exe
1712	3192	WerFault.exe	spoolsv.exe
1732	1952	WerFault.exe	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3264	WMIC.exe
Token: SeSecurityPrivilege	3264	WMIC.exe
Token: SeTakeOwnershipPrivilege	3264	WMIC.exe
Token: SeLoadDriverPrivilege	3264	WMIC.exe
Token: SeSystemProfilePrivilege	3264	WMIC.exe
Token: SeSystemtimePrivilege	3264	WMIC.exe
Token: SeProfSingleProcessPrivilege	3264	WMIC.exe
Token: SeIncBasePriorityPrivilege	3264	WMIC.exe
Token: SeCreatePagefilePrivilege	3264	WMIC.exe
Token: SeBackupPrivilege	3264	WMIC.exe
Token: SeRestorePrivilege	3264	WMIC.exe
Token: SeShutdownPrivilege	3264	WMIC.exe
Token: SeDebugPrivilege	3264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3264	WMIC.exe
Token: SeRemoteShutdownPrivilege	3264	WMIC.exe
Token: SeUndockPrivilege	3264	WMIC.exe
Token: SeManageVolumePrivilege	3264	WMIC.exe
Token: 33	3264	WMIC.exe
Token: 34	3264	WMIC.exe
Token: 35	3264	WMIC.exe
Token: 36	3264	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3264	WMIC.exe
Token: SeSecurityPrivilege	3264	WMIC.exe
Token: SeTakeOwnershipPrivilege	3264	WMIC.exe
Token: SeLoadDriverPrivilege	3264	WMIC.exe
Token: SeSystemProfilePrivilege	3264	WMIC.exe
Token: SeSystemtimePrivilege	3264	WMIC.exe
Token: SeProfSingleProcessPrivilege	3264	WMIC.exe
Token: SeIncBasePriorityPrivilege	3264	WMIC.exe
Token: SeCreatePagefilePrivilege	3264	WMIC.exe
Token: SeBackupPrivilege	3264	WMIC.exe
Token: SeRestorePrivilege	3264	WMIC.exe
Token: SeShutdownPrivilege	3264	WMIC.exe
Token: SeDebugPrivilege	3264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3264	WMIC.exe
Token: SeRemoteShutdownPrivilege	3264	WMIC.exe
Token: SeUndockPrivilege	3264	WMIC.exe
Token: SeManageVolumePrivilege	3264	WMIC.exe
Token: 33	3264	WMIC.exe
Token: 34	3264	WMIC.exe
Token: 35	3264	WMIC.exe
Token: 36	3264	WMIC.exe
Token: SeBackupPrivilege	1916	vssvc.exe
Token: SeRestorePrivilege	1916	vssvc.exe
Token: SeAuditPrivilege	1916	vssvc.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

