buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
130s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 154-78A-FB0 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 11 IoCs

resource	yara_rule
behavioral9/files/0x000a0000000233cd-17.dat	family_zeppelin
behavioral9/memory/4284-31-0x0000000000840000-0x0000000000980000-memory.dmp	family_zeppelin
behavioral9/memory/6016-43-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin
behavioral9/memory/4004-47-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin
behavioral9/memory/6016-5660-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin
behavioral9/memory/4488-6345-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin
behavioral9/memory/4488-11743-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin
behavioral9/memory/4488-14228-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin
behavioral9/memory/4488-20980-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin
behavioral9/memory/4488-26106-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin
behavioral9/memory/6016-26138-0x0000000000D60000-0x0000000000EA0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6101) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	default.exe

Deletes itself 1 IoCs

pid	Process
784	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
6016	explorer.exe
4488	explorer.exe
4004	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	iplogger.org
30	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\ui-strings.js.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.ELM	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.INF.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\THMBNAIL.PNG	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseNose.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-36.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\selector.js	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-250.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-40.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\FeatureStaging-SnipAndSketch.xml	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-100.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListNotesList.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.154-78A-FB0	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\ui-strings.js	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-150.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-hover_32.svg	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\7px.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-200_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\AppStore_icon.svg	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.LEX	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b783ffe3.pri	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-black_scale-100.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-100.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-black.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.154-78A-FB0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-high.png	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	default.exe
Token: SeDebugPrivilege	4284	default.exe
Token: SeDebugPrivilege	6016	explorer.exe
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeBackupPrivilege	3708	vssvc.exe
Token: SeRestorePrivilege	3708	vssvc.exe
Token: SeAuditPrivilege	3708	vssvc.exe
Token: SeDebugPrivilege	6016	explorer.exe
Token: SeDebugPrivilege	6016	explorer.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 6016	4284	default.exe	96
PID 4284 wrote to memory of 6016	4284	default.exe	96
PID 4284 wrote to memory of 6016	4284	default.exe	96
PID 4284 wrote to memory of 784	4284	default.exe	97
PID 4284 wrote to memory of 784	4284	default.exe	97
PID 4284 wrote to memory of 784	4284	default.exe	97
PID 4284 wrote to memory of 784	4284	default.exe	97
PID 4284 wrote to memory of 784	4284	default.exe	97
PID 4284 wrote to memory of 784	4284	default.exe	97
PID 6016 wrote to memory of 4488	6016	explorer.exe	104
PID 6016 wrote to memory of 4488	6016	explorer.exe	104
PID 6016 wrote to memory of 4488	6016	explorer.exe	104
PID 6016 wrote to memory of 4004	6016	explorer.exe	105
PID 6016 wrote to memory of 4004	6016	explorer.exe	105
PID 6016 wrote to memory of 4004	6016	explorer.exe	105
PID 6016 wrote to memory of 820	6016	explorer.exe	106
PID 6016 wrote to memory of 820	6016	explorer.exe	106
PID 6016 wrote to memory of 820	6016	explorer.exe	106
PID 6016 wrote to memory of 5452	6016	explorer.exe	108
PID 6016 wrote to memory of 5452	6016	explorer.exe	108
PID 6016 wrote to memory of 5452	6016	explorer.exe	108
PID 6016 wrote to memory of 852	6016	explorer.exe	110
PID 6016 wrote to memory of 852	6016	explorer.exe	110
PID 6016 wrote to memory of 852	6016	explorer.exe	110
PID 6016 wrote to memory of 5776	6016	explorer.exe	112
PID 6016 wrote to memory of 5776	6016	explorer.exe	112
PID 6016 wrote to memory of 5776	6016	explorer.exe	112
PID 6016 wrote to memory of 1044	6016	explorer.exe	114
PID 6016 wrote to memory of 1044	6016	explorer.exe	114
PID 6016 wrote to memory of 1044	6016	explorer.exe	114
PID 6016 wrote to memory of 2864	6016	explorer.exe	116
PID 6016 wrote to memory of 2864	6016	explorer.exe	116
PID 6016 wrote to memory of 2864	6016	explorer.exe	116
PID 6016 wrote to memory of 5664	6016	explorer.exe	118
PID 6016 wrote to memory of 5664	6016	explorer.exe	118
PID 6016 wrote to memory of 5664	6016	explorer.exe	118
PID 5664 wrote to memory of 4756	5664	cmd.exe	120
PID 5664 wrote to memory of 4756	5664	cmd.exe	120
PID 5664 wrote to memory of 4756	5664	cmd.exe	120
PID 6016 wrote to memory of 5940	6016	explorer.exe	123
PID 6016 wrote to memory of 5940	6016	explorer.exe	123
PID 6016 wrote to memory of 5940	6016	explorer.exe	123
PID 6016 wrote to memory of 4076	6016	explorer.exe	127
PID 6016 wrote to memory of 4076	6016	explorer.exe	127
PID 6016 wrote to memory of 4076	6016	explorer.exe	127
PID 6016 wrote to memory of 4076	6016	explorer.exe	127
PID 6016 wrote to memory of 4076	6016	explorer.exe	127
PID 6016 wrote to memory of 4076	6016	explorer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:6016
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5664
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5940
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8
1⤵
PID:4424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
90159bdcc9b8d04d51b5ce006f50d4e6

SHA1
3aaaf45ccd64ebce08965be15ae6d3980e16f774

SHA256
fdb241264f6ec81e4986789c35151a7a05bd93e9d446097a98a657e5f654b397

SHA512
d64bae84a73dcf7be25be49e41162648e748fe99f3a2497708b6138e747200ef56299d1823eb83b220f6eaeb40ea2d83b0d6aebd1e2372d34869a563cd23b0af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
ee6bbb223fa6380133c1ed18054a9fdb

SHA1
d742014c667a74a770495bfe3a012db2067fa7cc

SHA256
3d4d2db1dee612a4321eedf0afe279c9a4f55679a49060e2c9b5653dd26be697

SHA512
0e35c8a29a091c07f1f711c696b39c4b1404fe03f860ac54a90e9415813251fa3b93727405196f297ebb0e2db04507da65c881a8ed25971bc35b97c290eb86ab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
75fedc56515a707eedaa89154904c33b

