buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 123-E77-4E1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 8 IoCs

resource	yara_rule
behavioral15/files/0x000700000001a2e7-59.dat	family_zeppelin
behavioral15/memory/2096-90-0x0000000000A20000-0x0000000000B60000-memory.dmp	family_zeppelin
behavioral15/memory/664-98-0x0000000001170000-0x00000000012B0000-memory.dmp	family_zeppelin
behavioral15/memory/2076-5917-0x0000000001170000-0x00000000012B0000-memory.dmp	family_zeppelin
behavioral15/memory/2568-14138-0x0000000001170000-0x00000000012B0000-memory.dmp	family_zeppelin
behavioral15/memory/2568-27096-0x0000000001170000-0x00000000012B0000-memory.dmp	family_zeppelin
behavioral15/memory/2568-30372-0x0000000001170000-0x00000000012B0000-memory.dmp	family_zeppelin
behavioral15/memory/2076-30409-0x0000000001170000-0x00000000012B0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2100	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2076	taskeng.exe
2568	taskeng.exe
664	taskeng.exe

Loads dropped DLL 2 IoCs

pid	Process
2096	default.exe
2096	default.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
17	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLS.ICO	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Opulent.eftx	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo	taskeng.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.DPV.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44F.GIF.123-E77-4E1	taskeng.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WSIDBR98.POC.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM.123-E77-4E1	taskeng.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx.123-E77-4E1	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPML.ICO	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\Management.cer.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jce.jar	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR15F.GIF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04326_.WMF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00261_.WMF.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_F_COL.HXK.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00090_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME12.CSS.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HOL.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif.123-E77-4E1	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45F.GIF.123-E77-4E1	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskeng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2420	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	default.exe
Token: SeDebugPrivilege	2096	default.exe
Token: SeDebugPrivilege	2076	taskeng.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeBackupPrivilege	2736	vssvc.exe
Token: SeRestorePrivilege	2736	vssvc.exe
Token: SeAuditPrivilege	2736	vssvc.exe
Token: SeDebugPrivilege	2076	taskeng.exe
Token: SeDebugPrivilege	2076	taskeng.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2076	2096	default.exe	31
PID 2096 wrote to memory of 2076	2096	default.exe	31
PID 2096 wrote to memory of 2076	2096	default.exe	31
PID 2096 wrote to memory of 2076	2096	default.exe	31
PID 2096 wrote to memory of 2100	2096	default.exe	32
PID 2096 wrote to memory of 2100	2096	default.exe	32
PID 2096 wrote to memory of 2100	2096	default.exe	32
PID 2096 wrote to memory of 2100	2096	default.exe	32
PID 2096 wrote to memory of 2100	2096	default.exe	32
PID 2096 wrote to memory of 2100	2096	default.exe	32
PID 2096 wrote to memory of 2100	2096	default.exe	32
PID 2076 wrote to memory of 2568	2076	taskeng.exe	33
PID 2076 wrote to memory of 2568	2076	taskeng.exe	33
PID 2076 wrote to memory of 2568	2076	taskeng.exe	33
PID 2076 wrote to memory of 2568	2076	taskeng.exe	33
PID 2076 wrote to memory of 664	2076	taskeng.exe	34
PID 2076 wrote to memory of 664	2076	taskeng.exe	34
PID 2076 wrote to memory of 664	2076	taskeng.exe	34
PID 2076 wrote to memory of 664	2076	taskeng.exe	34
PID 2076 wrote to memory of 1848	2076	taskeng.exe	35
PID 2076 wrote to memory of 1848	2076	taskeng.exe	35
PID 2076 wrote to memory of 1848	2076	taskeng.exe	35
PID 2076 wrote to memory of 1848	2076	taskeng.exe	35
PID 2076 wrote to memory of 2660	2076	taskeng.exe	37
PID 2076 wrote to memory of 2660	2076	taskeng.exe	37
PID 2076 wrote to memory of 2660	2076	taskeng.exe	37
PID 2076 wrote to memory of 2660	2076	taskeng.exe	37
PID 2076 wrote to memory of 2908	2076	taskeng.exe	39
PID 2076 wrote to memory of 2908	2076	taskeng.exe	39
PID 2076 wrote to memory of 2908	2076	taskeng.exe	39
PID 2076 wrote to memory of 2908	2076	taskeng.exe	39
PID 2076 wrote to memory of 2868	2076	taskeng.exe	41
PID 2076 wrote to memory of 2868	2076	taskeng.exe	41
PID 2076 wrote to memory of 2868	2076	taskeng.exe	41
PID 2076 wrote to memory of 2868	2076	taskeng.exe	41
PID 2076 wrote to memory of 2480	2076	taskeng.exe	43
PID 2076 wrote to memory of 2480	2076	taskeng.exe	43
PID 2076 wrote to memory of 2480	2076	taskeng.exe	43
PID 2076 wrote to memory of 2480	2076	taskeng.exe	43
PID 2076 wrote to memory of 952	2076	taskeng.exe	45
PID 2076 wrote to memory of 952	2076	taskeng.exe	45
PID 2076 wrote to memory of 952	2076	taskeng.exe	45
PID 2076 wrote to memory of 952	2076	taskeng.exe	45
PID 2076 wrote to memory of 2772	2076	taskeng.exe	47
PID 2076 wrote to memory of 2772	2076	taskeng.exe	47
PID 2076 wrote to memory of 2772	2076	taskeng.exe	47
PID 2076 wrote to memory of 2772	2076	taskeng.exe	47
PID 2772 wrote to memory of 1772	2772	cmd.exe	49
PID 2772 wrote to memory of 1772	2772	cmd.exe	49
PID 2772 wrote to memory of 1772	2772	cmd.exe	49
PID 2772 wrote to memory of 1772	2772	cmd.exe	49
PID 2076 wrote to memory of 2284	2076	taskeng.exe	52
PID 2076 wrote to memory of 2284	2076	taskeng.exe	52
PID 2076 wrote to memory of 2284	2076	taskeng.exe	52
PID 2076 wrote to memory of 2284	2076	taskeng.exe	52
PID 2284 wrote to memory of 2420	2284	cmd.exe	54
PID 2284 wrote to memory of 2420	2284	cmd.exe	54
PID 2284 wrote to memory of 2420	2284	cmd.exe	54
PID 2284 wrote to memory of 2420	2284	cmd.exe	54
PID 2076 wrote to memory of 2848	2076	taskeng.exe	56
PID 2076 wrote to memory of 2848	2076	taskeng.exe	56
PID 2076 wrote to memory of 2848	2076	taskeng.exe	56
PID 2076 wrote to memory of 2848	2076	taskeng.exe	56
PID 2076 wrote to memory of 2848	2076	taskeng.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2568
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2420
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
86d97d5b87c8d52e8d050f6e90cd89f1

