Overview

Score | Task | Platform
10 | Static | static
10 | Dropper/Berbew.exe | windows10-2004-x64
10 | Dropper/Phorphiex.exe | windows10-2004-x64
10 | RAT/31.exe | windows10-2004-x64
10 | RAT/XClient.exe | windows10-2004-x64
10 | RAT/file.exe | windows10-2004-x64
7 | Ransomware...-2.exe | windows10-2004-x64
10 | Ransomware...01.exe | windows10-2004-x64
10 | Ransomware...lt.exe | windows10-2004-x64
10 | Stealers/Azorult.exe | windows10-2004-x64
10 | Stealers/B...on.exe | windows10-2004-x64
10 | Stealers/Dridex.dll | windows10-2004-x64
10 | Stealers/M..._2.exe | windows10-2004-x64
10 | Stealers/lumma.exe | windows10-2004-x64
10 | Trojan/BetaBot.exe | windows10-2004-x64
10 | Trojan/Smo...er.exe | windows10-2004-x64
Resubmissions (10)

Submitted | Task ID | Score
03-09-2024 14:02 | 240903-rb57sazdqf | 10
03-09-2024 13:51 | 240903-q59avszclf | 10
02-09-2024 19:51 | 240902-yk8gtsxbpd | 10
02-09-2024 02:27 | 240902-cxh7tazflg | 10
02-09-2024 02:26 | 240902-cwxc2sygll | 10
21-06-2024 19:37 | 240621-yca7cszgnd | 10
09-06-2024 17:07 | 240609-vm7rjadd73 | 10
13-05-2024 17:36 | 240513-v6qblafe3y | 10
12-05-2024 17:17 | 240512-vty3zafh5s | 10

Analysis
- max time kernel: 1782s
- max time network: 1180s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 18:05
Behavioral tasks

Task | Sample | Resource
behavioral1 | Dropper/Berbew.exe | win10v2004-20240508-en
behavioral2 | Dropper/Phorphiex.exe | win10v2004-20240426-en
behavioral3 | RAT/31.exe | win10v2004-20240426-en
behavioral4 | RAT/XClient.exe | win10v2004-20240508-en
behavioral5 | RAT/file.exe | win10v2004-20240426-en
behavioral6 | Ransomware/Client-2.exe | win10v2004-20240508-en
behavioral7 | Ransomware/criticalupdate01.exe | win10v2004-20240226-en
behavioral8 | Ransomware/default.exe | win10v2004-20240426-en
behavioral9 | Stealers/Azorult.exe | win10v2004-20240508-en
behavioral10 | Stealers/BlackMoon.exe | win10v2004-20240426-en
behavioral11 | Stealers/Dridex.dll | win10v2004-20240426-en
behavioral12 | Stealers/Masslogger/mouse_2.exe | win10v2004-20240508-en
behavioral13 | Stealers/lumma.exe | win10v2004-20240426-en
behavioral14 | Trojan/BetaBot.exe | win10v2004-20240508-en
behavioral15 | Trojan/SmokeLoader.exe | win10v2004-20240426-en
General

- Target: Ransomware/default.exe
- Size: 211KB
- MD5: f42abb7569dbc2ff5faa7e078cb71476
- SHA1: 04530a6165fc29ab536bab1be16f6b87c46288e6
- SHA256: 516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
- SHA512: 3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
- SSDEEP: 6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn
Malware Config

Extracted
- Path: C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

Detects Zeppelin payload (10 IoCs)
resource | yara_rule
behavioral8/files/0x0008000000023428-17.dat | family_zeppelin
behavioral8/memory/4008-33-0x00000000009A0000-0x0000000000AE0000-memory.dmp | family_zeppelin
behavioral8/memory/4416-43-0x0000000000F10000-0x0000000001050000-memory.dmp | family_zeppelin
behavioral8/memory/4712-46-0x0000000000F10000-0x0000000001050000-memory.dmp | family_zeppelin
behavioral8/memory/4416-3139-0x0000000000F10000-0x0000000001050000-memory.dmp | family_zeppelin
behavioral8/memory/412-9384-0x0000000000F10000-0x0000000001050000-memory.dmp | family_zeppelin
behavioral8/memory/412-14211-0x0000000000F10000-0x0000000001050000-memory.dmp | family_zeppelin
behavioral8/memory/412-23437-0x0000000000F10000-0x0000000001050000-memory.dmp | family_zeppelin
behavioral8/memory/412-26056-0x0000000000F10000-0x0000000001050000-memory.dmp | family_zeppelin
behavioral8/memory/4416-26080-0x0000000000F10000-0x0000000001050000-memory.dmp | family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (6090) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | default.exe

Deletes itself (1 IoC)
pid | Process
4932 | notepad.exe

Executes dropped EXE (3 IoCs)
pid | Process
4416 | services.exe
4712 | services.exe
412 | services.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start" | default.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | services.exe
File opened (read-only) | \??\I: | services.exe
File opened (read-only) | \??\G: | services.exe
File opened (read-only) | \??\E: | services.exe
File opened (read-only) | \??\Z: | services.exe
File opened (read-only) | \??\W: | services.exe
File opened (read-only) | \??\P: | services.exe
File opened (read-only) | \??\L: | services.exe
File opened (read-only) | \??\M: | services.exe
File opened (read-only) | \??\A: | services.exe
File opened (read-only) | \??\U: | services.exe
File opened (read-only) | \??\S: | services.exe
File opened (read-only) | \??\Q: | services.exe
File opened (read-only) | \??\O: | services.exe
File opened (read-only) | \??\B: | services.exe
File opened (read-only) | \??\V: | services.exe
File opened (read-only) | \??\R: | services.exe
File opened (read-only) | \??\N: | services.exe
File opened (read-only) | \??\H: | services.exe
File opened (read-only) | \??\Y: | services.exe
File opened (read-only) | \??\X: | services.exe
File opened (read-only) | \??\T: | services.exe
File opened (read-only) | \??\K: | services.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
41 | iplogger.org
43 | iplogger.org

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | geoiptool.com

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_single_filetype.svg | services.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\ui-strings.js | services.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-125.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\HoloTile.glb | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page2.jpg | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js | services.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | services.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x | services.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL | services.exe
File created | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | services.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-256_altform-unplated_contrast-white.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.boot.tree.dat.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.scale-200.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-400_contrast-white.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-200.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-256_altform-unplated.png | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-tw_get.svg | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-32.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-36.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16_altform-unplated.png | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_BadgeLogo.scale-200.png | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\ui-strings.js.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-125.png | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\ui-strings.js | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ru_get.svg | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo | services.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-100.png | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms | services.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_ES.LEX.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-125.png | services.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons.png.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms | services.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.1A5-933-9BE | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png | services.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-80_altform-lightunplated.png | services.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (50 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4008 | default.exe
Token: SeDebugPrivilege | 4008 | default.exe
Token: SeDebugPrivilege | 4416 | services.exe
Token: SeIncreaseQuotaPrivilege | 4636 | WMIC.exe
Token: SeSecurityPrivilege | 4636 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4636 | WMIC.exe
Token: SeLoadDriverPrivilege | 4636 | WMIC.exe
Token: SeSystemProfilePrivilege | 4636 | WMIC.exe
Token: SeSystemtimePrivilege | 4636 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4636 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4636 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4636 | WMIC.exe
Token: SeBackupPrivilege | 4636 | WMIC.exe
Token: SeRestorePrivilege | 4636 | WMIC.exe
Token: SeShutdownPrivilege | 4636 | WMIC.exe
Token: SeDebugPrivilege | 4636 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4636 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4636 | WMIC.exe
Token: SeUndockPrivilege | 4636 | WMIC.exe
Token: SeManageVolumePrivilege | 4636 | WMIC.exe
Token: 33 | 4636 | WMIC.exe
Token: 34 | 4636 | WMIC.exe
Token: 35 | 4636 | WMIC.exe
Token: 36 | 4636 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4636 | WMIC.exe
Token: SeSecurityPrivilege | 4636 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4636 | WMIC.exe
Token: SeLoadDriverPrivilege | 4636 | WMIC.exe
Token: SeSystemProfilePrivilege | 4636 | WMIC.exe
Token: SeSystemtimePrivilege | 4636 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4636 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4636 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4636 | WMIC.exe
Token: SeBackupPrivilege | 4636 | WMIC.exe
Token: SeRestorePrivilege | 4636 | WMIC.exe
Token: SeShutdownPrivilege | 4636 | WMIC.exe
Token: SeDebugPrivilege | 4636 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4636 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4636 | WMIC.exe
Token: SeUndockPrivilege | 4636 | WMIC.exe
Token: SeManageVolumePrivilege | 4636 | WMIC.exe
Token: 33 | 4636 | WMIC.exe
Token: 34 | 4636 | WMIC.exe
Token: 35 | 4636 | WMIC.exe
Token: 36 | 4636 | WMIC.exe
Token: SeBackupPrivilege | 5100 | vssvc.exe
Token: SeRestorePrivilege | 5100 | vssvc.exe
Token: SeAuditPrivilege | 5100 | vssvc.exe
Token: SeDebugPrivilege | 4416 | services.exe
Token: SeDebugPrivilege | 4416 | services.exe

Suspicious use of WriteProcessMemory (48 IoCs)
description | pid | Process | procid_target
PID 4008 wrote to memory of 4416 | 4008 | default.exe | 87
PID 4008 wrote to memory of 4416 | 4008 | default.exe | 87
PID 4008 wrote to memory of 4416 | 4008 | default.exe | 87
PID 4008 wrote to memory of 4932 | 4008 | default.exe | 88
PID 4008 wrote to memory of 4932 | 4008 | default.exe | 88
PID 4008 wrote to memory of 4932 | 4008 | default.exe | 88
PID 4008 wrote to memory of 4932 | 4008 | default.exe | 88
PID 4008 wrote to memory of 4932 | 4008 | default.exe | 88
PID 4008 wrote to memory of 4932 | 4008 | default.exe | 88
PID 4416 wrote to memory of 412 | 4416 | services.exe | 98
PID 4416 wrote to memory of 412 | 4416 | services.exe | 98
PID 4416 wrote to memory of 412 | 4416 | services.exe | 98
PID 4416 wrote to memory of 4712 | 4416 | services.exe | 99
PID 4416 wrote to memory of 4712 | 4416 | services.exe | 99
PID 4416 wrote to memory of 4712 | 4416 | services.exe | 99
PID 4416 wrote to memory of 2268 | 4416 | services.exe | 100
PID 4416 wrote to memory of 2268 | 4416 | services.exe | 100
PID 4416 wrote to memory of 2268 | 4416 | services.exe | 100
PID 4416 wrote to memory of 4392 | 4416 | services.exe | 102
PID 4416 wrote to memory of 4392 | 4416 | services.exe | 102
PID 4416 wrote to memory of 4392 | 4416 | services.exe | 102
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 104
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 104
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 104
PID 4416 wrote to memory of 4272 | 4416 | services.exe | 106
PID 4416 wrote to memory of 4272 | 4416 | services.exe | 106
PID 4416 wrote to memory of 4272 | 4416 | services.exe | 106
PID 4416 wrote to memory of 4000 | 4416 | services.exe | 108
PID 4416 wrote to memory of 4000 | 4416 | services.exe | 108
PID 4416 wrote to memory of 4000 | 4416 | services.exe | 108
PID 4416 wrote to memory of 4032 | 4416 | services.exe | 110
PID 4416 wrote to memory of 4032 | 4416 | services.exe | 110
PID 4416 wrote to memory of 4032 | 4416 | services.exe | 110
PID 4416 wrote to memory of 1264 | 4416 | services.exe | 112
PID 4416 wrote to memory of 1264 | 4416 | services.exe | 112
PID 4416 wrote to memory of 1264 | 4416 | services.exe | 112
PID 1264 wrote to memory of 4636 | 1264 | cmd.exe | 114
PID 1264 wrote to memory of 4636 | 1264 | cmd.exe | 114
PID 1264 wrote to memory of 4636 | 1264 | cmd.exe | 114
PID 4416 wrote to memory of 2088 | 4416 | services.exe | 117
PID 4416 wrote to memory of 2088 | 4416 | services.exe | 117
PID 4416 wrote to memory of 2088 | 4416 | services.exe | 117
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 121
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 121
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 121
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 121
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 121
PID 4416 wrote to memory of 3380 | 4416 | services.exe | 121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe (PID 4008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (PID 4416)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (PID 412)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
      - Executes dropped EXE
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (PID 4712)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 1
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 2268)
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe (PID 4392)
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe (PID 3380)
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    C:\Windows\SysWOW64\cmd.exe (PID 4272)
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup

    C:\Windows\SysWOW64\cmd.exe (PID 4000)
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0

    C:\Windows\SysWOW64\cmd.exe (PID 4032)
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete backup

    C:\Windows\SysWOW64\cmd.exe (PID 1264)
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4636)
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 2088)
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet

    C:\Windows\SysWOW64\notepad.exe (PID 3380)
      Command line: notepad.exe

  C:\Windows\SysWOW64\notepad.exe (PID 4932)
    Command line: notepad.exe
    - Deletes itself

C:\Windows\system32\vssvc.exe (PID 5100)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png
  Filesize: 52KB
  MD5: 0536002db8ae81c27b23b31d800514e8
  SHA1: 12fe65e945950225f80a996c51fd598670be381b
  SHA256: 483fb597fcfe5150d9b099b28fab686a9c1b862b524984487b9077073a24f1e5
  SHA512: 0486c53ad63d6bf1af4837d26bd0487856fbf70c78d4bf647532bdde2477d2b6393e9a4ea2f096623f688a2f8466c5a48ece428fed87b05ad2432091aa21d425

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png
  Filesize: 52KB
  MD5: 1a3bcd12554248521e97a71be2b095cb
  SHA1: 5ac12314a8fd7b2109cd7912665a75d74743c588
  SHA256: 203269d3993b97baf22c03190c682ada8547fada9bfdc9b66703c40e6da36ff7
  SHA512: 3a9fa2eb47651e98593c35810bd4fcb00bfb54bdf696f831f15754bff42e8d38d9ed672d805207aaab8e6f35b013640454cec15264c1f66a5ce52f5bc82cebb3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png
  Filesize: 52KB
  MD5: a5c8228f5570c925de66c34e597786a8
  SHA1: 7aa11268aa54f95b07803e2f885213f3fe4f243b
  SHA256: 9bda9c4a4fac2b68b49d4f8e94d10978c568a15b9597f3933b4f9b637b455488
  SHA512: 8e57380f2faf857451775c757aee5eac500de4ba32d1f36596097e489e53b0731ee3b79fd9758c7be229e578e25f7903fa95bf095e15a165cca9429afd61660d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js
  Filesize: 34KB
  MD5: 6926ccad8ce77dfb41942be63799cc5e
  SHA1: 1b456f523c0fb1387c3004a0e257e7f9dcd82750
  SHA256: 470788f5a11cbda037510e902fb9cfb694f8734bde47059b577ccd391cf3bfa8
  SHA512: 8759c35a46d42d24de3f843556cf41fc6a000e0c0cb0fb6694b511c0a8b542b4ed42bb900d4f3efd1f3e9c3d96806c001794673fd297aa106533e1bb7e81878b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js
  Filesize: 10KB
  MD5: 8a279b28b890e69f47184d3b0106676c
  SHA1: a8ff373e08d2b65f167c3b22e0890e2d856b1006
  SHA256: b013cf3a2d74a5dfefb84ff5300d24a741a35e6df34dbccbe0cb3db021b35742
  SHA512: 0ab51bdc3be7c0afc120038f8a41afc42853cc8f6628893ed933c100a0b47567496243f505566dd2ce174e03c806b399e7d7eef7807bc46b531c3e833672e230

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js
  Filesize: 5KB
  MD5: d5170723ed5ef536f09aa61dfbd06385
  SHA1: c9c5cb06406dcc49a501403e4ce82b5a47cc392e
  SHA256: 82f84b74dc079b5a0b1a230f86711d53e3a09c946e0529f33786f496b9033058
  SHA512: ebc8716d87036f03ab49901faf4d94ceab7e70d6ba497a9a1e12240375f24923da29eb46fcfade49f1c2bf289eb26c4dfff51cda95d9be2237fc9361d2c4a80c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js
  Filesize: 6KB
  MD5: c87a9910dc5c0b828996e355e796c8c8
  SHA1: 147f77f30d3ea8ab6f166b1da20141fac33f6250
  SHA256: 263c18f45e84f93f8207bcbd1d65290e464074044dd315e2137a09197e630876
  SHA512: 3497cdf305786deefbeae8d385cb354019bd860b33f77d92a6865f91b9344be2e511c2a0ef1b9c66a7c27bc25e9b8815b2c850ea8ed1a5b27fa75aaf23ea3915

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png
  Filesize: 20KB
  MD5: 4cab55c16f3d30e97b585f1e8c1025f3
  SHA1: 3367137255fcfebb3e5ee8bd5802a4c6a3eb5624
  SHA256: d51a06cb3568dceadd89b5405212acbfc3647736b37dd77c6edb7b9200e79dcb
  SHA512: 06734f79d1c6e99cdfefa66221d6580db75c73f26e06435794a64068b730b6dae8661a216b531860752337c175b40b040be6a7c4fbdfe566e05d7ff227b7b2c0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js
  Filesize: 395KB
  MD5: e0b7436f85fc257b9e2de3c6875d55d0
  SHA1: 7848f3a6f3e30a915eadd711ea87265ffd8a509a
  SHA256: b4df63e4ed0e62646ae87f75ae5b4a4d102e963e6626410ea8dce608fcdc850d
  SHA512: 4a526e0ddc0e826da82ed50977c572f5bd71971a689515ad3d160bb88a63868d4aeee5484e607bae28b72dfa4ba407d96ce6c039b903d74c58430fc93b51f528

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js
  Filesize: 176KB
  MD5: fed89953adc75375874b5e756e3a79b8
  SHA1: bc3679f170a10ff7df4c93c926891754a96494a0
  SHA256: 964abaea30dec1a0b2d651643095340cb5ebd668e718b3a3be48b7c06e927ef3
  SHA512: 951ccd587c09f05c356b549fc2a55a137ee27a3954e5ede2acc80e9485119c8d7c34ad7e1d15eb5d0fbd3e645ce2d913a69563f7519706bd647c5e38465e1b1e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js
  Filesize: 12KB
  MD5: 119432c3a6eae972242087ff653a2563
  SHA1: e1cfacc2a29eca28ac24cd3065d248483fddb7f2
  SHA256: 233b6b7ee6c722419d07667ab9c2151acdf56783e94952e93e924fdac10428a8
  SHA512: c74186ba1af9a6d9df00d55c31e4b72eae6eba6ac8d1da7e53fb8c7d0316a635121fe569266e06bed233149e332cb4fe035f31b6a4df3214dd6c49cd5abbb30e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png
  Filesize: 9KB
  MD5: 5ebdad9be7d16dc9d3f4f16b66833de9
  SHA1: ee9da9e55cec7577fb02501a7d6358ffa179a955
  SHA256: b1b8365c91b0fe1f53b81314fb4656875748ec923d5ded4e701d4069dc373951
  SHA512: 4b67388caf69e2a43fee702121da50cb9ea6c9ee877316780d2afdf1370d019d902eb409bb45589a23be72df80be547bb24609907796737390dca9e22ccf52f3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif
  Filesize: 9KB
  MD5: abccc8f306cd47a7ee1d3ee538b5d770
  SHA1: fd99fdca336cf99c34fd449168046826f9d3146b
  SHA256: 8f47ba0e8558a22b28f1e3329f0a9a8ef4a584d5c0990ef83def51678c72567f
  SHA512: 55434ab0280e75c7675ce2cb53fca2ffe73ad694b7491db706fa0ee7a8586279fab897884f580bf193b7965ff5a1eaedadcc8ba7deabf20cc90921178b0c79d0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png
  Filesize: 16KB
  MD5: deca1c0923e1603f66abae0232e43ecb
  SHA1: 6d4ec623dd7863e58d0009e1ad15d4c358d70ffe
  SHA256: 1c2ed122e8d20cc3f692c6091e176010fc762a5d016dc48897bbd8a2aca7cfcc
  SHA512: bb9ba93bd57e1c39d55f1aad58e043ae69f114c2a4c011e0618ca8be8b887eb8a0d5a257ea0b0c92ac51027bdc7a54f414233ca50c2f822c8ed20477e4e9111e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js
  Filesize: 6KB
  MD5: d3aa77197d76e71c782fa958f5a2195b
  SHA1: cbba571337399364c7e44829b9dfa512d60dd262
  SHA256: 198397889145203c21bdb250c0c8be1c97cae0ce065999b4d105d0de6da52925
  SHA512: 0077385737d339b91f856c146b790ea18a2fbe92635fdaaf07449d041a13fad45ac21327d8beaffb5697aac2dc7fbfbea2fd0b2b97df3e75ef481efdc55cd841

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js
  Filesize: 7KB
  MD5: c4a36059d0c3b20c6b53b4368f21f9b2
  SHA1: 684dbc417e5b8ad606504d81d92a3fdcfc01dfe1
  SHA256: 8c08fe8e2c0fd8bbeec202dea0335b359138ee5d706e8be5f012a5dc6a693aba
  SHA512: 8f66664d861561cda0d270cc8a4a5569b9dc687f5ba24e672c6d09583e7c54a7a3c8d107b265b7d686cf40e4dd25f5f2e32fe1342856c46c92b98fc4696eb501

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js
  Filesize: 48KB
  MD5: af2e7de2f5c5aab538f5dbf00ade101f
  SHA1: 8294b305e97aa65b07dea75d9325b4c84788c7f0
  SHA256: b5140f824d3486f3b4593a05c635d5e106df5272aceb8cba1402b0b88f7b6700
  SHA512: d25ea3b98bd37a0d86355324bf49fe37f2d4a59cb86d1ba8b47b14e17a628f5da7c71e8dc4ed491bd87b71b74926a973729d96c41ca52b418d8cafcfefc57c66

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf
  Filesize: 381KB
  MD5: 48327bd67dad22ae9dd4eb0b10dea427
  SHA1: 362371609b7611b431b931cfbedd067b26a709b7
  SHA256: 9b01359fccdca6bbf696924d096fcd4853e6734138c3282cb65352e5647df976
  SHA512: 896f1bf1d96a75bb3285d55f77653cc756451e265da4a253c0ea051a6baef48e43748239254da7b80c533035da493693938dd3ee4f20eb4aabeb57ba9c04aeb0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf
  Filesize: 56KB
  MD5: eb5f0ad401d5baad41d3d8fba48a1ccb
  SHA1: 2eb1a8406aae3900c2aa5a7afd5b0f9ecebed2c9
  SHA256: 54d961046ac888b5982d9bd9e88595c6c38b658a2138eb60398c282f246f604f
  SHA512: c46f4e1b85d8a4856c329fa490271bfc39b650d90ddbdd36e53e2cdb60f518ecbcebf1f4e274b9565845f0b1adf428f98912e74ba709944199b8489f407416ef

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js
  Filesize: 14KB
  MD5: 8884ba8ec316c1264d14e29c7b091379
  SHA1: 7578b1039e8168abf1da9fb39b49ef6d82c7410f
  SHA256: f4b591ae7f240c8e34c57fd9f9a8e44c623ea3f94cd8fc34eef058b49db1e28c
  SHA512: 7be560b4365b9900c7917ddb2327248572302fe67fab06d3db61cba886828167a802de9f840204c50e366ceccab3adb2cac46302de18dc283131be1176c09ea4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js
  Filesize: 15KB
  MD5: acc85c2ff09e79e403746a6464eff823
  SHA1: eeccf3147406b02de287c47acbd81981c901c54b
  SHA256: ddb25196ab116fdeddac03b1bbf509c6847abc9b2c6fbc3cb170eea9361abe97
  SHA512: 1805279fb3cbe5403d39b99a3981747523205fed0c0dde803aaf804a5847692b437956fc7579481a76e6ad3918863a134b09138f9ce3457689c571f29bd2f7df

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png
  Filesize: 10KB
  MD5: e5e8b2ac2dcb9a15fe253e57d78c117a
  SHA1: 4f277ea96827c5125bf0cad6d9f70ce1c462918e
  SHA256: f6271133edac1b6f4c0f3f088a0b434b4f68749339df5f91262004aac8fe86e6
  SHA512: 732329c8a5908b0dfa490604fb9cd9b83632c9b8621c20f3b260a1f1e832b8e0bdb49528beecde9166e3285311fcf336cbdeaf341a08c0f823ff111d71304aac
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js
Filesize9KB
MD5456cb917c73f7def04a16a75c22a7556
SHA16ff1c36f43939da4b1c46ecc5f83ac2ad7de3ad8
SHA256cf6970ca655ad67e93f1778cb3922bc691e3579585d7ea95efe06fae4f891dde
SHA512325051d37492093a09e60c40a41196a77309343fe11fadfd9a5c52c1591c31d947ff04bb63c6c81239ddd097af1c78c844a4986610c182dd6d66ddfbff249ea7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js
Filesize11KB
MD5dd53c0d3acb3ed0481ad4ddf85c82944
SHA11444d9c6d33c79ad3fc883d3e5820f040c8aa934
SHA2567bc3ccf467f25a93190793984841d2dbf377a03347f05e9e2f178eb07976fff9
SHA512eb51dc157dd38958b2d8fd7cf92ffadd82acc9ed6528ac92ae19ea02dc17fcd1daf101baf9c3b6b799a6d297ddbdc242109c4d3abe0d389ccb513f3c6e0d637b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js
Filesize17KB
MD56f1adbedda2753b4d817b4d69eee69aa
SHA1e092a6033294d96ea81dd5d514a25b95205efdc2
SHA2560fcec5eb28e297ccabb92df119ac89442a840e592b2bc25db0cbe55cea3ef9bd
SHA512d898a6fa8f6e360d63640960fb76c3aae47f357c66295f7a094961c16f016baf1af276739b1d950be90793bdd80157a611120cd6fefa20123ec2334adf353b3e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js
Filesize18KB
MD561baa87d968375a70b3b0b281363c633
SHA13b061898ebe9c3a52b910b7e42821f82da3b29cc
SHA25684805c6cf948066a974263b80fb2312b302fb7530fe3a67f126b1f59a3dcc2f9
SHA51277258c9763d6fb4e74fcbb50fb2b6663b5b31210606c0d308251097e266fca700cc1c2a8658c264555cbcb5843641f259b59b7f6730ca20302ee7fd7e12d286a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js
Filesize19KB
MD5b01c1aa7092e4c06c479e424697db4a6
SHA13cac716487da886845c6948fb04d57988b88e9b0
SHA256a8b2940201b1bad0fe7c2dabfbdd8561b6142f908b891390e0bf1bd6e31af33c
SHA51201bb1d4ee7ad00d477ba9d831b3409440174c5ed2c52acef5b3b08a9ae910cc3490866e19fb1522078c991c3da907255a787dc9f1973c353d9721109c41859f5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js
Filesize23KB
MD5a7eafc2a8baae6ad0e95de35818fd5a9
SHA1091483bc7e723136f018515688656c6b8f9956dc
SHA256352ed27769854b8cd35e92577f13c9164a88e2f6155ba008cb32d7fc42fd696e
SHA512c4f359ef11775503c7d5a580f418e5856965ff8479cfeb9a70ca97a753a0804a1d0c32cd3e3d3e666b3eb722dfbebeefd094864f266ed0653538e947574e87d7
-
Filesize
9KB
MD54525546ed876d226fbd03b56afa554b2
SHA1ecaad6db82ca5dc134bcb250a9d3e15b01627d19
SHA256a968a6c56286dfcc9c02245ca99c26a7e8c61b56e4318aa08217cdc14b4cd563
SHA51220418e4cc7278a48b5c4844d13489b6bf39246c6d9f0946eef038ca2c57bcf14381e9dcb0fa447cf1ee0315d139d9c2c34abf2d7833b37e076239a7a1e11a4a4
-
Filesize
4.1MB
MD5b37149c66214b93dac8002fdc0e0513f
SHA1c8e0496b6d8f461ce788ff711147f1c6e31e7314
SHA25666ff2061b12045caf34fee6dd24eb4911ca0a800c522f2f550cc6a7278024d61
SHA51236e14ffab558ebb39a53090dac14e0309a84d39c5b12031cc08db86813c0592d479f7dff887fedfbddb4af113963f95683b9ed74e50084de538123781c5fed70
-
Filesize
265KB
MD5da44d68ff308ee3a0be010e584eebc84
SHA17ccdc4adbdacbbbbdc99c76499d55a45779506fe
SHA2568e400b2e6736c5ff2fe0f9276d94cb9c7a209a0eef59401fea0763670ce03d81
SHA5124f0bb133748e0abff43e06d9394659c93916108a16554b83f3a1ecce5529ca00b866318847b3fd5a96680c60d9ef09eae3e590e0a33f5037db994dfeee295c92
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi
Filesize2.4MB
MD551ee9409375ec7d07d9eb0cc1e209fa0
SHA1d8f8c3c59590b0d715bb56075c08717826bc0f32
SHA25665ac52735d9ebb7cefc921d92652bfa32236c04c0c0bf1af9540e7d944106962
SHA512d9a0e65312d823270a353b0d2e0cc90939dfae548f0aaf823ef5eece4fb1fc1bc50b3f0fd8bbfd35ef9fff252a59287fd84d1f4eb1237b14d5e00718ea60bcdf
-
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe
Filesize62KB
MD55f5d123669df25a8298fa1920f58786f
SHA1957bdb7963da1d99520a34067b728d1ca7b464fc
SHA256639308decd65a98f0b1cef8c4d278cb2bf016abe329042729f818f6b64099229
SHA512fb730e9bb316d8e1f8038c9a9056898b1202962c03253e3af3dca91e541a8f9651dcef69bc1de3b974a00bb47d8e2873fd4246793ac874a5f1e90c74790d59e9
-
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
Filesize1015KB
MD5471fe3bcdc5d7a1da77fe37b285fa006
SHA144d77360343eafac4c72ecf55cf531fe510566de
SHA256b2e28ee39bbd4d00da7b325e1f7c80774ab23f11c884bbc72239b1770d0301b6
SHA512951874df7766a66b3dd0ab22d639de109c3b16c1cced39393f31d55b0d39302d2850f029c4f5ce667e617246e31af81afd7eff87e48f8a27e80f7d2fdbc1794c
-
Filesize
606KB
MD5de3a2c5a7c8ec4a07cb0e1494ed136af
SHA1f910b8a6dd99d0aa18198d10d8f3f1e026cd3770
SHA2560d546e87edad7443bc71ffa7bb6f8f0b51f577570571e7b86fa909578e07506b
SHA512225ca78c54bbf62cc5662408d2fa93e51b0b6122f66a6ee3a8575960c4a15101e1e2c55880162b3e839e7808645d5f3361d8c994ab1c131e48c220b36f90e30c
-
Filesize
610KB
MD525c4f64f39fa724334564d319e6c5c36
SHA1f55da4a3435af0c5d9527737e070bea1458e37d5
SHA2561dde0b0f3e9ad4fb3b96fec7e444643b26b1b45a4a0aaa5d9eec2bcea50c4153
SHA512a7367bede4312d3540e0c62cc9202fa4989ed7e4ed5fea0ebc2acdb4ba1bd0593234db463cdc664d368b2a386569acd21a263ac84f321977d32482f8c426ccc4
-
Filesize
674KB
MD5acb8c1b1b9cb501da03d37a0da1f296c
SHA14d9a6ad6492f064fd7fc85ab7437343afb8aa82a
SHA256199f02ccf26a350cd522001097897bedd55090faf17c2f2e76dd4dc664873a1d
SHA512c015615bee23565e758fbe1f9f0591b7fccf44f7f0048fa1d9ab76bd3ba303e2778dcc8398fac65d42e61ff25e0bae8bab6c6887c33485c0dc1235a7e64faa0a
-
Filesize
1.1MB
MD58697e51590bebeae9fa02ea0b42d1b43
SHA19c6fb4eb2c58d3243d01f337fccf6bc1783536aa
SHA25602988dcfae5ed615ed3dc01bbfbb4a6573b088b43d3fab0391c485872d23a736
SHA51240e70080caca5fd68f79575207be05275b86f80e31716dfe44f4953a335f04ade026ed962d606e3189b10ab0c96220071341e7a7da61d1794c2c1634286123d1
-
Filesize
606KB
MD5bffd16b141c41ba9d6c119968082fb37
SHA154a7842e2bee5cda81ce4a85cf53db8dcea90c65
SHA256c072fa95a010390bb6da9afe7f0f9fddc70ec1221189beae3a9cc90d76165427
SHA512238e7e8e4ce33a7bf907e2d3f3b9d874bdf7ccd0543aa437e258cb9b8a6d561eab607fdb9ad88c255556fa8c2961de374b82ee0f0449e2cee7520820d7f9cbcd
-
Filesize
773KB
MD5197e5cabc90a082fb968b57458164f8a
SHA1e070346905341f4cab594d33f5a69b8ee24c2c1d
SHA25647ed7928cfaab05947f1536593ac28110d9581d63b3e84d8e922ec99bf135d04
SHA51208d2d055364ce2e9acfa3e8b37b7fdfc35ba380b5c0d63c516fe299d70ceb8eea2e289ed59d86c753585142c62531bedffae4243024bb258ec16d20bd8277726
-
Filesize
780KB
MD5c1551cd7337e6b0dbff6529b561cdbd3
SHA17e5497d6d3de80965647bab12cb9cad817d1da4a
SHA25603850b23668f76a2dad2341d0ad71b88330927f3fc57904a7b9be388c2a7192d
SHA512d6cbbc4904ec784a1be2b4051a9ff54de03ba8e6bf72b0bda5591be70a7ed4a6c8da1e5ff98fa9b8d31a882b418b6917d2c0da0a9a30ef76ae23da8b9554b821
-
Filesize
985B
MD53361e127b3d1e990d52e1f966924dfb2
SHA1c81a88d0866f21255770f5671e844f41ccc52b60
SHA256e39189f9b9b351cfa059c5c1303bcded5027bd9eba0c6ddb7ab74991181c1eb6
SHA512c1d3d04f04aa5c9376fd1d7b4bb95a80f0e82e881ad6cefedb267ad3b17da1dd7d35d350c6a8430dd19dc22049f62bc7101bd2f928077845fb1ce6ddba6de649
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize2KB
MD5c8bba7924f37fd3d5c549ad50f16a2ad
SHA1a199efd5291fd7503e0b4e7362ba863bbe29efca
SHA256f8d1b39724533e12eb12277a4be596b50af71e83693f6099d131d32c04c2c4e3
SHA5129f7813de321580e241dfb0765804bde11e88bddad94ff33d7b89b8454107708f488e965e5b1be1847ab3e3e1080f137816f7ae2762a9478a7fa033a01866b163
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize472B
MD5a08472e3b6458d84da6ea50aaa44ec02
SHA1624f1766112acb8f45224b0658d512801eb93756
SHA2563eec2f4519bbfa97b8ecc3d64cbc767de28366dbbf0fa9209ded49741513c98a
SHA51252b82242f6012a12318df97f5ede1d0dc776a1f366afcd422a5df3292b8a2239e4995b9c3a6da5fc57f3fc06e59a3e208ed329d1e2fe1903b779bf556a0f786f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD5a26045c60badc3ea12344117b7bc4403
SHA1e042d0cb3844ca44869d5e01a2e427144b458556
SHA25669872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925
SHA5127b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize484B
MD5c6e5a018a5c491e0ac8311cc2cf4cb7a
SHA1ce2f0d5e40eac3d34085a4c520bd8d6406a16978
SHA2566acea50b8f90f8165a65e98b725e7f5b695af259af7caef59805078025cc2241
SHA5125dc8c45c338d49e23745ed5d18ba5fee846ef7dbe56ee79a6bcc9d7dda0933c3446423ec9c40d585a06c42b212c88e7f64ea3d4805a30519325dc6d59ca8ab8c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize488B
MD5916642066018657665a755eaa9586d25
SHA1be28cb72fbc8d712e18be65a2f6e73172cca44f3
SHA25625cad7e1c8f2636ffb7dd01fa77df144aa4e2e5d6bcc8fa9cd2c923953b53274
SHA51200ad7545aee624bbb69faf28f18f75b66c84372b7b9e29235eb38b65cdd5d6ecf5bbcbba4171fdbebdb5914640ecb1fde826938b5ad9cf590d5f6f890edbb389
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5afe82ed99ddf6620dd4742ec59e9903b
SHA17680e47c096edec8b2094ff324908aeda78352a1
SHA256a726b8290b4358c0ec54ac7f9b5a492cbe829879df1ce0deec5afdc2967a0f65
SHA512e4d325205dc999de5b9f00e7d40a1f1615f1a391d5085b20b74ede2eae97a5e242df3c7bdf4d6dd1710cf310f839ab53f2af872b5b2f97b3b26fdb1904d8ccb2
-
Filesize
190B
MD56ebbeb8c70d5f8ffc3fb501950468594
SHA1c06e60a316e48f5c35d39bcf7ed7e6254957ac9e
SHA256a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1
SHA51275cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c
-
Filesize
18KB
MD546e7f28a55cdab07533424725a04b9e5
SHA148a915fe8958b0882f364b1e0ceb37e7b7948319
SHA256e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b
SHA512717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076
-
Filesize
211KB
MD5f42abb7569dbc2ff5faa7e078cb71476
SHA104530a6165fc29ab536bab1be16f6b87c46288e6
SHA256516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA5123277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
-
Filesize
731KB
MD52a8c9699903640f7cfd15b1282062ab9
SHA145c822c990e69db3b68e9f6e1e7af660f8b65eac
SHA25669c825b024aac46488f79905c4bc3c89470c10b1de166cf29e9892b95c3efa25
SHA51223f5b2db305b1e699e073b68acd57505577e9176ac4061d1ebff3b599819e299d28b0e09fe0ead7781dc695d3fa274a3b8e45c265e868f1f89c0056b49954815
-
Filesize
445KB
MD5367be71b42a00b06aef0701e08ac8a6e
SHA15248f34b52e977e899735904eed2d47f76f75f03
SHA25696154f6b151300572c7610d8997e203b434c0de2ea4074b84197a190d4520ea5
SHA5125a50fc880bc0293cedef947b581646318ed85a5ab45490a04e2d1b0c4bf958c6c7f8eae06d1529cc5854f7feabd450e66800a62eb8ef451003f5b9d0ada2c2a6
-
Filesize
763KB
MD5b3ebe0a9dd1288c6573f50d578afc47e
SHA163d166e16692b32272206ef6dad150374cdbbf80
SHA256f3eab03aa24c36752c98e1ba5edd331153806ee27b0fe53851cd39d6988b1ad9
SHA512ee115825d8b872b4274416affc660270a21eac03645baf1c09474aab615b233be3efb3e9b979225390192adbc9a6d42a0d6159a3cc1f83eed9d08b1ab6aebc6c
-
Filesize
921KB
MD5c12642067481ad7ee65aa7f5f2938e79
SHA1a37c4b3fd9c7b77dbb218b83f30d1aeaefbb5ff5
SHA256a0dde68ac20c2278a4ce6b073e4a501e51d1deb0e5379ab100479f1c1199676d
SHA512e1c9b444ac5c5b4b60a53a1818224ac592d416554020311c5a2f01903bb96a68177adbcd5b68155b0e62132768d650d070658d0dd69856ffe084e99080084aa3
-
Filesize
795KB
MD565aad671ef2e3d57243542f41947401f
SHA1a1fa3915ec0835159f0351fe28a8e08acaf953ae
SHA25615fe859d97adddd9755cd5f9fc31d028d483dbd89ab75d9a8a4acc1738215d38
SHA51250e9e02caac5cbc6e0e29774f819263429aec0d04930acf125731920f148cfc7d272233db78b11dc692dea97657ebb8c230022ddb270ebeb48ff5e88edb70c59
-
Filesize
414KB
MD53b28a5cdd5e21a408becb53825d4328c
SHA14c592b4a363b76b65b0b49e460b3f1f2ef344e0f
SHA2569b0900d0fd69d4d621791461b890cd61d966a1d72a5b044148570db34ba3a9ec
SHA512f5b6e4ee966813a464cd5ab667479e8266f439e290bf7c7b2872f7eff9e7b4cb6d41db2e7bab000b9bd3c92dfc1d7b9fc4b5cbe4df5191dbf010bdee3371972e
-
Filesize
699KB
MD52bcfad6a11508d645db1ae0c55c5a300
SHA19771f35472cb24b5147465b8fe611210d51e0367
SHA256ae1d7d0942519b7d4d3abba72798cd21f3a7d65815052b536126215e690c42aa
SHA5123d4fbb239fb1ab615b3bc4d29ec2d0cde08626a58d08fd97f00bb85add3fb86353c11b02b2cdd9102e0a139910df6c61d972e68f945ada4acdc5007d0fd91885
-
Filesize
382KB
MD5eaa56d3b25ee246e6f91b9cf5bbabbaa
SHA1a368629b3e986a2b73d10a5dfd7cad15cf9a7bfe
SHA2564effa3d46fc7b4eec038207068fceceffa48502ff7ac4825ff9c0385c42dec2c
SHA512cca7eb72ff4b0f26071cf902564e4443829fae55b809ef8d5423dbdf09f75232c2c065d54734bbb04059c8838e99d0f354033bb0a9ca542e9de21ae0cf4130c1
-
Filesize
509KB
MD52821fdd18f6bdf79f2ca3445dffe877f
SHA19fd58d3fb9bb94ef617d0a3b05718b9f83737a13
SHA256e162186b134c3c385bef17b9f664ef5941ce3c3a4694b112b245e1dd16b666b4
SHA5125aff6b4f48eb108b3c8fe431789f83a7bd8d0bc890525cceb8855a42c8310166638159350c355d91f5f72de6653bed47ac5445c7046031c177d786f4554d77d3
-
Filesize
668KB
MD500f8cda1caaa68a807710a7e561994af
SHA12b98f7dda62cf0b7f2ba50b1319f8514d0184444
SHA2562a279923dce5a9c46e4e480ea1b5e6eee991b7c432480f66e9c7481c344a8272
SHA5129157a61e3263ce0afe12f8e148c0c3f616eacc9fa9d55f53f688592ef7553b529857c4de0ae9916a24ef369b0ae7b3b4ccbb8b4a01722deb8004108b658f9120
-
Filesize
985KB
MD5898aa2bffd4d3a8a2ffc93a2bd86368d
SHA1b0a04ee61c5257f235a7f898467dc4090bbfb5e0
SHA256a11ade3ecefa2cad66e6de47b9a93372428138bc7e6aa2639adfad45d5827ce6
SHA512bbe8665dcae9562ad1a31ef197f3bb71cec1a3ed2af7cfa017096388c07b6ea369d8417cd737608c5fcb6c6f841f93e1f26e8ab9eed17de3dd9cf252b3f7088e
-
Filesize
541KB
MD5c3c772e9801175f82a79c116a3883565
SHA126fb6fb7360670c5091db6cb8feca025798c4cbd
SHA2565d8aeaa0daa70ee6aef74c2d42921d161f7cae7c310be327ae9b08920665c58c
SHA51210fd8627eee70ddf50ffb98355b2c76824b7a9b456d2bd58b10a5fc2728bf7c88f3d850eda87d72f0764f2f80d2c56aecb56dcce6e8276ab8051e8013cb90290
-
Filesize
604KB
MD55c9384279207d4bead0a63179e7c6280
SHA168d7cd89985e58cf6419ba7c58b26af988629983
SHA25669231987ef63c2baa910269424d216a3547f9037902035683ab9db275e5101c0
SHA51295d5f6a0ad129400ea89e38be603b66d6a2261ac53d77c8b52fe947cf02244c8298ad491de4fca1aeada0fb91a0763b0f3c07829901dbe471468cecd0bc23de8
-
Filesize
572KB
MD5726d74cd0da68770fbecada73f4b13a9
SHA13eebd4b3bf1b6064f59aac8bf1aef2387a0cf3b4
SHA256b6e7f8b578cb96d15e47d8f720eccc03d19714f53ca4d7a20bb91798ab213004
SHA512f836793f8fdf1883f91a9cef664bb569862e5119a9c33d4d4373997637efa48cc0ae21338efd78635778181e0d9c83cb34329395f3379b02d2199d7390524ac9
-
Filesize
1.3MB
MD5a2f898ce88a46998b89e31f45ee05b5a
SHA1dff3d911a48c7cc6ab452c9434cf0764f3ace0d0
SHA256e2831eb6bfbaf0b788533eecacec87d8a34a4bac9bb63653cf4eba8e97b5ed81
SHA512a2fca35851a9cdaa1f44923a3447c2fd8d6a52ffea7037fafeec38d267004aa477d533ad2a72d60646bde47b1f68c5b69252bc6d59fb677f098369bfa8840413
-
Filesize
636KB
MD5c09c830318319333cdfbafa1540dac0e
SHA1ac04ed28cb00d315a0ea384445947b59a38ea819
SHA25646a04d7da94682615cc11629251fa6f2d0ee802d37be1ac5eb576d722ad00c21
SHA51220fda3d32d611fb486a484e1c569e9699c119c0afa9c663459b7faff1c9f93b7012092cc6749b1d44afe6edc77f5ec130c3369cdab0a135ba3b2b453813fd484
-
Filesize
826KB
MD5ea1fa9b69b895ee2e3b18f64f7793db6
SHA14e0fd221a2f9cc294df505415edfa5b200f2b7d8
SHA2564ad25d8fb3628508abb925a4fb135cc79ecc636443846d565e85cd07acd55eef
SHA512ea0edfa80f6d2730ae32cecd95d61d55efc97c0852d3ff6e0e61265f62ab25fcdb37e556befe9d924b57d56bc86e79b27b89ece157a2ee9551e91db420313ea6
-
Filesize
350KB
MD582d0610f4221561d27167628c04eceaa
SHA1be7b0a52a68d5c42e863756489686fc03a5329ee
SHA2565b2fa6f0dec8b48923eeb37378eeee8e5b7c448861c1987bd64ca0ea8bde4454
SHA512b0a3cb10f557b44113b10ab2dd58519a870fb6429b1f22298f971584eed58d4ed92426c186f86cb9ce53e954316f0b363d0a49ec0a7f2ef91a6ab2cee51953a1
-
Filesize
890KB
MD595aa76db63ba9b639b68c81d4f262aeb
SHA14aba80506a4f7d68476d052a43627b45bfe77aff
SHA25682ea136e2cf3a71a03569526c312f1e360b30df021c4ec2339fc8f4ba42d9ed6
SHA512dc522e0ac8f57bf8e8e7331ded6f2397d290489b1829969e3bc6f611c205d106a5dd497289ed04168d5b86e852b937db722f7cb243156fff99bae3b3f77908a0
-
Filesize
858KB
MD5a48b69624f50283b745389bcfababc63
SHA130db4589660e3b714e6bccd5e7da6494747d77d8
SHA256537176b3dac779788bd4c6659a7b186a49e18d0531ac87519e2ef49027535ec8
SHA5128be6e52a79c641a81dd9e8a3db8fc9294f9205c4d912cf66aea98df08707afdc7790f8c889240599f56bab70aaaefbe9897b37be9881b90c8a3e51e5cbc4fb01
-
Filesize
953KB
MD5a3f2894956488f58d83f70961b919198
SHA12d4905f443de1371a9ed9346643ce5372e7df58e
SHA256501ec6e0f6be953a9ad131d491f5a4847b051dfce7add51059d7148db62ce631
SHA5122e37f4454a4cd0ff2ee80a7f4c1f75ad8fae47b2a07020537052feaaf6176b2a73329e0a22e74552e7d6449c44e399a1c0cc4152f1b3161786bbf17d2653860a
-
Filesize
477KB
MD58159cc563fe9a0fc80c7fc7ad4fe0f17
SHA1e1a926d9957a29880fcff56c7887f21fdd5727e0
SHA2562edb328a534e456233bd4831243e9ff06957e22da82327bc509dc5087a416edc
SHA512baba824ca81bdb3aadd79772848045606e05065d36cc56cd009d4fd5aa1458ebd4c878c3ffb44e383bb280ad4e1444ed01bc0b94434fe78e6cad156c55446274
-
Filesize
82KB
MD5c8ff19d1f0eeb30a37bf7ca5285b3eb5
SHA126fdcf3654a38a7f2fc732db050b1450682a3946
SHA256454664bb8bd3606e053a41f27dc16d5b97401e911f3ac5a0f6ba06e4a83520f4
SHA5120a42dac726a7d93bfaf19d004a3ff64965721e8262e697496a21f839cfaac97bb0b224581228a6e3b4cc15333fdeb10c55856d505a352b89c1bc017b7ba44efa