buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
92s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 348-EE9-A68 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 10 IoCs

resource	yara_rule
behavioral16/files/0x0008000000009da3-17.dat	family_zeppelin
behavioral16/memory/4304-33-0x0000000000EA0000-0x0000000000FE0000-memory.dmp	family_zeppelin
behavioral16/memory/5040-43-0x00000000009B0000-0x0000000000AF0000-memory.dmp	family_zeppelin
behavioral16/memory/2884-51-0x00000000009B0000-0x0000000000AF0000-memory.dmp	family_zeppelin
behavioral16/memory/5040-2271-0x00000000009B0000-0x0000000000AF0000-memory.dmp	family_zeppelin
behavioral16/memory/408-7416-0x00000000009B0000-0x0000000000AF0000-memory.dmp	family_zeppelin
behavioral16/memory/408-13207-0x00000000009B0000-0x0000000000AF0000-memory.dmp	family_zeppelin
behavioral16/memory/408-18709-0x00000000009B0000-0x0000000000AF0000-memory.dmp	family_zeppelin
behavioral16/memory/408-26086-0x00000000009B0000-0x0000000000AF0000-memory.dmp	family_zeppelin
behavioral16/memory/5040-26114-0x00000000009B0000-0x0000000000AF0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6097) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	default.exe

Deletes itself 1 IoCs

pid	Process
2776	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
5040	csrss.exe
408	csrss.exe
2884	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	iplogger.org
30	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\SphereGeometryShader.cso	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\ui-strings.js.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-200.png	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\PREVIEW.GIF	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-945322488-2060912225-3527527000-1000-MergedResources-0.pri	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-100.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-256.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\MapLightTheme.png	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons.png.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Cliffhouse.jpg	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	csrss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-lightunplated.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\YahooPromoTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-400.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-100_contrast-black.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-200_contrast-black.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ui-strings.js	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-400.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan-2x.png.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\tzdb.dat	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\share.svg	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a_thumb.png	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png.348-EE9-A68	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png	csrss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100.png	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	default.exe
Token: SeDebugPrivilege	4304	default.exe
Token: SeDebugPrivilege	5040	csrss.exe
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe
Token: SeTakeOwnershipPrivilege	1696	WMIC.exe
Token: SeLoadDriverPrivilege	1696	WMIC.exe
Token: SeSystemProfilePrivilege	1696	WMIC.exe
Token: SeSystemtimePrivilege	1696	WMIC.exe
Token: SeProfSingleProcessPrivilege	1696	WMIC.exe
Token: SeIncBasePriorityPrivilege	1696	WMIC.exe
Token: SeCreatePagefilePrivilege	1696	WMIC.exe
Token: SeBackupPrivilege	1696	WMIC.exe
Token: SeRestorePrivilege	1696	WMIC.exe
Token: SeShutdownPrivilege	1696	WMIC.exe
Token: SeDebugPrivilege	1696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1696	WMIC.exe
Token: SeRemoteShutdownPrivilege	1696	WMIC.exe
Token: SeUndockPrivilege	1696	WMIC.exe
Token: SeManageVolumePrivilege	1696	WMIC.exe
Token: 33	1696	WMIC.exe
Token: 34	1696	WMIC.exe
Token: 35	1696	WMIC.exe
Token: 36	1696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe
Token: SeTakeOwnershipPrivilege	1696	WMIC.exe
Token: SeLoadDriverPrivilege	1696	WMIC.exe
Token: SeSystemProfilePrivilege	1696	WMIC.exe
Token: SeSystemtimePrivilege	1696	WMIC.exe
Token: SeProfSingleProcessPrivilege	1696	WMIC.exe
Token: SeIncBasePriorityPrivilege	1696	WMIC.exe
Token: SeCreatePagefilePrivilege	1696	WMIC.exe
Token: SeBackupPrivilege	1696	WMIC.exe
Token: SeRestorePrivilege	1696	WMIC.exe
Token: SeShutdownPrivilege	1696	WMIC.exe
Token: SeDebugPrivilege	1696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1696	WMIC.exe
Token: SeRemoteShutdownPrivilege	1696	WMIC.exe
Token: SeUndockPrivilege	1696	WMIC.exe
Token: SeManageVolumePrivilege	1696	WMIC.exe
Token: 33	1696	WMIC.exe
Token: 34	1696	WMIC.exe
Token: 35	1696	WMIC.exe
Token: 36	1696	WMIC.exe
Token: SeBackupPrivilege	5044	vssvc.exe
Token: SeRestorePrivilege	5044	vssvc.exe
Token: SeAuditPrivilege	5044	vssvc.exe
Token: SeDebugPrivilege	5040	csrss.exe
Token: SeDebugPrivilege	5040	csrss.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 5040	4304	default.exe	87
PID 4304 wrote to memory of 5040	4304	default.exe	87
PID 4304 wrote to memory of 5040	4304	default.exe	87
PID 4304 wrote to memory of 2776	4304	default.exe	88
PID 4304 wrote to memory of 2776	4304	default.exe	88
PID 4304 wrote to memory of 2776	4304	default.exe	88
PID 4304 wrote to memory of 2776	4304	default.exe	88
PID 4304 wrote to memory of 2776	4304	default.exe	88
PID 4304 wrote to memory of 2776	4304	default.exe	88
PID 5040 wrote to memory of 408	5040	csrss.exe	96
PID 5040 wrote to memory of 408	5040	csrss.exe	96
PID 5040 wrote to memory of 408	5040	csrss.exe	96
PID 5040 wrote to memory of 2884	5040	csrss.exe	97
PID 5040 wrote to memory of 2884	5040	csrss.exe	97
PID 5040 wrote to memory of 2884	5040	csrss.exe	97
PID 5040 wrote to memory of 912	5040	csrss.exe	98
PID 5040 wrote to memory of 912	5040	csrss.exe	98
PID 5040 wrote to memory of 912	5040	csrss.exe	98
PID 5040 wrote to memory of 1896	5040	csrss.exe	100
PID 5040 wrote to memory of 1896	5040	csrss.exe	100
PID 5040 wrote to memory of 1896	5040	csrss.exe	100
PID 5040 wrote to memory of 768	5040	csrss.exe	102
PID 5040 wrote to memory of 768	5040	csrss.exe	102
PID 5040 wrote to memory of 768	5040	csrss.exe	102
PID 5040 wrote to memory of 4932	5040	csrss.exe	104
PID 5040 wrote to memory of 4932	5040	csrss.exe	104
PID 5040 wrote to memory of 4932	5040	csrss.exe	104
PID 5040 wrote to memory of 3920	5040	csrss.exe	106
PID 5040 wrote to memory of 3920	5040	csrss.exe	106
PID 5040 wrote to memory of 3920	5040	csrss.exe	106
PID 5040 wrote to memory of 3500	5040	csrss.exe	108
PID 5040 wrote to memory of 3500	5040	csrss.exe	108
PID 5040 wrote to memory of 3500	5040	csrss.exe	108
PID 5040 wrote to memory of 1564	5040	csrss.exe	110
PID 5040 wrote to memory of 1564	5040	csrss.exe	110
PID 5040 wrote to memory of 1564	5040	csrss.exe	110
PID 1564 wrote to memory of 1696	1564	cmd.exe	112
PID 1564 wrote to memory of 1696	1564	cmd.exe	112
PID 1564 wrote to memory of 1696	1564	cmd.exe	112
PID 5040 wrote to memory of 4460	5040	csrss.exe	115
PID 5040 wrote to memory of 4460	5040	csrss.exe	115
PID 5040 wrote to memory of 4460	5040	csrss.exe	115
PID 5040 wrote to memory of 4472	5040	csrss.exe	119
PID 5040 wrote to memory of 4472	5040	csrss.exe	119
PID 5040 wrote to memory of 4472	5040	csrss.exe	119
PID 5040 wrote to memory of 4472	5040	csrss.exe	119
PID 5040 wrote to memory of 4472	5040	csrss.exe	119
PID 5040 wrote to memory of 4472	5040	csrss.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:408
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
2acf6808554c716dd0a2296f384549dc