SHA1
8da1a0bac83ff121ccb7bedaf66e819e63d5ddcf

SHA256
be26cb140a05891158d09446fa319c59314d900c865f68b88ef3f434150977d9

SHA512
7936fb235771309809d94035ef407a2bc20bf938342d25014317ac76f2c21b2c316e3702a9a50c04ac9963fc54836697b255bdfb3201876b1b4a0200c6dddf5e

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
56f7b9b1d3330e6f00976d5500c3e1a1

SHA1
2c19d740c8a1a340121705c70adc6b96b2cdd0e1

SHA256
7a5b722f277fca9d4f4b220c70e8fdc6abb23c042a305e00a6789c98c5fb3629

SHA512
7ec278f7e0084556f1593ce21f761383fe854985959131cb652fa1e1b1317572a4624a0f7a7cf761e9bada883e4b3860a45e44ec593e4dee2242381c4ab14163

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca

Filesize
6KB

MD5
f5bea87a1813a4e6b810d3f3a09252ba

SHA1
6105850d199081bf5f411fc861ab179682a4a69c

SHA256
7615ce5545f57294a6daba71a1dbcfa3a5f5b9bb44106fdfeae02e3072f2ebba

SHA512
45842640f1643d52a1f9c22b1eac76c1523b3d7798216c81244f649ea4e233d97abcd024fc369b6c3ff760c98efdb5e26c2f3e70828c634ebd783d7ac894895c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
6475486591b5b02573054be71199c793

SHA1
5be8d8e3602f72180c3736e21c8d37df7f103d00

SHA256
ea5b73f867c9745275323f53470aa13c447c3b14d1575119bcad002f5e5d8879

SHA512
d886012e62d994978a31b449ca18facbd598c939b6829e15b4062955516cc5d96c845d86e4d7efdb41db2a53f8399e3338d3ca0b23f98b0075204d82ccc4c201

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
fd997c71e37c3bf166ad69d939a7e063

SHA1
f50735caae4186dbc335abe50aee07dba59327a8

SHA256
63aae8d3c4473c9ba3d69a15ea1f3c089a8e9db0f2b43b3c63d57c9ad0b8b0ee

SHA512
566641d7788131da1350d26d1c2abc005d59110b0867290efe3a1ea17f24f80578d81e03f68bd463ac46f1c83cdd5ac10836645f58616f267481fb65aefeb0f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
63555b07054781e89278582c2a58ed33

SHA1
efce3891b3f6a5b0f207b86c0d19ccccd8d62c1b

SHA256
15aa02411c35cf05018b2234d99be726181651b27faf4697eeb95bb8e787fa1c

SHA512
b29e8a0e8e8068493fe6383baaa30f8e058bf3cdace12e01eee1781f26cd79ea925905bd23ad2c161347d7f0e0501d8767654d3bdccfdedeef2a8bebaf4c125c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
09ee3920e23a8a426a0365391f26c048

SHA1
db07614853c6e8cf6e91012d9dc012680c11921b

SHA256
b572fa4e74fc93ec33ed9d08668ca59d3862e7c924b048708b99d249f3f098ce

SHA512
84f4168e9edd28955a39fc4bc4e7138f40e9fadb0f9d17681e780daaa2f5a3ad9da36e4d45118c212e8078fa59f90c275c415d086f32106626a5e34e251a2099

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
d40ea5e82a7dd3b10755f7db310ed049

SHA1
b0574c5686812dfc2e6e79e0f284ce075aba2705

SHA256
276ac078852f0f0c161b1bb66435be7bc3fbadb26a9386801430d0cb7e161574

SHA512
3474afc52e9efbf2b81f15a3fcd4ba2b6c53801c6c824b59655ed39f22f0225c03f5347d31cad578f0d0440b8b8d59597ef3f606945f0106a7c33b1b4d1b8316

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
d52e7ec9f99ec2a5a2f8440204caff6c

SHA1
d2bfd64c66f1e077789a76c9b7ce1d64b2e7e793

SHA256
e4a713c34949ed5a27b34611004b8445dbb89c938c38e9b0f36a66106a246f65

SHA512
4a169d4f738b7fa69b5a7acfde652ddb2b9483669b13654acc87e8115f7365ad9259c289a1a86ef7742c568a01029d180a73d84cf3284aecdccb770269140090

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
383599db6b2a896cf0f3c12e0f804824

SHA1
99b546f79f3c4d33928c62ae32e5c04c9cbd761a

SHA256
c1948ae5eaf62a88a1d44c9d2fd2a361af82f189793d200deef6599d2c928ee0

SHA512
5d8c39415cd1201fb93c92c63a068010582b8aea278537f9061e806cb47ccf12332c1b1eece49db1d33d1e082155532061694e367727fe97dac7574fe053e311

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
6ffc348a2ccd093c820c457f4e16ff22

SHA1
793a4f477271ab906b4cd2dbca29c0fe78d7766f

SHA256
3d9feacb67dddc85718a0800f1f74c6ebc16d69367fefaef1288b8b66d41aabf

SHA512
63945026e2fe89977368dd52880cc8e81b00d1b6094192f0d2522cd2de62523de4325cd4dac8b789c6338d68a23a591e55cb37457378e2841bd51bf0ffb662fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
79KB

MD5
75ae6b6eedf12bbe44867e11db36010c

SHA1
174df7d174779f53ca3fdcd09337fe131b363894

SHA256
535a8c7508fa3b494ca24986b38e703083726f74b7f9ad98a49f5c346ddfaf8a

SHA512
41c5091dcc833d2e23a945899bc761a5d151cd40c11332dc0eedc297e348591bad239798c4bf6e506b251a534e4a3e93203ef24bfb980047e5da42bd7f33a353

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
60a430f6d74e39841da76b31d19b440d

SHA1
ca8fb840c7e7a7005c3735dfa4b0dbede7b4e6c4

SHA256
e610881a4e146835cd41108a56c977d3a8534a4d387262fcac056a0491b2ae34

SHA512
c3541fff05b8a53ce3dc04b27fc1bc73de91f600ba42b48c7c3930aac510dabda7a05cb6ad5390c299fd9e2a88a8759c9c4fc5d6771f047daba9864294eea575

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
5cef554c9efdf5606da567cbdc6e0b2c

SHA1
56a699e0a56b14c299aee7604dd97813bd99a2ca

SHA256
bd10b0761a1fd0d1635333bb2f1ddfdd0096adeb8e735f81aa5696247b25238b

SHA512
c037a19e004ecb07c1c63597cc7633e487a3f1e05c48d9b6cc5dde217ecfc0fbbf6147b3e02ade64f5d4515c69a44bf503e7f5fae19e56fcd837e6697dc819a5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg

Filesize
22KB

MD5
71a09fbc3dab452de06fe9a24c5280ed

SHA1
17ab3f50eb1651ea18f5350bb4b8fe40476055de

SHA256
85e2f5eb9fd6473d81f7083dba2e37a6609564fcabe3cba593981b72506ffd4b

SHA512
a784fa4094aec10747a15046845987fca0ed5c70fde28080c8c328bbb2afdd095e673e85a3c4bdd7928dbc2e67a2d043034675d6194499e6cb491db431d7839b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
c8b9160b7bf52b0c6a6ce1c682e6a0db

SHA1
f62ea22833aa825f17710bd1da8de021e85fcbeb

SHA256
41111c488563c04673e3f96cd168e14276163a6fb5a7408b82fc9660ed67e176

SHA512
c471a5c8ae2683b6ae7bb167e4ae8919d64a924898805584abd803935f63b6922d9eb9ce0f3f19cbf64ffc82a341d1d60ff6dd64a01e5a63de2d4d053e22befe

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
994be98b299aa7cb70d19f97d11ef862

SHA1
617ce63aaf1a72af7e3b48ef3c51077edb13cba1

SHA256
8f16c3519aa19d2c235b420012edb6f628f5faeeaa2b0ec30779df3ca44c5dfd

SHA512
c366870f1b8baac52e0263461c6a8711502cb5c4aa8b5453d73cb4e7341e5ff266334a87ba5406310503f70fd01af9ebb6d434225d1882801963f5051af6f358

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
96b9a692b5bd1464c84b9ed1347f61bb

SHA1
f93d9bac12a0864be13ede85faccbc8be7fef52c

SHA256
4d257bd897cecf2cc4b6d3b8bea1b544ca5ad238051a4ebc056d6f31b99cd368

SHA512
b7ca9abfb4935d9055f875a41ecca115ba1d8756e79ce85b257ef60e77e1ec2f1484197e92ff487c635d60d6fc58f8fd2c18736a47691eaa0e11141274691bf2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
611KB

MD5
706fe49b1d5aadd104cf14cc110dc4f0

SHA1
34416eb3e02049e59ac77b7e7360184eaf3653bf

SHA256
5715f81b972333f1d051dc791639a38ce7edab002fa7709fc9a167c005e31d8a

SHA512
8075ecfb4e999849f78645be1589c60035614bd030160864d57e976d13994b67fab0e1f3c43465651911bae64e8a5794b9dfa9dc3d1fb7b6df91aae89e1d3dbb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
31d91a4dfa88ea185d459ca4630db4c0

SHA1
c669db86bdc542c98f20b08ca1381bebace697f4

SHA256
69138dc3ad2632a22858f0142244949503c89015db29ed9041cc7b71c85601ef

SHA512
69f12c355acb1258fe2cbd0ed75cd60a0cc6074555698756a9a6e141bf60d2039c628d1df6c617ee01cc51a4f039ab15f23d58a5b69f81d1fec781f6fa5ac3b0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
b11b4387f4fa5f15aaedc8c649554a27

SHA1
ac5fd544d2f29eb5062c0b509695bf8de9bfe54d

SHA256
46543a80dcd267e1492df7ca1ddb353ffd7e4208a6a7c5732a3370b86201447d

SHA512
7eb4c907919ab4dec66bf8afe27b908143e5b025d0d902f27b6dc56a8332763c4ea5175d9f7a8b4fe44393e44b513bf73fe6e7b67817d3d269fc4fd43ed6322b

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
595KB

MD5
78a5ec6e428088e4e25194826980a5d0

SHA1
edc0be4f4c8340a45c96f568db65fd2194567f70

SHA256
1247b14233607594c7920c9841164b4b4f8a5bcce9785f7e07ce88e4f2ebb020

SHA512
02859c51e645b03af7e85746bf2c542c8b59eab207b93705fd692f58a6b0af7509c765c8023160a0eff4d7c30ab86d03d8aea8c9fa665e9efe9b40974dfc0b15

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo

Filesize
617KB

MD5
02ff6a90442f87358fdabc6b9d6535b9

SHA1
4c72e22902a86e21a17d2dfb7d1c78d48f273e60

SHA256
f1fab035cc774c34b26a6664c6fa86de9bc770b13f1646268d740294346b67bd

SHA512
9faa93ce8123f16b4e67c888740cc11d0d86f9d4cd8f88113e9c15e0036ed16493c364ebd7090e73fa890fcc57005c556ac6370f00d5e5617d2f2d2c9f0e09f4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
ebc6cbf6cd750e2f6e0752ee62cded97

SHA1
72400a29320d4ec806098b8f6fa408ed9b0d12c2

SHA256
2d0c502efa73febd5ff78e1a487015dd2c9920e8dc9bee29c7e33f3e976ba372

SHA512
bd91f39ffd030b8b3685928ee1ba9797fa15594b317f340a1e4a77e00b93b785079b60b5d6ad9e59a1b3a2ec86f14f2df0e1a8bfb026bff211170ecf460229f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
e496751cd2219f672baccfe069c05607

SHA1
d43326345986e0c3a25bcfef2febf570a1794915

SHA256
272f89d727d01fec581fffb1a38e02ce025eb523663aa3e102f77ae9aa9e0f1b

SHA512
e84c7c29f3aa5b2184bd6590f3660ec3c67b5814e226f4f7c4ae9bfb11080ab0eb2fe43697710bd64beef869e368fa1ddd85495f7f92b0ff6a61a9c59264b5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
d554992d4494a99ee1cb814b6a475ac0

SHA1
28f5679ab12b98f1e1cb1db81cc45d2e81bd7eae

SHA256
2305f09094b346b7d121fdf848cd807e31fd3d788e1dd12bab77963dd792c0cf

SHA512
00da55828c7237ce5086b21b0bbeaa73c45ce13b974fc5881e4390d78118721abe690879b21c7b638bbfba7c001d06ddec2db51bd287dd8d8c129f69ee7b2e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8e9a72a6c3f0f85aa9c1191fd7f475b

SHA1
6ca59986f7442dd4cc86f8d9ccbbe60bf0bb5521

SHA256
7be0516557405ce6902e0029557412f8c439745532018adc581770b4177edaa3

SHA512
186de583be2ab6928a31ca38fd6419437a26a3c7c75c854818ccf48ec6d79fa76902cb1ed0168772d4aaf817a26263b8f0a2d9dc338d86d5fa2433920fc16bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
cc8be407fb0d9552ff4c7282cf5fbe2f

SHA1
4f426de114641dbed74416763a696022086e31a2

SHA256
8713cfce5040956f5a419c7517555355202a7c6aae46f5816099cecf4b8b473b

SHA512
490b10f61de6398a95bd573cc828ee938121dd18f53944f0a114681e9d429c054eb5be7dbc30492c8672251c7cf14a976dca8964aeca63982182541a46eeb339

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
4d19defc83583226405e1d75e2a0b47d

SHA1
6b2e72cca272d547443b0d998b10a6ceb38b7f20

SHA256
46a88652bf814eaffbfc2c4335e106b3c7717b2741a4c77ce746db24a69ff448

SHA512
dea657abd26426a3ac9d1fe46e181fbfc0b107331cb4cd9d9ccd7ec7d9ddc669ab34f3fc76f3e91a9e92ffaaac5e7ac8a8a3635d9ecc681c69e401fd21604cb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
067583ed5581989628def927ee91fdaf

SHA1
a66817e0de91b149a9c641e47e017906fef6a78e

SHA256
0cf057890ba903a967ca38bf063bce91aa8f0ec7aad085f14955eb954f163679

SHA512
8c518ca86e159fdb9de431fd97e32e7c62fcce57ad4c28e99c77ee547901e71c8a97d0429e25beb24b32036cdc73c41c6b247b6151375313f9648f4354158018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
9403705c253bba1222a113b285cdfc06

SHA1
19c2b0c2fe5bbea97a1a001b47299ec1682f2d82

SHA256
14032c0e8d494db99fce02ce87dbb995188ca27a723ea07422f1419f79350f9f

SHA512
7fc11c0ed95e996d7c6860721118879d93009421f55d7607cb81173b8a443fd4553e36ae18de8c81156cbd58bdf8d76c898b3d8ca5822809b220622c4fc025dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\LT206NBH.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\M5YQAO5Q.htm

Filesize
18KB

MD5
3c9fb9fbbdd372a9ab7f4e11cde5e657

SHA1
06f7b35568d81ca65e30ac213ff1031220ac090f

SHA256
f363ad44f70cd532e08a53e7ea0323f68d2b58b448349034ccc3dc3b0a96296f

SHA512
dd585b080863512a9a933e39d7542b13b3501f43ddfbd153e266964c37846e4d7ebd798512f705457c2be74a80a1d0aaf98c11ba5e6c2ca3f07f29eee1f68fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C72.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7C85.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\ApproveDismount.inf.123-E77-4E1

Filesize
126KB

MD5
e06e57a66085fece7fbb5f17cc0fa1b3

SHA1
7dc310a248d8f42da0c89e7106112564e2f2bbd1

SHA256
43337a0722b0af10ea6579e6936b48ef5518e33710302627e6a9d5bbee266c75

SHA512
a09deccd987e6d23eca0a264679b8c755ba1e26e911ec6363704423b90228a96defed2cb0b72e881e0a08a9d87c17ef2bdd4e52d46a1f1091672550d4a3c4e08

Download Submit
C:\Users\Admin\Desktop\BlockResolve.pdf.123-E77-4E1

Filesize
158KB

MD5
ad565ce712bbc3c844ab1dfe93012172

SHA1
f0b4736d46ce04c0b3ddb2ad58f25a7eb332cf75

SHA256
c2ca442bc48c735f0092ab7ef2c2855d0bfb6be2b93953fc19ca7a0e9d193583

SHA512
2054e08ee4e85584189e3f8760e814df59a66b91a029f5a3faf48d1d704e8ba32387b869a7e5b8ed10981bc91778e310c3f24df4e9c46a750a254e69da6ac4bd

Download Submit
C:\Users\Admin\Desktop\BlockTest.xhtml.123-E77-4E1

Filesize
134KB

MD5
d822da61d269887a2af8b79d9e946e38

SHA1
bed5a4b25c3201365bbe9a417fc52bff53df0d04

SHA256
f8844c55b2ef55ec05359bf0cb54edc4ec1021c71453797cf03d207ce4088930

SHA512
56046265b243cbdc10883dff2ba303273cb55bb95d0c745f54e8175b45cc090cf43f48ec695ea00d8f63f306915a8a3ec18422fc8bda689735cca67dda151d04

Download Submit
C:\Users\Admin\Desktop\ClearAssert.tiff.123-E77-4E1

Filesize
205KB

MD5
4dcef334f655947ad392a62dd013332e

SHA1
da4ee8bfa391776c8d35705cd8b520d32e26351d

SHA256
46684fd07a6ae7f56aeefed1a7214ef45b83c2ca8fa47ed36ff5537c8887fb6a

SHA512
fd7520d17745fc0865e5882a22baa38e4e543100426d826064a229cb1331c77b3bdc19cb0cebcb29ef1a363fa877271f66dd1842d26e88cdb43bcf2c3d99fb9f

Download Submit
C:\Users\Admin\Desktop\CompleteUninstall.odt.123-E77-4E1

Filesize
275KB

MD5
fc4483f0a616001ab2866622d2e44a52

SHA1
7ad33066ef6b1ce9bafd2bf0025d896bce08058d

SHA256
2ba6baf9eb52d9c336ae1ee781b7cee38236d0e2b78ced9a94c0f19692c94a34

SHA512
793def2ee6379ad42b8f39b52c912a4f3adca4e357f5727cbd8988a453be6ef0296327643bf622310ee3a2a1621b09c6b87cd05b330fc2d4191600e692e26a56

Download Submit
C:\Users\Admin\Desktop\DismountSuspend.midi.123-E77-4E1

Filesize
283KB

MD5
e905eeeb81f7c6cf51d714fa6738d19e

SHA1
086ae73a2d3f534b2c91763206d152467ceccd02

SHA256
025fa13bab21ac336501b56de0eb3769567819b2c2333fc0b5a9c7ff0c0e6328

SHA512
ad28fae647d8449944ba86e2512a75212583b7a1bdd010066df7eb3cbe1955fdf3fe59ab88146e4df3f5a85b2e061e9a9f569561060a3bdedc67533221aff745

Download Submit
C:\Users\Admin\Desktop\HideRepair.mpg.123-E77-4E1

Filesize
111KB

MD5
4925873702477c31ddc690bf9e2848b8

SHA1
41ad66bac8a78808182e3847a57c5d2ed6c84437

SHA256
6fc00b75e79cdacec0a41e4b965ce17638b74bf31a3edb6909c92c2162de7ed0

SHA512
bfa6694376e1830c89e61b4b55fcd377cdc65b1de5d51db9bc0bc552bab0086115a78a9bd06a0838e65de516a075116c31bc3f2936fddc829b90d79872a7c1b1

Download Submit
C:\Users\Admin\Desktop\ImportPush.m1v.123-E77-4E1

Filesize
299KB

MD5
6d045fb7dc52b3a4f9d758dbf1de73f3

SHA1
52c516502ef8708ac629f267c3e7f604737f8520

SHA256
fc574ae7b6dfa3720d2ef626d8c4c6fe0f72bb906d08e809376550281826b2d2

SHA512
c00b3b3aca6e95895c219fe31a072004975a25ec3943188f56e0f8695cdf62eb0cb286f77a2b7d386bd2ad639f7e0d94bbb8cbdd08e325367faacea215b5a985

Download Submit
C:\Users\Admin\Desktop\ImportWrite.rm.123-E77-4E1

Filesize
166KB

MD5
6e0aba430ca173e5af60c9105499dbea

SHA1
ea6008c3012538ec40a28f12e5d9d91c12e05da4

SHA256
779ce59906c5786f3caeaab6f7eeaf451d5b4647ba26db0363eeae133c451743

SHA512
a5873afb83e43cea1991adb50173140a6e6f1c49ef5fd7d0da0df0b45ddf845ccd07e6dea547d2a2ba7cf69e4b4de047c5c2ce8ebc211352ad70f95cb5a42611

Download Submit
C:\Users\Admin\Desktop\InitializeHide.ttf.123-E77-4E1

Filesize
119KB

MD5
d29149c327db7762d1a92e2fcb898e8b

SHA1
095b9d46f28f805a4978a4ed691b8b6e7a8b3775

SHA256
e4d84413ca4ee3aed4ab78174568fb21688428c6793aa8d55e1303bed9fa6d71

SHA512
b42f9681333791c63365defc84b539d03f8360540f0781782bd71a665918912d6e5e4f051a668f6b73258b9b2c2d584ea2165bd24b5a9310dfff0bf9e0aaa7a2

Download Submit
C:\Users\Admin\Desktop\MeasureGroup.vstx.123-E77-4E1

Filesize
268KB

MD5
af25e74b4270e3c3d6204785425c3f6c

SHA1
a57f304f91e4a1da5da3b02540ad930e6030f2cc

SHA256
96353929de101081ef5cd5093aae53a0237da7ab12e1b9479c9f754a204a0dc9

SHA512
b1c1f65c434c6ef88e6c140c4d6ccf45e1aaf81e9dff7c492c3aa6345cf7919415604772ee1533128ee9dca896dee6e3614741ea0b7e1bb60687a6804577d556

Download Submit
C:\Users\Admin\Desktop\MergeConvertTo.tiff.123-E77-4E1

Filesize
291KB

MD5
27d8d48c37fd029d678b216ab77dc1f3

SHA1
d90547896f25676586075ad22bd280622c48b058

SHA256
be083a6e9b4369d09074fafb87b4f5af610bf8bca5d8657fa48b38d8b4112a9b

SHA512
8c7c32dba94a0f100563cbbc1f3260cbb473daacb2354318eff7beec347adf2e9f3d2a83484ff7648baf2607f27206d9a4b9ceb9fd85f1325daedacfdd75fe0a

Download Submit
C:\Users\Admin\Desktop\MountWait.mpg.123-E77-4E1

Filesize
236KB

MD5
1caff01a558689d3bcb4a2b6bc86155e

SHA1
074f6eafaf7c89be6fc2ff3262f0a76374056831

SHA256
6d242c287d7bb3163fabc358f48b2826837152ba123103cb60c453d1d81d30db

SHA512
7fc938865b0b54cccfa2d6ff7a823372419aaa4abf1244bb805c8ce947636c5a4e4c4741903dee493cdbed6c16c957015c582bb32db41293dc8deccc43e2ce82

Download Submit
C:\Users\Admin\Desktop\MoveSearch.nfo.123-E77-4E1

Filesize
315KB

MD5
8cda8ef0c050abf9d8a9662de123fa11

SHA1
1d1d4f5f1f9d898aca6b31a2ede395867af9a266

SHA256
8ade5be01cf32c9af5b621f677c9c059ee9aa084a57110bae6dc926f21895d6a

SHA512
a59edad87a39f931bba6cdb6421308e74d2722c9ad11036727df06278a8823163e62e214b43a8bf9c50ff958b416344b3d38f9eeabd60f4ca1bb2aecd07a9265

Download Submit
C:\Users\Admin\Desktop\NewJoin.vstm.123-E77-4E1

Filesize
252KB

MD5
fc5b42c00182808513e105580423b023

SHA1
923ba85b9ff609d728ebc830cda228c9b6779ba1

SHA256
e1ebbbaad4cd4350cdbc1157631a2c31bde48d79f7df8012edbc5816341b03f1

SHA512
6a52a12615021e2957ac61c2743d94880786c27d0504f9eb92c69b9e106a47856c313f6d4508fa08ccb1d358cd2551da9f4520b8b2c2bc46c7f5eb640e0bc7c6

Download Submit
C:\Users\Admin\Desktop\PushFind.xml.123-E77-4E1

Filesize
244KB

MD5
e753827a6ea020362b85861519eee3b5

SHA1
4e9d0bd4029fe624d7d76a00c8fc01ae9fdc8838

SHA256
a782a76bd8d378819c29ca2e4de27a803ca15cf88e77f35cb3a5052209050a30

SHA512
6570ce3abb1319a1e79c41769a9b45b7ccad16cf714105e48a48f8e1edb6eaa1667a746deafb768fc057bcd67958450a8dd1f1ff21781c9b646d41e134887c9d

Download Submit
C:\Users\Admin\Desktop\RenameCheckpoint.m4v.123-E77-4E1

Filesize
142KB

MD5
645a5862aee6802e67fc70be65ee3b02

SHA1
d22917862861d4064e0b0af73bd4632f0c041f31

SHA256
5b3b0d58c5d77368947ef9bfd5f0a4dc968593f7300656a91f8440abe937fd94

SHA512
6f2d66184d545f328b1fb5b30ba0960460620d4da535cbbbffc7d110b40350e8693001a751f1cd175ed903c8db5e88145307cf679a28f4904bbb2205b91551d6

Download Submit
C:\Users\Admin\Desktop\RequestInitialize.crw.123-E77-4E1

Filesize
432KB

MD5
3ad328a10d81a6d79a07e9339f14dc67

SHA1
1eb9b0f19b8e961f1583449a507b68f4bb39114b

SHA256
86f6ae0a858fa0fc3bf5067d5d1c43e279e5f91f18778f28c5ed7a5828d738a6

SHA512
2c823a7b41090f6cb4bb25e1715654765e0360cbf1b51629740064c63b705f99811ac0cd67aaf20d956d754062f284bb8154efc2e1252d260c72b9ca44fad318

Download Submit
C:\Users\Admin\Desktop\SaveApprove.vdx.123-E77-4E1

Filesize
197KB

MD5
2715bf0bd6eb167bf242f2ca2d161a73

SHA1
2dcc51ba61179f3fd4569390d5fddac15c0461e3

SHA256
d44d2e49e6d1932ceb89a6a781e86a7858d7fd5d8ccea14ba1e52b3b115eda33

SHA512
20ca4c76450a61bba243c22e397f3161a122f588e27deef2588a8679ceed9b88ea57ae513f2b07b08262d3ac18e4e4b9418c9280043d990406e9858510c06184

Download Submit
C:\Users\Admin\Desktop\SelectDebug.docx.123-E77-4E1

Filesize
16KB

MD5
8bdfec41f6f15658314b1c2588deb1b8

SHA1
6d712ef305aa358ac41224731d5925ad5486c04c

SHA256
de4a9af787479e0746f96518bb8c935b7eec911a1bbad1207f22fd8a69341fc2

SHA512
9ed8de23ca127d20507f2d5ca0a43cd63954c6db795079231e8ef15c371e2b215456e8feeb8661aee37c93b8bccbf188f0fa418aaaff5d120466f1a211a79658

Download Submit
C:\Users\Admin\Desktop\SkipComplete.ps1.123-E77-4E1

Filesize
307KB

MD5
b4a089c4c9473f5055fc71ac96c05276

SHA1
b18b99f8a302897fdd2822be17b9d1762c62c71a

SHA256
2a976dd5b0007a0dac53d4b47a1c34ce9436fb714733e9650b0ee0eea9688ad3

SHA512
427b6ac88bebdfe0da9c6ee063c28d19bcb64c4ca4164e355632b58adcdf014cc9a684d5d3405fefb54e6c18b1a3e2e5f6540323891e1ade46d3bb9715330ea8

Download Submit
C:\Users\Admin\Desktop\StopInvoke.TS.123-E77-4E1

Filesize
174KB

MD5
c4cbd2b2b50a2ad6ec30548069a02ba9

SHA1
9d54e9e2966ee39152a63daa66ca64daddd95111

SHA256
a2d9f48bada3f554bb142e468b18cf4c48d9f5e4c732e83b1ca0b50fbef4be7d

SHA512
81fa71c514928b53f3fb89c236454e46c6a31619f3a80bde62f1e046d1cb7aa39389352bd1e6eb3b7b9c74a9681c40b756ee391c719636fcd7e53497c34d8ad8

Download Submit
C:\Users\Admin\Desktop\SubmitEnter.doc.123-E77-4E1

Filesize
189KB

MD5
e31d52caebf4dbe6573974f96c6bbf2c

SHA1
cf4ddc27fcdcd78b4381e8f777d43fb7e39bcec4

SHA256
e4dd2f393695317aa8af6e6b548e42a53e19bb980518567a71115bfc7512cf70

SHA512
2e56bcdb746c6cf7dee9f08a85a2dec58eea3a023a3c9f68d754be5eb008860d62b0286ceed46a41888d91740690d809a3f5d3d3c16fdb4694e061de6616be1a

Download Submit
C:\Users\Admin\Desktop\SubmitRegister.xlsx.123-E77-4E1

Filesize
15KB

MD5
989547ac59edcdee8c83d682c6e323be

SHA1
493a192f972142de7ea7889c6356e8e70276cae6

SHA256
2ebfb83a8fe62100272cc76566dc452d648c8d1768334aa3a96f24c6b740ff94

SHA512
d47e98be0afac265451229b028b2dde762affdcdffea703c6018f8e18e0b034ff6d324a90a9c54455d494b6a245d44eb6c8b75d83f95b95b55cd4fd3c1c84bc7

Download Submit
C:\Users\Admin\Desktop\SuspendLock.png.123-E77-4E1

Filesize
213KB

MD5
595bca9c4b94568edd638eb154a29199

SHA1
f50d93e79fc85042d428f39443dcc74aafb9ae45

SHA256
d1e60a3717e37b1759d42d48954e3f9eb7494e1f74f8283d27ca9f3a58037508

SHA512
6b90472fe3b0ed4e09743594f261dca66e58672953c5532d462d732dfb6cd4c788195c41ebf851c28a96341a2ef0f8dab3775c85dc8901a061a22aa123470aca

Download Submit
C:\Users\Admin\Desktop\TraceMerge.emf.123-E77-4E1

Filesize
181KB

MD5
596dead9f4a199212a07d853fefe3e02

SHA1
93f1fa397be2362e75810f64251da7d866c70906

SHA256
1b9cb3637dbade7be1b145533555c18cd63c51ab8960619fd99afb867c7c6d09

SHA512
aaed8390a47f2439815880a6bfa950f69c355204f80d113184873406146dd07cd2173b2fb3b54f2da17a06f2b22ddfcbc96374b2611475f12b1f73434ad7b73b

Download Submit
C:\Users\Admin\Desktop\UninstallDeny.midi.123-E77-4E1

Filesize
228KB

MD5
68bd67d39d8805bd570b393b6d0bc5fe

SHA1
54f683fcde73477d90322ad68d4f7355011507d4

SHA256
3cc1044cc2f4e9801539e787cb89e1d3a66aa976dea876972b910e0e64699a11

SHA512
4870e2caf29ba022fe74cdbde907608e77c0fc20faee1097cd456d9f2caa43f98c779b651c8958df059bf3967f3aeceeacf1869da7a8c8d5be082ce94c15a95b

Download Submit
C:\Users\Admin\Desktop\UnprotectStep.sql.123-E77-4E1

Filesize
260KB

MD5
3e3a887d926e20f1cb82d349512534c0

SHA1
38ce841950c1a81f8c260b251e16d45099ea4268

SHA256
1b4c03e562342ff9d6cfdfbc4456cbbee2bd8e589ce2aec4e7e18b2ccab67fb0

SHA512
ce2d52045bf19544233279a49b96ad799e4f9f9d24c0d9cd2bb22416569aa571247c40c422ea939f274d192b0d6940ef1693ffecc347803d4c092a6b931b002d

Download Submit
C:\Users\Admin\Desktop\WriteSelect.pot.123-E77-4E1

Filesize
221KB

MD5
511e862c5495fcd4f80be4dce314a22a

SHA1
a1d0e146984948021b025595bed84d7839a1ed3b

SHA256
9d6366bbd0d237a4c4c88d5e8361ac11807eb0daaa656d9bc52f7df9e48f0309

SHA512
3ea6db116054c70df16cc33722db691fb54cefcddc784a1398d653bcba50c8d9e409bb989ec587e9b8abffc5f2ac9ba654f34102512eba5809b910bc6e7b6dc9

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
57de3039c72fce763a1ee7fef7d55164

SHA1
c7fe45f4b975bf5d58c30bd4ef90e681be583eb7

SHA256
96c27ffcf6ac988137e9368cbdd69027948f77093a2385c9ed3e50b5ad4c5fed

SHA512
0b08fccf5e64938289ba8a81c5b30311573d81a6efd132607e824d783f95507755452a0a4aec097becfae0a1d67eebfd3f20b3d2131d7a2f3692a812055a2420

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
memory/664-98-0x0000000001170000-0x00000000012B0000-memory.dmp

Filesize
1.2MB

Download
memory/2076-30409-0x0000000001170000-0x00000000012B0000-memory.dmp

Filesize
1.2MB

Download
memory/2076-5917-0x0000000001170000-0x00000000012B0000-memory.dmp

Filesize
1.2MB

Download
memory/2096-90-0x0000000000A20000-0x0000000000B60000-memory.dmp

Filesize
1.2MB

Download
memory/2100-72-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2100-66-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2568-30372-0x0000000001170000-0x00000000012B0000-memory.dmp

Filesize
1.2MB

Download
memory/2568-14138-0x0000000001170000-0x00000000012B0000-memory.dmp

Filesize
1.2MB

Download
memory/2568-27096-0x0000000001170000-0x00000000012B0000-memory.dmp

Filesize
1.2MB

Download
memory/2848-30408-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads