djvu | 19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696

Resubmissions

19-09-2024 12:28

240919-pnl9bsybjf 10

16-07-2024 13:31

240716-qsvxpsvekm 10

16-07-2024 13:09

240716-qdy1tatgmp 10

Analysis

max time kernel
127s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
Size

691KB
MD5

d26082c8ae68b4c546843f32325c01dd
SHA1

32dbba008b93a3c2f8fc8fadccf7d5c7ab096f87
SHA256

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696
SHA512

2a1656d8c2cf6991780b0665a6815b58eaa31e1584fa6154207b540c5294e0c4848516d7f4717b6cf2fb70edf3ff9ca5f256035ab24eab88417396db80aadaec
SSDEEP

12288:SYJsO0qghZwfnpR+yUAg0BOCtK8V/zKbvDDVKu05dHY30hldLZGUh1U:PAZwfnpXUgOOK+mbvNKd8oldLZn

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://cajgtus.com/lancer/get.php

Attributes

extension
.qual
offline_id
KLbRmn6on3AXGFgDLGtd0IkHmV7uHw9VxlcxO5t1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool. Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0876qual

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3580-2-0x0000000002370000-0x000000000248B000-memory.dmp	family_djvu
behavioral2/memory/1976-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1976-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1976-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1976-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1976-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-20-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-39-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2728-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
2740	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f76f0f81-86f5-423e-a438-976e84c7f2e6\\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe\" --AutoStart"	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
24	api.2ip.ua
18	api.2ip.ua
19	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

description	pid	Process	procid_target
PID 3580 set thread context of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 4228 set thread context of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEEXCEL.EXEEXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEPOWERPNT.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
3544	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

EXCEL.EXEEXCEL.EXEPOWERPNT.EXE

pid	Process
3940	EXCEL.EXE
5092	EXCEL.EXE
564	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

pid	Process
1976	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
1976	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
2728	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
2728	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

EXCEL.EXEEXCEL.EXEPOWERPNT.EXE

pid	Process
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
5092	EXCEL.EXE
5092	EXCEL.EXE
5092	EXCEL.EXE
5092	EXCEL.EXE
5092	EXCEL.EXE
5092	EXCEL.EXE
5092	EXCEL.EXE
5092	EXCEL.EXE
5092	EXCEL.EXE
564	POWERPNT.EXE
564	POWERPNT.EXE
564	POWERPNT.EXE
564	POWERPNT.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

description	pid	Process	procid_target
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 3580 wrote to memory of 1976	3580	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	86
PID 1976 wrote to memory of 2740	1976	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	87
PID 1976 wrote to memory of 2740	1976	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	87
PID 1976 wrote to memory of 2740	1976	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	87
PID 1976 wrote to memory of 4228	1976	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	88
PID 1976 wrote to memory of 4228	1976	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	88
PID 1976 wrote to memory of 4228	1976	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	88
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90
PID 4228 wrote to memory of 2728	4228	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	90

C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
"C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
  "C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\f76f0f81-86f5-423e-a438-976e84c7f2e6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
    "C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
      "C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2728

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResumeRepair.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SuspendUninstall.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PublishInvoke.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:3544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4588

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Documents\CompareRemove.ppt" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
a38a6a17af48e099e521af6a8ada5bd9

SHA1
93e68ae0342f06f243ca17abe9ebd5853ed3645f

SHA256
dc7320e491bd5057e329481d4123fdc3bbfd7af9d0b7034af967a2e1abd15848

SHA512
34540908007e88f90b48a257dc6a69199d8b0fe579276a3be40521a48bdfe3b51fb5ecfc6e214e9ef91ecba5681fc10af0e3f99ba57b9a5c1b3deb2e909e9dcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
10b5d1763696402c86c538ca32211b77

SHA1
52410c333c59e12b870c1a2adadf202a8b3980db

SHA256
3221e5edc1f63cd522b93300a321ccaf80db7f9aa4d7b921376dd6f8fb427c7b

SHA512
4dd1b90a032245efdc0d7353175d0681daf4403b60c0bb0d20ee60b5e260decf1c123aaeb65cb61fa4600cb8c00ac5bf3d04331bbd60e498b9913822f8e7e8d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
97f116b7262b4f534769fd48c41b1f9e

SHA1
db0628eb0b0d420a16ea5f3d4b3807fa9db8b4f9

SHA256
fb03c36c2f699686909462461596e93e92e88d8456f678a5c92eb27c0f865eb4

SHA512
1b40782172c21d7c4c89a0043ebb3b889138a84a4ebaf95f27bab256c3f447924a9241b78ad1355466db65fd9b8dee18b69be9193d43cf16017363b524d1ccaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
76040c47a8b85ddf3396d74a33b3c81b

SHA1
cbbc60f28fc743201f109e5d55898170e481e8b9

SHA256
035d9034bcdeafe8e4babff620e6d06a590e872683f280c1e27c91a8fc35b200

SHA512
cafdb54479ed13804bd4b76d3fa16eec4a107064f055e818d5148e9fb18c3512a552b89b87463b8ab51592d7fb858ac8513c8ac9acd92e31725b46be1a48446b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4E625F28-9D4F-40BE-AEEC-F013CC74C491

Filesize
168KB

MD5
3eb9dabcb953a7d9a64fd65883eea33e

SHA1
ba845355bb1fcc4c457707f9200f0390384d962f

SHA256
47a86b25dc21bffbb0fa57134d6189e121a98f795acd720760c3d23182d48f27

SHA512
3e7bbf33dd7ab2053130af1dec9553e2f9eb475f07fe14850cc424f40f8bc999f61c962193f79b3ab7a78b7c29eac724f4dcc654fe25db72713da258d330a328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
321KB

MD5
edc5bbd89d21bff468e2b1bc6a6cad11

SHA1
b5a3588cc1c3274357eefae826f9de1876e4def4

SHA256
7c8ecd6695962fe29434fae9505f932f5f4b94196045cf6535566180ac50e0af

SHA512
57c5fb3a4bfbef6c6a9e2c1a8e3c00debec585c2e86857206c7f3ebd349b2436b9d9d6a6032ee0dc76cee44243766e4399cce9d0884abd2e47efb2b799d415f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
53903805f15b088d1e73edd9d630311c

SHA1
2f8fe81b82427f5b43292d061241683cb333bbe0

SHA256
256532a66a8c45e1f08f0e46d959fe2832d033e6b479c943c55524949feedf7c

SHA512
8fe1147a4dbbcd776d8d94feb347a1516d2fc507402cd6a7263ab2ded764fe2fef4ef3c5b5a20f4734620470873ce5002785a99e42686b861ebc1224e29f8279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
85b9b90bfff2ed4c3e209e6b4c28c0f1

SHA1
83075a4087e777d25ba30748866a1ffc43a08d4a

SHA256
b76ee4e03da55fe599e15991a34dba87ea9b27de372e58da66655ed36b01cb0e

SHA512
c58a62d29c33237033db0a7dd93b61c23dca13a0600ec268880a8ef9a242da8e4aa09e04cb2a3ecd6df73013d530602f10d34de4abca41f3a9828c40217556d2

Download Submit
C:\Users\Admin\AppData\Local\f76f0f81-86f5-423e-a438-976e84c7f2e6\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

Filesize
691KB

MD5
d26082c8ae68b4c546843f32325c01dd

SHA1
32dbba008b93a3c2f8fc8fadccf7d5c7ab096f87

SHA256
19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696

SHA512
2a1656d8c2cf6991780b0665a6815b58eaa31e1584fa6154207b540c5294e0c4848516d7f4717b6cf2fb70edf3ff9ca5f256035ab24eab88417396db80aadaec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
289B

MD5
6b015f2b9bb699996a11cdfd13e2f6b0

SHA1
54ac9f0b885bda9c496e538cd815167707cea1d4

SHA256
82de4b989c4b87af92ea738858f6b19279e684e5724efe9a5d248de1e26169da

SHA512
0a86f54f42debd24aec25e90ce1dba0f15a7dd2a825175d7ca8554fe87899166efcc0b0094f98f75c1e02cbd873422d2e662cad535cae650d6f8eaf0645152f3

Download Submit
memory/564-128-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-130-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-131-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-129-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-127-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-153-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-132-0x00007FFD4E400000-0x00007FFD4E410000-memory.dmp

Filesize
64KB

Download
memory/564-150-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-151-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-152-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/564-133-0x00007FFD4E400000-0x00007FFD4E410000-memory.dmp

Filesize
64KB

Download
memory/1976-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-20-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-39-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2728-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3580-2-0x0000000002370000-0x000000000248B000-memory.dmp

Filesize
1.1MB

Download
memory/3580-1-0x00000000022C0000-0x0000000002361000-memory.dmp

Filesize
644KB

Download
memory/3940-45-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-85-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-47-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-48-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-46-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-44-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-84-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-49-0x00007FFD4E400000-0x00007FFD4E410000-memory.dmp

Filesize
64KB

Download
memory/3940-87-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-86-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/3940-50-0x00007FFD4E400000-0x00007FFD4E410000-memory.dmp

Filesize
64KB

Download
memory/4228-23-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4228-21-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/5092-121-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-91-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-93-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-92-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-123-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-90-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-124-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-97-0x00007FFD4E400000-0x00007FFD4E410000-memory.dmp

Filesize
64KB

Download
memory/5092-122-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-94-0x00007FFD507F0000-0x00007FFD50800000-memory.dmp

Filesize
64KB

Download
memory/5092-95-0x00007FFD4E400000-0x00007FFD4E410000-memory.dmp

Filesize
64KB

Download