SHA1
12c89b177e7dce997f98880fbb5048dc172cb8f9

SHA256
005343f1492e0bd36a9e44f53c5abf1af711987e9743247c022dcd221d833d3e

SHA512
d5aeb983257072598ad18a0760640d5a349b4d24d5f6dc1e8d50e922ba6202e685bcd309b544ee290eb1a065e4cf5035b093b2665873ca938f2203445c2675c5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
76e931cc62c7b00d27093a35b42a44e2

SHA1
8c71192dcfc855ae6d20816d06e528b17a03209e

SHA256
721274cfac82af342fd211c7d1ce7b764302ca166369e4f566edd4ca978c5eb0

SHA512
e5075670f8f49c1500ddc5b538ad35b6c23c0ed03c66fc9d97e9e7f24197b694ceaac536685bd676b9563b91a873e574501e8a26b4c24351db4c6f0148a87a0f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
2ff482f4aa01191d41bd22ef1a5f0295

SHA1
cd9c3082c9b2cd29e077e61aae402c3b87f481b2

SHA256
c42500283e86e54897da2e7499b0671071da741b0d9baf6fec588eac98f752ef

SHA512
e1f76c602160c9732ed9611815742f59c9a76a6e86f347348268d27119e9633bd5c392ae3d8e65f6d3deccbd4fcd6a71ca7e2fd110ab018667b1eb67b3a572b9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
0d7a7464d42ddfab72a0c288810269f2

SHA1
a07b00bb1801ece51b4dc5ea42834658e5017452

SHA256
f3800207f7cc11e24df32f7965d93c3ffdb923f471056823d067f37c8386b190

SHA512
3973beb888888c5ac496d9632278260113a81fc958746a52b30825e0665dc857a1d27e72af224f68af63ee96b432b08ab996ec077b2a32ef63c7449f90b6ac28

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
ad9ae634b69a0aeaa637a668ab446105

SHA1
9623b1086f7947080210d0965196df8370860215

SHA256
4ceebfebd080b10b8981588ec6bcab057b5834c256c864d8f6ed8b0b9eb46155

SHA512
c40899047e10b248ccc79ccf576793c605b87d5e96eae7b937aae5f967117b583ad5b34efc75a0347dd104969e2a95654bdcf18f826cf9f85da611df2544df8a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
3bad393ea7ca3897fc80af5432c08408

SHA1
7fa9b51187cc6fc379a96f27b6f8423b3a24050f

SHA256
9346e0194cdd134d341fd5290a6964830c6162e4386c857e5b2cfe932abc7056

SHA512
a3fcb61d1df17b0d744a82f87ba158f316a75c189464505a227abc9b4a2332d5b4899660a8cc9db854730fe54c4a9d5163059ef1b9a63cc90417b20924b93d17

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
10KB

MD5
3d878d9bb4d5f7a2b189dbff3a9154ce

SHA1
927bbf2590ce8515ffc856c089f3a2a14cd2de6d

SHA256
90c82ebba4d16a4f0e31e93f916ee2394dce700a16d578d82421295cae98e295

SHA512
17208715721e6fcfd9d9da94b7dbefcb453c1b8cd01829d9005b371b97186c6ac2bb5cee689b06fc89e895ade18314d9267bcae18f15c7bae4c405235ef75cfa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
2f3e4fc18de1da3fdecd1aeacc24c711

SHA1
4a58331a18157af9b2c760b3e0c7a65042d456d1

SHA256
5a46c64b99d840c607a0b19a57e9cd9f13f74b5ac0a35c620508e703cf6f60fa

SHA512
7b9396e9f30e42ce54bf79c16d035017d01c53ffcef285d1d69c20866eda5f4f7a51fee7beb4585fda1b6cb2796bc361d9d6a29a8528216ebcce16c3a0ca2c9e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png

Filesize
16KB

MD5
8096f7a8a19dd7e39ca0e0037a1923cb

SHA1
ef9e631c1948f308ccc816df78c3b8be55ee8a4a

SHA256
d50638b65f1d1d7990ef0453646bdb0c35da85afa21a682c5f128e524631488f

SHA512
c9d92fba771c465c966324436087ea130f2da8cb725f94df7c0d762a7ce044bab0caff21db22689dc2bf45e5bc5094d3194d6f57eda9c105ee9fd2bf559344dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
bf00093c14900475a233d1346bc4294b

SHA1
c34b4bbb623b28a42d33723974dd493473e1f16b

SHA256
91f7e267a7d97016f9c85ede35bd5001a3cfc029261aab6a3c63809dae985f90

SHA512
9ea4231df2a44cc6d49eaac192584d07af8ce15a1002272f0fbd30a3fa27e3234d168a368d94c199615116ee7de27b0d3d2e8f8471e4387bff03f25e6bc6cad9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js

Filesize
395KB

MD5
50a048955204551aa31cea072867fa03

SHA1
84b82d202274c6f5e6151bfeb9397d370b97e15f

SHA256
441f5664fd8c04813fe3cdf610ab060bc5f0469beb0e180ae7ee7c709b05881c

SHA512
4f126358e5e26b2d1612deb45fc0a15885f06ed09c62fa1d8eab2c2373c509f2d7329eaf694fbded45faa5a81bf5dbfbdf2f3a543f68c2f26853f54d55d9e4e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
4d885359b3c7abc7d451b6698d6e74ea

SHA1
95c63ea57dd3929705cf571120ee021751fdfd47

SHA256
8e93fe40961129e51abb0ee08324e11b455e7f96852686d9d1d1154f00f67a5c

SHA512
437fff4d7e8a88d00c9f5b6838015f46a36a1595f7c49042e87700b05d51e6565e3ac4b67d98df8c339368f274debebf0f73cdb00d668802b144eabb8afafc3d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
dd0c81a101f3ea746a6782f98fd78391

SHA1
76a4928af97abba62d158d2a8ab3228180a6766e

SHA256
3eb38c7373d8b7f5e782fb654c5fc5fbea4a4a39ff4f2b0a75713c915fe1965b

SHA512
4c1003fedd511e8a2b61126e27f123ac8ab9276d4ef2bbc8f07d537528abbd3dc32065853f8e0bb4935ebe8e02ae804b63b4594e04f95e2fc5559af3d8cb3db3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png

Filesize
9KB

MD5
952b03aff5305f1787354f754139a712

SHA1
c02f2edc2559520e15aefabe54801997f169598b

SHA256
02378b56b43afda1387e06793e2e5ff69771042fbd5cbad2cde3166f67d99e6a

SHA512
e063c9aedb15f71199e923c904c02256fe6e291a0ddc65153ecbf29844e5b27f9b2f184fe23328596f2d1e4520a028e1169fb5967ede30265db46a0bb9b46114

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
b26c4ea4659d11659116fc7531fc4e26

SHA1
1553d03afe1d80d18eee8ea84efadd15c8270004

SHA256
6fed10f3254b25e05295865609d3877a1cec04c316dcc963846115a24ef7adf0

SHA512
2b67fa7fc403193e6cbd059e264fe9255b6ad0254bdaf491ea6839c98b9be51b2c06782545489ce5fe220d9e332008445af87879b7779ed33dd2247716b660ff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js

Filesize
48KB

MD5
a28a75bcef30f013633b7985a99324d8

SHA1
6230a288d2091c8957425b771e14ea28488eb951

SHA256
3d4546fd2b56f2eaa5a737053eba2e0082cff2c03d2a829ab57965f59b9480b5

SHA512
fe136baf20b00735ad8022c2478c1eb2dbc7b33bcec91ed6b036a30fa36dfcdd01a7f353aa2b880d0b4f828cc5f126753b2bcb06fe1afb6602d2e9353c0831c8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
94210ef67c3e8f167e9af057aebd0cba

SHA1
7098c676581711814e9790a95e45db530cae94d0

SHA256
e9eed325d14ce1c97407751db11f10f5356eaa62dfe2fd45bf55172785b9a788

SHA512
04b0ef3c526ccea523f0491d36931c42e8d6e24a78a43936957a5f33997d53698573f27abcaf36eeff920ded7f56f7388ee575eda431cadae3301a1bb7e41011

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
11259af35e6020fa7c9392ff66157756

SHA1
abf77a362d3956f29cd29a6ed55a667923ee83e0

SHA256
de10ac5888443bad3f2fb7e1053f9f77d60a5b841393fe892effde6360fbd437

SHA512
1786b91cb56391bf8d3941883b310330ba576357afa1ee0876f36230ec392615520951992c43d106e3d0c30dc778799049042edeec336b138d847cbbed7a1c29

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
dc3d110f8bdb4948bf95436294c2c29c

SHA1
9176eee36b0aa1776052b0decb2f88ea195b4e31

SHA256
aa2c3e9067cd8ec72df920074b640b3410af9686217075c94f3f8e8042b495ab

SHA512
d36fb61d4b7790a11fb6171f0d9e7cb7536c61fa27e83fa382fa615d283e17b6b86f37c579a9726ea27ca135c5abaaa15c2593a055d0f9a64885c0071ec466c8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
b564e9b8dc04908f10caeeec551d5c25

SHA1
c37c77ec83253b3da40f6acdedb65e3bf0cff71a

SHA256
b743d6adf6a4676b2c65c69dada0852fe054038928f5c3a4dab010ce92cd8dac

SHA512
5aac1850fbf128ebc47f259507fc25009560dad2eefd5f9b44b93cdf90a31e3a0bf0094bb0ae7c9581e340bea585080b4121d8970405082319ce4c6783c2e85a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
ad57b0b9fc0af9c3de789fc56729162a

SHA1
d4599f88a4465599cf063dd84e881cfc3189acda

SHA256
78da119d7845c987d264234b7a0dada3a62cfc46bb0f57bbfc6067b981811ffe

SHA512
f50b07a898d79738ac6b9f5a75b36ad956bdf5be7045a66427f4781e6e2bee00383bdf56296e5fc86ba982272cbd54892d51d0d53ae6ce6d07f07a17d56f4230

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
ec01815a0ce440d6c10ed86f992ead6b

SHA1
e63024bdcbad7fa45b27f2ed6518d0a6590cedc2

SHA256
7d555c4c05fa98fb62195d5785f20903d16d3c1736e5d3c405f7833826bfc5ae

SHA512
aaae53f31dc048e9d2aed2709cf4c744226f8873efa443c77bf4aa5bab29874eb2ecb037cad493f8de39b49e38a172c5165180f60fbff6bb7c4a38ab6c4e5787

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
98ce96de4bcded389b63a9135c74d6cf

SHA1
4c9d28df5b401999e47035767cfe42e0b1b80dbd

SHA256
cb5b242e54824f881b96a7f6f365532a9bd0536496652fe8f88193e12a82ffec

SHA512
f14fb7e966c03e2e1cb45b7afe9ea0c7374d368bf5ef5b4ba366ee99180a64cef8872022b3e471f07ec746df1006567ed4479fff9c03c432e787c588d1cf1d79

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
644b6ab1f77d7ad73c266a624dfa5fae

SHA1
e289e774e1440fe8c61336de9b52eaa1a6fc09f1

SHA256
eb02b9aec767e3d5bcdfe6432f4e0437cdb5ac7619deaf573c10476ae053976c

SHA512
24cbfbff52d630ebb9522d86df69fb810d1d0be8900318b3ba61c1209fa52ae1d0c393aa643964a7ec6c260fdfd1e0271e6434004998fe2ed136a38411f9c28e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
5bd068e503c073bc5ed25054901847e3

SHA1
76b4895032de2efd854742154b74419ea2886955

SHA256
7b3f9a8e917e48014a9fa806c66f44cb4a4f8165ad48d5bb72fc7950da6bcafd

SHA512
d00b84b9bead1de5aad8bcd476fed7ce4f95f574695c3926e3083a1d85a6a9502798fdd1a8a4fd632e68c0de03fb3fe3f550a45b255d85e5bc0f6de7355572e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
b4165e313e56702e2bb62e2cfe7a41bf

SHA1
a0a3a770e14428e5994b59dbb68444e27288ae07

SHA256
96cae5a7fefb7b9950006549320272dfce1aa9a0225379bb0b45480eef5efb02

SHA512
cdf812bbca4d6db588102b18bc1895c887bbd53d580e42d9d8b1fdd2664e55f3a858d2a9459266bb884d6319fccae70ebca118c7eb5357a872699177d190f8f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
0394d318f950cfffc4e34ba9c617f665

SHA1
c26a9c90e456d5abd7de3dff713f9748115ce3ce

SHA256
3ae01b4c8a2bbaede748388b46f4dc9ade33c33312edd07e7a05f7e24b4b2408

SHA512
d5b654f7be901ea2656f4932f8871345260aec73e0bc4237c87b64950f5e0393a77af278f74b00ad3bfcf9ff2c4ead50295ba1b2df57c69d571f0faf6c2df5ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
f8f200e785de270f2e8b21c2d2c01e3e

SHA1
cabc834ca7da7a4ec5b3c6eb7cb18e40d93a4a6d

SHA256
a8eaa47d306d6f7d5087abf767a7add5996d9d27b18992a881e4547b83a1a369

SHA512
55069f322ee60ee9205db6a7a555e6862959e847d89952c1b19384e8cfc50067e753ce78cfa5dfc69287ca9a26ba67d8ee10d0046957c3ce8d9ed15f98619289

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
1407ce823594c1a61f99ef12ef712765

SHA1
3b0a62e99de7b27197c541081299a958794992e9

SHA256
3a8e4b05691cc280b3ee5f4cb40f773b8eb0c8ba806c5c9d400ba72f3c0c1e02

SHA512
e5ac1f4f1b7cbfd6856b82096c33d90fb53094258d523d0698a429d8101a63ee687daf9580800b1f24785413ac2f0c3f7011e9b627b60b3e85875e31bed4b3ef

Download Submit
C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
4b4e8d2538e8174b7085b1a6143bdad0

SHA1
eef30a949a707b5db005315bcb9441d853f10474

SHA256
ee5f237d14fd1f47af2b3f4c130e17c3c643ad7a3e4db07867bc4b09ba8131e9

SHA512
1ac0a442935d79af3a8b8c66e894eac6104dcf736ac04bb4ce24faf6854e09c077ab44978de68b88a2b861f27fecf5a1994415769685b65bccea8ec2aa206165

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
9e061cfee19a5e6f5f743dc7c14954b5

SHA1
9aa4dd70336705fc8c16529bece96863e452ca5d

SHA256
9480f445843be3133b3457b13dde38dba501c5c242e63fb255a1f70fc88e6761

SHA512
751c3218e5e53874cf30aaba526b59f951679143b72e89b3d1f4e53ed4753fc66cababb87244f4a00bb75297b356788a4e392c6c87e2aef5c25102d423ec62c6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
3b163ea539429073d42d94b4a5aa3583

SHA1
ead926d672e4b91bb7ebfd377a4be00e179dc8d0

SHA256
7485cc7a5cea2cb6669cb5dbacf2b6efd79c9f38ae74ff2e295ebdb3f91d1c6b

SHA512
55c077dd8f1969d33819536681421f97bdd2ce8a1cbeead5155c68b20d9cb1a2008d1f9e3e7239c4d23c95a33735c7252e910b20ad762c2a94da654b08296078

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
cc87bd37d2a95e8625297acba85945f5

SHA1
579bb500d15344d3ede3498ed12a14d8c8b70ccb

SHA256
43d3ccde562e0caff461827c57631c58fa57f1d5a56200e71dc0ab9c880a1bde

SHA512
f5fac266543fc5feedd52a0a05c3573d13471a4564ea593f299a9eca592743923a59862db528e0475e2677bf9ff8c826626f8afd4097970737e717405ed3a039

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
cb7d17e6dc6585ba7097f969de5cbf98

SHA1
421606be92d9f41120ed0c621efca6f3a9bb75c4

SHA256
3802691f4092ff4ae803e9d82fd9e5c71a1e7746c5045eb0ea48285178e8ca10

SHA512
6c3aac6344bed08444aa0eeb5636bf31c0e10c471a41db977e1da37ab7678b8168a8c989ab81f782047c87ef0a86f87f703ad63b1e3f6bbbd469b807805475b7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
0ebae9638e2559e07f4e7ebce2f7fdc4

SHA1
2f4539324ff59e39ce869203ffe344a5d154cd68

SHA256
3655633ea317847ca620bb3216c06baa6e785bb4d1bfa67dd965a9cbd5903e6c

SHA512
984b05aeb8932d4571c074f46fc984b2d2db9e2a1d7c7c8786c75c695a17945fa595d99f0c0972d9ccba44831675e4bcfc524cd00f8bd74bc7c0bd8492fb0128

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
fc9ef256d5d94474063a520d419697c1

SHA1
f417aa3a3642afe7ffd2a7a083ec0d9ac18251f0

SHA256
d99343de2088e79c772d1152dfdedec65e72c1e7b5d062029a02fd1b6f263891

SHA512
949a3290401ff2a3ddb257f371f30a2f70093fae1812ec0b526cde6a0eb18138d4f106f9b9b4d3bda4b601dc51d4dbc38470291abe2055f73217d7aaf6e1f7d7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
93fbb64b630e41640777f7e65631f63c

SHA1
d6134456177e0eab2f5decbedb316ae1299bf6a8

SHA256
8de3d1647c1ed9e53df6803b63d4b8f1658737bc1ad53df6a8d0f29fde29ee84

SHA512
293c01bb6acd840854c86620ad9e8237cc69e8285122d19d458e4993d826b0cae999aa0a1cef7cb3e67c51c98e6241a435cf351f7a6ccad3ad46687359818981

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
665bf15ea3d3d3cbda576c7a270bd6f6

SHA1
9fdf4e6a37931e9c235519dcf7337dfca342abc9

SHA256
b3e5b2acf9a67cf5f0932b35e16ecc6a95bbd3aecac4d9ad167f7b22c46d828e

SHA512
a2635a090ba5d5271cb1027021333c9d1d3740f7a5d4509fd29ab2ae3d17ec9ab422fdf0e6986f20e18000f0f8f189c39ad94465ac7ce2bb8983a177ef719825

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
595KB

MD5
ae9479a163b37be4ba3da175d883bef5

SHA1
63acadccc2a6be5597c09e20cceb66ebea49f042

SHA256
d0866ee3b29d1142ea5a7d9ea52fd0e8f5a7395286b2e39b78177cd270b8fefe

SHA512
6eab8aa8cc8f8f1393ada142fc71fd59582a2f1462c2e73883c70b250c16c5201f62043248efd493a66b26fdf6a4bb63ea7e7d62ef45a38ac0745b8949e5f481

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo

Filesize
617KB

MD5
bebcfd534a3e68370f7dfd785a00dd7e

SHA1
ac2f38643e913ba065d6ea85dfeaf6f5fa4f318a

SHA256
2b569f477e705b989cdc05f7c77cb4d17e04b93ef7b9241a0c0de565f3a514d1

SHA512
8eb0413e729557a33dce85651cc9a4fdf1ca182440ad97aaba6c41c7b1cde39561753544ce6bfc92c1a657aa1dd2713cc63f0fa0c88978433ceaa23d64b3aae5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
b9411bbe25d638ca0b258ad7c4299815

SHA1
f2040a0356e44dc13cec7f1e4e719181efa913e1

SHA256
2eac4d1f20f3d5ee788e0d42f49fb7443a761c7312514146cc6dedda42171bdf

SHA512
e5f2c1896bda0af367d03426032834f37b85533a1d173ca5730ea668b5f56ff471c1fe0b8cd7fc6e3c88c2210052ec09a4e58e36f0e81ac77bfb48755bd605c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
e496751cd2219f672baccfe069c05607

SHA1
d43326345986e0c3a25bcfef2febf570a1794915

SHA256
272f89d727d01fec581fffb1a38e02ce025eb523663aa3e102f77ae9aa9e0f1b

SHA512
e84c7c29f3aa5b2184bd6590f3660ec3c67b5814e226f4f7c4ae9bfb11080ab0eb2fe43697710bd64beef869e368fa1ddd85495f7f92b0ff6a61a9c59264b5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
d554992d4494a99ee1cb814b6a475ac0

SHA1
28f5679ab12b98f1e1cb1db81cc45d2e81bd7eae

SHA256
2305f09094b346b7d121fdf848cd807e31fd3d788e1dd12bab77963dd792c0cf

SHA512
00da55828c7237ce5086b21b0bbeaa73c45ce13b974fc5881e4390d78118721abe690879b21c7b638bbfba7c001d06ddec2db51bd287dd8d8c129f69ee7b2e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8e9a72a6c3f0f85aa9c1191fd7f475b

SHA1
6ca59986f7442dd4cc86f8d9ccbbe60bf0bb5521

SHA256
7be0516557405ce6902e0029557412f8c439745532018adc581770b4177edaa3

SHA512
186de583be2ab6928a31ca38fd6419437a26a3c7c75c854818ccf48ec6d79fa76902cb1ed0168772d4aaf817a26263b8f0a2d9dc338d86d5fa2433920fc16bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
970f36da80cbf62b3660e754afc3e7f3

SHA1
5cae99f672bbee2ffefbbacf85c4d3c3d2c3653c

SHA256
98251bd189262a0c6d6daedfa41d8098e1f82615007f30cd77fa85ce2da2eef2

SHA512
e9bff71d89a3efec5cb05edfc9102b6fd6815cf284d35d03bd5e9f7de4f7d38a2267d2ccdc0a1a68cf5e2ae5cdee1ecf2a643976f3f459862aa53c6fbc6303e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
718f14d46a39cabbfa8373c95669f313

SHA1
b92d00f6892c5d6b7c3fd41011779f30304fc134

SHA256
c4924894a04a011f1c48bf90d2f2c06a9f264b18574f9b2c2203735162378c67

SHA512
70571d133554d41ff761327ac4e4ad348b2b3e3b6e6071a303e3dcb8f07fe37a9122a73cf834ef2fbac3f19f9bf66a6a7bce93821d4eacda932b7e074b9edb7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
dbd439415da2f072543f56e0e0daa1ad

SHA1
238025414074e399f38229a9f3473899bf172209

SHA256
7f47871930aa6ca369175c6e2d311082664b353fd8b8e73eba70cc088c1807cd

SHA512
7032b16b108530d6c59e93cb99c07c10191d68bc53982273fa8b0f23e06004b8fa89706ce122b578f53c0d8aa325892248b4e6f25a5493fc0c75d716053403d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\68XY2BI1\XP9ZS43N.htm

Filesize
18KB

MD5
3c9fb9fbbdd372a9ab7f4e11cde5e657

SHA1
06f7b35568d81ca65e30ac213ff1031220ac090f

SHA256
f363ad44f70cd532e08a53e7ea0323f68d2b58b448349034ccc3dc3b0a96296f

SHA512
dd585b080863512a9a933e39d7542b13b3501f43ddfbd153e266964c37846e4d7ebd798512f705457c2be74a80a1d0aaf98c11ba5e6c2ca3f07f29eee1f68fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\M7WXHNAX.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\ApproveClear.hta.348-EE9-A68

Filesize
920KB

MD5
d0f03e177303f7b6c25582b0ec58138a

SHA1
1fa05bb33c6c6cece03ee2f3b49fe77633bada2d

SHA256
5474af398ce9c206faeb4b6c2130c5c92014525880dad0fd0d5c4270af36d95c

SHA512
13c1d479031ba1aeca33014f43a1e24887e1ae3233d17c48b51d3880a9ccb517cd415c6f85fd7e886f011e7ca5f4a103843e5e5d8d7cb0e43dd2983cd36fa742

Download Submit
C:\Users\Admin\Desktop\BackupSkip.wax.348-EE9-A68

Filesize
666KB

MD5
bd0abab584615109f81ca89375f54876

SHA1
22580dcbfe52f8d070211699b6ed35115dd01d38

SHA256
f025af423f6946050dba136de05ba04598d722149c12b886dd1312c5be8f892c

SHA512
23e7ebf2dcc86bb7c985e6772285b83d719e8a7f6a38038ae5ee16a7e0f29b2e59074a4bebc06ad89bc2c0e9be670cf6fa78a6adf79c6c9295cc99064895de4b

Download Submit
C:\Users\Admin\Desktop\ConvertToRegister.potx.348-EE9-A68

Filesize
412KB

MD5
57307656842091e04fc58252d8d4521f

SHA1
a633d671d73a037cfcea2229e11e362f298d45f6

SHA256
dbe99928b1e4d69677a47b1968f425729bae00a22f4d9c92b167bd9716efa272

SHA512
4c9739a211a23339cc939de86f7f3dd750fd964e043faf629a3b6d2fcc23cfd4f3fa8d6465769f6aff542a5ef4b8a5d2f11dc721098865a2b497e286082ffd86

Download Submit
C:\Users\Admin\Desktop\DenyInstall.wm.348-EE9-A68

Filesize
490KB

MD5
575c950172c813a89595dbe41c47ab0e

SHA1
a27473bd377a9c20b86f84054536a8ab7be18b8b

SHA256
1017f6476dd282c60c1ee812f94345c5941ae7db577bb30d5bf801f7793ac99f

SHA512
4a5631739e50f3962562b81db738a1c1ad902a22f1abe2fe7d110136505a158608f5eb05d6dfcbb3850044218243240e3ea6dedd14310d8a57543af11f36b3c3

Download Submit
C:\Users\Admin\Desktop\EditStep.midi.348-EE9-A68

Filesize
510KB

MD5
eb379ac40c333ed14cded8576ae5bec4

SHA1
6b6edd76015aceaeb5473fe010bb41d40edd27f7

SHA256
0b301bdd45f538aa733262d8028d4e6340f806978b47ff6d15bd3bb3e56fc8f6

SHA512
7b91f4500b31bbeb77b5cf556896d089715f72cfdec2b6f4ae8558b73ddd529c90d7ed38f95f02fb69fa3941b342ab91bb4a252dc3046348a5d147c07228a91a

Download Submit
C:\Users\Admin\Desktop\EnterPing.vssm.348-EE9-A68

Filesize
255KB

MD5
8b1f655352e0d52f97221e1d39060729

SHA1
52072dab7b219cc7654d3ab4f5979fe838aa989d

SHA256
ff3df3507a3e50e61f67b9aa7846e4b6b02dbcd1f19e1f14942ed3800d5591a0

SHA512
bcadcb6a63578279a22c316fd113d5a25821ba8db06d93b10c9375f9ef2bf497d3fe44d0244e107d6f9313c55462e53207ceba27a77baadeb681d8e2d15d31d4

Download Submit
C:\Users\Admin\Desktop\EnterTrace.docx.348-EE9-A68

Filesize
13KB

MD5
810621f303f9f51ef2ea88ee80fb2a74

SHA1
9984bf7e0d0f616199002359b23fb2737101df90

SHA256
8e2d90e08bb395d5a096b16569c39a1c2b4a8d18914c936653142f4963607d2a

SHA512
b8d865e185fd5f744a36e142fd11c3d2ec8a2714b95aeaadc7b4ceb09a9a964e51621ffa54c4bf3cefecd48b572ec33a6dd3e19bfc9b42bf73f28295994b5c68

Download Submit
C:\Users\Admin\Desktop\GroupPop.css.348-EE9-A68

Filesize
373KB

MD5
fe77e08e480ed3316fa83e8772c6f324

SHA1
9beb769be564b22ebcbc0edb932d42d16f842207

SHA256
6afc8cef26232629d56875c86caf81c07ae8a06e54970f67220f6edcf5d60f6e

SHA512
b7ce54d56f6a0c8ffa3e96d74444dff2ed48466c6efe50b8db9e0e36354c5758f146f38c1783325e615ac012588f3aed592cc2d3a2ebf60f1886bf5404f50861

Download Submit
C:\Users\Admin\Desktop\GroupRegister.odp.348-EE9-A68

Filesize
275KB

MD5
dabf0cf3d056359d5e99ec430de8ae31

SHA1
4208c573535a5ae722b29c8f0dd07edeab126cf9

SHA256
74e09d0e9e4bf7b14a8167408f416f23682ff3c8d77415c1bf36fc4bd7966944

SHA512
5454461518de10eb53d74cebd1fb41f2cbb3f2efa280d52781893ee8a41c27fb2c806af6172f4aed0e3317faa7844c68619221b940cd146c9b000295524b04f0

Download Submit
C:\Users\Admin\Desktop\HideCompare.wma.348-EE9-A68

Filesize
471KB

MD5
8c08ddf29946ee5dcba76e945fedcd90

SHA1
5e58b8e5bc490428e749645197120f92d6eaa0fa

SHA256
3940e6d85dad895c3276cf6e6ec5abbf5f477546f06387b139e50b4dfdc5bf9d

SHA512
9ad951747bccfa7f59310645cfc6756130a44b7becbe77ea92e306896c1ebc0d00b838c949bb37523fbbe2b2f8b90e40a84d01d6856853a87b6e9ee5820b15ef

Download Submit
C:\Users\Admin\Desktop\ImportStop.hta.348-EE9-A68

Filesize
588KB

MD5
0bece49573defbbd4b8ea9c03eb21156

SHA1
c053899391517e33d6e77de4e0f45848a297f0e8

SHA256
9c2931902d65f50122394491dcfdae45fad6b275ffdeffd3f0b818f61b3a262c

SHA512
0f3c817f96fb1a9f17d7aa096b59e799ce1d5fc712dc6a905c9281b5801e9f650aa9a03c8b4fe4ae8009e7897be4451ed2cb1bd6efac54451b6e5061fb776387

Download Submit
C:\Users\Admin\Desktop\ImportUnregister.DVR.348-EE9-A68

Filesize
568KB

MD5
5962dfb84557cfc3ae86b031a71bff2c

SHA1
7d4d8767c10ccabd0e7ef5c88814ddd19f28b306

SHA256
bafcaabeb370accb0ac49e98f9aa9891e991e0b35329eeb9db538ddd50fadee8

SHA512
dfcf1c852360f79e13ef0db833fb4d86811d373a7873886535479954d631195dfead70a121a317cc43821784e5bb6cf9b66da8bd02fe9f2492c86817e6555ac6

Download Submit
C:\Users\Admin\Desktop\LockResize.bmp.348-EE9-A68

Filesize
334KB

MD5
97dc0292441e06c7b66a0a52ec4060ca

SHA1
8a476aa7c625ea006d005e51e3e41b44564f82ca

SHA256
099b038ac681a8738d5a885150d8e526ead06f8f3648cbe08d05201275f2ec85

SHA512
97ecb455ae04cde40de8ee7ed3a07dec1adf49751b3d3fb6e55a4789d588524ef067ecb76cb20af01974502484f20705c47e1db2eaf5bc5e58639500b43285f0

Download Submit
C:\Users\Admin\Desktop\MeasureGrant.mov.348-EE9-A68

Filesize
529KB

MD5
1184a3b76e50cc58e20ba64d045e4b4c

SHA1
d75ba2ad7421f3fc77fcc7237950b954284de27f

SHA256
a63a20a051d416a6a2431ef8bb74ba8c694c16d61e883b9456b6f3ec3c95ebba

SHA512
df29aa92439c8ef96cb9bcc15aeff0a60ea9546fc0c1a07beb3abe92e60edf3eb61e2d67b6fd3070a4eca34a56e8ce416c41a9c645c26a3193f15d678ac31a59

Download Submit
C:\Users\Admin\Desktop\MeasureStop.docx.348-EE9-A68

Filesize
17KB

MD5
ed95aba49ebf3419ebf8057e7022cb5b

SHA1
9a9ce51b460feb3958845e8662e20c584672f1af

SHA256
798b08041265e8e3a9611d1508172b9e8482add7405186905b68da1a4d07c37d

SHA512
cb2757c4b1b29da0c1a94c00fff721edd21b34ab44461f24728840c311426acb8ddbbf67122191463b8dfe115db460f4ff957bfe77833bb52feea6daeaf38fa5

Download Submit
C:\Users\Admin\Desktop\OpenWatch.xps.348-EE9-A68

Filesize
353KB

MD5
d61bac75ba842e14e57013bdfc01e868

SHA1
d0f9020855bd0024cd97b192f6d88f5ae34751fe

SHA256
e199c617699228d1db5aa4895365f84cf05cda8540f82b44fe904a229348d5f5

SHA512
d0022d7aecba420343babe123c7cebc9545e221aba4c144e600b2335e1ac5f41da79037c6bdf69a233cb6ace97c619f835c7ecca43dc7f1670c94299f771e2de

Download Submit
C:\Users\Admin\Desktop\ProtectFind.bmp.348-EE9-A68

Filesize
451KB

MD5
895228e0540ba973306c9e953edc2ded

SHA1
202a6888fd26458e9c3a4a9e688b62638c256368

SHA256
25a083ce38f348c98dfc4024c4f619f1a26daba9d4061f7c5d91187cbe1a8b25

SHA512
18bcd2894ea91c2060c7834e5fbaeb3e0b64eae2d1625f84eb6a5e22691c999f836bc774c21603cce06f3885a00c38a0b25d572d6944e94ccc0574f8f691ed50

Download Submit
C:\Users\Admin\Desktop\RedoUninstall.snd.348-EE9-A68

Filesize
431KB

MD5
588f6fca84d6817cec9e89b0aa0fb26d

SHA1
022a24e194e305d09e89870713ce4597aa9b5446

SHA256
7de44c1aaa9e81c0664d1bbf8afa01efd004f3e7375d762c2bbd4104c9004f5b

SHA512
c04e854fc45f75238f2c514946cc00c9f86fc796b5d5d10f953eb482bebeefa88ecd2d062a6543b96f9fbf571168825cfc2088aa02fa238cae981cae336fdea5

Download Submit
C:\Users\Admin\Desktop\ResolveBlock.css.348-EE9-A68

Filesize
549KB

MD5
70cc0bf07b677ac4bfec66f753541b89

SHA1
01cce9e7023b28472b963c7d9ce4c2e23ca8037c

SHA256
7dd994a82202449a40176b50bb38bbd807579c6b6d32a21aef371c9510c827ee

SHA512
bde7c934d010781affa0d7650adaed316cde5fb0e41a5410f2e40a67c6192cae804aaf74f2189a696fb4ad69621afea8e593f79a2c66f0c9a29c096b281b4a83

Download Submit
C:\Users\Admin\Desktop\SaveSplit.potm.348-EE9-A68

Filesize
295KB

MD5
1b9fc9d3007f6d420f6fa93e19153288

SHA1
49d3542684fac15d05ed039b163aad52c57ef1da

SHA256
de125db81b751d8b1700525f1ced731f617734dc90cd6dbf1a81a4ed2add50bc

SHA512
de10a079f28ece55754d1e56dfe70dee0a088e316c7e2db46b121a0e29d229a01dec5d3b094d79fbb2261155adcc1729a6f44b6d550bbc6b3759b5cedb63fc5e

Download Submit
C:\Users\Admin\Desktop\StepSend.DVR.348-EE9-A68

Filesize
314KB

MD5
975ac1135c650b402afdb033e2eacefd

SHA1
354f5db7c0a772dfb13f60d4f51f0dc87e743a2b

SHA256
0cd97dcdc50ff773ed2772e86285e2864900d7b298c70db4a0fb4a0a32bf7032

SHA512
1a88b9ec16887112dda910ec25d55d37131fd48f9468595e4c013adb7e327225117f7b088cfd3e5e714e07a2b71077427c194b918f6595dcab02432535d2f0fc

Download Submit
C:\Users\Admin\Desktop\SyncSwitch.ods.348-EE9-A68

Filesize
392KB

MD5
dd443c0ea7215579fe3017736c491ab6

SHA1
10bad72cac7c9fb1761febd2edf46adfaa5314e0

SHA256
e0524b159162c7c95c0118249c97821a20f35e9a6f524cdb1bcf44cb591ea8c0

SHA512
2e91c956c60840bccad27f4f2aaf81eb117130025efd376aee650ec411b402ca0c6f9d22514b25bac9c4487e8fc21b084ffa53924d62e17f05ab1afeb9cf03e7

Download Submit
C:\Users\Admin\Desktop\TestUninstall.gif.348-EE9-A68

Filesize
627KB

MD5
6b0b7aff02a71ed985bf7cd9c1951905

SHA1
82931f7b627329775bbb8d198410f26b0e260a9e

SHA256
84ca51991e06aa523f4776d83102307ca001c2d92a9bd7d42fbff979d25bac97

SHA512
f682bd99c7de2172738451d5bb2d25426372c149c5deb889744cc5efcb431a8683be3bb9fe5c8e8590ea1de326a7e56892688b5fc779948d159e0769135fa1fd

Download Submit
C:\Users\Admin\Desktop\UnregisterEdit.kix.348-EE9-A68

Filesize
647KB

MD5
e6e92d7d126a96e9a7c4d76c49bda062

SHA1
02ca0cb979d84d9b09c8fe8c742848e235318cf5

SHA256
0de2650ca64367ca9ea2d23ba2d3b4c9bd7344157fd795d26353555803f732ce

SHA512
9f8cc80a0a515d7649e7c7abcc26bfc094d8f32e43caef449f01b9bb293ce2a248402d5d84d5f518aa96f35021ad7e1a329a66b0eb44da981ab9ad16c4ab8bf1

Download Submit
C:\Users\Admin\Desktop\UseSelect.3gp2.348-EE9-A68

Filesize
236KB

MD5
20ac93bf03a22938e7db5ce63b4399f9

SHA1
20ecbfcf00ce10fc504e9e1b28ee676ff3f7531c

SHA256
84d8d13fb6299c8b8c7518241458aa94a378a312378e913c9b1d92b13c08be16

SHA512
30336241f0f7f9f84cbe9a715beccd710e751edc2849f158cb21a8a4d5af523e7a5be313a9a49ff2b2768b0ff5d7f4e95f0e7bccfd3e90403ec62ad3fd91fbda

Download Submit
C:\Users\Admin\Desktop\WriteShow.emf.348-EE9-A68

Filesize
607KB

MD5
986da9e8acfccbd51ae79a84200b8a2d

SHA1
ebf02d0287219abaac6b5b0ef6922f2e41c79064

SHA256
47e9b85d82b3f5ae578db89dad5571fe1b18213a361c5047ac2998bb8679b364

SHA512
17e379fbc1d803c198833c44bfb46507d5a19d53698d3f7b8d2c13ec02af74ec895591ef7997bd822bb880c72e7e8774fcc7551e124d4af160065b5c0adeb9cf

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
3741beb1cd093442793caa090f47481a

SHA1
7b3a08dd56e44beb53132b5caf51e9122850f2a5

SHA256
a904b22e6db57180181b756915019f10dc6b51d7d68f990390aa3f3d23df69f1

SHA512
d2cb4efa5a9bc91daa4fe6379db26ef90f68855ca5895ae68a46cc4781bc175925944e9d77b94b54a421ef98169fda6dd837bb013e4fa43703a574159ac7d117

Download Submit
memory/408-7416-0x00000000009B0000-0x0000000000AF0000-memory.dmp

Filesize
1.2MB

Download
memory/408-13207-0x00000000009B0000-0x0000000000AF0000-memory.dmp

Filesize
1.2MB

Download
memory/408-18709-0x00000000009B0000-0x0000000000AF0000-memory.dmp

Filesize
1.2MB

Download
memory/408-26086-0x00000000009B0000-0x0000000000AF0000-memory.dmp

Filesize
1.2MB

Download
memory/2776-21-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2884-51-0x00000000009B0000-0x0000000000AF0000-memory.dmp

Filesize
1.2MB

Download
memory/4304-33-0x0000000000EA0000-0x0000000000FE0000-memory.dmp

Filesize
1.2MB

Download
memory/4472-26113-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/5040-2271-0x00000000009B0000-0x0000000000AF0000-memory.dmp

Filesize
1.2MB

Download
memory/5040-43-0x00000000009B0000-0x0000000000AF0000-memory.dmp

Filesize
1.2MB

Download
memory/5040-26114-0x00000000009B0000-0x0000000000AF0000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads