buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 134-8CC-7A9 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 8 IoCs

resource	yara_rule
behavioral15/files/0x0007000000019309-59.dat	family_zeppelin
behavioral15/memory/1992-90-0x00000000001B0000-0x00000000002F0000-memory.dmp	family_zeppelin
behavioral15/memory/2372-107-0x0000000000B00000-0x0000000000C40000-memory.dmp	family_zeppelin
behavioral15/memory/2936-4107-0x0000000000B00000-0x0000000000C40000-memory.dmp	family_zeppelin
behavioral15/memory/2028-12407-0x0000000000B00000-0x0000000000C40000-memory.dmp	family_zeppelin
behavioral15/memory/2028-24574-0x0000000000B00000-0x0000000000C40000-memory.dmp	family_zeppelin
behavioral15/memory/2028-30206-0x0000000000B00000-0x0000000000C40000-memory.dmp	family_zeppelin
behavioral15/memory/2936-30241-0x0000000000B00000-0x0000000000C40000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7382) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2672	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2936	csrss.exe
2028	csrss.exe
2372	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	default.exe
1992	default.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	iplogger.org
19	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01191_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00965_.WMF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\Notebook03.onepkg.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-awt-j2se-1.3.2.jar	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_OFF.GIF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00008_.WMF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01629_.WMF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00808_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\Hierarchy.js.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00417_.WMF	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.DPV	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Invite or Link.one.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19827_.WMF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01176_.WMF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apothecary.thmx.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47B.GIF	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMWIN.FAE.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\RepairMount.mpe	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00437_.WMF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04191_.WMF.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01298_.GIF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.HXS.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.134-8CC-7A9	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.134-8CC-7A9	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1756	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	csrss.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	default.exe
Token: SeDebugPrivilege	1992	default.exe
Token: SeDebugPrivilege	2936	csrss.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeBackupPrivilege	1760	vssvc.exe
Token: SeRestorePrivilege	1760	vssvc.exe
Token: SeAuditPrivilege	1760	vssvc.exe
Token: SeDebugPrivilege	2936	csrss.exe
Token: SeDebugPrivilege	2936	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2936	1992	default.exe	31
PID 1992 wrote to memory of 2936	1992	default.exe	31
PID 1992 wrote to memory of 2936	1992	default.exe	31
PID 1992 wrote to memory of 2936	1992	default.exe	31
PID 1992 wrote to memory of 2672	1992	default.exe	32
PID 1992 wrote to memory of 2672	1992	default.exe	32
PID 1992 wrote to memory of 2672	1992	default.exe	32
PID 1992 wrote to memory of 2672	1992	default.exe	32
PID 1992 wrote to memory of 2672	1992	default.exe	32
PID 1992 wrote to memory of 2672	1992	default.exe	32
PID 1992 wrote to memory of 2672	1992	default.exe	32
PID 2936 wrote to memory of 2028	2936	csrss.exe	35
PID 2936 wrote to memory of 2028	2936	csrss.exe	35
PID 2936 wrote to memory of 2028	2936	csrss.exe	35
PID 2936 wrote to memory of 2028	2936	csrss.exe	35
PID 2936 wrote to memory of 2372	2936	csrss.exe	36
PID 2936 wrote to memory of 2372	2936	csrss.exe	36
PID 2936 wrote to memory of 2372	2936	csrss.exe	36
PID 2936 wrote to memory of 2372	2936	csrss.exe	36
PID 2936 wrote to memory of 1616	2936	csrss.exe	37
PID 2936 wrote to memory of 1616	2936	csrss.exe	37
PID 2936 wrote to memory of 1616	2936	csrss.exe	37
PID 2936 wrote to memory of 1616	2936	csrss.exe	37
PID 2936 wrote to memory of 1104	2936	csrss.exe	39
PID 2936 wrote to memory of 1104	2936	csrss.exe	39
PID 2936 wrote to memory of 1104	2936	csrss.exe	39
PID 2936 wrote to memory of 1104	2936	csrss.exe	39
PID 2936 wrote to memory of 1720	2936	csrss.exe	41
PID 2936 wrote to memory of 1720	2936	csrss.exe	41
PID 2936 wrote to memory of 1720	2936	csrss.exe	41
PID 2936 wrote to memory of 1720	2936	csrss.exe	41
PID 2936 wrote to memory of 2328	2936	csrss.exe	43
PID 2936 wrote to memory of 2328	2936	csrss.exe	43
PID 2936 wrote to memory of 2328	2936	csrss.exe	43
PID 2936 wrote to memory of 2328	2936	csrss.exe	43
PID 2936 wrote to memory of 1164	2936	csrss.exe	45
PID 2936 wrote to memory of 1164	2936	csrss.exe	45
PID 2936 wrote to memory of 1164	2936	csrss.exe	45
PID 2936 wrote to memory of 1164	2936	csrss.exe	45
PID 2936 wrote to memory of 2424	2936	csrss.exe	47
PID 2936 wrote to memory of 2424	2936	csrss.exe	47
PID 2936 wrote to memory of 2424	2936	csrss.exe	47
PID 2936 wrote to memory of 2424	2936	csrss.exe	47
PID 2936 wrote to memory of 916	2936	csrss.exe	49
PID 2936 wrote to memory of 916	2936	csrss.exe	49
PID 2936 wrote to memory of 916	2936	csrss.exe	49
PID 2936 wrote to memory of 916	2936	csrss.exe	49
PID 916 wrote to memory of 1544	916	cmd.exe	51
PID 916 wrote to memory of 1544	916	cmd.exe	51
PID 916 wrote to memory of 1544	916	cmd.exe	51
PID 916 wrote to memory of 1544	916	cmd.exe	51
PID 2936 wrote to memory of 2364	2936	csrss.exe	54
PID 2936 wrote to memory of 2364	2936	csrss.exe	54
PID 2936 wrote to memory of 2364	2936	csrss.exe	54
PID 2936 wrote to memory of 2364	2936	csrss.exe	54
PID 2364 wrote to memory of 1756	2364	cmd.exe	56
PID 2364 wrote to memory of 1756	2364	cmd.exe	56
PID 2364 wrote to memory of 1756	2364	cmd.exe	56
PID 2364 wrote to memory of 1756	2364	cmd.exe	56
PID 2936 wrote to memory of 1484	2936	csrss.exe	57
PID 2936 wrote to memory of 1484	2936	csrss.exe	57
PID 2936 wrote to memory of 1484	2936	csrss.exe	57
PID 2936 wrote to memory of 1484	2936	csrss.exe	57
PID 2936 wrote to memory of 1484	2936	csrss.exe	57