SHA1
ae27065c3725bfab85f4a8d16dbdd35c9ea38f20

SHA256
cee199960e6298d70620b536ae67e21bc8e9532c21d4390fde95cbbff0d38e28

SHA512
51692db6bbaf894b872ee127db061871964f451821fe261e6c208404baee93e01751ddbc2223a31f4f401c7de814584a5483dce554fc531aa1db40f0e32027dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
22fe9ee1e72d3a06a1ee1a97d1153fe9

SHA1
c83a065475f3b8209c1def00006fa1f72e439ff5

SHA256
1d41f6d339a6557dded0c7941e00f8e3f3c3e23f5ef0a1d5ba67ada4aaae2f8c

SHA512
bbe31442125449710d3e4488b448c228389e33d78a732035624e8238e8a8c2670dc75bd82dc8f4c9fddf4bb9073c60476fab377da7f84a91c575e50a83159e2f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
10KB

MD5
8cd8e15e90a92d7f61dedfd81e200c39

SHA1
21b3d246d4f4a0d454318b0d24dcad6236906ca9

SHA256
07cb81e2c054b9e20251bf108ad70cf91da2c2f932d9fb966144cfea763edd62

SHA512
43ca0da61a74a1326822bae4fb673c1bfd5d7404274714abb3ece5c8058dc52c5805e1ba68c0161b913c1d097b3e3fa1141f8f797b39864a58a13b5163dfcf8a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
37664980e3149ad565f9add0cb9e69f6

SHA1
b8dafc01d060ca03eb864dd2ea7188eea88cd1bf

SHA256
b2c9062874438f4c652558905147732a3a759c924915326506b27b06f29024d0

SHA512
66e4a86a69328bc50f2cd27e8915ee773e059676241440f062af80deec0d3477edb5b5b4176eae0a30365a85a045e4c2265ecd653657310f5e1bbce483eb55f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
80088882c9fb1dfc1b9e6b9109ed1cbe

SHA1
9a8fec7c74525ea27bfc14eb25c521a7fa57c687

SHA256
a851409778e5c3d42f5ff2ee176dd6599ad881036fc5bf7664a4e8b521efb19f

SHA512
b634db21ee78cdf58fa8e429a05384187ebdd1b86f315bdfa2ffb8e857524b9d516fee0a230c3f0d6978150b4d8cd9af8b65a2923aa1c14c13291d260289c27c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png

Filesize
20KB

MD5
215a6c74e85dfa3b0c7247e6f4f85abe

SHA1
36662e519c4de7a4adc033bf5367015ff806d5a6

SHA256
92761c550d1e444b983d4414ff7ff474d77c3c0ad52d9cc318c0692936a50ca8

SHA512
aa736580abab25afa4b837e68b5677fad926597a31fbd9702966f5aeeffb7a90b0b97944d3e0254fcd0fd7aa25dc9bddf9e90b0a93825b5fa64067260d3c8d1d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js

Filesize
395KB

MD5
d0f088089a359f999a7acbe2157ca75d

SHA1
469b0d0b43cf552fa87be934e79d73e1cdbf535e

SHA256
7dc3a4055f7a73cb865f475c1dcd2205e9d6b63146f68c387307474dc3814b66

SHA512
8bc1595047f45d032a17f60fddc5203d2d48f803735181414ed48063f8b0dccd22eb1542796fb93ce439f4c3873cc6f7b20a21a2c17bb5186f23bfa3214ad21e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

Filesize
176KB

MD5
279114b9fcf245cf333d88444569a66e

SHA1
dcb7dd891b185a1e1cc345c14086c989bd18cd55

SHA256
0904915b9f73c961a4e60dc6ae592cdab436d230cf7e77133db5f6d165a0faa7

SHA512
d61b25d0b0a4fe0091199c896e6fee735486f9db38d4e56c5d1d6536f384164f33995fb21bdf5a89be3daac02b657b50e9df7d309d97aece3710e263540d0145

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
300c7aef370f783f316eb3a0ff51da81

SHA1
3467ff28435fb2a0df09f1f8b8b6de0b495c1e52

SHA256
2fe2ae0eac0bf0b422ccc598630105faf46da4616e574e325f10732330265454

SHA512
a854c3ce64e4dac267569a86e494c7e3b2a1e6763dd4287df7dbc45f43d1a80804caf1b463a9a100cc7152b49fdf0ca835aac6a73d0940f309168f9eacfe6e3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png

Filesize
9KB

MD5
374c921a6142c8209401e6e6fd8e8783

SHA1
7d2457fcdece9b3852d984bbbdd10046ee4542c2

SHA256
371ecbc51878cbd5608bdbdbdf54e3572f9b740b7c6c4ae151a887064bc1c901

SHA512
7341253f28f7543c573a260b3afdf0756d05f40e1050ec499825f6ea3ee456186599ec00b95f61c5efc23d68a4c9d243572824770b87c04d3868fa8926096ad3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif

Filesize
9KB

MD5
9600b0e072ad639719b84d002ed9ffa1

SHA1
53f2e32a3744caacd104207b0cc815147712ba30

SHA256
760d6435c1e88eceeca8b44483e92a9b63c0843ce0b5de25b066d4295bdfa145

SHA512
5b0d2d8e94344580d82b2364f4504e857045638bca30f84c7ba08aa26f1252239c60fe81f8d74be3984cfde9ca092f886ccebd435716a0031b91be249ddd1d65

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png

Filesize
16KB

MD5
e99a17f2a83bdf52fb75e5ad092de36f

SHA1
c5a2e67b15b8e8b2889aca3e1b324f15ed16b259

SHA256
c1b831dadcd1d3377792bb9ae7f7c64eebeb7279fac0d3eb14f7867267ca7e9d

SHA512
d68742873cbc0927d680d465e1f380b03ac8e7ecc61e0bdae2ffb7457c7a086b099e6cf0d50b03b1166eb595a5efda6ba232a5ec9cbda724b66e574af9d7fddb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
6c4e713aecd430d949d953ca5a11f3e9

SHA1
1ed5d458d158cc80411f3d20a1b6430a36e1a88e

SHA256
5b296eca16173bd7f008399a16f32ff0c7457e31ff145c072726f74748a01ed4

SHA512
2b589720213e9b8f5482246238a5feba4c5a518842b4690869c46ec899bc993533eaf304e3edd54a023588e3f75c7fff353fa327f8c648c678f47a34efe869c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
511b37feef51e05d48f8ab7101a70b14

SHA1
c5a8c24fde37e0614303c3c209b206fa17bb0a68

SHA256
e23158baee9ba71afd57276777d5f855da824d171cda9e4526cf759dbc558336

SHA512
6ba3ae51b4f9c184ed9199cbbaa4f701c4558e6caf028d362c94745f121f3425181c5f56fe4be02bd842c43d604b64dd7143f45851bd87d69285c479d27585da

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js

Filesize
48KB

MD5
a724e61206e8340874ba4a6a73a69f08

SHA1
90a1a1209cc7f9f8ecbba6bfdd06819ea1d56a7f

SHA256
e4ee25ab9304a745cc77a96c1f96d945b5c9a754203f6d8d3d3048ba5b17ecf5

SHA512
2ef57d14b26aada9ba90a2adcfff7d8281bcfa6fe66d7bbae75fbe06dc67678a108e60c87cc73382795f923754450080ff996a5e19e8c79b09f15c9e5a1cc2ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
bfdde31ca60ab908d9c94c5c9bbaea1b

SHA1
3e9763250f501e06cc9703334941e5e65822379d

SHA256
fff1d407a216be76ab123f3b7b734df2ca1417cb7125c0ee40002b8900354fcc

SHA512
306d938e445bca9405d8196d17a65e3fabd6577bcb488a10fc4bcbcd9e83e6716071d2789f54110cb9f1fc47a1584ea1b3bccac5c751d07d64bf6d1b91d0761d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
cd74d29de6dd6c1f71b0c8733a5ac6e0

SHA1
abb436eee548672c86dc25ebfb2d7259dde4924e

SHA256
0a4199700fc3a91f8482fc94d1f850ea51324bf9b0d531dda7d8e34a1b261dbf

SHA512
aa5baaf64e3122d98f2afd3c3128fffc0dfb5247c2034569659cc6c5fc962cb0b50564d1eba324b58b97cdf1c5ad174dc695c14ae6779e652208a2e98197f8c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
d1fa5f9caff9d5524c1499aa10f74b77

SHA1
429a7c8c3e7ae5dc6767a47ddf3094b7c888d6ad

SHA256
1f9eb4e426c487f10ef9006f7b86ad127a49b8bd08c6f983eb22c8fee2541365

SHA512
eb224bf133a57f5d145f9a1391efc8e81a08c06668a915006ba797726cf5f34b3183229c6a6b338c33ae43090b5fd6d3118a8517b498afea00552daa47f2fa9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
affd1c9c176c9913336ad61a8e78f4da

SHA1
905be1020822c8662bc1de1a472705ca86aee02b

SHA256
c181aa6834a741fecc82a380422bd8fa1d52e7d24a6e627e3561c85d510a1698

SHA512
d19899c9969bb3593a08b6c0e3168efb9cf2f794e1fcda703fa8dee621357223f5da99aabb8a4ec73c03ce3e7b1b56f2d6e595c6af6724ec408e8192d166d4b2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png

Filesize
10KB

MD5
cb50075db8a1e603b049faaef3ed86e2

SHA1
233689e2a8097db2238dab64d9ad6edd1a796ad3

SHA256
95bc62b4b8c5b7f71774c5973dc2bed118ccbdad255acd8dafd3bdbcbc050fe6

SHA512
5b52f8687c61d0d800b6453707dbff41234cd2be1659f018ec1d04bd76da963f45ffbaa77b254782dad0cf0977e6e5201a8a25caa411f961e9ebd36f3f25e6aa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
fc0b8a1cc701a511f9085f1f95cec4d1

SHA1
187ccb2bc3a97d07717b22cc29343a6c036f54e4

SHA256
8301c6f8de77aa136f01502d663fc4af3bf550cc05a1cc06689a0b2f502981a9

SHA512
47a845ffd99636dae2711edd298ea9747ca11c706f490985e03fa4a8acb1b5b632ba55931b43609a435b22810bc6648b27e112e270268b92e30e54f229162a64

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
8a5e98701c07f1beff51b2f92df35055

SHA1
f599946fb1885715c3fe4400aed2c0c6b24fa7dc

SHA256
df93aaa3dd05794b20f9375ccb14faa239fa7f1fb3d0b1e30427f188a050cd1d

SHA512
bcf71217ff006a5c2335ca2afe4c1d8d421df20a85483e4f6f9037c1b3f45374c2e3f78b95ff45253e928649b011a99050a500168400f7e25d08ed871534e8af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
ee434fb0e11a7a0731ccbda85f45b842

SHA1
f6ee48e6b75589d9dcd974bfa8ac57608b094d8c

SHA256
94c6737a3b9313437fcd92d9feaa40ae3e0e2f151140a5678c14b227ad2f8206

SHA512
80253db9bd1e55354eae2682d37bc3186cc1234f84a4e87d823d16bdf761da8347f5a3d1dbb34dcf928c79e4ceafa779bee8457a533d7b1181eea95124e121cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
756c7023c4ddf54ad7a384aca124d428

SHA1
a3a15c48c4241f586f13f7c7679c7c72dd4cb3c6

SHA256
086c9a601377d53ceaef9a7930ad45dfbfc2cd963bb1709c191c879a144e76ac

SHA512
d9ca77a0a9d4031cee80d81b22a4a6bc25cf5e1f486d4638e4387fd82bb26b859a9b48e572019c51cafc84b2b52195bcca6330eb4cc2de1923417237d2cf13c5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
10ab5bf9acd352b3b8a90831174b54eb

SHA1
ec4aa40157084e5c3936fd60782606101e8a3198

SHA256
7b615d0dd086ce6a9f923a019c34382b39d06699787f5a71d3e51fd1401236ef

SHA512
123b491e4290bac94d2aa14f162a99aa1c430b29b0bd28cbfd0af088c2f9b7b55807fdc4b9234a81a5243d33a8822559a7af12ad15c9077017ca2da6eefc7939

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
f2182e04b9aa9c6f6b2bd7489531ad31

SHA1
3dc7f38495b5b0ebea363e7ce45836394c65a190

SHA256
ed288d74bff7d5e3aa9bb8e245192647ec17305b2b87e76b08ae5bd441e9ff8e

SHA512
715da5eb4bdd98cb2fe95ae8523da9adcd693d7d44eeb963e41fb637716b6f1e484f65437c5dad9bcd083f0dde51569ee7841f04602d391d461e72ef8214e35e

Download Submit
C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
5b4582540d0d37669298b8dbdd143374

SHA1
e331f66576f575c9e040f7f014d1c85042c815d2

SHA256
4d28c1bf75f83424031f685df83a408f8add33b3577252ecd4e752464b26853b

SHA512
82a0c73d6aed33a27fbf961e4ae4794be9245b49063436a6fb77d3686582394958613312d1d961870904a8ab4c82eda8a0054664285ebb0d2c44ff0c4531513e

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
b9b73ffc5929c81207da47e71d782178

SHA1
e584a028423d071750196e9233e1b7958878b682

SHA256
bc3d65309373c65a8c66efdf943d64a818dcef6731a477ed59183844988c9389

SHA512
a8d8bb06f89c60247fe02f63249832beed630fc3124ec3fcdfb79e607f5bd0fbc7b261add0518a822497c2d5d6c3407de9ec60a7237a9eacaf2aa144d7a81582

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
a039ec325be6a95f069f3d80df32f087

SHA1
89d0c9577565a0482a2495f53509add8913dde20

SHA256
3b3bbd8bce7aeee7018d1ae55e8283b244b27edbd7c5e60ccaa270ed683bd81e

SHA512
ec4a30f8d9a024786fc71e2c694ab6f92b9c9b9d0dcb524ee5f22633301f804b330c376f94a2e0693a4e426bbffb57f569d765eb0affb439bb22000410eff8e4

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

Filesize
265KB

MD5
48ae42c18ceb4ca149503cc3f5225f80

SHA1
b130ce0059111871ec402157dc883d67a2f7c34e

SHA256
04f665059e3b7cf8e7ef391fe2751d88edf0ed6429e16341cbb8d4c0c7f6cdea

SHA512
c8c48c5fd44ee2b27e0a29c4de30a54aa813bb02843c267fb3dcfae70f1903a0d351a4384f67d2c72a268952af27672567594b688d99b5835c5bfadd2db52a21

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
3.0MB

MD5
845cd9e3f8e98e38b604c2d55df72691

SHA1
bed3625651b510a3cee744b4393c101bd8e568d7

SHA256
da78ea8a67ca1f6ed498950b3951184ec1ac12f6cc5e2acfaf0cb6d0f9ccd24d

SHA512
67443ec666cd45e55451afc3ef725fb122162a5a312e2672923778c263d67982906434755d52ccdf707c7a37c175280bf31aaa068a79ab848b287d706fca013a

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
21813ffc53d6f7116f502c4b685f6f4b

SHA1
a10d875c0c84a9c23a9d641a5a2489867f5ef3f6

SHA256
8078c48d2d68cb66b53d3a60b0f4e1f666d37a6723a9c167df238831ec72788c

SHA512
145d8abf1a993756d44ad881f30112c6ea15f04ce4c0fc64f92c7feef9f8def5605aeb59bed801c0e01a2a7ec3aa26705b363620fdfa0731163d887e0458694b

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
a8bdc4bb9676a1578dcae39a6d506d68

SHA1
cb04b775c94fb4b7f0f75162e4de33c6fda5d448

SHA256
c0a15e7c7e4314dee245e66398a516d1ab271395db6914407773c4203b4cf0dd

SHA512
361d3a24605f43eda566f58a1eb33b4626da3c532e415b3c711b9cb3fc9db4099cf876654c2b0f6c67ad6cc04ef03d63793b4e65d24c4fdb988d0a99980b4188

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
da737c308daf416c131d7c9f54663b3c

SHA1
ec7d6d4e329a1c213fe8d093f7fd5c498b0b3b89

SHA256
461a15c794930aadc03ca9055aa2c7132394a1848fb56c1df28b1bdf1feac57e

SHA512
e39877cfbd662b10069bd570cc16ef0b58e0e89f9fd7c2b530e735031f09f2c0b639c57907b6a06b0f1c2b8df47c752659ebf749dc26e9c30db5770b48dcd313

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
d25ddca74532415610b3eec02595b06e

SHA1
cfa5c08352529a0390265be87fa54640b7bdf58e

SHA256
2c252fb4fe421a97ef243675210e45f2f0853e0636bae38fdda6bee752ec53e1

SHA512
595cbcdb9cd2ea20744a398100fe3a531132fd05613ce4274b542a8473d59c56dfb794156da706fda6e4e9ccefc4c2588d3e27e1600e77496c6119b084cbe8e1

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
668e9437ce0e46d419fbcd5b998f1449

SHA1
43ba884472fde37e391f0133558edd481ae54434

SHA256
922f6ebfe55601b6f0283b8a2cf17b3f7f20017f4741382f47357c2e25fb9cdc

SHA512
098bc6dc7ca9b012a3ab46d2e0b3ca21cee7e676f2ff1d44ac2558c1f9c227ca39198d0b38be15f64449c853037f444fe467bde53e2d5ce968fa99d45bfc0406

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
76e123dd084fffaf41f0fa9aa7b101d9

SHA1
a135a9ef59c69701f6409c581933048fe0247b09

SHA256
19c48e1980ee827f375527619796f9bb9c2da4c22c0a33f0866582c18e70fd20

SHA512
c6b64e1aac18a3df1ba82bba0886ba693ac583ee0331ccfa33695ee0f5a5af13b50df3e56555e851b603732b987cff0641de64de6f3786a340d1390c3d45b772

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
07524d09aa2e4752323568bffefb6e28

SHA1
b4e95b4f2ca715b6102b844137e7dde9efdd1626

SHA256
e519e1499acb35d9710a1e842a31aa9801980de8df96cd741380e95c2cb55f64

SHA512
ec63094ae3b61ade7fc0b977d0ac1c8057a2fef8335d51621242e8c8dd6f179e0ed94b61ee69de4b3a8660bb5b3f3120e15205648434366706aa2bfa5679c584

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
773KB

MD5
aedb1969fa3e60a1ea6e164c91f84920

SHA1
29581aa2af8422fc3248f2fdf40c461a1b157f9b

SHA256
b8808ba22e741160fc93e24d61f1feaebf374fd842c2dc85e06034b914a194b2

SHA512
1a80a98d3a4e8d64614ba4807a04ff91a2609822508fab832ac8b7c05eb59149fb1114ffe34a1b7234f032139ccc478aafb5a1522aa8d0ad0f0600513c3a09cf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
8970908a50e8e72426eaf895783d86a6

SHA1
46de55fec18eab2304306073feb0e8f5fe939d88

SHA256
758c18e23c69adea15f7b10c85b766de97f7fec85748682c525fdcdb3c655d48

SHA512
7696f3f50f16d25f270696b7e39b9e0993894224836af3f62fc96ad86ce3ebc90151a4f3cb025dc5309991360cd85ec9ee7499670e093537ad999c7f74963b8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
e496751cd2219f672baccfe069c05607

SHA1
d43326345986e0c3a25bcfef2febf570a1794915

SHA256
272f89d727d01fec581fffb1a38e02ce025eb523663aa3e102f77ae9aa9e0f1b

SHA512
e84c7c29f3aa5b2184bd6590f3660ec3c67b5814e226f4f7c4ae9bfb11080ab0eb2fe43697710bd64beef869e368fa1ddd85495f7f92b0ff6a61a9c59264b5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
d554992d4494a99ee1cb814b6a475ac0

SHA1
28f5679ab12b98f1e1cb1db81cc45d2e81bd7eae

SHA256
2305f09094b346b7d121fdf848cd807e31fd3d788e1dd12bab77963dd792c0cf

SHA512
00da55828c7237ce5086b21b0bbeaa73c45ce13b974fc5881e4390d78118721abe690879b21c7b638bbfba7c001d06ddec2db51bd287dd8d8c129f69ee7b2e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8e9a72a6c3f0f85aa9c1191fd7f475b

SHA1
6ca59986f7442dd4cc86f8d9ccbbe60bf0bb5521

SHA256
7be0516557405ce6902e0029557412f8c439745532018adc581770b4177edaa3

SHA512
186de583be2ab6928a31ca38fd6419437a26a3c7c75c854818ccf48ec6d79fa76902cb1ed0168772d4aaf817a26263b8f0a2d9dc338d86d5fa2433920fc16bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
d85eb5e2cef0bf29513fdc7614806863

SHA1
acdd5f8c11e926b738e40d80c0b676ef895c5ca3

SHA256
7532cb47e7a0f6333ee88cdb0c0aa09d17417a465fc5174074a0f01a85c6810e

SHA512
14a78025d89136143aaa85602ca84d22115f5fa17670fcad3f126b47e9605626f8ca2557c99d735765b40bdeb2b933084586f93accb0274d5dd40b931e151cf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
fdd44db99132ff99e8351759da3821d4

SHA1
5bb2acdbc5c22e22f37973b31f644372494356de

SHA256
f139e625eb0fbc39897724fdf0da8b2f2d3af4e56ce52eee5c16de08b754fdb1

SHA512
0064bda3953c26aec12ddabd726fc2573b401c5d58c9d1a53015177a09a1faacc088abf3d83e2c35d53d837202e8b868ff4e385ffc88a7c91adbb4c11fd1a545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
f304f6b00819fc5ef59365474c417ecb

SHA1
4877edb2e808651dc6ca2e65a2941c7a7dc4ff7d

SHA256
eae381225a7e4f9c304366a9e6becb0d7d682e5df714e42a909dd2dfeeb8618f

SHA512
fc9cff027246c63a35f64347fd64011f369e4c042cccbcc93c6cec861b29790085bdeabdbed093c5fd70dc9072652ebffd6690e757092c6c60ba65f82a0ba70f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\CQZ0LLEK.htm

Filesize
18KB

MD5
3c9fb9fbbdd372a9ab7f4e11cde5e657

SHA1
06f7b35568d81ca65e30ac213ff1031220ac090f

SHA256
f363ad44f70cd532e08a53e7ea0323f68d2b58b448349034ccc3dc3b0a96296f

SHA512
dd585b080863512a9a933e39d7542b13b3501f43ddfbd153e266964c37846e4d7ebd798512f705457c2be74a80a1d0aaf98c11ba5e6c2ca3f07f29eee1f68fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCPU4OJ5\1U3NGGBP.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\AssertEnable.xlsm.154-78A-FB0

Filesize
283KB

MD5
3478f318a6af0b3c4b48c399a817ed9f

SHA1
55797323b61bcb428425cd01752bcf7b90635e17

SHA256
49cf53bfa8adccb0487e1aec452e6c643dd0012942a2fba2ed366882eba2bda9

SHA512
5f646ca0a2ecea46b6a1dd62c43767c71a3ee535e13687ee8311673bb846ad4203178618bd393278927aa20657e8ff749db4b30fa2c2e0aed75e8e6bab016bba

Download Submit
C:\Users\Admin\Desktop\CompleteConvertTo.asf.154-78A-FB0

Filesize
241KB

MD5
95ff57c9c6e254257e1af457bc3404be

SHA1
d49852ee869da3dda7b78daff5d601b79bdc6ced

SHA256
b7fbc5f61e5d50715025fcde65270629ff28cc8d6cf280bbaaf02328b341f244

SHA512
1a8fcc6eac1544167857e7b732116e2ae6e53f353ad80c85715f6097dc26a71ca26416e570337d1b33b4a0a34291f2ee9d213461b777e3cfc28bea003a89d385

Download Submit
C:\Users\Admin\Desktop\ConnectPublish.mpg.154-78A-FB0

Filesize
189KB

MD5
b506096d9876954a5863f03a78a5f99e

SHA1
0619de433207233dd8bdd6c9ae4d486430d3155e

SHA256
520669376f679ef1fef946f57a7e0ab6336adad7c70e7d13f30712a3abd0835d

SHA512
dd661606d06d936611c0e64a41a86b0e1783a476d71f4dc8433cceb24c5c2f3f20ad59328bb23f3018729dbc2971ef299a29021b3eeef723c0a26794787f6a2a

Download Submit
C:\Users\Admin\Desktop\ConvertPublish.xhtml.154-78A-FB0

Filesize
304KB

MD5
6217196abaf7f5cc486cfaab2a126553

SHA1
f7706b52f38159516cf5e3cd6aec5fca6bfa4f87

SHA256
c68b8b80bea4995a0d8001001765249921472a0bd3d6d332ec0a159340faebb7

SHA512
16c8e1be5af416999061ad013804cd04833a65a385a14785322abbf10838131ee6fbcb065c61358ee9a9fa5681efd00b6b9c561324d691736c6846769613531d

Download Submit
C:\Users\Admin\Desktop\CopySuspend.dotx.154-78A-FB0

Filesize
210KB

MD5
9aa9db9a4c08cc5b041b4b8431cad9f4

SHA1
af677cb4e7075829bedadbf0d10e609d580bc0f2

SHA256
b2578d081c56767dcc56a191d924ffdfc44cb66b646bdf0875772dbfcfc20ec0

SHA512
e0d7ac4cea5c0983a31f658bcfc0fab287bd4a9553ba0a075f780257b9c5f316f4fbdbc3d0df3bd0276d558acebdb8ffdbb8be282ff133b0f2d8559e088eaf72

Download Submit
C:\Users\Admin\Desktop\DisablePublish.xlsx.154-78A-FB0

Filesize
16KB

MD5
81394701f57f7d1d6ea2f7bf8f93f79a

SHA1
dcc7ac5228f7b10d0b04877dd02e67dfe956c1cd

SHA256
b7105b0f0136a732337a3b57ec3d0183c9626f3eb933d7b39d6bc10ca32743c3

SHA512
c62f56570c1499594ce0a3a38791b022e3e4c742b1bd03233210c769011bf4ee80909a6810de2369f6f42382e118a68391bb3e11d32ffc0c56718d36cfabe844

Download Submit
C:\Users\Admin\Desktop\ExitSuspend.pcx.154-78A-FB0

Filesize
262KB

MD5
c594018072249f7650583a1a3707d877

SHA1
cff56904f8f37fdc1c68e91a6774a2c2da62396e

SHA256
48ba25ddbee0e043e670e44ee2bae4bf225fb1705a91de7dce9e33f2e643b37d

SHA512
357cea8306a865f6e284182e0de473cf283e5d407a39adc5ce2584697187690922b7a5f790a0906ffa2697383603cce561615ea7f3fbe8d14f4d6feef7ab7e16

Download Submit
C:\Users\Admin\Desktop\GetEnable.js.154-78A-FB0

Filesize
377KB

MD5
86f01e3f0347f894c707b799dc6f52cd

SHA1
df744991a7496ed38e54808868911c1be930fa1e

SHA256
e343b6409b3e83bcc4c0ea6b91d0f7bcf4113ce23254627861ab980f90467c32

SHA512
d44b8ef0b346bd5b454797b5b4fc16232b2fdf4f26152b9c2483ee1714b4b00b46eb0146411a0e705d38432ce50b1a5fdb1225f5afd3019a7bb0e8937a07edad

Download Submit
C:\Users\Admin\Desktop\GrantMove.xlsx.154-78A-FB0

Filesize
14KB

MD5
f3e032b85090f58e4015e86b8fca3574

SHA1
9ea560541b476ffd79911d423f984c47c7b60dcc

SHA256
cea251c3b9d4460343e13dbb94ae4df072d7afdb1696c9189d85c85ff7d7bebd

SHA512
6f93aa74899c959f685a2908d3cf40d977ba6e5e2c16137b7b83dd4f51a8e9779c41b5a29abfd77943a25824be983ba05278a2c1baaef3ef3596d3a7bcf1b1fb

Download Submit
C:\Users\Admin\Desktop\ImportProtect.png.154-78A-FB0

Filesize
294KB

MD5
0d4f2ebd7be8ef5e289d16cac2dc438a

SHA1
2b20037fb4b001e3988fdc65d7b93d9901db36c3

SHA256
afa9a6dd8933ade7e3756047fae3a17739ceaa7eb23a1bf85adf22f98209ae00

SHA512
fe985bacae9d623eb483129945a62e43f8d577425062b10d26be76925b6d84b8e469b83a603b8c989eef6f5ddc85a42860732e1b8c4f5b18862568417345a167

Download Submit
C:\Users\Admin\Desktop\InstallUnprotect.docx.154-78A-FB0

Filesize
576KB

MD5
af492c31fcd6fa0be16260204cdcca29

SHA1
e5a4b000002285f2ea9d9b058ca0d818090ccb5c

SHA256
0f112df35f4ed3c7e6dd005fc78bd9e9ea5f347d1681789a3f911dd7269591b3

SHA512
977145d7f0ee7b835388049f8b7f44275c43d76a53ff0ce97a538f136160f7a26bed653f55096b8c9c910335cb99c75e4609062c54636ce2cc37ef7cfd8f9ce7

Download Submit
C:\Users\Admin\Desktop\MoveRestore.xltx.154-78A-FB0

Filesize
409KB

MD5
44f869cb4ff00c27b8019b26a0d3494c

SHA1
9d8c8ab5a723aaddb01495a09c8b7acabb5a924a

SHA256
fed44396739988c1bccb6588ea46bc599d126992bd51eb9f398dd64ee6bdbd5d

SHA512
03a693e9ee90e33e4b6e5578f4cdd5433cc93656ebbff134fb4f21ae42f409bf66c9e9065591ef8cb04096c8bad24d6bc674fb6f39023f0b6bb79381a3bd2c7e

Download Submit
C:\Users\Admin\Desktop\ReceiveRestart.xml.154-78A-FB0

Filesize
158KB

MD5
b5007b9e023fcef2e8a2a80d1df3c5c2

SHA1
bde61e1841e5f53e2005033d3ef022945bfd832c

SHA256
f761637d2ed4edbfe8cda525bd01d5d53f070a68fa856da01a1823217bd4eb58

SHA512
902da4235ab168d2c61720a84d071e419bbb4a5b7f96da6ab0185296fe4f9019dbf946d6937a435f5a6561ea118923bc1debf2ba6104c96ea0796db05a27c337

Download Submit
C:\Users\Admin\Desktop\RedoClear.rar.154-78A-FB0

Filesize
315KB

MD5
80c541cecf009ffaf14d50e9cffa88df

SHA1
733ddf90e3489e901ddd3699d3b8de9e20d4568c

SHA256
d58511299e2ec76cc1b727c356b16752727fc393ed4a41ea37f98dff3e9ae810

SHA512
94fe2fa76b6ecf8e11fb45750aba6466e1320ee6099ecaa54477ebaf738c43e0f241cee200254d0545f3f9ab68e573252ee5071d37967188caa5c452e4b85316

Download Submit
C:\Users\Admin\Desktop\ResetRepair.wmx.154-78A-FB0

Filesize
252KB

MD5
b7769cf07401aca7a1643955d416f1e2

SHA1
8fa35631e0c622f8bc06a499a0cb48f423c529c8

SHA256
b37e20a0fa266ead61100bf8dbbb03ec1c1ad8f4660a615da94ab4e9415fbab0

SHA512
fc48b4acab86d9f20f22187a4551cd9457f7fa568b84ce4a0b0d680a3d5dc967efad2e30f1bc6f7259eb845d4a7fdb7b4389b50ba76581473e896246a7d95215

Download Submit
C:\Users\Admin\Desktop\ResizeStep.ppt.154-78A-FB0

Filesize
398KB

MD5
5b1729cd9450de3929102f49d86025b2

SHA1
644c6161b41c06fd83f2757cb14094568ae4d04c

SHA256
43dac010b9fa3cfdb15cabc965a26fe27df2e2033fc2b4d0f1dd88ac3db85ec1

SHA512
6d8538b649902bdc62063ec593ccc5e417d88f7f05ee8b2389b95787a7e038503c735f0765c528c5e1e12187d5b753d31bffe071f8d93a0045d140c8a75faf09

Download Submit
C:\Users\Admin\Desktop\RevokeAdd.docm.154-78A-FB0

Filesize
221KB

MD5
f61173011ff53b3a04bec6c2e75b0a71

SHA1
9735fba000f067444b4c2c11e252ca2b7cfd8813

SHA256
9925b431453e6a2644abca70ddcf85a204bb72ea19cdc5dcaee694585c9fd2d9

SHA512
1f652db48d88a43ff1b5547d5c596b2f118d94d32de7f80c25e7999acbb963c5cf39d4672850997a39a86bf692d088ae57bce919142e4baa3bc39c3e4c8e24db

Download Submit
C:\Users\Admin\Desktop\RevokeUnblock.zip.154-78A-FB0

Filesize
356KB

MD5
6f11323bfb5f8a224e466fea8b3413bb

SHA1
f45fff2a9a8129fbcc59c8fb11e891a306f74920

SHA256
ea7cde3395c01dba9842f0e9fff2672a84e46e3086db8cb115ff8e7f03212418

SHA512
92eb567b66174c1391b82e07e7aadfe19318b9f8cac9ec5040ec1e58911b93e39fff5837981087874a7a9b40d81f445f9d46eaf30992c922ff64dee68179b14e

Download Submit
C:\Users\Admin\Desktop\ShowSend.xlsx.154-78A-FB0

Filesize
16KB

MD5
919e48fed4d16454fa9ca9dd9b69d4fc

SHA1
7ac725307d4b7b08417291a0a7a0085e510fc8e8

SHA256
7fe733d7349331d21f615de5b3e4c657fe5f4c051f776dac3265fcc78169becb

SHA512
2551f023f842cadc2346d699946d62659eabdea2452c8d1e2cf670196a7af3027ec186cc28159bb0c65bd10e7537068ac2797b90ad1abd8fe778558459b28087

Download Submit
C:\Users\Admin\Desktop\StepShow.asp.154-78A-FB0

Filesize
147KB

MD5
29fb694017b0d6905d5f05e86c5c8dec

SHA1
9ac8a2da465e9f11873b452fa85778ce393c9679

SHA256
9b3d5892ada0aab69e7a05092ef8dbd093c215ac4b4cf352be2b1e59d035b2c8

SHA512
f6c01cee6de36f46cb8c0215c6f0b44aab405903f2fc3891fb6a3ec2ac045809d4bcd9df928b0142c9b1351dfb567687cc8e50922daf8b37964e2e51ac0457d3

Download Submit
C:\Users\Admin\Desktop\StepUnprotect.M2V.154-78A-FB0

Filesize
200KB

MD5
c3e82cb9228986ba174d0bc0b1da6c9c

SHA1
f6f6e44d1f75e8036256793b3b275f7ecfc84e14

SHA256
66e70d6242f8784add7b7405c1c4e3960147cc3a69cf997d60944bacdbc2b280

SHA512
785293b2cce00cd55f4f7484f0d4b92a3bac766e314806b54dab9068d2fdea09a40759db18a12f2d84dc0e9d19913c715102fe6274348b468db1acee568f692a

Download Submit
C:\Users\Admin\Desktop\TraceUnprotect.wm.154-78A-FB0

Filesize
325KB

MD5
942cf7f628b58a35ce2ad2890116f8a3

SHA1
07ee7b0a45222048952706ee515dcffeb72e2c04

SHA256
bb3a58d994caad29ac6628d09a7b2f4d1a65dbea529ae7a5a7b0ecd25fb9788d

SHA512
875d146c516bcadc066b78ec2b5784d98d959fdd25ea3c5d9951f507573e3b62b6e45f749907b37d51c4b15961ef89004a6bf19c845d3d2dce961c812baaff20

Download Submit
C:\Users\Admin\Desktop\UnlockSkip.shtml.154-78A-FB0

Filesize
419KB

MD5
83d859c5fb307245a76e32909108ffcd

SHA1
509fdcbd5930b2789ec47cb65ec93fec03dccd81

SHA256
4d5a719633f71d4399131fece6d5e60b7f72413130354d452ccb9a649aebe018

SHA512
449b8d7c1fa6bc47c4e1f02351c7f3c9cb3e61f15bcf2653c9169a64a5c88db24419eb2a2139b1d965ae45a20918e5bb80cdcf44b8ea9fcd0ed786db7155a9f9

Download Submit
C:\Users\Admin\Desktop\UnpublishResolve.m4a.154-78A-FB0

Filesize
168KB

MD5
89c4cb44cf7834527e64bdd0ebd0008a

SHA1
2edeb43fa022f00bb0929596abecd9c1a450eddc

SHA256
639bb7d22cc5ce85c7f7b9a66274347a22b01c2df9a78702ad47577993eb1246

SHA512
feedc6bc8ed77a6b9f3bbc1fb9458e345cd74ad33058d5db73ef7ca882f7903750f2e77a35c37022df35f2c6cf9afa361ba44f5e32bbf2a25e190e3f239a02e1

Download Submit
C:\Users\Admin\Desktop\UpdateDeny.docx.154-78A-FB0

Filesize
231KB

MD5
75e8090a2db1777673ffb8e5a3996f7b

SHA1
f0b6d6a6da807faad03d4eb16f9bf0faec4cf3a2

SHA256
f2f9f1543b1b14457887d9b9f507acf32062912cf5d6b51319bc177c4e116536

SHA512
12a0cee7d6a38e7fba0d86a6d28b9c911b90d66a8702ea0976f71994bb1c37027cf3d974e23c0f5703530ac54b6c9496be511509f326f4ef4a7b9d54ac1ab1d0

Download Submit
C:\Users\Admin\Desktop\WaitOptimize.dotx.154-78A-FB0

Filesize
346KB

MD5
c672f42567b1b76ecf9af7272d67f402

SHA1
42a892332031153ec4bd225ba2ea0240b1c75edc

SHA256
bec2ef55d8688385f0299947aaf8df794711700098843fbd3a7e6a8cb2a7dd15

SHA512
8f6d06c66860d96137a53acc9626fdaf91378597d97a90e859d7d66084764fc865ff816ae76296660cb202707f0a044d4994fd7016ab5332a61f4047f33d9662

Download Submit
C:\Users\Admin\Desktop\WriteGet.asf.154-78A-FB0

Filesize
179KB

MD5
9970f1ec02e0cde136672284c7ea57f6

SHA1
c572046080ed0388595b057f87d8e7a1502e5f0d

SHA256
4c6a937be7ecfa374ff529df629474357fe24fa1c3525164ab57ea0021ab8bf9

SHA512
224f652017fd234cadf65009a74c290303fc3affb9324847211951532e3bb2886617e676dad701da176a06eec8344823dd0c0a3d25cf0c3df388f2bb94a9fdb8

Download Submit
C:\Users\Admin\Desktop\WriteLock.MOD.154-78A-FB0

Filesize
388KB

MD5
78b6ffeee29cad4b406c38ab69e29574

SHA1
3c8482903e48c67ffe24d2a2a071f943e482f966

SHA256
394e24ed439966fbeed0af42a625218f6fc1c99415707d19e48a8fbd915fc213

SHA512
c75b432d709aa143bd185196176af0271dc333d80273fe0e5c6dd91eff116a535858395a457108dad95b05ac868fabe969f960b2ad8c12ec1ec6ecc6291965f7

Download Submit
C:\Users\Admin\Desktop\WriteTrace.mp4v.154-78A-FB0

Filesize
273KB

MD5
92ba9d4dabd318e60dc33b899faac604

SHA1
4abea7e187579d9714b979157b745c774141830a

SHA256
f0f0867d40c74792f6469d097336727589644fa0c269c497076b326537573df8

SHA512
0c81621c068b4ab8f7562059adf23c736af54526b2771fb44f31f284b3bd8ec0f7df4acb457e5134d5e7a7b3c2c5cafd104fab0b58ed90579cae146110db5d91

Download Submit
C:\Users\Admin\Desktop\WriteUnlock.iso.154-78A-FB0

Filesize
367KB

MD5
37c25b53ade81590f9f6b06ebfe48131

SHA1
c5773b2ebb716a622a8897c31fb8f49febb60104

SHA256
1a886e594926a18be02fdbd7fa486150fd1d6727ac26975d0a4dcf9221f47ce0

SHA512
23541a74f115313c5351ceadb5d7106f9c8ede9d533eba8aa3c1420aecf15b89b644dc8dfc370b550d6183777627e60479152df8a1441681b600be653f303d5f

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
ecaeda7a10aae1cde848c382e036426f

SHA1
d3d36743feb2eb8747bb59021ef5136ac1267a6b

SHA256
dcdbbe3edacebee1bc0a3c3c4dbeef99dafb90cd1f4d2054c1dcac5b7b9bfc1e

SHA512
21292cf70cb6d54c1604519403e02e79068b4af901be1ec00b2e81d120f9026cfc0c6fe6c53903343d2105069c7267c434ea049b23bc201aab031b6319b25a2e

Download Submit
memory/784-21-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4004-47-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download
memory/4076-26137-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/4284-31-0x0000000000840000-0x0000000000980000-memory.dmp

Filesize
1.2MB

Download
memory/4488-26106-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download
memory/4488-20980-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download
memory/4488-14228-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download
memory/4488-6345-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download
memory/4488-11743-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download
memory/6016-43-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download
memory/6016-5660-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download
memory/6016-26138-0x0000000000D60000-0x0000000000EA0000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads