buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: D3D-B9D-8F0 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe	family_zeppelin
behavioral15/memory/2236-92-0x0000000000310000-0x0000000000450000-memory.dmp	family_zeppelin
behavioral15/memory/2324-178-0x0000000000DA0000-0x0000000000EE0000-memory.dmp	family_zeppelin
behavioral15/memory/2492-4602-0x0000000000DA0000-0x0000000000EE0000-memory.dmp	family_zeppelin
behavioral15/memory/1720-10901-0x0000000000DA0000-0x0000000000EE0000-memory.dmp	family_zeppelin
behavioral15/memory/1720-19765-0x0000000000DA0000-0x0000000000EE0000-memory.dmp	family_zeppelin
behavioral15/memory/1720-27586-0x0000000000DA0000-0x0000000000EE0000-memory.dmp	family_zeppelin
behavioral15/memory/1720-30455-0x0000000000DA0000-0x0000000000EE0000-memory.dmp	family_zeppelin
behavioral15/memory/2492-30483-0x0000000000DA0000-0x0000000000EE0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2564 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

TrustedInstaller.exeTrustedInstaller.exeTrustedInstaller.exe

pid process

2492 TrustedInstaller.exe
2324 TrustedInstaller.exe
1720 TrustedInstaller.exe
Loads dropped DLL 2 IoCs

Processes:

default.exe

pid process

2236 default.exe
2236 default.exe

pid	process
2564	notepad.exe

pid	process
2492	TrustedInstaller.exe
2324	TrustedInstaller.exe
1720	TrustedInstaller.exe

pid	process
2236	default.exe
2236	default.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

TrustedInstaller.exe

description	ioc	process
File opened (read-only)	\??\A:	TrustedInstaller.exe
File opened (read-only)	\??\T:	TrustedInstaller.exe
File opened (read-only)	\??\R:	TrustedInstaller.exe
File opened (read-only)	\??\Q:	TrustedInstaller.exe
File opened (read-only)	\??\O:	TrustedInstaller.exe
File opened (read-only)	\??\J:	TrustedInstaller.exe
File opened (read-only)	\??\E:	TrustedInstaller.exe
File opened (read-only)	\??\B:	TrustedInstaller.exe
File opened (read-only)	\??\Y:	TrustedInstaller.exe
File opened (read-only)	\??\X:	TrustedInstaller.exe
File opened (read-only)	\??\V:	TrustedInstaller.exe
File opened (read-only)	\??\M:	TrustedInstaller.exe
File opened (read-only)	\??\L:	TrustedInstaller.exe
File opened (read-only)	\??\S:	TrustedInstaller.exe
File opened (read-only)	\??\I:	TrustedInstaller.exe
File opened (read-only)	\??\H:	TrustedInstaller.exe
File opened (read-only)	\??\G:	TrustedInstaller.exe
File opened (read-only)	\??\Z:	TrustedInstaller.exe
File opened (read-only)	\??\W:	TrustedInstaller.exe
File opened (read-only)	\??\U:	TrustedInstaller.exe
File opened (read-only)	\??\P:	TrustedInstaller.exe
File opened (read-only)	\??\N:	TrustedInstaller.exe
File opened (read-only)	\??\K:	TrustedInstaller.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

18 iplogger.org
20 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com

flow	ioc
18	iplogger.org
20	iplogger.org

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

TrustedInstaller.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102594.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HLS.api	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00223_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Araguaina	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.DPV.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107450.WMF.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18239_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.D3D-B9D-8F0	TrustedInstaller.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZFORM.DPV.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECS.ICO	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt	TrustedInstaller.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\VIBE.WAV.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21338_.GIF.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEMS.ICO	TrustedInstaller.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp	TrustedInstaller.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15273_.GIF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURL.ICO.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196364.WMF.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00013_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Response.css.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_over.gif	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.D3D-B9D-8F0	TrustedInstaller.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo	TrustedInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

624 vssadmin.exe

pid	process
624	vssadmin.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

default.exeTrustedInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	TrustedInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TrustedInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	TrustedInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	TrustedInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	TrustedInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	TrustedInstaller.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

default.exeTrustedInstaller.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2236	default.exe
Token: SeDebugPrivilege	2236	default.exe
Token: SeDebugPrivilege	2492	TrustedInstaller.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: SeBackupPrivilege	2200	vssvc.exe
Token: SeRestorePrivilege	2200	vssvc.exe
Token: SeAuditPrivilege	2200	vssvc.exe
Token: SeDebugPrivilege	2492	TrustedInstaller.exe
Token: SeDebugPrivilege	2492	TrustedInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

default.exeTrustedInstaller.execmd.execmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 2492	2236	default.exe	TrustedInstaller.exe
PID 2236 wrote to memory of 2492	2236	default.exe	TrustedInstaller.exe
PID 2236 wrote to memory of 2492	2236	default.exe	TrustedInstaller.exe
PID 2236 wrote to memory of 2492	2236	default.exe	TrustedInstaller.exe
PID 2236 wrote to memory of 2564	2236	default.exe	notepad.exe
PID 2236 wrote to memory of 2564	2236	default.exe	notepad.exe
PID 2236 wrote to memory of 2564	2236	default.exe	notepad.exe
PID 2236 wrote to memory of 2564	2236	default.exe	notepad.exe
PID 2236 wrote to memory of 2564	2236	default.exe	notepad.exe
PID 2236 wrote to memory of 2564	2236	default.exe	notepad.exe
PID 2236 wrote to memory of 2564	2236	default.exe	notepad.exe
PID 2492 wrote to memory of 1720	2492	TrustedInstaller.exe	TrustedInstaller.exe
PID 2492 wrote to memory of 1720	2492	TrustedInstaller.exe	TrustedInstaller.exe
PID 2492 wrote to memory of 1720	2492	TrustedInstaller.exe	TrustedInstaller.exe
PID 2492 wrote to memory of 1720	2492	TrustedInstaller.exe	TrustedInstaller.exe
PID 2492 wrote to memory of 2324	2492	TrustedInstaller.exe	TrustedInstaller.exe
PID 2492 wrote to memory of 2324	2492	TrustedInstaller.exe	TrustedInstaller.exe
PID 2492 wrote to memory of 2324	2492	TrustedInstaller.exe	TrustedInstaller.exe
PID 2492 wrote to memory of 2324	2492	TrustedInstaller.exe	TrustedInstaller.exe
PID 2492 wrote to memory of 2884	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2884	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2884	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2884	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 300	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 300	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 300	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 300	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2428	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2428	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2428	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2428	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 1892	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 1892	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 1892	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 1892	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2632	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2632	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2632	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2632	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2188	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2188	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2188	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 2188	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 708	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 708	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 708	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 708	2492	TrustedInstaller.exe	cmd.exe
PID 708 wrote to memory of 1928	708	cmd.exe	WMIC.exe
PID 708 wrote to memory of 1928	708	cmd.exe	WMIC.exe
PID 708 wrote to memory of 1928	708	cmd.exe	WMIC.exe
PID 708 wrote to memory of 1928	708	cmd.exe	WMIC.exe
PID 2492 wrote to memory of 1724	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 1724	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 1724	2492	TrustedInstaller.exe	cmd.exe
PID 2492 wrote to memory of 1724	2492	TrustedInstaller.exe	cmd.exe
PID 1724 wrote to memory of 624	1724	cmd.exe	vssadmin.exe
PID 1724 wrote to memory of 624	1724	cmd.exe	vssadmin.exe
PID 1724 wrote to memory of 624	1724	cmd.exe	vssadmin.exe
PID 1724 wrote to memory of 624	1724	cmd.exe	vssadmin.exe
PID 2492 wrote to memory of 2236	2492	TrustedInstaller.exe	notepad.exe
PID 2492 wrote to memory of 2236	2492	TrustedInstaller.exe	notepad.exe
PID 2492 wrote to memory of 2236	2492	TrustedInstaller.exe	notepad.exe
PID 2492 wrote to memory of 2236	2492	TrustedInstaller.exe	notepad.exe
PID 2492 wrote to memory of 2236	2492	TrustedInstaller.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1720
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:624
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2236
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:2564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
f9c9a4e7f0bb261bdb7a0a643e00910b

SHA1
99bbd79c43f8790a31fdc6e7cca5961efa9a9540

SHA256
ab2683636997d98bcef63e0c71564149402ccda3fbadec318e4e14ea0bf96f2b

SHA512
e7cf446634712a5bc5ac63ddd134f6975c20c26b96c5fd8e4c5cedfba3c8912d738ec818db90329b4155b3f2b6dc3f839661d769ecde03d3ea076479ebae6a85

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
50705bd8149143a51be6d4e6aee00ca8

SHA1
8de9cb6a9db1ef4a2142eee489dc234f16adbaa6

SHA256
8564b86bb01e2bd9bea8ec984c91b951b4a0e5a4c154b9c61e16525d6d4beb64

SHA512
5c64e5fa683ca12fa3007ae85eb34ca829289a9746b22cc5924b6de7df765cf42e5b9723a67ec64f3c85b8ccf0b06b105000035eaf4590ede1d4a155ed985f13

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
0046afbe7b2a38d1fb1e03419394659d

SHA1
07daf600bb059dac7bafb2408bdbc2405b2c73db

SHA256
db4fa218e482d9abf22a8a2138b9db19c77767a53944fb07cc786d20c628344f

SHA512
5041935edff49b2c3b070d4aa38abc310303492131b9fc6fffe2334129b96bfbabdf2ad19d876a5808a6a106036254fd64de141ec70bcd0d0190a5a64175d131

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
84a19c4c106564ace6a94de995d9ecdd

SHA1
447dbccafece70d97eb47356ca81c8d08c3409a9

SHA256
74a2c1e70007f9bb0558980af703a7efa89a40dc8e5905155a0b4045e0f6bab9

SHA512
07e2766833dc42218d2a6c32f5028162c7455a90163fa9a9c4fa162bb29fc1dc5f4498274974f110665735a99fe7896d72cfccfa612388108adc3821079d2715

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
cb6b84713f49670da38f3c54c00f160c

SHA1
80004a8973f6cdf45bbd90c5b31ed84507e3771e

SHA256
8a82127649468bb5446e5686f0bddcf6c0140a6da374fc3122eb46daa6ea4c90

SHA512
d5ce83d4f558a3d5908ae075887788288a4b48c1c8e392699f07fcae34309207656bd7cde452eaa71bc4d30cf7c460def58314a93826a669b008f6c63f9ffdc7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
772c8bd012797b406ddcc4e5aacb0db0

SHA1
17420dd0115810d668019b5b42f6c579f5225efe

SHA256
f4bf77f06d429765914c4fd4421dc1e8b73142eab10d67efadf0ebbd5e355582

SHA512
4d369ef2cf2c23bd7dfde01a382d8ebe1f220412e30d7a1ea0d598d4dea7ad139a4d98abf69831c6b35204e936e5a9dd4380aaffbb8dec74ce7ef28d07c494b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
c155e8aef515364e1af89c199c05696a

SHA1
2e437f3d6c895a0f9044a1e2b30218a5c99ccdde

SHA256
f35aba9c0a33de55786dafd7bdd4b15f13329b809d3cc611db7c5228c6170702

SHA512
081c556a85a7ca0ea92913d68f5e6605c2ff137048c83bd4f2e2c54b48f8b083b690f6e7fce918b5ecb071104cf644e99e3e53b0172a8cb9363b3a9724ba70f2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
b470fef260725265a0e9507752741832

SHA1
513565b4b6f2f1fbf3b4dbf930845b73d6f8ccf9

SHA256
204739f5a6a690c923a465110759d9d64e1a6b7b67f14b8c70a5de630a6fc0ce

SHA512
7cf76af35691838267e141c044169e6a5db3afb4bcbf13cb22fa307dfa757a5c4a5d664ebea382207c4759d65726f37f71f89083593411d59991d6fa81f4d7e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
91223f32db8edaefe25d071ad7ddc89b

SHA1
14db23bb4d29157e432c415beb2da5af6ef4b6c7

SHA256
09f58ed1ec30a69b49117a2ca95747604bfda880d9d797907431383c1eb10559

SHA512
5d3970a48781b843fc7c983de8467af0852d8835f4356061e346b0622586ec94e9acb219db03a51b7d39d73d580adcfe676b1a2ffa575057885f17eabfe93f37

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
a79ad509e47f7db225d47087d207a5f1

SHA1
a9143130498663f98b059244a05a2fd1f3959c9a

SHA256
4edf50c85e1fc1801878a33b054b7a598b468d85a605dd3b2e326224eba39440

SHA512
e9dd8eb051290396142042ab25154229098d194cc943c84f5dbd3c4b0518b52a08cecc5e566901e3cae7e836c2318d77fbf591b8dc34778e1d4a0a3dab165d8d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
0f62708476c1ee65655a814f24371fd8

SHA1
5b0c9d364ec4b05e3d62124f2833f54d4b145929

SHA256
ff2580ceaeb539b13f4e00932d3fff65a693ca90d2253f1b99c37e75abbc57a3

SHA512
3bc09d039c88ad2ffb7a488d818c71dfc11918c8fef7aba810a751458417e8e1d6191743c8d926dfdf6f887b1373db304f6b67a16607f38092cdfb1998907d4d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
c394c1ebc99b74421161d8acf175778f

SHA1
b6cd1656b48adeb9e50081045dc50b0d9800f6a5

SHA256
7d62ba869de8d95f519656d14aaae339dc465cd0a3c705949ebcf6a0faf45013

SHA512
feadace14fa7a9cbd5d0e0c649c788486c7c256f47d502bbd02d912fd6d9653b8a1d274b6eb4b71bf23fdcf88464ede6cb7d5cd98b53dbef93958f436b8497df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
7208e6f5c49089937989a5457a78fed2

SHA1
0f8765a01bf7327823174f77286b3c266aa1e6a8

SHA256
698c58a8c16b72f00a04397a82eb05eddd60e0e7079a56c3fcf6e3aedfef3bf6

SHA512
47db5637359cbf9bedb3cb81fe8508fe6bd3670d252a23a2ae4d7e084cc0ff7343987f90b3c50e651d7f140131b39f5e3c476efb0c5d54bd2a4102ef1e74b687

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
5fa0cd629ffabb0c35604af74b3cf397

SHA1
168d57fea8a15c800d0e7dac8eb3bec1157f0328

SHA256
3b0223aa93f6cb9f1f98cc1a5fc98b7efa4d136e1012eb6272d7e601f76421b7

SHA512
4eb65c2cc47adbe2c8d352de68018072ca72e7c48c3dd597ebc1224570ce372282f2813cfba4636326897c47c12f384e9fbadf9f5be73a82f8bef429dce2386c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
571652ef2d0014ca9b0f1088960d6da2

SHA1
339b80685fdace3a8c92fa1b2edace4b5f5e63fe

SHA256
1d1f63d08e299920d05dff0ae3dfe8dfc95cfb062a4093f3fe0a18f33d44092e

SHA512
189e2763a06423e119badfc049067f9e32117137acb419858c390c7655346419fd59817a97643b26c032ee0c90779db1f4306d2cc4e06339a1d63adafece932f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html

Filesize
10KB

MD5
4d8447108303bd0ba65894052841d5b6

SHA1
b492a8eb5207d6c2aa5d3c0ae214235ab075aa69

SHA256
f6c688c7db3bd4a868fc981f4a5818004a90a0c9e29d529ae79a74487712d2d6

SHA512
4b7f40c0428d425e696eebc936775bbcd6b3a139dea46c50a3ec513dccd503698f8b858183b18d8b62d7b2d73dc8a31957fc9c0a6f3c947db566a7d4615c0138

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
586KB

MD5
d892fb36c4a653d5107a8bd2664ea206

SHA1
cd94c026703bb2e62d4524275f777837b01188b4

SHA256
18b1726f0de68fab7ee066603d05e86e3d61aa4f2dab6c24724948f93d18d246

SHA512
6cb929efc7385bc296fd03dfa573e46ee935004caa7de00612a6e7b708a6e0117a710f14cb587d4017eeb2df8d4b10aa0c1b167e8b5f1018a31128a52a7cec33

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
29bec658ec22bbb744a00f1673220fc8

SHA1
9e7b73ea0b1fe8d11d84827e5510a29f70af4f40

SHA256
a62d5fd9e27fd72ddc91086cdffafbd2c4af2fc2579dbb0952140173b1eefe88

SHA512
abe719dcf4e680a544d4e176ae25deecca999c331ef155785a824e23c6b923451c4a65bf78cee1ca1c8643e7f164f1b84813f0d12cbeabca866eea507c01a0c0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo

Filesize
612KB

MD5
6c5cea5cce94df868c29e8619a1cafec

SHA1
dc79a89f79cee390dceeedaae60544abbad2bf5f

SHA256
a10ebe9032d4aefd1b809f9b36b7bb1045ae46d3429c2d5e5614a2ee894b2f5e

SHA512
41afb7d6541fb0456433b3cbe6322ed36368145fd4fb0662bb3859aa58a48a39709bd61ac5d8fd4d88f6377446ca43cf64e9a9c992a3402145667b9f7df6a4ca

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo

Filesize
579KB

MD5
4b2113cda77d06ebf43662dfb39a4497

SHA1
3d5f47700f7c2f03325059f5db00eda3346769f2

SHA256
6c827280dc7b1e1d962c7dd2e045e9016b2e0dc67c0c404e9ec791686dfefd77

SHA512
aa5e53c1fa55a317e13b52f6e9cdb507031d1eac86c48f56554625126f465e6615aef8fd420977bb5630bd40fd1cd8cdc76b62fdbf21b3244ab38e2d9a805ad3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
9369385656f6bbd2b93c2759ca8ad33d

SHA1
3887540c330dfc86e8fed6a544284cc2a9ce6915

SHA256
fb8e00aeaf10283f0ba97e0d4fde669cc695258c47fb2164ab7d5c7eb971c1aa

SHA512
f2a45ca429e1056a00414c63a5c60070e353e6486413a5f8a5c96d77c75e30f9ebc5812340e8db29004858e93ffdd50ec82a07bdb4ab03c2856b6653e8e35b30

Download Submit
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo

Filesize
614KB

MD5
6a746400e21dbca784b226b1a299c2c2

SHA1
98cfa2f64ce862fbfcc577c8ad1b86030a866069

SHA256
662d55c6ee2bf4d205c064cb419c207e5fd7d88020706a814a70ea7daf1ba3af

SHA512
cb1799864aed3947b5f143224d0f40a4ab6dd7c146d6948e856ed1f71c78bc7d5cf8ee885424fed03b29983ab506dc8a63143dd82b8ab5d585401348d2d63017

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

Filesize
552KB

MD5
f2c098b9f09c74e29540ace44329799c

SHA1
aa6a41ac5ed7f1d5dc02f000c8be97d5c1d868e3

SHA256
305a0182740174718979fa1d3c75e9ac0b27dfecdae63de1b93fdda4f9bcd05c

SHA512
e9c2c8c075ab93639819fa1e36323a099f8fcdb348bc785e7e12243f4c55814022e6d71902ca798f17f554ff1db308921c416a6e9ed7ae14117c389f712cbb45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
793f91b724d85cfbee31286611d24276

SHA1
7ea041859f49b0ddbe169ba8cfae7a012566e901

SHA256
1670d1c6d9364e85bbcc0fed25ee15d08f776ff0cda2faa922d2332bbdefe8e2

SHA512
1a2a569ea31e129b74d72c88a82c4fababbaf1594035587be2c4605635cbe5b208ee8cc5320ff14b9381861be6eba06423c928bc097c9fd7ef6278bb9b4feec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
28441017ed2172f154d6a0eb6ee6cd87

SHA1
b2a96dc105d2603b76c8a06da371fe207f44ada7

SHA256
0eb597a1106d9f406c3a235763137119b0c2ecbf4c5ed4776b38742f85cddcb0

SHA512
69f5ad19f1104a9d2918ba113e49bd27f9047a9c5a9300a06dcfbeb76e6cc5161cf53225816d6df1b4b3b680e86e9eb0ad1791189dfd0f1a351250924b6d3923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
a26045c60badc3ea12344117b7bc4403

SHA1
e042d0cb3844ca44869d5e01a2e427144b458556

SHA256
69872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925

SHA512
7b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
933dcfbf534a5032d82a1a36f73fbc86

SHA1
c44f3629e9e13f8dd618b44174aba027feebff98

SHA256
4cc5f10538cd2aa3851fe9bec6e2c6b9bd8c5c6fac25bdc97183604378d7046e

SHA512
8a25eade2fa86a7629b9414eca58232b6136556f2b8d69e947ccc867acb6cd0f831e3a3a8fa4ad8c1390708c14dd5d3901f1413fd9bdac7189e4d298aea8fc0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
117b87ea1228c172667b34b8f1ab418d

SHA1
7a9304a5020b84df10d37298db71f677348fc744

SHA256
9d584380cc24409395d961ebc22d6da39a697641fb458ca939f09cff1cca784a

SHA512
af10a0b8901d161c93be27835110f1bc5d8507f22d44816c612886d1e69aac04ed9c28f9d9e82d95a3e6b68e0cf60e7093c4471ee73ab2dd40d7d447da608df9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
500d56f21ce3ef28922e71f873ad7aa5

SHA1
b87f95a3701e969ae70ec0bca23772df32859053

SHA256
be188ab4a03b20e90b96cc2012e0f08674f456b88b29484f2ca34b3968a1d9ee

SHA512
0a37f5fbc4f03321dad5f7e939f5d7ec0ff0d30f7670bcd1909bf13ad3dbc99d529ea0be23129bf3381fd17d93a82e8b250300975fa1f42bd25a54877489d0db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
596a26e7c1ee05d0839fdcc1352b0e38

SHA1
34debf1e7ac6a6e19995767759a8d988ea5fbaa0

SHA256
f13e5f6ad75661d1e962ef87eca8445fb4cb82cca20a00ec72a9bc5854b20008

SHA512
92562abeacf58622c4921c4b543b5a71bea3cf26219eee61c2b6e93cb4682b959e0a2fc4068528dcc40829797c3d0f0ffbd09d5708449d3ef8d2917f9be6dbd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
202287b309fa7b59db6292078afcd3ca

SHA1
320c3e22be7cdb8bcc283ba160f7fbb04a662b25

SHA256
7f8aafbec825aa447fd2d49897a78bbaa7ebe15757adbae4c7276183589425fa

SHA512
505bb8e7b06dc01aec37b3657d8fe9e38b91536e3edd940f5e7b12d20f24aba0472243943d3042f71619f570289e2a3eccd5d99849965e5d9f6e21991bdf58a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\TLOK7AZ7.htm

Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\7V8UNHW0.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3AB2.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AE3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\Desktop\AddInitialize.doc.D3D-B9D-8F0

Filesize
327KB

MD5
57cf1602f09d133b98c787cbc85d19b1

SHA1
bd19b3fe263b1636e677704805e4945ce9d03d05

SHA256
4edddbe39364c6d8b736d02dba0e413e65091ff9c987cbb587680341dd4518fb

SHA512
9296d56d6c14e0021d1e23d4e5d64b06beaffbfecc858fb61956d0f987de272e562c1691f3fe9836eb01393a6a4669cfa6e582a23643b52d9db7a9270eff2e3e

Download Submit
C:\Users\Admin\Desktop\CloseUnblock.TS.D3D-B9D-8F0

Filesize
371KB

MD5
c787a56970401cd5dcc25bf498a6ca74

SHA1
d4d2cbd348dbe0062051cd5fbeda78b444c360bd

SHA256
aa2f5a66846ded73eed6258394f9dfef1fc5a30ce7c3ae72c13ce2605d0f5cfa

SHA512
23ee110070b51b0d705905aee94bc2a63407a888f095e8a8cbe82e870c7fcf42ccf65a3751f26c676c4a30d723804045a8e6052938f3a9ac04c44398c5c69e63

Download Submit
C:\Users\Admin\Desktop\ConvertToResolve.php.D3D-B9D-8F0

Filesize
357KB

MD5
2b342347cf1191969fc169752af3b9e6

SHA1
96a8d5a2bf9dcb6227ede26b49ea9feabcc4594b

SHA256
e3ce494c48d2d251194f90fac6d20c894810529416ab8a00670165106fa78e28

SHA512
d5070e338598cd4ea9949508da115b9d4938d04bc00364997c94c1ad57d83c50ffbebcaa9577a5b6b1291bb4772e0f4f6147a4f91442efc20280f6b351953c38

Download Submit
C:\Users\Admin\Desktop\DebugAssert.htm.D3D-B9D-8F0

Filesize
253KB

MD5
84b990b75e8fcb937bfc7ff863ba101b

SHA1
74952340442b279add6e7a57252646743c50b5b1

SHA256
387e5748c8d65eecafd60840374638467979743c7182bb902eccbb5ca1bfe160

SHA512
9e41426e58accbf2bc1bae9ec640ae6843dd846a070a0ac4e525b07692c76a037e4135261c43ede27e623366d676dbb9a62bfc9088debce92f4ae3d9a69fe8f2

Download Submit
C:\Users\Admin\Desktop\DenyComplete.pps.D3D-B9D-8F0

Filesize
342KB

MD5
b552f15989284e690eb83552cbea4c20

SHA1
805ce7759eb90ffa32bd3d793e14472b7b3936d1

SHA256
20031034a9dd4c3dda5ba80a7cb754ca3716b514df0f41fc089087a7821e7c3e

SHA512
d61658847a2d73bdf03e27c6afb28b0f37b9c1b7ff88fc3af742fda3b16952bbcd5a5c09365c4d12e4c5e8532c5fdf9890f5a19ffaa2f94e1d3da1b2902ec35c

Download Submit
C:\Users\Admin\Desktop\EnableInitialize.mov.D3D-B9D-8F0

Filesize
223KB

MD5
917027652314f3dfa918ac603e2ba917

SHA1
703f66ff4fdf9cdbb44b741b3184caa135d4ea52

SHA256
4b08724c472bd66c3f71fce39962f70a4ddc147625645bd8fdedd38f573bf6fc

SHA512
bcf4fe11ba2eb1425a4eb1b900b8cea16e52fcb0bf8eb4af8cbe409a697389248fc69a97b9f82d56d5dd765db56475bb94c0bec1aa8ba22fabbecb1ba7b5d551

Download Submit
C:\Users\Admin\Desktop\EnterRepair.pptx.D3D-B9D-8F0

Filesize
401KB

MD5
f1920bd5f954024a1c80446a1e678508

SHA1
30e0c2963248b2a18dd367629cb41a87832c6cbe

SHA256
a626497b86b04330516af5be34d1a87199c4853adbe89fcfe23749958bd52be4

SHA512
22593e4872ff05b4da4248018785bd047736a097aba01cde521ec99bfd9f7061a9e468e8f5c17bf2bee3bfe59bb7e23a5f1df47e6224d6f338d46b780d5c13f1

Download Submit
C:\Users\Admin\Desktop\GetSelect.wmf.D3D-B9D-8F0

Filesize
416KB

MD5
ab6c639c954b4bbc1fe2f59f3cafdb02

SHA1
2f16065f4e78a39df2ad5199b018b531e1982984

SHA256
7440d538b36667266d117a3bdec59521c84137f2211153bde81f678d91697af8

SHA512
5e6eabaf8ffd7642d81f57aa6d7d8394254f03b9e00d1c5412e9648780d9027747e9d70b7fcf3ae253317a8be806c44cfc5130565a106c73d70c369dffd8ce26

Download Submit
C:\Users\Admin\Desktop\GroupDismount.midi.D3D-B9D-8F0

Filesize
445KB

MD5
9e02e790189564f68e90bccbb3e1b673

SHA1
b879bd256e0dcd2175efff6f46a2884096fb722f

SHA256
67cacfb7ccccd1f42168c4be349391d6564892e3ff745982bc51035501039c79

SHA512
8abb36a93f31e56156a72271d8ff46c1bf2d3de006040b7ad0e23253936af197fd7eae5333d04f7ac05f88d1e5b015246ce3db837726398576b4ce7a0e45b70a

Download Submit
C:\Users\Admin\Desktop\LimitPing.xps.D3D-B9D-8F0

Filesize
297KB

MD5
edffc290cc3df4f3ec22eafff6847e63

SHA1
aba42668e9a2ec7ff84e5ecb594b20e1a22bc384

SHA256
0ab7663be3a2612af6ea439ff6184541646b82b591a1d7b00594a83b1b549741

SHA512
ee3cbdb1d768c66d9632bbc781977d4c46679a04c95c28ac005ad3d49fbf3b3630cfaf5d44f5ac8126daa3043570b6c0e346c50db030f5b07be03ac8e51f4249

Download Submit
C:\Users\Admin\Desktop\MeasureUnregister.dib.D3D-B9D-8F0

Filesize
268KB

MD5
7aa68695b7d2e4f0e4b72aaaa5037cba

SHA1
9be083906ae9fc42f5f37fe08f1519bd2a4b91b3

SHA256
fa7b13382875b92a3feb20ee7c7b3d0637d30ba5dc6d3316ee1875d0263fa6c0

SHA512
cc5e7d4d446c0bae3647c1aba858bcdf8f0d0d8cd457b4e8688ab51ea4bc59d3f0dd64b051d99e33db5e140870c498c1463b98b242fd01af591c9ff6864067ec

Download Submit
C:\Users\Admin\Desktop\PingStop.ogg.D3D-B9D-8F0

Filesize
283KB

MD5
da3af283fa38f7f5cff83e36f2479fd2

SHA1
1d1e0a5db7d7b885535b08dca8c017cb81268ecb

SHA256
d07048d3891dbcf29be056464a33b8cac2a7a407862f31fee773cfcf6abb2253

SHA512
8a9440b36ab897490d0553fa7dfea6bf9cc279cb44db7c0e8f0ff9b7ac4417ed72c9c743c40262e15c61e0a97f7d7cdbc95fb3a43a294769c0412c5b3dfe9370

Download Submit
C:\Users\Admin\Desktop\ReadUndo.rar.D3D-B9D-8F0

Filesize
638KB

MD5
78982a795929802f315bf68f84aff75e

SHA1
3737f782466cfd59d53c004c5d520aca17590591

SHA256
2fbf02b5773077f48b3fd63d5a354fab8c3c27865cf2e7ae74343981a9e2a64e

SHA512
a51c5b045a7ca5432efe21a19dc431387abdac8307ef59f6f1d17476a5f01647e19dba2edba0ad643de4dfebc9891783b995c069ee1c7b6cb8b646a6776383f3

Download Submit
C:\Users\Admin\Desktop\RenameDisconnect.htm.D3D-B9D-8F0

Filesize
179KB

MD5
769a23290471f958e21672e823c9dcfe

SHA1
cc6f5175d6fe988c2f5012288c221e7374f5e2d7

SHA256
11445bb90cd7d16adf6cb5677136b5a75ccd50c63701c66a208df3597f2d6b9e

SHA512
4a095e1770a23813d32fac8bcbe1435906dd2a122dbb1b4999423f61275d0caa10f273cb2f456fe7c493bfa618a4c3b7e2e3571aae52951e3a8f0dd473eb7906

Download Submit
C:\Users\Admin\Desktop\ResolveExport.temp.D3D-B9D-8F0

Filesize
164KB

MD5
168f5ad3e0f35b6910d073c948764d94

SHA1
22d273c0414f7a3d8516c531d1dcb0610e3a2e2f

SHA256
1c048e90a3b140524976f4f40d02237b6448d3f8f390fdd3a316928fd4a1ae13

SHA512
81651a9b75c47422e46d1e04eaa7660c05944d74bb33774d7cd8bf13d3989b09cc074e08baaa95e540a34bbc919b281d13accf7b07e95d62566daf8546cbff6e

Download Submit
C:\Users\Admin\Desktop\SelectDisconnect.m4a.D3D-B9D-8F0

Filesize
238KB

MD5
949d71abe23421569040e4d784172e53

SHA1
23b3250a3cc84047594facea1e5b79431e26845b

SHA256
1a437b89e74cf2bc5b57ea4ad1f810390089838ee89476abf2878a9bae7affbe

SHA512
79faadeda6f300fde8cae1454a21d4a592a98e1ad38952ff52b3acd8a83ba31b5a04689727f4625f516986b5a624c1b2a1a66632893f6f2b7accc17b7be53095

Download Submit
C:\Users\Admin\Desktop\SendApprove.mp4.D3D-B9D-8F0

Filesize
312KB

MD5
0da719379f2e72d2cbbfbae98cfa8e7d

SHA1
6e289a0b6dade3a5582605b893fbffe2a1bf1c03

SHA256
782d54421c88f2079ed9e616d09f32b6ffb622255e3cd69d9ba6811ef7dcad34

SHA512
15396176018793b74b8e9a990439b694fbc7b16d558f3180b29b01c3f412d1a9728c4744e3a7a4cf34e77370e573179c700dab9721f479a05c812cf0a555e9bb

Download Submit
C:\Users\Admin\Desktop\StartMeasure.odp.D3D-B9D-8F0

Filesize
194KB

MD5
54a726090ab8c21d2acaa4a11a9484c4

SHA1
d8fd91ee2f4893d8224e298242452ae8f26194ae

SHA256
fa785e76beb8f9296527b7301cfffcc06fbcea5b81c5bd4ffe106766175f56e0

SHA512
454371de434ba908269b9eb39ba29303567c631f13d6531aacf955ad3ddff915b1babed8d9aaf2307959441acc56914e3e9d2dc98dd7e700013b9cede6788189

Download Submit
C:\Users\Admin\Desktop\StepUninstall.mp4v.D3D-B9D-8F0

Filesize
431KB

MD5
52337e8e5860fc8737dd5db5f0b14d03

SHA1
c9881ab5ce0b27c8c20493ccd684a8d26170200b

SHA256
309dc94f1c46b386b1bcc915bac76646e933a482f0de388de0b77cfa5a40b667

SHA512
90e1aa34af1091c0b723d6a93c1f210161ba75e046eef0c4b8a20a4823185097d18589c133032068f1a2b1c0d279278083546b46ed386ba2d3767328d3372404

Download Submit
C:\Users\Admin\Desktop\SubmitFormat.vdx.D3D-B9D-8F0

Filesize
386KB

MD5
d8a8255c7e7e80773728ed0405c4ef65

SHA1
0bc679f158d19576095b7e4e811a5e98684e59f4

SHA256
532329d5eede66d301ea379c704e0291ec98def7205b71a0b9d22b46931304f2

SHA512
103b779f1e8e44ad9e31734b55c068021f271aab7962d41b16d039f7fec0cedbd4309866136cf9dfcb194f29dd257a4e93c642e61cb7cda1a576153316399aa8

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
01f1b2c33af3acaab93bfcbf2cd510ac

SHA1
5d09c34fcc4c8018129935e392dd4986b05582a7

SHA256
db2fc58ee6fe42df4ef544f8a6b847be2786b7c4ddafdd130374a3b5236cb10a

SHA512
a94d0a9caa0840e93374216778d3611ebe7834d592755cb721c3167923a75187521f9f4e9399c43bd8fc2a50b8cccb8de10a6d93267487875d1418fb4a7ebc31

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
memory/1720-30455-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/1720-27586-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/1720-10901-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/1720-19765-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/2236-92-0x0000000000310000-0x0000000000450000-memory.dmp

Filesize
1.2MB

Download
memory/2236-30482-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2324-178-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/2492-4602-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/2492-30483-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/2564-72-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2564-66-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download