caa499836c5e5fae87726b57d63cc554.exespoolsv.execmd.exe

description	pid	process	target process
PID 4232 wrote to memory of 1952	4232	caa499836c5e5fae87726b57d63cc554.exe	spoolsv.exe
PID 4232 wrote to memory of 1952	4232	caa499836c5e5fae87726b57d63cc554.exe	spoolsv.exe
PID 4232 wrote to memory of 1952	4232	caa499836c5e5fae87726b57d63cc554.exe	spoolsv.exe
PID 1952 wrote to memory of 1452	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 1452	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 1452	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 1604	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 1604	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 1604	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 3304	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 3304	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 3304	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 1312	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 1312	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 1312	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 4964	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 4964	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 4964	1952	spoolsv.exe	cmd.exe
PID 1952 wrote to memory of 3192	1952	spoolsv.exe	spoolsv.exe
PID 1952 wrote to memory of 3192	1952	spoolsv.exe	spoolsv.exe
PID 1952 wrote to memory of 3192	1952	spoolsv.exe	spoolsv.exe
PID 1952 wrote to memory of 4344	1952	spoolsv.exe	spoolsv.exe
PID 1952 wrote to memory of 4344	1952	spoolsv.exe	spoolsv.exe
PID 1952 wrote to memory of 4344	1952	spoolsv.exe	spoolsv.exe
PID 1452 wrote to memory of 3264	1452	cmd.exe	WMIC.exe
PID 1452 wrote to memory of 3264	1452	cmd.exe	WMIC.exe
PID 1452 wrote to memory of 3264	1452	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\caa499836c5e5fae87726b57d63cc554.exe
"C:\Users\Admin\AppData\Local\Temp\caa499836c5e5fae87726b57d63cc554.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 784
  2⤵
  - Program crash
  PID:4124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 792
  2⤵
  - Program crash
  PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 792
  2⤵
  - Program crash
  PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 884
  2⤵
  - Program crash
  PID:2464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 864
  2⤵
  - Program crash
  PID:2220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1032
  2⤵
  - Program crash
  PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1364
  2⤵
  - Program crash
  PID:3628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1384
  2⤵
  - Program crash
  PID:4472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1580
  2⤵
  - Program crash
  PID:2068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1800
  2⤵
  - Program crash
  PID:3432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1612
  2⤵
  - Program crash
  PID:3968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1676
  2⤵
  - Program crash
  PID:1824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1664
  2⤵
  - Program crash
  PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1828
  2⤵
  - Program crash
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1808
  2⤵
  - Program crash
  PID:4664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1396
  2⤵
  - Program crash
  PID:4216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1988
  2⤵
  - Program crash
  PID:4744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1816
  2⤵
  - Program crash
  PID:4164
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 784
    3⤵
    - Program crash
    PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 792
    3⤵
    - Program crash
    PID:664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 856
    3⤵
    - Program crash
    PID:1144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 864
    3⤵
    - Program crash
    PID:1200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1000
    3⤵
    - Program crash
    PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1056
    3⤵
    - Program crash
    PID:3724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1372
    3⤵
    - Program crash
    PID:4632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1576
    3⤵
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1584
    3⤵
    - Program crash
    PID:4344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1676
    3⤵
    - Program crash
    PID:2208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1708
    3⤵
    - Program crash
    PID:4324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1676
    3⤵
    - Program crash
    PID:1824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1716
    3⤵
    - Program crash
    PID:1204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1552
    3⤵
    - Program crash
    PID:4672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1752
    3⤵
    - Program crash
    PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1912
    3⤵
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 732
      4⤵
      Program crash
      PID:1712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:4344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1696
    3⤵
    - Program crash
    PID:4056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1692
    3⤵
    - Program crash
    PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4232 -ip 4232
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4232 -ip 4232
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4232 -ip 4232
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4232 -ip 4232
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4232 -ip 4232
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4232 -ip 4232
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4232 -ip 4232
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4232 -ip 4232
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4232 -ip 4232
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4232 -ip 4232
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4232 -ip 4232
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4232 -ip 4232
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4232 -ip 4232
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4232 -ip 4232
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4232 -ip 4232
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4232 -ip 4232
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4232 -ip 4232
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4232 -ip 4232
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1952 -ip 1952
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1952 -ip 1952
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1952 -ip 1952
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1952 -ip 1952
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1952 -ip 1952
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1952 -ip 1952
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1952 -ip 1952
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1952 -ip 1952
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1952 -ip 1952
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1952 -ip 1952
1⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1952 -ip 1952
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1952 -ip 1952
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1952 -ip 1952
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1952 -ip 1952
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1952 -ip 1952
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1952 -ip 1952
1⤵
PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1952 -ip 1952
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3192 -ip 3192
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1952 -ip 1952
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
1KB

MD5
4a0e8f9f75fe9aeaeba8f8598d9d066a

SHA1
06166e7bbe8781aca3d0bbec134a41a339bea5ef

SHA256
9882028c38ec011df3001b6069f9fa986ad701422e8925d60ee3aab5e6203577

SHA512
751f4bc38ca5a27d0afba9abc7f36c1cb0df3686af78d493629abb5c82fca58659f79b52915ecdd7e68df53973756d423634687a323e0a7c021b4c2447f79098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
08a3de8e492e12daa1e3b6adeb0b3d1b

SHA1
b91c2ab96f1effba2ce5a68f33ff38e2e566ce1e

SHA256
c025e0215267f0ef77cd57de05b4fde9efb229b96ff66587c54cafa01da0cc1e

SHA512
61bbc0333a2cf588fcd33237c7ab28d8296a6cf4680ded12ddd7496528943a40b9efd5a41da71d99ee0b5c9b9749ed20229393a1ad9cd617561b879158f7c3f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
77b3b243a29ee9dc864fec17d47d089d

SHA1
b2de992b923ad49b3234b419af6500c47c55d80e

SHA256
8a0cc0651648a2da4c223bdb24df2e708d86217f5d4e3679545ccc2dd04dc48c

SHA512
73e9b65f54a7ed38103585c6bd67d724e47f90d5718d0026c9b7205eaf81233e515be5f8a03d31e23e22fea04547e349e92e9f2dcd3ab08c104654d57d1be733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
169257ee1dae792fa516b7ee24fdbf6d

SHA1
749debd32071e052889110b6e2672ed0f7a0239f

SHA256
5c2d0b615f51c090e6afa909d6612573b902d06582db619452d6443463e9ab45

SHA512
ee0e15925c925452250c6d3a3a06c330257411d12708c98ed7ecee74792e977bb103f3572e1e585648fdd57865ef0718e601d63a70d8605fafecf1f4d4c2a16b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
9ce9cb6e1cf9eb44da46c43e814a578f

