buran | 9303d30aa5e5468492f198074da31f39485f03d09c0e958199c2eb78ec4d9a47

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-04-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e05acea94e72eacc59d3180543957e5c_JaffaCakes118.exe
Size

293KB
MD5

e05acea94e72eacc59d3180543957e5c
SHA1

633393001e83b72785fce0aebbe1f3290b26c27a
SHA256

9303d30aa5e5468492f198074da31f39485f03d09c0e958199c2eb78ec4d9a47
SHA512

e870dc844740e660da6329ee2b598003621fe7bec9227f49c88b697536a0e1ff4b35de125190672fcdbe9f7fdc3afa48b325149376283e2a45887841ff66f118
SSDEEP

6144:Ll0eMClIYaiZk9H3/r7q4egW1iKR4sR1mvNcJ92NgmDz5br1vIHzG:h/DlIYYrpSnR4sbmvNxgm5brVIHzG

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Telegram @payransom500 Btc 500$ adress bc1qas8m3c2jv4uyurxacdt99ujj6gp6xt4tqeul8l Your personal ID: 1A6-721-ADF Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-4-0x0000000000910000-0x000000000094E000-memory.dmp	family_zeppelin
C:\ProgramData\pay.exe	family_zeppelin
behavioral1/memory/2496-111-0x00000000002C0000-0x0000000000401000-memory.dmp	family_zeppelin
behavioral1/memory/876-198-0x0000000000A00000-0x0000000000B41000-memory.dmp	family_zeppelin
behavioral1/memory/2452-4919-0x0000000000A00000-0x0000000000B41000-memory.dmp	family_zeppelin
behavioral1/memory/1704-11953-0x0000000000A00000-0x0000000000B41000-memory.dmp	family_zeppelin
behavioral1/memory/1704-22100-0x0000000000A00000-0x0000000000B41000-memory.dmp	family_zeppelin
behavioral1/memory/1704-29673-0x0000000000A00000-0x0000000000B41000-memory.dmp	family_zeppelin
behavioral1/memory/1704-30543-0x0000000000A00000-0x0000000000B41000-memory.dmp	family_zeppelin
behavioral1/memory/2452-30577-0x0000000000A00000-0x0000000000B41000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7359) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 4 IoCs

Processes:

pay.exetaskeng.exetaskeng.exetaskeng.exe

pid process

2496 pay.exe
2452 taskeng.exe
1704 taskeng.exe
876 taskeng.exe
Loads dropped DLL 2 IoCs

Processes:

pay.exe

pid process

2496 pay.exe
2496 pay.exe

pid	process
2496	pay.exe
2452	taskeng.exe
1704	taskeng.exe
876	taskeng.exe

pid	process
2496	pay.exe
2496	pay.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pay.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	pay.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 iplogger.org
19 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com

flow	ioc
17	iplogger.org
19	iplogger.org

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.@payransom500.1A6-721-ADF	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV.HXS	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\[email protected]	taskeng.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar	taskeng.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05710_.WMF	taskeng.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OutSyncPC.ico	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\[email protected]	taskeng.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.SE.XML	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.@payransom500.1A6-721-ADF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd.@payransom500.1A6-721-ADF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMARQ.XML	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR36F.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.@payransom500.1A6-721-ADF	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00956_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\[email protected]	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe

Drops file in Windows directory 1 IoCs

Processes:

taskeng.exe

description ioc process

File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT taskeng.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2148 vssadmin.exe
628 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe

pid	process
2148	vssadmin.exe
628	vssadmin.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

taskeng.exepay.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskeng.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pay.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2496	pay.exe
Token: SeDebugPrivilege	2496	pay.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemProfilePrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeProfSingleProcessPrivilege	1740	WMIC.exe
Token: SeIncBasePriorityPrivilege	1740	WMIC.exe
Token: SeCreatePagefilePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeDebugPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeRemoteShutdownPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: 33	1740	WMIC.exe
Token: 34	1740	WMIC.exe
Token: 35	1740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	708	WMIC.exe
Token: SeSecurityPrivilege	708	WMIC.exe
Token: SeTakeOwnershipPrivilege	708	WMIC.exe
Token: SeLoadDriverPrivilege	708	WMIC.exe
Token: SeSystemProfilePrivilege	708	WMIC.exe
Token: SeSystemtimePrivilege	708	WMIC.exe
Token: SeProfSingleProcessPrivilege	708	WMIC.exe
Token: SeIncBasePriorityPrivilege	708	WMIC.exe
Token: SeCreatePagefilePrivilege	708	WMIC.exe
Token: SeBackupPrivilege	708	WMIC.exe
Token: SeRestorePrivilege	708	WMIC.exe
Token: SeShutdownPrivilege	708	WMIC.exe
Token: SeDebugPrivilege	708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	708	WMIC.exe
Token: SeRemoteShutdownPrivilege	708	WMIC.exe
Token: SeUndockPrivilege	708	WMIC.exe
Token: SeManageVolumePrivilege	708	WMIC.exe
Token: 33	708	WMIC.exe
Token: 34	708	WMIC.exe
Token: 35	708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemProfilePrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeProfSingleProcessPrivilege	1740	WMIC.exe
Token: SeIncBasePriorityPrivilege	1740	WMIC.exe
Token: SeCreatePagefilePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeDebugPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeRemoteShutdownPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: 33	1740	WMIC.exe
Token: 34	1740	WMIC.exe
Token: 35	1740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	708	WMIC.exe
Token: SeSecurityPrivilege	708	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e05acea94e72eacc59d3180543957e5c_JaffaCakes118.exepay.exetaskeng.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2172 wrote to memory of 2496	2172	e05acea94e72eacc59d3180543957e5c_JaffaCakes118.exe	pay.exe
PID 2172 wrote to memory of 2496	2172	e05acea94e72eacc59d3180543957e5c_JaffaCakes118.exe	pay.exe
PID 2172 wrote to memory of 2496	2172	e05acea94e72eacc59d3180543957e5c_JaffaCakes118.exe	pay.exe
PID 2172 wrote to memory of 2496	2172	e05acea94e72eacc59d3180543957e5c_JaffaCakes118.exe	pay.exe
PID 2496 wrote to memory of 2452	2496	pay.exe	taskeng.exe
PID 2496 wrote to memory of 2452	2496	pay.exe	taskeng.exe
PID 2496 wrote to memory of 2452	2496	pay.exe	taskeng.exe
PID 2496 wrote to memory of 2452	2496	pay.exe	taskeng.exe
PID 2496 wrote to memory of 1628	2496	pay.exe	notepad.exe
PID 2496 wrote to memory of 1628	2496	pay.exe	notepad.exe
PID 2496 wrote to memory of 1628	2496	pay.exe	notepad.exe
PID 2496 wrote to memory of 1628	2496	pay.exe	notepad.exe
PID 2496 wrote to memory of 1628	2496	pay.exe	notepad.exe
PID 2496 wrote to memory of 1628	2496	pay.exe	notepad.exe
PID 2496 wrote to memory of 1628	2496	pay.exe	notepad.exe
PID 2452 wrote to memory of 1720	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1720	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1720	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1720	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1092	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1092	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1092	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1092	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 988	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 988	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 988	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 988	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1620	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1620	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1620	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1620	2452	taskeng.exe	cmd.exe
PID 1720 wrote to memory of 708	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 708	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 708	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 708	1720	cmd.exe	WMIC.exe
PID 2452 wrote to memory of 2244	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 2244	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 2244	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 2244	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 836	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 836	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 836	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 836	2452	taskeng.exe	cmd.exe
PID 2452 wrote to memory of 1704	2452	taskeng.exe	taskeng.exe
PID 2452 wrote to memory of 1704	2452	taskeng.exe	taskeng.exe
PID 2452 wrote to memory of 1704	2452	taskeng.exe	taskeng.exe
PID 2452 wrote to memory of 1704	2452	taskeng.exe	taskeng.exe
PID 2452 wrote to memory of 876	2452	taskeng.exe	taskeng.exe
PID 2452 wrote to memory of 876	2452	taskeng.exe	taskeng.exe
PID 2452 wrote to memory of 876	2452	taskeng.exe	taskeng.exe
PID 2452 wrote to memory of 876	2452	taskeng.exe	taskeng.exe
PID 836 wrote to memory of 1740	836	cmd.exe	WMIC.exe
PID 836 wrote to memory of 1740	836	cmd.exe	WMIC.exe
PID 836 wrote to memory of 1740	836	cmd.exe	WMIC.exe
PID 836 wrote to memory of 1740	836	cmd.exe	WMIC.exe
PID 2244 wrote to memory of 2148	2244	cmd.exe	vssadmin.exe
PID 2244 wrote to memory of 2148	2244	cmd.exe	vssadmin.exe
PID 2244 wrote to memory of 2148	2244	cmd.exe	vssadmin.exe
PID 2244 wrote to memory of 2148	2244	cmd.exe	vssadmin.exe
PID 836 wrote to memory of 628	836	cmd.exe	vssadmin.exe
PID 836 wrote to memory of 628	836	cmd.exe	vssadmin.exe
PID 836 wrote to memory of 628	836	cmd.exe	vssadmin.exe
PID 836 wrote to memory of 628	836	cmd.exe	vssadmin.exe
PID 2452 wrote to memory of 2328	2452	taskeng.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e05acea94e72eacc59d3180543957e5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e05acea94e72eacc59d3180543957e5c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\ProgramData\pay.exe
  "C:\ProgramData\pay.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:628
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:1704
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 1
      4⤵
      Executes dropped EXE
      PID:876
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      PID:2328
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
995B

MD5
974af3f2f97073f077fbde104a63b066

SHA1
29ef7eed93f6b7bde21171e2ddb595e6d6fd715d

SHA256
f6880d64132a7168a253ed82ad11341aa334f47f74d00736d0f1514b95856177

SHA512
dfc0f37a25914a9988c494f60a55f1e9e4fb38d97d5b2e8b274efed4e9cf4feec4802f2a9c0df145559ee9a981442d40c76c52f18c509b4a28e18d09e23df908

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
bf17b3cb65d6990ccb38873a0c682db1

SHA1
f6f81c8017bc82c8145316897a1da3a1bdb7fe40

SHA256
bcef275b3c85226a5a7dab06039872eaae12488d7b69d0538987f7f57e9dcf50

SHA512
2efe7ffcff113fe2ea0beb9ca82410dca9cfd8eef10c229d770df63405e9b6287e311e783b2925e172a50bcdd341dee952069906bb058d5fdfc3dd6789a20167

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
a4f3c40c7efab96ef3581a362bb7fde3

SHA1
cf88e8b8278021bf7a7d8f3843fa5453b2e2ed19

SHA256
d0f578b135450feb0f1232c96f3dcf029d69c45e9356cbcc7f16192a8e00f8d2

SHA512
5f3893e25ad04a66409f2257e3d6a0d26c0465ecbec56f89750141b2af50244d6a526765a69cbf8453d1937be1fb99fe2f97649d9e0469022022530a2cb23130

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca

Filesize
6KB

MD5
583041bd6d1603fcf696ff6d5d9642f3

SHA1
70b7220626f676a673032973a49d6f55d7799874

SHA256
bc7771222f80a4f51d7499a0c01d205ab93d682615b79d57ecf9f8452155c226

SHA512
e22176f0765423a0aaf5eb619a8101b066e9b66a9a8e28055fc62978a43283f1cb65ff7d9688d408c28e46f0c7c1cb3c0d60861af060a5ec2ac89c5879a4b4e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
29ebfb88559ff7868c44e103879767d8

SHA1
175728a31c298e6c48be58fec54b176d77511bfc

SHA256
514b41174895b9734253f56c190e1680c787192ac811908ceb6fb23ecbf2e00d

SHA512
42995aad100c4e96bf944cabbb9da0fd70c1b19b894f360bde07c16a600a0d0a129719cc7d50d8dc26d8cdc039250a23de342753c3f846cb091bef392d73661f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
854039adb86c96143d5863730cfb2803

SHA1
3c6c86daa9d75940abf511dc6fa28b208b8916b0

SHA256
358602cb5b43f08e6110c27ee311663580787a82eb116755bd0249ef48ff5921

SHA512
1042c9022a0a5e546f9a8c8b2d06a96bf635e5675f4e19b9fa27fe978744f32769c438bc530465d174ed843544590ee82790433c88b0f20900a7c8de7aaaa1b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
d7eba3ecf363895b43f40b785cd65031

SHA1
e8f994b78a818d371a41a91c059de984ece07607

SHA256
3035fa5de6f1b2b2ce2c851497b92b503887b5331ba71a197403049977851e0a

SHA512
a052cf2893218f3dd3992230c7f7ff97350d9ce4f97810bd9a4ae69e1fb17bdf2fcd9255d49220f72b9c2a862d15b3d13208875cd422f24c947cd4098f591584

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
d589829b274769339025d0adc18c7f4d

SHA1
37df20b1a8a73259de19ddac666a4c3547bcba74

SHA256
54474190d9fb1a9d9c2dc800a0d46e02827fd14139a5a9a444839c9d20643c0c

SHA512
a3a2a72029d5c2b7c44f4617cd1672cc2f93103d3ec1278d844a566c50e00a2328bc99cd5f482d335194c0bc1d2a5e6b8e1b22f7592ac6a080f51f74456d628a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
522bcc009fd8c66f1f22a566a177bafc

SHA1
0c29d659073564a82cb4818e5b175a3992a352d3

SHA256
1d531fe72d256d116c7f618f0e71174709d275414a4ed97f93132eb44d53354b

SHA512
790e1a2fb13f5474ea10182e079fcc2a0a3bad41b16e0395169ac88bd90233771254b3021be96bf87ce2a37d9b6e95e54d687c736e9631730c15575f728e1129

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
1a4689fabb7e036050a53bf9585cf8cc

SHA1
169664f1ffa297f6b57703a3b4c8170a01f6774a

SHA256
64de3eb25a35187dc5b8059980510d0e17384288acbd33860f9c589450b6fb14

SHA512
0bb6857aa511e7b754c3a6ef97034185030d18d2b7a6562c967184d6a18ccfc1e7e01bd7c56213b58bfa65c620851b5b3d3ad8e0343011f368706636472c073a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
8f8e5fa64c994f4320edc72fc12e8109

SHA1
dd2b6966a204fd4e85e2a25ab8f40716f927537f

SHA256
ce2f5ea24a77037c35e623a090a481515b07ec8bef52f5f9ba886bc45a8d19b1

SHA512
4625d2f978f600973312f5c99d492cef79086a9a2c4ff6fc680ce54c7cc770eafde167f09c752bd5d4ca72419df08ba4c9177f271862e4a7656a8e76527481a3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
db9a3e8ad04134885733653cdbb33841

SHA1
795845c494df1137a86e5149cd2f24a3a3f83cfe

SHA256
f68885aecb9aea546319bfed2e702e069741dd82ca26e3b4755fc9a8869b5882

SHA512
d40c3fc6a74f62841b158e7b59b8ec9b1db223028955cbbe4777fcb287ff29cec2ca45ac2d1081dbe813115dffe1b3cc5d0a1d6fe9472792cc19e16d87b513b8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
78KB

MD5
1fe360c522f8579bc9695b8e3fff0ba8

SHA1
c8b61a9b1b5f80516cd5db7308d2af7236970774

SHA256
e3cfed46b8873d7dd8c067aaf2f936eda25c6677477dc25d5639c22dee8b32ed

SHA512
ba13d030c4d7e4a8dd44b3fde99582739b5acfdf608865c73626da264f1668b12e597d99b2c8649d6d7ede27b192a6ca1358e7494b16759624f505e0df70f988

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
5bac08b8c52912c98b9a6dd605acc103

SHA1
51c204acb76bbd69e22df11f57835e2f76d65f0e

SHA256
99f0e7771a8d573bdb4e7a8482d8589b894b5811aee24cde3dd3e0b95c1d2498

SHA512
bc66a967a0381407a7b5666ef81b85d9754d276ae6a56b159323ad0ee19b4b52b793fd585678dc7f0ecc6582539264d587e1b8e3d4224db4eebc744a90f23301

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

Filesize
17KB

MD5
1a7024e0dd0260ad1c280d3ad2956a5d

SHA1
9faa20793774abe39d750c1d8b367310165bd72f

SHA256
8b9546ac912d0e49c2352d28e00e3a58a1f3bef01249261f61735d9b5cb7b2a6

SHA512
40832164b1eec8ae0245a21a41b0549163efc766e6471d9b1c90bae61908f12daae1a384605af9b787bbb535851181fd29a01696f465d9a7f98734f10ccd545c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
0886042b2e184101f5499afc8c0e78d0

SHA1
0cc642609c29e26efbea99a063824aa93d76c7e4

SHA256
e423d71ace49f589c6b0d0bdb3dec9260d8575c421d7ba9c36647fd7f63ae787

SHA512
b1bd07f4b5faaedecb82d21accc77c72deaa3ba6447c7dd31cdfa38a900a72b79c473cf0a1a20430309e88ef038fe01bbc33d7da5c99a6f3974832916bb13d5e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
d3b4f7b9a16ee68960f588cd4b060c1c

SHA1
69a2e38e3994980c39aca010a272c58aa6291a92

SHA256
7b72b04663604880fa44ad90ac6bf1077871353b86797d2fcaa8f18e88e74639

SHA512
f63ccbe36b0a72af1a5ec7ee1617f48567a8722688c816242af76f059ad45f531e979935998bde644e7100a677cafc002e1414604204f094eca588aeca0b645a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html

Filesize
10KB

MD5
34400e471c5305ba5c111ee88c2814cf

SHA1
874756d519799ce4e4d57f5e1b9580bfc36cf2b0

SHA256
bc18f81ef0f42fb84469425a682e485b5a90a5a779c4cb34cb784821479ed5f2

SHA512
7873663048c4183204216fd83b4800b584e1989fb28091479cc8a93d0c122cc24ed425f3b17f7e67d9dc95a5e9fc82015308c0dd093861b6faa1d114780b7037

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
419e7c8a9c61d400f686daca4b59fee9

SHA1
d93577fe54279992ef3bd456c960197f0d441b2f

SHA256
2726d38aafaf0d5043c581329739d0504311d45777e6827facddde23dc91e761

SHA512
97b153e511507829f6ac2c0e122535899bf105ba5082e2ebc7d414bb74d774a66de360aa92cfa521cb371ad87fad322540a42bfd0c2e7f3b7412fffb60ee0047

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
a203c944d98a352fbe36b0af981f9fa1

SHA1
eaa3e1451530d85ffa32772a712a28cba859d4bc

SHA256
6890eb49d60a761ab698d9f91162c2861095cf5b385a9d7d80184850bcd3bbe5

SHA512
3bd2f698da4f69299c69db6a933d095f06a5a40a64580e42b77e4473675024f0899596e49491cb416ee73ebe4deca250edcd5791ff443855b948e474ec9d21a9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
5710a7e4135b169f1ba178a111d99c68

SHA1
012145b026dd43b6f68db30669f8424f580b9d88

SHA256
03c7b9e296a8c9e6fe5f08945f75862f3bc4cdfb24935af6e08ebf8d8f3e2682

SHA512
aec99ae30a955312ef93c9beb4fea02caa191564531a6025298cf990ff775feb8a1bde6956d9d25812e23a893f99f5b95b86d49c1fbf2a2e3d3250ec51e16c9b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
5ee19b43009f3db980f374ab64b0ea5a

SHA1
49547819ceac9a83e5cb9407a751b97fac51e686

SHA256
d11ff1d5d9573ce69696fbbdf0fd6d2ac84063b9490c2e2d404f3a5b16526057

SHA512
d2d007331444d8a4f1b3ea2291159bdd970642f1704542d77db2b3c535de807ed69b7e02ed2bf8107c157c9fc4e4f43c3acf0f7231217227c3aaf1392d4efcd0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
a9d8a927ce2216dd4031554bb7e0a30a

SHA1
f6dfee448b58e6ada3ab1e7b05cde13978114003

SHA256
8290a4315056c4f5deddf455f9695451c68f41f561cd514458c5524bfa0da378

SHA512
369e6709a368ec4f5c05cedf3c76bb9b041c2becb6708db68decd6e8270f6412fcd05e1cc4145e809c07025159ec1c938a28b8709a29e7b9d33ab4194daeb60d

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
605KB

MD5
bc0ab01e19f9f200fa1fec79b6b55c62

SHA1
b7e2945bce751ae2e3f5fb44d2a39862017b1a99

SHA256
0f63db7487876fe22a1be8e3003461cfeb5c94609521a471ae623b953c840945

SHA512
f982a67d7e882a3a111c025aa449ed32212cb382242cae886a88df0ac781fc11d1f8abd93df9d71deea1f4ba9ad54ba2b4e53e8e15581efda72ef25c77d40174

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
2e7b48638cb2ce5402724ff88dbeda6f

SHA1
a8e3647a72cb47760ec58dfd70a99bbb9a14f4b0

SHA256
69c98ce9a5497a90fd2c86d2707b1a641741948b54465413bde925d612100c16

SHA512
7b886a5617981de370746b540270810a7f9cc2de98a68dadd9cc96e0754b11a257a67faf487c11461432498685df17c26f9929b815555633854f50ae494f8786

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
e58fe55d0c2d3e552c4eaca3a827070f

SHA1
c2cc50450934d702301c3b4a2701c51beb2c974f

SHA256
d1d1de8f69dbf7f41c5f32563a7ce048103d5a17a17897e484b024061cc989ba

SHA512
2ab5e8bbe97df7bc1ce2fa143ff3d3ec88a0f0f6d484a121eb9c6addab3cc23685bb71547d23efa4d59cc4644a5a19091d74ec660360639dae58433c327c32f0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
fc785b57355b726ebf67cbc1ebccb72c

SHA1
637dbc4e0f71c15bcdeb12844de1fb584ecce19a

SHA256
2848268c37d754a16c5d87b422d2503ed982f8f4e3e29a9bfb2695487c01f6f4

SHA512
e02f3f869ac017f752db9a07919bce76a609e2a3317165891a9fb0e126f4f18abe48aa17343df96a53882669a2e0330fc45465b3f27920231655182593c84feb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo

Filesize
527KB

MD5
4324d195324ca292f4e597a42e6f8986

SHA1
997fcf758481dcd50d38314fa8dc5476aa916a89

SHA256
74f33b0afe61f81bc94c81f62ee6cc5068484e0e10419f5325c96e4339030c30

SHA512
11deb3d740ffcf5fb2d999f4de8f2b034f110476c322a85187fc4fc1d6a8cba3adb853390ef22af3db1d86bf6147ebaa4581524e1a549444f7d4b4faf9111c70

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
764KB

MD5
7c3f982cc65426a6a2616fc6d665115f

SHA1
0b3defd4b39197caf2e9e726f3b74ce83d3f3b04

SHA256
73edeb5932e3143582ca8efdf662e9c44dfb25f04e8ae5e5084ae71ee5f01d37

SHA512
ef63766ad94e49b4b7a445c89956c724d8867790044686fcac0e2590f90a23719ffc5bd32e5b629e57c00db210e2148ccf72393ce68c803bfbd7789c565f03a4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
10b08d5ab17ad6a590f7366a119ac27c

SHA1
9e744f4157a44d6db38b0ab7edb29c5b1d1ef4cc

SHA256
5348675a15d99233bdc7a14e2f772ba20862fc0035c9bbdb0d21ee77f22d711f

SHA512
3c0cf787eeb8ae4b26d4ede0794e2f35fb3d9f58c902546bcfd486713c978b74f109b3ee7b1c356d8d73ee49ee09481c4b88c7baa6cd06ef2da7cccd520b73f0

Download Submit
C:\ProgramData\pay.exe

Filesize
214KB

MD5
9c13ab7b79aec8dc02869999773cd4b2

SHA1
4b4d865132329e0dd1d129e85fc4fa9ad0c1d206

SHA256
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279

SHA512
3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
0fc3c2e38aee24decf732ef505b5f315

SHA1
af6cc8fad87b2bce10ef0638882d015f163b94a0

SHA256
4c7fe81819d3da0a333b81604dce38c4a0e005d30e63965b8b4a2b65b3929327

SHA512
a74e3914a816296a94032c77b531eb25682e11c5c51334fcf1ed307e3649613cd7c8ed5b994a2b88b9f8d8a127a20d911e721fde59ea6a71237bba7dd6c06bb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
2873d49fa8c71b3ed40282713043e485

SHA1
b64888f51d73effea786532a91bb07f5392325db

SHA256
5c611fb2d9be15713d19153924b914b5838e5b1bd07becb09717fd2f5304fbbe

SHA512
7ca48931d3a8b3a5827de30f184be09af5ed4d9199cdad4405326a540ef4bd562b00534a027214c88cb7edba82e604afa9ee2b9dd4758bae4d028332bedb2738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
0edd390a9ee9f40e466c803a9b62ea8a

SHA1
614a61309859badbae8df3fd3cfda54762e2cae8

SHA256
c3fd50b460eda0bdb628a07078dc6902f9b5446216e12b900015e46f7306563b

SHA512
277b4bd3bb8823936d18fb9efb12261e579d1ba454a56285ff8160739656f7c8af3fb42ae9e8986290d8de055e0bc65c81fc5296afe36a8bb716858d6fd8b51a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
2b455467355ab381093e0e5a625ab84f

SHA1
25d0f88dc7640669effdb25050347b0b26c85acc

SHA256
2cdbbbc493cbd21dd1ad9bdc1888d25de0c78722944f1aaadc691c2b0776fc96

SHA512
592f63df40d01d88d782a80a80f58d74e576b3edbec94f00577e91fcf5d4e36acfb640b0571484e171c1a4a17c3ce1c6254d5035b96c3337012982c23e21fcd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
4d1896723b1b2ebcaf6b8379810d08a8

SHA1
b4f88456da611462edc786fdcea0da1f58d0492a

SHA256
8738eafa30b06d0abf609e1c0728fe088a084d46f26b7ebd026001dac30d7111

SHA512
ba3bab40980b0076e4fd5bf06614c76bc375d629f44e5fc8997e6b1ba274f76d7d2106d1064e8d44f0e96a75cb19878cadaada0401aa1f42c1444fed23aefb99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9179f2cad9faa57900c98f45b393bc6

SHA1
dcc808a0fe430e63da35c575bf649025696588f3

SHA256
c7c727e8dfae9f9637f216f0925987df8d96565cbbadfb82297bef40f3249622

SHA512
3909ee76d2cd6780484772068a37c70a1ab8045002a3795ac71d6f516a749365acfabd5aad5a8c9eab5861027f07225b4505d0b3e64b1f7091fb67539decf998

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3eb96296ee864cf22504796aebeb3ac0

SHA1
2b894e93edf9161f5fea39b17e36fe206241eb58

SHA256
1f0633c67c003aa9d5f9f61d60ce94fa95977463fa7a85de6c715b3bacf39856

SHA512
f3238447be13d7a7f2e616d95e9659e606592f6a2da95067814c1a94c29f6b7f2610cbd559066b6314cc1082c828793610e508821116af45b3138b5102b91e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
7aa31beca6ac25504e918a473ef145dd

SHA1
ca9a3edea7a0e71b3f0fc423b471034f9ef0de0a

SHA256
078c29c9dc7e4d1ddb1da4b7cf976b415f52adf2d449443a74e64d8f5bce17eb

SHA512
c06de4013aecbb9c6f5514b31aed7668ac381b5859794b73886d0472156f9fbc64d2b73811ca891b358462eb21b6d35c7c28dd012a9f8fcb564275f7bb294ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\NCLUPZLZ.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\NHYI4CZ1.htm

Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar31B2.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
723KB

MD5
f27ec148f7dd8b6fd3fca9b7c9a05c58

SHA1
8894451278ea658eac2e6f3ff96fb672de12d31b

SHA256
8014240da1741d7036bff1f5a58d0e5d2c4393e57928810fcbc4119faa08aa5f

SHA512
2f05d60f10dbf927791b2edbbc39bef66ac72d6d62ca8a50d843c70df79f344492f0b3b2da1c0951d273556e0741ddd21e731e23e3abdee1bf92c730001550a9

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
266KB

MD5
8a2f6c5e0ff4876e21de0bd99ecb277c

SHA1
fd931b2630027e10698a629de9207cc23bb61c84

SHA256
68359493460c3b954d28d8fda7bf4906fb5ea9b76ba846f3f89e67d84e2667e9

SHA512
1e1f7692549ce3f46a3333c0efa3009df0a88d4aa6b7fb4ef16fea84be6722bac69c6aa8f3850eb8b1e4fdb740bb361d112123c06e1377939136d5c802cba38a

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
339KB

MD5
30b595382b3720ace99d2c7f04c00c36

SHA1
4280550615c6b5185f03c8be0dedc30cfbe4a8c5

SHA256
bf8679772fd61feec8023e1099789e137d94cb83a1ead79010df84bbd281e1c8

SHA512
98258b58e2b2bb302922ed9a6cfeb62673d9fffe6402c93064d9cb2fad85e874f4f9914bba6e6953d07f1efdccc43898a0f8bdff0cc4655e0ef56af2f3fa059a

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
357KB

MD5
769c3956bcf1273f049495edbe30dca2

SHA1
07ab9317c81ec71f0b16fc3d56efc77f6dff5e26

SHA256
2c59cba1da03e2a55789141d0122b8243aae6045f9b1f764a7df6d0f012d5818

SHA512
0797c9d1c8d763337b9ff524b2591682984d720116c8c711e244c1f73b9713f82ba243a7de2254c5db4d6e2187266772c4d7d4447644e47285b4e7e57bc50ad8

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
503KB

MD5
f2a9618eded22a57c935029173127f83

SHA1
2258fe5b9e2bfc671ed9565abdbab6736fb8d50a

SHA256
32a968420e06239a5b36755d7c41ddf22e86af9319bd47d15a8730f107fef5c3

SHA512
2dcbaa312766e360a8e0921bd4f72b94c5e4314a945c3b7e74b906e6b90009edbb1f4658038ef7aa57cecb69075ef67f7418b6300db4a9048de15ad7e2cda300

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
613KB

MD5
3e45abb9cb2b7fd37fd85c05d317c63a

SHA1
665d0ab21daf1ad00cca7e201f73a13923fc3ad3

SHA256
de8b4f4af04dddddb5548f73c06c41854bab590f839b75cca504425a7e039db2

SHA512
2d7f9ba6cb7a88c8c22d80bb4e85154120fee0cb3fe06d807595b5776e01e5b3f5f6effe45a70b1f3b594fef529bfa689a400731f6d55c66f4c73bdcf3aecc8b

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
558KB

MD5
bc1bd84b471f4d7340449aeeef4d891e

SHA1
43712ed5e83d2a2346cb1f22f2346774cfc1ffc8

SHA256
06af7a99c826f30271c94ba44410e7ca90c1d6f94fce8b55f46eec205b2df68f

SHA512
8571cbc9029fbcafddd46d4443cb6a2a2c001084b9e6489a5724c0087bd48ac39b7d86214f2d4a3fb37621f3fb8210a002f89431fab7c021866fae6c3166286a

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
759KB

MD5
3f9a15c67ef94523864f496c45a42aa0

SHA1
0116ac9437cdb91d052c85a6d0571f62faa29dad

SHA256
bfbefe5cbcf6e0f7db0043626a3b2e573b6936d858ae9c65829db4d34c09824e

SHA512
64a5a87923558c50c6fb26a875732068bff577a7cd61c1c399a0de7726103b5ea2c8dbf900fbac1dcd60289d1644d0e30f75522dab0b4a75bc3c01ec1ec31970

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
394KB

MD5
b0a063c85a6e0c33a9dcf435551ca3b1

SHA1
b29937c593d0812616069a07a5690ad9b36f6241

SHA256
9f4ba695590cd377c6a6b044625841ab49cc93d8aaf74638cc7af43e3c23625e

SHA512
cb5c601bc49e1b504121e1c8ced20e318ce2d7d9da79ea518224204364b75c75b19822cb67d4abef8ffd2ade3e9ea8cc6df3ad173dbe7a314e07f5c7f0f78641

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
412KB

MD5
a9caf7b880e2575db47aa4f8d631178c

SHA1
c2b8df8b6ac2e7e14ad2ef580603990c68e2a659

SHA256
ed5ab85038e3610c84a15440551d1beb846837f4667b5a750e061429764c56d7

SHA512
a1a4dc2cf73c3d1241733ef686f4d92a2ea1e79095a89e92b6f6443df034f9d2c0e192ecada904c216d8c927752e4c47dc0b3154c49cfafe2971c66db904c1ca

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
449KB

MD5
fe31ad261d394f7a90902fb4f27a8769

SHA1
1b40ca96b87e211756c00da3fd2e2ef100a8adda

SHA256
9cc239c7652b06dfeec4db8f4a9e3f2c66cb8299cd621538a18aa658484916e1

SHA512
3b39560b3284964f7d140aeb3242b26c36a567849a38d1065b112c212ff226940544d1039328afbd081ba5ad6b53ab5bdad286d3ab38c69cf08513d26d484453

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
321KB

MD5
8cc557fe2286bacc69ce46f76742dcb5

SHA1
798ee6da8b2892f0548adda65b70192b41443647

SHA256
27bd33e176ae45137f8e28ae68661f022069bfdcf570efd3ca35da199cb7a082

SHA512
52285697aec385ba5c8a105292c0e9ee001500e0fe72a73cf26a5bd261f1110f46498c57cece1b035ec0fb207f39c548ccf826c9e543c59e6773c2d05aa832da

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
595KB

MD5
28ae8531a81df0459cad505fe5ad1a6f

SHA1
73637de0b2889851a341170be1cde2c1a2c3dadf

SHA256
331c71fe90fc55477e26cf4f998830dcbeb2b8b6e2cc34bf9f94d95d969a3a69

SHA512
e1a5ae3a1c78eb238f3ab0562ea629f9c5c691676dd044884615d78673cece6e08363cb26e0e04902b8c7dfdb4687ab7d01ece1d45f3ccc23c2af9dd6fb32097

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
631KB

MD5
9f60d7549a68db5cf47424da89e36d2d

SHA1
57309ef295b9380ea605dd715eb5d7637fccf69d

SHA256
31a45802b6a22dc6298653c03035897f2d0fe85007e4a89987069bd312a17139

SHA512
5323f1524e2dfc6d83e3dd5446748b8284bad8119a6961ad7051055ae7a2352be2d747eb6aa2baecf64982d477829c83db76ab9dab51eb322416b64d3b65e044

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
522KB

MD5
4d2b4bebebd10dac6650e68c0c3b0dfe

SHA1
7d0a32dd65b5c2311c67943a144bc8a938daec4d

SHA256
b1eb59297682ea30fbc897c9536dd0873a02b93b4b05e26ee05cb0d35238c1d7

SHA512
50be97990301a68128b81783ae74fdfb80d7647dff6029a97817e0143052f1a2d90076051afe43c3555601e940603ca2ae646ff1b3fddb9fb1cf705dc33f3cae

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
741KB

MD5
6f10313adecb6ecc40a7556c74996405

SHA1
193c6c1a4c8d969fe28e7970b5c97ea953e06b58

SHA256
9734b14a4be7b04717ddfeb369d2625da98781d0728cbcbf0d9325b9280eef0c

SHA512
1653d16a93ab7acfeadf94889f02777acf5c596e8b3c669828572de9ea5ac1972d7c4f556919afc07e866fb3d7d299d8400c185cdd8713575a80f6d73356b21b

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
540KB

MD5
1651f86f672f196bad6119f2a6d9cca8

SHA1
826da4b4c99010b5d1bdb0354e78b163fe934726

SHA256
54505bfe0d9ee5dbccfee976a9e8dbcf84544134c7737e68ec2ed806e330a302

SHA512
50d579dada57ccb0fc1bc0ff837541e882be0bb120ed82df5dc86390d920ecebd8c845e79b375e62583acf2b1909687bc78ba75a2a2cb7d977af5f6ff1545d43

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
686KB

MD5
651131d2576363bc26663226f4528d4a

SHA1
cbf4bb9f6bf7b1e54bf340cbbc26ec5a75903aaf

SHA256
24a29267a5fe6e38f7dd1c7e48370571efa1bc77b8d139e2d71ba08da325bfd7

SHA512
18baaa4b5c876aa30aa82a6e70b3048db7e2abbd1fcd4ac692c22d00acbeaa91eadd5d1e8547b4452de55411a702d12c5ce6e98ff3338ffca4b37909abac1320

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
1.0MB

MD5
91f49869bc2356f7e8685e5288d2daa3

SHA1
4c1db50d4a016b9f6083b88045fc78c07c791e28

SHA256
aa4ab4ed8a6783acc2101d671710e6326d960eef4edabb850604f5c2c90ae70c

SHA512
233bb9488b0bb3a466ba5c74d088e465cb530ff115733da47ca8e9f513241f8f7f58b356836868f139d7e068b86789d19bcfd09e0461ed98b67f5322d65e3473

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
430KB

MD5
478c9d35abf738717ea291d1b3699790

SHA1
7a10938bbd958eec5b5363f4036abbdb4064ab7d

SHA256
a20d97d1234d8164b19f3694ab2137c0e571bc148ff8f6ce938c6710df85bbf0

SHA512
ccdbce9cdd9723eb5122c7e5c59516eaf2e27c8e15795ea6c11632d40334c1adc361d63bbde4d69a645eda640d641e4954b276c42e3f7f0d7541b32e7b628cc6

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
302KB

MD5
478b3620df41dd1985d2373c033050a7

SHA1
91a82055eb6e53ae1405ba7c48244afbfb8402eb

SHA256
30054c261ceaeccba80837550dccb63a5bca3108001892a4fd0d1df64b654180

SHA512
61d55c956d4a2adc98717617ca3370f3cd8dea0c3c57e5b9f84b3ea8ebf3b26fbc37bf4457d99315667ad3ad1e7714d213cfdd508b97848c19e5feb800542c72

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
467KB

MD5
e1131705f12f26ec28791efbc4ba6eb6

SHA1
5ba91e5d5998aba271e789b3a17cd49ec0c544b3

SHA256
53e8cd5a6768e5c549df2b1f4d8fbdc3dc6bfbba19b90cae8e3e186f4660778d

SHA512
aef560593191d0cbc1a4764264013516a12d183d00e6c38d5f834c57484a5574870cf391fc44b250a76a431740d120eab96ad65ff81cc533f8927a60ac4d7676

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
649KB

MD5
cf7a44cc4fa846dee635afab12309a0e

SHA1
7c06dda064dd7f2527cd74e007bb4c54161dab41

SHA256
f5cc518658055a69ea4f2fe6a4c4fb773aa9c1779ca9a9ddae86e784d9b98114

SHA512
5d6c35ac4b6b8ef0ee9c6eedd587aaa95ab21f80ad3235283346d234705bad53c4379c3bfa4af301f8ebf9948724b981271402fffbeb8673dc7855d784e1fda4

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
284KB

MD5
4137afca94407e8aaca2a78fafc1ecfc

SHA1
e6ec4bc7be50381243997a6ad8444d385b5574b8

SHA256
7b97218a0d124a991d80539c44117184af69d196f00e7d66572c2e784840d7bd

SHA512
3a99df5cba59d248a0e523041871d2436658d727c1ee0c8a1283f98bdf5e15ed08ef4973ac06651a0196893ef867b7e88aa3028950b0e7df6e3819facb253200

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
704KB

MD5
a5127b581243c4f6be1fb932ddf4759e

SHA1
d89fffb54e276751900d0c148ceb991b46cd00b4

SHA256
3a1fb04368213c85db125a8448265e91e2bf867b9e0f77765df5aa8cb5e2ad3d

SHA512
9b27ae54f1ea5a6899c1e030f5f1b95bee84b232d7fb9841267bc1bf4b01eb62382992d123db6c7312ba9c299697e5246e4ef9565ceb575af7844b767d4972af

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
668KB

MD5
22b5c219d24793f65bf1cdf2c85d437e

SHA1
65e9b3642a4340a23e3ad24c07f7aca17afe1108

SHA256
719ffd76bebbe70fa9a57238a2ed23756e5784b2f1358cd74847f319f2693697

SHA512
1fe9e530d604d893bf456be29f50108416a652e976534404ef2c49b47019cd245233c0c184aec17ab4eb94e56334dd2d779f5744ad421a0472b5ea593b46768e

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
485KB

MD5
205bed6d5fbe60cc8e540ccac9f30d26

SHA1
e9a2f583d7c6206e5f173069eaeb48a397701582

SHA256
7237bf3138656788ba6e6f6bf50b1cf25d432310c481eb0f4d2c3bc13837d0aa

SHA512
6673b385fee7ffaf9d7670849fe01cb150f72fd842527b61a6784bffc3c60e0a8a69f4a27f6df6d109dd91a270cf1d3bd998b005535070a366a08cf9980e26d0

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
375KB

MD5
2f24b6c587157902545ba6413d9d3809

SHA1
0550e49408d1c2857a065f6b488c0251cef0c584

SHA256
b1b4a9afd22504dce3db88dcd010cf81a700fe2471ba5075f21f1266475a978e

SHA512
d70ff6042512754b68f3d191a006d9d1e6d18848952797f5f2418c4ae8ae890311c3b343e080c03a75682e48856c36ff7896e8184f737895508fda833d56b130

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
576KB

MD5
219ab8eee0f5a78adf6af52a8d0940e9

SHA1
7b64d11c706f226f4d2fd693ae11061c86a9837a

SHA256
fe718845bea5224c8f91b6b1295e8b81a0045d3028fff7e1f36022bd94ea2954

SHA512
10da75b85153038dee2e3889f1b643c0c7bd3d754c81a2578635c7cc17d7a8644c728284c0d8d4462be1a3931b71de0e387c858e0789a8686e8030764fa796f5

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
fa3adce13ac4c2e7cb04c04567c4083a

SHA1
f67363704b24ea7f3620535df4f8611ba1348683

SHA256
a086a42586bd4ba5d0fe320c72bc8d20e21ce27e32efa64b17945fcc72b86fa2

SHA512
442dc14c590382bf9132528c45a0884dd2f39ee0d5c318537284ed449b040006c6991d416ef3b579242ed11b172792d5752640a364e2f6bc547ac907fe98ea19

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\.imposter

Filesize
513B

MD5
ecfe8a0cfd448efa54714199b9baf1b9

SHA1
66a3ec5947a3df360c2f2e4eb2980a877b1bf252

SHA256
8623a5f2e4e5506ebc5c18ee5d29d5f4e85970d8dde8dc474666c7724f209791

SHA512
4fa9ca5ec02281f9c2e18ccaf8296b823db2a558017a46fd1e4cb89fedd1c5be731b2fd3000e11dea7c5ea3b69399ec6c7e093876c44a36f6e54b6ab87f266cf

Download Submit
memory/876-198-0x0000000000A00000-0x0000000000B41000-memory.dmp

Filesize
1.3MB

Download
memory/1628-84-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1628-90-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1704-11953-0x0000000000A00000-0x0000000000B41000-memory.dmp

Filesize
1.3MB

Download
memory/1704-22100-0x0000000000A00000-0x0000000000B41000-memory.dmp

Filesize
1.3MB

Download
memory/1704-29673-0x0000000000A00000-0x0000000000B41000-memory.dmp

Filesize
1.3MB

Download
memory/1704-30543-0x0000000000A00000-0x0000000000B41000-memory.dmp

Filesize
1.3MB

Download
memory/2172-3-0x000000001BDE0000-0x000000001BE60000-memory.dmp

Filesize
512KB

Download
memory/2172-1-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-2-0x0000000000670000-0x00000000006AE000-memory.dmp

Filesize
248KB

Download
memory/2172-0-0x000000013F280000-0x000000013F2CE000-memory.dmp

Filesize
312KB

Download
memory/2172-12-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-4-0x0000000000910000-0x000000000094E000-memory.dmp

Filesize
248KB

Download
memory/2328-30576-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2452-4919-0x0000000000A00000-0x0000000000B41000-memory.dmp

Filesize
1.3MB

Download
memory/2452-30577-0x0000000000A00000-0x0000000000B41000-memory.dmp

Filesize
1.3MB

Download
memory/2496-111-0x00000000002C0000-0x0000000000401000-memory.dmp

Filesize
1.3MB

Download