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2028
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1756
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
f62892357ca984dd21379e01074e6f77

SHA1
8ef39af9546d73a83fbce4b4eddd38d24a487258

SHA256
86bab1d37b39be2fe03404faee538aa2093cffd3a4e74cbb4ed33b95f3e13cba

SHA512
34f462c450485bab3c2ad590a4922500b9ae88f29083ba4d237313416875f20022076bd243759bf43c692dec409ecb9ac91477e7eb178003e2dfbb872f354f41

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
29KB

MD5
9416ecf1c6747e6b59dcbe03a481ade7

SHA1
5919e027216ba61dea25756dc6249706ccb80d0d

SHA256
cb6e3d9505caba42dab4017968d939f61c28c4ce58a00e52a77254f8d83566a7

SHA512
0e7c104d7ff328c0693f80e4f4f368ef8e9c1b6fdbce2d2ccd45829f81d78fcbec0449915a654cc0c82147b1dbbd645f9596491e0db222454e1420f2c02283dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
ef3f182aa4b66f3f92dade550e5fe34c

SHA1
7ebb82a1f50cad656cf6ff100e02c679422f50ab

SHA256
85b25e47bdbc3cfe23197625e155d54369ee3a671397b0ce252523d52a38b293

SHA512
6cc0df46990cd82afadbf46d9426f9efb46066f812f06dcce17227813d102eb3bc7beae01d0d163dd4e820a69669b1e63cba8bf5ef1864aaf7e5d176a82e15b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
7d9e6ba9937c7e59458ac27b6d78e0e7

SHA1
ee3a499a61514e0bdf55b25b3838608498f44296

SHA256
8e2623d868db5d7cb3c214775f27f0fec79b09c9e0da7314400738a957f57c22

SHA512
47944b729497a781aba2e5d43d4f460de1efde9ce7b287dbe3fcd0339eb2a1c3e052380da9d8a6bebad321e1f9391cbd80e46e9f2f26e6bd71f468a7dc644d39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
c65dd3ca537813343845f460998b74f5

SHA1
25de1ec558c2d82de52df5acf27a9ae3d6ce58f2

SHA256
3f089dcb6bcb5e7483adb6e136688cbd09f183e5fac46cf796c171656d8a707f

SHA512
1e5ae767450cba8ebae9f689cf889c479e4772c43579e06682b29e400ba22cd468cd43342857a93fe21948b76a908f9dd57a2ddc20abf449aab5df54788666ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
bbd42e445758fb99c74e35b88607bf97

SHA1
3ca2c70de306063c3d88ef1b8c6bde1b1d2912df

SHA256
be7b564d1ae27af23be3d890debfffb856a44d50811c5e179698bddffbca181d

SHA512
adef58e44086478e98d36a9571fdb14ade56a089c999e0f374a689f0a2cfd279af37188b25bca7536d609df2ca14598bd0aaa909097377c2c78f0b001161323f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
037d0637f74e2f8ce5fbc1a5aaa35581

SHA1
3b7c8b9ede3feef326de339d01fd58823c9bd969

SHA256
c4ed33eb81fc87d2504d22cf1c31c4c5730bf58a2c66c4aeed1072502463032a

SHA512
9e66f929d606a28aa9684721f3419b270fa13bd425cc14ef0fbfdb060df8668ed72928ce3123fede0a2f733c670dfc1dae2c1872e5f5c5765c116e16ccf31aac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
fe89e0e15567ec12746b0a30718ad323

SHA1
0871a4ec64ce3db7851663697e61e0d348de6c54

SHA256
6b58bc02e6eb297f62bdd2f1da9d429a9b6444d694e1f71fc541f27e9a9d2989

SHA512
d8280ea637b6013b8b0b8c590c1f72a2085f35841809ade27769ffb3d83e962026c7422113f434a2de896f77db5289714c1696388da9047aa2a2d40977e74bd7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
df469d381399c8e3d697a84d857a83d9

SHA1
0b1723c1bf43213468e34d69d582baac24cc533d

SHA256
3d27836fc2fa0cad3becd537d392de029a8db9c4ab393d8aca3fa445c5a9f775

SHA512
ff03da17cbf5793125d161470b2b634e19f9f1ff119f6c4b393df171d70cd9eef4558470ddde828be02bb01d5f356e9d868413f3fc208bd868b5fc24694bfc5f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
e419f262e9c26fff34e782d177bc9589

SHA1
62c6791cb7ed35c31b3ea5a361ee80e48301fe5a

SHA256
7e0a646cd0a1b57bc52d17ac1f74d40331a159d9732fb907f8b10c22da5b6bca

SHA512
8e75e89c0deb2f33d8b28d15dad8a6e767e4214c34ae4cf089181971b372a565df6d7bbff4bad0b747f6be86b082e2a7ac3fed72b380755f007c4665cb441e1c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
79KB

MD5
8402c1fb4a591f412e8f85c91e18f663

SHA1
275b6597ce48a81e63fbdd1a08c812e6a4aaadc8

SHA256
4624e4f87e4b7abf2026756334a14c641e67a22b2bcefcad3baa39b97d393312

SHA512
45d7114f6c0d9fe1e8c0397e4df1a3543b4d7fffe92e3d17a24eff676a8ac52c3fea920dab82bdbb42d6ff3ceb4a20f1e56b6cadac3c5f4aa9e8330eb9761a75

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
1e4d2497606b48c7405620a60e43a23b

SHA1
b8292ecf59e3a56f9717130fc8e06021e18a66dc

SHA256
04c04d886e084411330a07cbc56c06d807cfed0602dd2d02676826047dd93330

SHA512
8adf2cd672b78f74385d4b176d49d78212030f95d01ad23484a6c2d9c5d088a0f8dfdc12eef85ba9cbeb9d6de16f6a214f9f7c21d50fe15f79e5a3d62b3aee42

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
b122926423b436093305400da617cb49

SHA1
18eb4d77a5736f992acbbf364826fb7936b0e7c1

SHA256
9455c73b9f57a2d0b732466c4e98bf64d4e87812e801e09dad86d5f129ea62eb

SHA512
76a25f5379cfbfe3c44dc648a60feaf98d1032e24fecc16f8e4fa6a137982f2974d5e92cae37bc2b25c8ab6029a6c1bfe32fcddb47b9dcf84347bad7af7bf7a5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg

Filesize
22KB

MD5
108a3cdf318131aaa826926292f5ff4b

SHA1
f325546484ba2eb715398cc0c75e512954cdf785

SHA256
cb6272aebfdf26bfa03a3d92cb4040fcbdc6ebd5d8faa1d87fa8db411d58cd35

SHA512
3ac142a4288ee8abbff1103781c35a65fe6a83179f3afeeac2e837bd36c101920a25f64a9252e6964026db2b1ade7d6dd201e1968e19eceaaf4a1b3d61ac9747

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

Filesize
17KB

MD5
2e1aa44723d6ca203a0f4cbc6e43c599

SHA1
c6cae7842fd4c9662edc1336c353756ab18b76f9

SHA256
ca549148020627b1e06f8e8ba94c0dbb7d87c9b5d30d6a342d6f1856c39ac1cd

SHA512
0bd75ff6563de82e59c746917c9d92f631675ced4b55caf765a435d2a7b3548df97e1888b6f423f097d85b60ac9f564a191a25dd8ee8ce10b9010277fd57ab51

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
d2a6b20658589ad37a679c1f66db2f48

SHA1
4cf3fcf5e9e9f624633e77121f047dfdf8634bd6

SHA256
b1571f175145dcd6c73c04ade4b63e9e8373fcdf7c70a2a7e5b9277b7cc4d003

SHA512
bd618eca6949431710d005b64b562cb94f33b7797b1dae3c12e6930797ed4ccf4aa70dbde3e930a4b9c97a7add59aa3a3267883401cb42f564ad3b8e6a6faed2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
1685924d91cf8a71e3f27a9e68015c44

SHA1
54490898a0d7299e2698fabcb4ddf1b4c5dc0a2c

SHA256
b920b7e59f395750134b1901f83e0b6ec90bc4a91f25defba0b2bc0476df4a88

SHA512
a298a4df476fa7bbe2f068f633551ff46b3603f96a8f3fab0ae2673b5e708cf4a2a0583fc897fc4692340f2e7d393716a5a59dbc19918d0b60841e978034e648

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html

Filesize
10KB

MD5
374086c9a5e4b6e33d077b5b864d97f4

SHA1
2afe9ff62e5939904ce44965304457b44dde74bc

SHA256
210741d91daa44b8607a7566f99fc4f07df74487a3b4b62cc78179a26727f52a

SHA512
d5912191c3d427fc3b72798292dac02a80dae78e4e63984860088a712bc3a6ac541f008c7a6c7ffdb0cde803f183f8527c7fdb4c71f44a3138218431c57d9c13

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
93dc4fafdc6d9369d53b5256ccadb813

SHA1
965740adbb1319b9111b7c5790ff303c97dcbd7f

SHA256
f44a14c74fe041a2b6b661d2063b3025376015eb081d4752bfec4a4b74e3456b

SHA512
5366318e5c234f30cc6561fd94d8cae7c2f7b96f97595b0a774cc1b08ffa4b98fe164df00d6393703d05168ceffcb84d9091a7927a1cecbf0c418a38d8bad910

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html

Filesize
10KB

MD5
44edf49452ef1ddc2f43f710615d282b

SHA1
2f1fc52e2727ae99d1aae04ec95302b2e2cc7900

SHA256
5bfeea9593dfec9f4692168d918bbeb9d8df936696f16647d629d74f0e73a144

SHA512
59c0a433346c5e84ca154a9f447f7cebb7b713c0f26481111f45317d1468f8c3963648491d530a5e0a636fa7ef8c69bab985e0428bc6f5cd5dd96df976ac120a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
5307722b94555efcaf1b25f7b95b4a81

SHA1
0957858dfba7aea190f5aa926736ad775eed0900

SHA256
6c844ffc69916a8c04cf7cc86ed7ffa423326494c91835f55d9d482682649b79

SHA512
9930a42c53056240636625329278fd9727e0fab18ab5094071d0e4c247988897d57c12bedb62d03bb6a4cb167c73bd31cc2dfb065c78fa8383cac4114305d1c6

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
6fd7b0dbaa6c5c1014113770e092e532

SHA1
b4ee353e45ad7709fe579661f99576bd4f123ed2

SHA256
965c72d1555e170d6dea4a49ce754d2d11587d2a2f2be5fc01c15a4e15e403a0

SHA512
e79907552dfbdba52e15fa75c7bc878f682a3402e2350790f0fd9ee6748b0595933cd645ddb2fe0fc7e7dd254924fd861fc6cf34e02819960dded5f829f35c1a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
8fa9a56559ee4482880e5c54357e845e

SHA1
fdec9b364e8375d3d48b81d3908d56742977ddbf

SHA256
cf60a377f482188da0268312045158246e3924978510d178cc5a512f3174e299

SHA512
efd1893eb5881254a31ee266809696e30c86c78632ae39af1ffec081c9816465c44d82f609f28f78f570284acad5a866e7753d165fb57370a029ea870405e72d

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
30030ab68f04659e3b7e8690e9a79aa3

SHA1
12a104ed55bddaf655c1e9524979c01e263f6c70

SHA256
e622b089900eec51cdc941271fafde0ecc8a1fdd72d26c53bb43ae5c4ef9b370

SHA512
0427c263773390b269d1a0d4b4fc1d8950396d0442529d659e2b7941149d06dc1a5a91f1f253c750b2c3146c35b7052ab54ed3a798c5cdd8e36308434c850cb9

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
9b214a8af100d6e903c0a01094b70170

SHA1
336ac64991051af0c70af443f9c7ad7bdc668dd5

SHA256
4fcb8a83c6b4374b37fcca841f03d5318391d58824e4eaa2522603753c7602f9

SHA512
1a7b4237fde5aaa20efc2515f6fc205079b441e9018671ba18aae5a5a1a628643917f9800078da9f671c93b8eda91ae77ca203b80aaa26c059c93e054c67dd31

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
4ce0a402df813d3a39a8572925e6f19d

SHA1
491e030c920a27c53bc0cc74a6f55dfa46c4b6cc

SHA256
7ecd88cecf54d46e39a2b9b331cb03bdbdc5cc6043ce4546d14d513b06c08c30

SHA512
005e66f618e6fd237ed7368245a8414ad21dfd1db65670a6951f93c8e27e6bba7180abb01d1f261eb2f415e2568c7ce49d046cb3486ffedc9d02c4db19a99e45

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
773KB

MD5
0cc9a754f72f839b6d1c48d8c4453a36

SHA1
9847b571010c85bf926903e1c192407796be347e

SHA256
ac26c0d550a05fecfd1d9cea15c9a646f725618d320a94c68974cc63eb9a1ba2

SHA512
7c34e31a76bf63aa611b5ca2bd505482d32d17db5338850b156db7647ee106edb49d15855632e1c45d1042130b3f9fc513eb69d8b6a640d82cc07bd48cbf7703

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
c2b85dd86e672138348177a3c53268f2

SHA1
432932a04fe8255d5a7d7a1426bee6d85d843f14

SHA256
ce0ba284585a4e67056caca82af0de9cf034c9ec3908f96f74223b929ac50325

SHA512
cc776f5ee1c0765cb4c4a6a824e2b38c5f0fc6e280e902a50fbb2c856e22ad05c77c95415357d48acbc0c482f06abb7a76d655622d6680958d5b30c492d4ae49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
e496751cd2219f672baccfe069c05607

SHA1
d43326345986e0c3a25bcfef2febf570a1794915

SHA256
272f89d727d01fec581fffb1a38e02ce025eb523663aa3e102f77ae9aa9e0f1b

SHA512
e84c7c29f3aa5b2184bd6590f3660ec3c67b5814e226f4f7c4ae9bfb11080ab0eb2fe43697710bd64beef869e368fa1ddd85495f7f92b0ff6a61a9c59264b5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
d554992d4494a99ee1cb814b6a475ac0

SHA1
28f5679ab12b98f1e1cb1db81cc45d2e81bd7eae

SHA256
2305f09094b346b7d121fdf848cd807e31fd3d788e1dd12bab77963dd792c0cf

SHA512
00da55828c7237ce5086b21b0bbeaa73c45ce13b974fc5881e4390d78118721abe690879b21c7b638bbfba7c001d06ddec2db51bd287dd8d8c129f69ee7b2e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8e9a72a6c3f0f85aa9c1191fd7f475b

SHA1
6ca59986f7442dd4cc86f8d9ccbbe60bf0bb5521

SHA256
7be0516557405ce6902e0029557412f8c439745532018adc581770b4177edaa3

SHA512
186de583be2ab6928a31ca38fd6419437a26a3c7c75c854818ccf48ec6d79fa76902cb1ed0168772d4aaf817a26263b8f0a2d9dc338d86d5fa2433920fc16bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
2d8618e14344dbe8757143c568b5ca02

SHA1
f5513c69af2b28d76680c37915484ff2e48b4910

SHA256
6658c6e2469c7bd2fdc464fc62b7d12f777b18e535dc880966185197eb3c68e5

SHA512
56f1659c2d1684c0611c4a7541101d80edc8891095b300073c043e36207b6e25e56fba9c01b351e26431433d63f5b56c1a36bc2283530bc932c13761917fdc84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
3e101774152e2ccf66e0ef00f162699f

SHA1
051324a9139bbd4eb5b03d120c7d38c07579b2cb

SHA256
176f3ffd5008b2748a457a2f6017f6d3bbcad665e656c8309398c76009573d8f

SHA512
9729a8f18cb23c7a448fc3bed247ffe417c5144cc4eee0aeb3a822191aa843ade52d4f1f519e13defda864c5f3cbd39097287b9fe67ca7f9d39ab3780cadfda5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1c71bafb3ff36527c45d128fbbbfad8

SHA1
0961d95c729232c5dc95d0999dcf6fda1b6db3ad

SHA256
705c3cb3b3896d01571955512ea8fe7c86d28f143a6ac44f5cc01bd2a8c7e8a7

SHA512
3f40f89e53ec1b7d8acf9ad4320f8e2872357e54ca54b135e570a5c7944a0a150b3d9f09170a6273fc80294748ad06985e5124a905039f9c3cddd5233d75564c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
5560875b40edad68cac0f3f229cc2800

SHA1
6f5f70e86e92d5feb9c38fd431821e3d3258fabd

SHA256
1b9e7eddb02e35e3b5777b45a4b467c3f4259b1540ac0b7b184ae3ab6b175873

SHA512
1a587d875b37cbc6a1b11970c38e0138de05808f56e1592ca9e4d31f2b60b60d4124597543eaea279caa4c6338b5529d43ba9b9f952d1886966456845c2f9b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\99KVPL56.htm

Filesize
18KB

MD5
3c9fb9fbbdd372a9ab7f4e11cde5e657

SHA1
06f7b35568d81ca65e30ac213ff1031220ac090f

SHA256
f363ad44f70cd532e08a53e7ea0323f68d2b58b448349034ccc3dc3b0a96296f

SHA512
dd585b080863512a9a933e39d7542b13b3501f43ddfbd153e266964c37846e4d7ebd798512f705457c2be74a80a1d0aaf98c11ba5e6c2ca3f07f29eee1f68fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\2OSJI4SC.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC5F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBC81.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\BackupUndo.3g2.134-8CC-7A9

Filesize
599KB

MD5
7f6c0c844c2cdbd2296210188d5636c8

SHA1
6288167c3696e985c4363e5248012e8228f8eaea

SHA256
70ca66f8c856ceb56ddeeb58365db384c1992b37407a05c48393bd9b397e27ec

SHA512
2b465b749c1231ed9f0e4e1c8f5ef612283a61a0b5cc54a560b0038c2b2f93ee11034e1379f7edcf23eca2e385195adbefc744fe6a70b24546f8bfab5b166935

Download Submit
C:\Users\Admin\Desktop\BlockFind.exe.134-8CC-7A9

Filesize
883KB

MD5
80a3f1b4c2a8b780ef03c07eb723d436

SHA1
78f557617ca48fe7522a6fa7ae18b4620447517d

SHA256
d12706d70a45552416c0a8e372c9be05e4d9ec7ffa9d6f5b363246d0a4486d73

SHA512
77b9c04052d4d0f046054192904dc71bff84731f32a46344308a36b64efeb70d3e16741bf62c8563897b1df697b241ef80c8bf28eebe803ad61dba00c780458c

Download Submit
C:\Users\Admin\Desktop\ClearMount.docx.134-8CC-7A9

Filesize
343KB

MD5
c57d56183e2930f7dd7a6f4352278054

SHA1
30b5e8d3abfc7054faa4f030a34603397f8e7d02

SHA256
bb5967fc1551a11ecb63f987b425113c36e906d634d5b9b96cc9b27c61e3164a

SHA512
00d2489261ba8021adb386debdf1ff6d4b3aef837bc3868331c4e50aca874e82a31bd8fdf6791c535963d68e53fa17c834883abd6808945e84d8f4c97ae04ad7

Download Submit
C:\Users\Admin\Desktop\ConvertFromUse.xlsx.134-8CC-7A9

Filesize
10KB

MD5
9d0e2b570a32a986553322d9ae5f94d5

SHA1
58e4eb72d91ea28d3f97f35ddc90e30272ab8204

SHA256
ccd3a158ee0b3cbb588ae0fc738a66cb642cf769d0b4489cdb70ccb1d4ff1db7

SHA512
42f7cc21acbd599611adad832f66c7b3e03f381cab60c3974fac786988b5acda7cec243835bc81b5bc69c3329d7274f4231211d8c46dce33e1f80e170889864f