SHA1
2a5e79471d85f3896bee4b1f9bea0d12e09d067a

SHA256
6d23359d5538388ab588d57bf7e8ef4ea2a0ecc389301df872f741d98f6530a8

SHA512
070346fd61971045003dfdf6057f0915a74f64f20867cbaa19a7f6acb7dc9e2e62f416e86c923e6192d65fb2b52727bab368e1452bd0ee37160a85f69ee52e60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
d2694cad22535c696b75eb254f4ee95d

SHA1
77ab8e0a97ced561599880df4168fcea756cfe68

SHA256
a76606c05094c5e892d61715c14ef4f1b8633236609ad2078a50bb77594e2f9f

SHA512
64ad472ee13c93606aa5b106ce2cda6a71aef2b64e155df8f3003346de04a65d0aa71dba5af1db87bad0d4f5f26dadc43bc2923bc3d1bfcb98d4154d6116d987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
f8ce1b31ae82b50d39ac431910409499

SHA1
3dc068f7583834b7a358819ced719a2415ccbeca

SHA256
77e7431d3fc43c783f4e28e0417e983f42c6245f1671874cf28bf8e7c0b43298

SHA512
fa678532054472f20a34e0d43d9fced27780e47a96a55418a928577ee8a6cf3588dba17e64410152f4be78a22c7cee35a2685b01178ca585a6efa0c4d3b74160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\IKUQ4VRC.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\DWAOZK9P.htm

Filesize
18KB

MD5
d86c179bcfbd66e883f47019ea1ca200

SHA1
c63ad8a4b2a4c3e5408225a1231e25ec44d65eb8

SHA256
b465036b723ca3a35874e6eb4a2560140a2a9364ecc53b2dc7c0f1b59d216bea

SHA512
d9136ce45ba1210a717199f6f9292a656ef0fa86674c168a9be09c7ae2aab25c247bc417d1bf24c11fc403becc0da50805a61f0731c358c596a0780ffe986d8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
334KB

MD5
caa499836c5e5fae87726b57d63cc554

SHA1
7a820dd7549516edbf6f333ff2e4b7a21b63da96

SHA256
cacd10b8c69270ec77d67d8b4d7fc1081ca247200e650f93a2a6e1b9c1c85e37

SHA512
e6c8074aa183e407f3054fc07528576379d1980e97f17e7c4c10673c700a0a2af1354eb7484f9b33bebaa7e7fc04a0bcd2831ba6dcaf62da8c461e2672359b10

Download Submit
C:\odt\.Zeppelin

Filesize
513B

MD5
3500e12e6042b08a719fc254b8d4b5a7

SHA1
c40897902d66861587afbbb129cd27817d06c2cb

SHA256
55c8fb194089135ca59bcbaa227d3b1ed7d60cf8cf643378779aa63302cf982a

SHA512
ed0f692ba5d2f25298e5e08c5dbd39c081b074683326c1cbfb3e5558fb9ce898c33364896c0842b3ed1529c6074c35aa238facdc8bcea0ff997408feb712540b

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
f267ad4582d28d947a3a9f1829ce90a4

SHA1
e73599e2a4f51dbc5d260170ade7adb833a95efa

SHA256
78f9c001b14f8a4fb330b53a3689e54c032654e3dcf2bc6f432531625adcc897

SHA512
61e5f7a96ec7ed081e0a690878cc4c15054a9d4fdfa559ec229bd8e356b3e7a7200043ac7bb515538de3da2ea63985d6dce693fe77580738b8f5cfff751c86bb

Download Submit
memory/1952-48-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/1952-57-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/1952-31-0x00000000023F0000-0x00000000024F0000-memory.dmp

Filesize
1024KB

Download
memory/1952-32-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/1952-761-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/1952-59-0x00000000023F0000-0x00000000024F0000-memory.dmp

Filesize
1024KB

Download
memory/3192-1423-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/3192-781-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/3192-3950-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/3192-3262-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/3192-2853-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/3192-2294-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/3192-1985-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/3192-1179-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/3192-189-0x0000000002580000-0x0000000002680000-memory.dmp

Filesize
1024KB

Download
memory/3192-175-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/4232-3-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/4232-29-0x0000000004000000-0x0000000004037000-memory.dmp

Filesize
220KB

Download
memory/4232-30-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/4232-2-0x0000000004000000-0x0000000004037000-memory.dmp

Filesize
220KB

Download
memory/4232-1-0x0000000002490000-0x0000000002590000-memory.dmp

Filesize
1024KB

Download
memory/4232-4-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/4232-16-0x0000000002490000-0x0000000002590000-memory.dmp

Filesize
1024KB

Download
memory/4344-104-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/4344-66-0x00000000024E0000-0x00000000025E0000-memory.dmp

Filesize
1024KB

Download
memory/4344-3290-0x00000000024E0000-0x00000000025E0000-memory.dmp

Filesize
1024KB

Download