Download Submit
C:\Users\Admin\Desktop\DisableLimit.kix.134-8CC-7A9

Filesize
684KB

MD5
57950c005c54e779fa12d79523f3dfdc

SHA1
520c95d1c7f62e488d06ccf77ea14d119969a551

SHA256
3da73c681ebfc0403784f64609f27a4298646be3a645fd9f5d3eee9ca9fffa31

SHA512
7d330436e79c4fea0f6b42ec38060a507db9951e48d161fe8ebb2493739ffe8e0a9da4824f5580971c09b7dc774a78479344e760b7b993b67dbe99cd24020ba3

Download Submit
C:\Users\Admin\Desktop\EditSend.xlsx.134-8CC-7A9

Filesize
11KB

MD5
b555c8bd1f945d131143e4dde87718e4

SHA1
f961c3109394bb005a63be5193e45e48aa92dd1c

SHA256
10950dde48d5fdb5953de84fc1c798d2553704e5adf8a2b5f0682ce4a9a072fb

SHA512
b7926050ad197573509163beac0cfbecff4d3bf2aaf86a92f46cf536dc3eef515fe8cd6eba37e231d8c3d9ee42b0d0124c1d0c5ad808f09b464fd128d7e34bd3

Download Submit
C:\Users\Admin\Desktop\EnterSwitch.docx.134-8CC-7A9

Filesize
18KB

MD5
5d45e82bc987c564c6cbed060e4796da

SHA1
d6c48f0b2fd5cfb4dae67ac5b1639976f1421ca7

SHA256
959ed43e88f5d0f81a4b2a5452c110605d79896e5cf733dde54522b7df97a979

SHA512
031aa54c01ccc26fb961fc2aad85ae2f89c05887b9e98db1a489bc1b141e495200d9e2c2eb6c0b33edfe0b5c87dc292b7e3fa054e7cff9f10ef9ad7286eb6b6d

Download Submit
C:\Users\Admin\Desktop\ExitSuspend.mht.134-8CC-7A9

Filesize
855KB

MD5
b5a02cd5f06bc2c8b7f937f2e3211e0d

SHA1
09edd8059ded00ff2fb1ad87b6f0f5ea0fa3287d

SHA256
4556204ef9579c6d25225e641de63533a393aa5312419c60260d55b8163d7c8f

SHA512
25ed6b857b818284276c6263c74a523b800fa2ea8749d635e434c9b52373ca7b43837a29ec17f7eb0f6d2c4e6360d8dda7dde85af34259e28dbb231a1e0dc869

Download Submit
C:\Users\Admin\Desktop\GrantSearch.vsd.134-8CC-7A9

Filesize
741KB

MD5
c7ff9b1cdc084bc201cf39caaecba7e6

SHA1
72a0b10800f866d7d56138afc56495c52dd3d2c4

SHA256
cd85f9a727caf5ef5e806b33458b31003f7136f93d36b720f1ca66350c0cf17b

SHA512
ff0d61ca025c49c5e2f1e618a510df00db05db2ddf51961dfaff58c85e78f73517306de95ee21f62b6c34c7ed97ca0ddc369a5675b46fd055f5e0345a857e35a

Download Submit
C:\Users\Admin\Desktop\GroupApprove.avi.134-8CC-7A9

Filesize
399KB

MD5
53a55d7de6747543014535aa26ce271b

SHA1
c9936e8997d39246e6164f789ae64f07576eb292

SHA256
d02c778a5f52895e90b93489091fbcf777add79fa7796da22c0bd6937a563b09

SHA512
0e28a1b0238a708d7a80054e68b844796436a0519d080950240fe144574ce37d0f97593910de8bdf9cd4a8fb7baea29d1bb1ce2beb97b8853e1b46d9097d763a

Download Submit
C:\Users\Admin\Desktop\InstallAdd.mpe.134-8CC-7A9

Filesize
798KB

MD5
4aa0fcc47a89f25290fd627a3a5b7fa8

SHA1
787167312b98209133c829c531b78101593f28d4

SHA256
53ce90dc2490f0655c0cb4c6bcc609a39de5ce1fc9d6578eade81b2707e0c3ee

SHA512
d2ab13dc74c2645ac4dd1a4224d6742e2829b451581dfd394e764c3f6c48d9774de66c1b700c18883484994e4ecd974751a17aa9ad9855daf04b14ab01983c60

Download Submit
C:\Users\Admin\Desktop\LockClose.m1v.134-8CC-7A9

Filesize
627KB

MD5
051a197f2811a3be68946ab0a8971fb5

SHA1
6861ee0e45432b0cf37e3f9ec2beb7ed0df8f9c4

SHA256
0efd564495afd49e02daeefc595485b23927c79abb5ac09836552d394e78e0f4

SHA512
b4c1961d3ed6b7f142855cfc99a59c6e717f51337501667e61920c89e90b95c76b15e427e3ad9820ad49a3ea106ea1fbc3bbc10ef15a74c01f5b45ebb524225c

Download Submit
C:\Users\Admin\Desktop\MountLimit.dwfx.134-8CC-7A9

Filesize
428KB

MD5
a53d2b33387d31464c0f7d8d553d522b

SHA1
ac8dc3feccec625bd15fdd0a705e700b075acdd2

SHA256
23b7fafa6fdfd440d357bb3ca8f2a9db58ad88b3f7a4e3e14ddcb7c26485a75f

SHA512
f7bc3f334d65b4a98a2e147ba3b871eb3df5c447314b0baeb2a8a71f477c02fe4513e591f49e8e0b0f21e368d0e99ed27645ddcf9888d3ba7ada3cfb4d9b9db5

Download Submit
C:\Users\Admin\Desktop\MovePing.aiff.134-8CC-7A9

Filesize
485KB

MD5
8ac70b29a3ef465fc8efb46b6dc9c3b2

SHA1
eac2ae33e0fa276ded16d69daf656f7db059eef3

SHA256
1e66498ecc42a011029b30b24d424c7d9c5149f2b8b0ab3805b8bd8d62c30a46

SHA512
f5fd9450ba0953fc1c303b37ce0fb1b4625b353463efc4df18ec059e128fe24f7448e3fef3bc4aa8baf1d263c9890eff568d7caf4fe6a8bd4669bd3b0115e00b

Download Submit
C:\Users\Admin\Desktop\OpenBackup.xlsx.134-8CC-7A9

Filesize
15KB

MD5
2ad699fe16823e1b4b03cc60c0074674

SHA1
1f170ff5f27f2c3cc4e372bbb6e1f409cdd98ffb

SHA256
996f020785fde8a6ee909fc391f2ec362009953e256d7eba21ee3cb8f3fd51b9

SHA512
14dd64a46e5d5f92c1b4614e38bb7e83180883b704931fe5539dcb606b02228116d094c2ca3de8e7937f6e625d77cbea1088e52fb2607730033c9200eaafb3f8

Download Submit
C:\Users\Admin\Desktop\OpenInvoke.tif.134-8CC-7A9

Filesize
911KB

MD5
1522f7949e9fbc163ef0caafa71bdbdf

SHA1
f02c8573631f97d2d9dc53aeeaceb9610f8284e2

SHA256
3fb5ad2648063ac25852c6810d41736a82380dd6dfcd5d0f0f962ed1ca487cf7

SHA512
deb15e34dc2a02d2301f29597454fca8b2e7e366c540c021d52d3daacc8fa057502881b731ddec49ceebdbdc7b19f2f0df0e1b8451251e942c3e41f53a3fa0f5

Download Submit
C:\Users\Admin\Desktop\PingBlock.vstm.134-8CC-7A9

Filesize
940KB

MD5
f4dcfda1d3f52dc69f54b8ba9c76012e

SHA1
888f22ec8e4f8c9f62b45d8981ddc197339f54d1

SHA256
250ccbd3f546e7b9620e0b84e6f83f7f18560cd087c79dcf45a068e33f07fe23

SHA512
a7142f3d097e0ef88310599eb7e996a8b2953e7dafbaa8e9dfc84ccc7e2fe5397644a7f7309abce48636a98d8461494648cf2226f7ae99336f1090d96a14cd55

Download Submit
C:\Users\Admin\Desktop\PopImport.docx.134-8CC-7A9

Filesize
456KB

MD5
0d4c035d87db17b020338aef28c01b1c

SHA1
a8e384df080c20ee5ffd15ac797cac906b38a187

SHA256
1b331d1f34e4fbbbc89ba7c81670c4079d118a3b7ae420875ff8e1945c6d1fc7

SHA512
4ae15c0656e432aa3bbc7686dfe365dc65a6981a30a4463e5cf85f44df42690a1ae0f6e87ad243ce5cee89ba2dfc80dd5fa7a5b2f1d0e232ff14a6c8dc1229e5

Download Submit
C:\Users\Admin\Desktop\PopReset.mp2v.134-8CC-7A9

Filesize
371KB

MD5
6a93ee9e27e03c9e62613a06c2e85d4b

SHA1
cbfcb70ea752e69fc764b9b5c6f53d13dfded49d

SHA256
461fbe68764cb4eb15cea6b25303c2a34c5df6ab484d45911f219f02db8be198

SHA512
683014c93c64df4e7c4b458f388d20a6835faa938aa3cc475f46a0307de770e8bd45c2847ea5307db22cd9bda0d3b9fc33f1c685081ebcfd701202016c61c766

Download Submit
C:\Users\Admin\Desktop\ReadCopy.easmx.134-8CC-7A9

Filesize
655KB

MD5
0af710b8e0da4f52a51068c75adcb1c2

SHA1
8391ea2edb45abb05146b89c7ecf89bb11718ba1

SHA256
981c14bb8d6752e8996d3eae0f24d95bcbb53c8c6bf633c9acc454ab07ecd6c7

SHA512
2abe9e744ad40dc54fd0f6d167644fca18fb5f378bfc00ef94684a3465994ca8aead54a1d0b5884c146f2de305731fe765f87042f6fdea8c16bae337daa8da40

Download Submit
C:\Users\Admin\Desktop\RenameBlock.mpeg2.134-8CC-7A9

Filesize
542KB

MD5
ed1c03985969e32ffc31902bab0310ef

SHA1
a6f82370a322a556f598cf0312ad135ea0c2b641

SHA256
5bea09f8723b781578864349e042e3dcd6b3f455d7c8996cc4adecbe57aba245

SHA512
b4bcae0c2c6d52c1f589f3fa6498aeb384c186735ba974099ead86891ff3792a983f550a9b333e8cba2c04810da9ae0300974b36ef85cd486d9e1f9c9008f05c

Download Submit
C:\Users\Admin\Desktop\SelectSend.mpeg2.134-8CC-7A9

Filesize
570KB

MD5
dfaf52e9afa396864e8e65b6d99f202d

SHA1
52a0bef32860a4f62584a172bbb68d3133e173cc

SHA256
5ed004282d0c1976124b43ab683d0743c8b6ea138a97d80a246fa6e9de314ee8

SHA512
9c9c8477409ed386626b9def375c52c9b876595b20dd3ecb89a59637e03309e62b4489dbd2a9f6e61c480ef2e56084198f6adeff83d3ce060669eb9ed615437d

Download Submit
C:\Users\Admin\Desktop\SetShow.cab.134-8CC-7A9

Filesize
826KB

MD5
da8a48d046cfdd8efe3ab15922cb4db2

SHA1
7a97d81689746a19040209991fc6fef847197603

SHA256
e0db96d344745b00976c5d178b9fbb318a95d12b54a367d5db735e947cce69c3

SHA512
b2079920881fa9605f426265ab228fd5e33903f5a901a584e87b8c1b954705bb36fc6872b8f65c05e87e13dc3e7c8554313e64dc0c5a10e81eca44ccae2efb33

Download Submit
C:\Users\Admin\Desktop\SuspendSave.mp4.134-8CC-7A9

Filesize
769KB

MD5
5d8980ed9d1cf9f7c596311ddb8d6874

SHA1
4d80bc01a46669e1252758f0e5adb2e2e034cb31

SHA256
f9e055c724c326a44e3bd7938975f85730dd63785c22340e1460d3e0d0922f04

SHA512
f8e27893f3f2dfb30f2c0b6357bbfedcea6f7ff6fd8dd3fa11f9ec1af2cc6316a49c6978c27688e512964e681b3eb687de0a1369ac38fd504f4ee9f63e729c9b

Download Submit
C:\Users\Admin\Desktop\SwitchClear.3gpp.134-8CC-7A9

Filesize
968KB

MD5
385a5d2fcc0677ee49330035298d5dd1

SHA1
5c59d2b19c78ecb2f6764ea06af0f992a40fe95e

SHA256
3a23c499ca7adf8e98d95ba10dd676210efb202631c0a28cb524a7924b72b6a1

SHA512
0508b3f9af64a52884b796a760512dcac40b9844306758e4d9b28fb0ca238fc9d21171e74c5adf5b2de59502fa79cd75bc556c99a28262acb9861c36180e3f06

Download Submit
C:\Users\Admin\Desktop\SyncShow.rm.134-8CC-7A9

Filesize
712KB

MD5
f927723c37493b3c008cf92aa75cd026

SHA1
a3469d6c7687f58cdff5a4f6a75516ecf05969f4

SHA256
faddbfed68808de74d4866a01f17f9d3c806563771aecdee376ba846098419f4

SHA512
86c1b2993f47ba4b4956528781a92845f15b247bd7d7051882785bc55bfb1f6b0a5c09c089cf14fcf456e9e6696d24ad0b537b22af4b972cd117b561fdb83273

Download Submit
C:\Users\Admin\Desktop\WaitSend.contact.134-8CC-7A9

Filesize
1.3MB

MD5
597194c258d7567784f35b962f6ed885

SHA1
6e3039da2d169977528fb48ca948a6d2894f0b16

SHA256
bb3af222f22f755a7b2270ac82390710fba6a814c505cd7a3414c89a621fb287

SHA512
ce6fb5f7c6e0fd36c5c9425d1c71b3674ad87d0ea6b38ace3e924bef25f8c29a9121283b5e574439010df7884303e76293659791d6ea077cb3a63b618a95513c

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
606edca36c65de47e312b0b484989a0b

SHA1
8388fc7bf1a05486c4794e09a0d016c155b787a5

SHA256
8bd0898f6fc1c53a0e48cfa31c655901ea471669660aa9a3f7d4402d32e725d8

SHA512
071d25a3e2c406442c3f6b2fe8691812f986a2cc113590d46ae7811b42fa4cbad8c70ba7214100b1083d0e54a96dd96ec46411199849af56461edac00e917c9e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
memory/1484-30240-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1992-90-0x00000000001B0000-0x00000000002F0000-memory.dmp

Filesize
1.2MB

Download
memory/2028-30206-0x0000000000B00000-0x0000000000C40000-memory.dmp

Filesize
1.2MB

Download
memory/2028-24574-0x0000000000B00000-0x0000000000C40000-memory.dmp

Filesize
1.2MB

Download
memory/2028-12407-0x0000000000B00000-0x0000000000C40000-memory.dmp

Filesize
1.2MB

Download
memory/2372-107-0x0000000000B00000-0x0000000000C40000-memory.dmp

Filesize
1.2MB

Download
memory/2672-66-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2672-72-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2936-4107-0x0000000000B00000-0x0000000000C40000-memory.dmp

Filesize
1.2MB

Download
memory/2936-30241-0x0000000000B00000-0x0000000000C40000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads