buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
77s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 46B-295-7D7 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 10 IoCs

resource	yara_rule
behavioral16/files/0x0008000000023494-19.dat	family_zeppelin
behavioral16/memory/4764-33-0x00000000001D0000-0x0000000000310000-memory.dmp	family_zeppelin
behavioral16/memory/3856-38-0x0000000000470000-0x00000000005B0000-memory.dmp	family_zeppelin
behavioral16/memory/1392-41-0x0000000000470000-0x00000000005B0000-memory.dmp	family_zeppelin
behavioral16/memory/3856-2270-0x0000000000470000-0x00000000005B0000-memory.dmp	family_zeppelin
behavioral16/memory/1956-8138-0x0000000000470000-0x00000000005B0000-memory.dmp	family_zeppelin
behavioral16/memory/1956-13892-0x0000000000470000-0x00000000005B0000-memory.dmp	family_zeppelin
behavioral16/memory/1956-20905-0x0000000000470000-0x00000000005B0000-memory.dmp	family_zeppelin
behavioral16/memory/1956-26157-0x0000000000470000-0x00000000005B0000-memory.dmp	family_zeppelin
behavioral16/memory/3856-26187-0x0000000000470000-0x00000000005B0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6116) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	default.exe

Deletes itself 1 IoCs

pid	Process
4776	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
3856	csrss.exe
1392	csrss.exe
1956	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
24	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.js	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-150.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\MSNMDL2.ttf	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48_altform-lightunplated.png	csrss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\JUICE___.TTF	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.46B-295-7D7	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48_altform-unplated.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-hk_get.svg	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview.png.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md	csrss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Close.png.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.ELM.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\ui-strings.js.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\3DViewerProductDescription-universal.xml	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_empty_state.svg	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-3x.png.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-100.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\LargeTile.scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_altform-unplated_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-hover_32.svg.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo_2x.png.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.46B-295-7D7	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\ui-strings.js.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.46B-295-7D7	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-white.png	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	default.exe
Token: SeDebugPrivilege	4764	default.exe
Token: SeDebugPrivilege	3856	csrss.exe
Token: SeIncreaseQuotaPrivilege	3128	WMIC.exe
Token: SeSecurityPrivilege	3128	WMIC.exe
Token: SeTakeOwnershipPrivilege	3128	WMIC.exe
Token: SeLoadDriverPrivilege	3128	WMIC.exe
Token: SeSystemProfilePrivilege	3128	WMIC.exe
Token: SeSystemtimePrivilege	3128	WMIC.exe
Token: SeProfSingleProcessPrivilege	3128	WMIC.exe
Token: SeIncBasePriorityPrivilege	3128	WMIC.exe
Token: SeCreatePagefilePrivilege	3128	WMIC.exe
Token: SeBackupPrivilege	3128	WMIC.exe
Token: SeRestorePrivilege	3128	WMIC.exe
Token: SeShutdownPrivilege	3128	WMIC.exe
Token: SeDebugPrivilege	3128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3128	WMIC.exe
Token: SeRemoteShutdownPrivilege	3128	WMIC.exe
Token: SeUndockPrivilege	3128	WMIC.exe
Token: SeManageVolumePrivilege	3128	WMIC.exe
Token: 33	3128	WMIC.exe
Token: 34	3128	WMIC.exe
Token: 35	3128	WMIC.exe
Token: 36	3128	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3128	WMIC.exe
Token: SeSecurityPrivilege	3128	WMIC.exe
Token: SeTakeOwnershipPrivilege	3128	WMIC.exe
Token: SeLoadDriverPrivilege	3128	WMIC.exe
Token: SeSystemProfilePrivilege	3128	WMIC.exe
Token: SeSystemtimePrivilege	3128	WMIC.exe
Token: SeProfSingleProcessPrivilege	3128	WMIC.exe
Token: SeIncBasePriorityPrivilege	3128	WMIC.exe
Token: SeCreatePagefilePrivilege	3128	WMIC.exe
Token: SeBackupPrivilege	3128	WMIC.exe
Token: SeRestorePrivilege	3128	WMIC.exe
Token: SeShutdownPrivilege	3128	WMIC.exe
Token: SeDebugPrivilege	3128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3128	WMIC.exe
Token: SeRemoteShutdownPrivilege	3128	WMIC.exe
Token: SeUndockPrivilege	3128	WMIC.exe
Token: SeManageVolumePrivilege	3128	WMIC.exe
Token: 33	3128	WMIC.exe
Token: 34	3128	WMIC.exe
Token: 35	3128	WMIC.exe
Token: 36	3128	WMIC.exe
Token: SeBackupPrivilege	3672	vssvc.exe
Token: SeRestorePrivilege	3672	vssvc.exe
Token: SeAuditPrivilege	3672	vssvc.exe
Token: SeDebugPrivilege	3856	csrss.exe
Token: SeDebugPrivilege	3856	csrss.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3856	4764	default.exe	91
PID 4764 wrote to memory of 3856	4764	default.exe	91
PID 4764 wrote to memory of 3856	4764	default.exe	91
PID 4764 wrote to memory of 4776	4764	default.exe	92
PID 4764 wrote to memory of 4776	4764	default.exe	92
PID 4764 wrote to memory of 4776	4764	default.exe	92
PID 4764 wrote to memory of 4776	4764	default.exe	92
PID 4764 wrote to memory of 4776	4764	default.exe	92
PID 4764 wrote to memory of 4776	4764	default.exe	92
PID 3856 wrote to memory of 1956	3856	csrss.exe	98
PID 3856 wrote to memory of 1956	3856	csrss.exe	98
PID 3856 wrote to memory of 1956	3856	csrss.exe	98
PID 3856 wrote to memory of 1392	3856	csrss.exe	99
PID 3856 wrote to memory of 1392	3856	csrss.exe	99
PID 3856 wrote to memory of 1392	3856	csrss.exe	99
PID 3856 wrote to memory of 4824	3856	csrss.exe	100
PID 3856 wrote to memory of 4824	3856	csrss.exe	100
PID 3856 wrote to memory of 4824	3856	csrss.exe	100
PID 3856 wrote to memory of 4904	3856	csrss.exe	102
PID 3856 wrote to memory of 4904	3856	csrss.exe	102
PID 3856 wrote to memory of 4904	3856	csrss.exe	102
PID 3856 wrote to memory of 1584	3856	csrss.exe	104
PID 3856 wrote to memory of 1584	3856	csrss.exe	104
PID 3856 wrote to memory of 1584	3856	csrss.exe	104
PID 3856 wrote to memory of 4640	3856	csrss.exe	106
PID 3856 wrote to memory of 4640	3856	csrss.exe	106
PID 3856 wrote to memory of 4640	3856	csrss.exe	106
PID 3856 wrote to memory of 456	3856	csrss.exe	108
PID 3856 wrote to memory of 456	3856	csrss.exe	108
PID 3856 wrote to memory of 456	3856	csrss.exe	108
PID 3856 wrote to memory of 4076	3856	csrss.exe	110
PID 3856 wrote to memory of 4076	3856	csrss.exe	110
PID 3856 wrote to memory of 4076	3856	csrss.exe	110
PID 3856 wrote to memory of 3200	3856	csrss.exe	112
PID 3856 wrote to memory of 3200	3856	csrss.exe	112
PID 3856 wrote to memory of 3200	3856	csrss.exe	112
PID 3200 wrote to memory of 3128	3200	cmd.exe	114
PID 3200 wrote to memory of 3128	3200	cmd.exe	114
PID 3200 wrote to memory of 3128	3200	cmd.exe	114
PID 3856 wrote to memory of 1216	3856	csrss.exe	117
PID 3856 wrote to memory of 1216	3856	csrss.exe	117
PID 3856 wrote to memory of 1216	3856	csrss.exe	117
PID 3856 wrote to memory of 2428	3856	csrss.exe	121
PID 3856 wrote to memory of 2428	3856	csrss.exe	121
PID 3856 wrote to memory of 2428	3856	csrss.exe	121
PID 3856 wrote to memory of 2428	3856	csrss.exe	121
PID 3856 wrote to memory of 2428	3856	csrss.exe	121
PID 3856 wrote to memory of 2428	3856	csrss.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1956
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
58e122026b02007d0194c2b2b8df3f04

SHA1
2e58967511806b56ade90b34a32a4157e0a24c75

SHA256
97703bda89d94a24eafd024d49136bccae9e47619c0fa8dbcff7d28b61f25a78

SHA512
316838e74f2ca4d4b1751606b96324f6678754f0df3baa32c61f576f747f9b1b976e8f0c957a31032e8fec1604aad012fd6d94080d57291da9611e41a1bbd631

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
c6f6693bade187add42e3c070d4a44cc

SHA1
a813469a3a15b1cd5fd76a5b7916ee9e7b09f89d

SHA256
a572aef184b90f8132b00724ae9edad136a301b6c29375919a28154d4c397194

SHA512
412e0a200b5f44f48b18d63f79d5feca36613f080d9689efd1cd01779ed934545171685156c9374704c4a6464225b7814cebe023779b19244b3afbd4866dc248

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
27372bb88029ba051bb6e3d25820a958

SHA1
aad6bf77b3d873d123cbda19afc359b2e243a89a

SHA256
0a6e3fa0fae0edc0971c0693bafbeb21246a24314ec38624cc65fe63ad26bf9e

SHA512
ebe0a6e1036d443e2c2b447a0f67504c91123ab3924f86e2b44b93b729dac42fcc2a5b253e3a1a3b49185f9398378e6761155817234f6dcf2d3e93285bd2d993

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
902be796ec6e529bf9eb5df6b1699b6d

SHA1
b2e7fd21e7e52bb755acd5cf9fd61dcc04786c27

SHA256
fffc21556d63a0abdc75cff12d0ebec7ce3f91d461a4c86110f506793ebfde0b

SHA512
054fa270ea86e863930897e5780eba4673823cef4e8cf09164a1666fd312837aedfc012c2c707ca1c447610ecbfc3e2f12f1b045ddabda6ab94d84e4a105d18b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
65f4f0aa742fe30a9ad4149f3a8d27de

SHA1
3ae07f59e996729d120c731cb5a20dd61d0249bd

SHA256
c8c134f668f1767237d41e46e194662a76d5e130bc30738c81bf033da18e2ff8

SHA512
3422c8ba11c727abb091051eddf2bbcb7565fbea46ad1fce15f84a1f043bd42566becff2af31bda497e336ab8a4264632c61f570ea0ed4636774f85e17ebe283

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
fa2d1caac7e554ca7061ffc437317435

SHA1
2b1492db3e947fb4c69323ed32b9ff245509e0a8

SHA256
59d3be30c9330bb9f0aa64699cfc7f123aa8d1ed3ccda3a1b1eecb5e8d34597a

SHA512
e476e65b39c97d82c80de8da95967f6e7f1ef72a43a47accde6bac888df5b73b7e5b6b7cea06007fefd05e2331dbe24ea214b6d820bfa800ee4b07639096a307

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
ef08c81ffa5a01eb7bf2616f0bc363e3

SHA1
4f8f2ea91c5ba3d1b7aa95ce4de160f133641f64

SHA256
7eae364b54fedad71293791bfc6312205d57e4be243b059e043d2e7df1d48a23

SHA512
8b797f4d88c14940074db724d2894727c5021eb9e4e94d61cc584ad81b1595b5a08938ad623f9e0bc89a9772a97453540a8ddf72324f8cc28988ca45f3238e7b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js

Filesize
395KB

MD5
b7e16a934f9284ce1cd8fe27446d09c2

SHA1
f3c60bd1d30499af1ecaf58d880c64a79caffc0e

SHA256
a0ffd9b4c1efe3da6591d1d211137464ccb8ae3904c6d48ad2efdde37d7211cc

SHA512
02b0cc125a8cc0f3a3ba4488a4c9e832a9387b359e58b9b3e618d0b7d003477aa97b645b4dc6a2650326e729f2f2e0cd0820a61aed278c4583eb56a4db9b86fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js

Filesize
387KB

MD5
70e74182317cbbf249d875207808b54f

SHA1
4e4ee1adef684b99e96481f0ceb87d0be241a312

SHA256
72f797e8ed154bce1dc4ce61efa73cf336a3d4b5196390252beb68b3dde74b90

SHA512
f7436cc022f042bfbec639cc27dd6f040734fc2c8c6399dfe5322029a7f86190f2868e8e7aea588ed1cd32591c583d84bdab80a5283f4544799043fe1ec6a2f5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
1180645d601cd2e0a79d3d40b4b03704

SHA1
957d90e5f4cf69e71204bdd07ed130f9cb3e097d

SHA256
9fed261f697175978bafe0e5a2c5b82b5ea794009e50c8d4608506c244ed618f

SHA512
f55ddaacf645f35e8c107820a329346cc196c98f2da9ec40898d24a695db550390a300e73cf59129767786b4ddd994077f6258ffb984cf2a1077145d7e19ae69

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
6c41ae371298515dd3383622253609a4

SHA1
6f7406232edbc952a4ee05082de675df8def7928

SHA256
60ea3b3151a0c3bcb1d9aa88d442a9854a490d60d789069068ee3d30bdc3ddec

SHA512
1c4110af1fc02b4e048a43d1f97edd119daec819f7fab2794c95b2f1ec63374001c59df06e1878bcb62100ef4e02e410816493e13bcc4a17d713aad4a62dd34b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
54a50663ae0764fc271dfbd4ef3b8a32

SHA1
98348e32d324f4564d7c2f977f0986a9fc66e393

SHA256
6ad5982653cf79963f5e01289c206a2196061556d755c6f2197a454e0df77061

SHA512
936c36e8d96bdcbbda1abd4674d1e4bf4b92388ae64d15b12c60df2359b32d3f434fa6316f02b99d91f5c4dbdd7eb1cde91a08d52cb87b885580b15f75e8e847

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations.png

Filesize
10KB

MD5
69367313f0a7e47b5135dc60a103fab1

SHA1
e82727a6b7b91be0b60d22318c16ca63a617583d

SHA256
a817a546d9c44d01c4d109d78734c8ec560c3320f260d00c2456e283bb9030db

SHA512
3a17472d939ce649c0f94809369b6ac90fb5a96cc31a5581ed97f130704546921c42a2ec38a92fa9480f849246828f52aa9f52ad0e3fb45a1ef3678df42a26d8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
627e77a5498f0af6648e8a67abf7d774

SHA1
a72d9b4522e717a891e2e1fde70e38db25467515

SHA256
bb2bc84571f005e820842bf4326ba8addfe9163c2405c8df70d13c4e313f12a9

SHA512
a73ab160a116abc8fc69a9e7d8db61cca7bfc800fcb641ef6ce2227edbdc1f55539eab4316419b83399e50e20fe840e65ed5c7f4a0676503da536b88577c0f75

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js

Filesize
48KB

MD5
a1a4be1b8b3edf09601b34f753a7f3c6

SHA1
e1e96bc6763f0577036716af501b948b36fbc722

SHA256
ea5ecbf4208ebf321d67ae8c11e87e4fe6e9e438fbe4f204e23eccf57827d92a

SHA512
4105ced18f4da5ce0476b40ae6608d04e96ff4b6e934ba9ddadd8716cd1a4a4ca6f6c09d113de4ab688d09b925e3fd3aabd5b7a87d85ca55340b9796c3492a1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
fda3db9ed61f4a353a7353e2b727a50f

SHA1
5aae038c6cc2a3fa2217f910ee13cb089833eccc

SHA256
2c53604cb5e219977a81876785dd53bce0b757d3efc9b7b3fa0445f0df9e03c4

SHA512
37c92acca5d0d11b6d1d7ad3c77df5ce5245ed2dea396105c313f1d9912d817ab1c69b282d94230651cc7ea418a0baee41afa6782206eeecbce8b1c29257d67b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif

Filesize
813KB

MD5
3eae3fc1f4aa2cf50fb8079aeead36f0

SHA1
62e246a4554086ce51b25428e3cb0bcb56b3d4a6

SHA256
79ef563f20622e87fd7dcbd11590c21fc54652c6c9e6e45eaa3a25d4f6b9f3ef

SHA512
79873c8f92466c5f2b2fe2db788249da69b1cdae41e8c1f8c5866782337b756af87684dcab08aac65b620793823b1d6ffc72988d1729ef7c20d0707c8d454cce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
d8a112dbd5b19e786290835393f54316

SHA1
363541eac9ad9402b837a2d895c111e013f0e6ce

SHA256
798111014860b950fdd7f76251716cf70d9ee0cbede98333c43672953cfe6156

SHA512
0e6d847706aa631b72880bff268db7678c12864bbc14c54defcc57c3d12ac85436f98d66c41014326d4a46d043fee97f0127cf35c5650147f36830c75ddfb796

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
da94a2e971a8a7eda637a6a4e2242529

SHA1
7ae55def97e032082254c4e81d810900d322ba53

SHA256
25f0ef476358e5de74a3e6d30a1c0e9c208085e795f62f3d2ae43a9e8d916ccb

SHA512
728073ad1bbbc112a587bffd8e05f6ca9c31fe97ad4d3fceb4ed0a0257a69cf599c318bec6140478b7bd881cf9d0a1671f0110a94dea938ac902aa121833c616

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
dd93e9733995865deeadb54b4aac3300

SHA1
6bcc13262643405b86f14f07118c98d2b7fed6be

SHA256
6d556aea38050dd5f62e30acf1c10d2065976fe4d409a24e2b44e07a215e1984

SHA512
c2101f80bf3ae30f3b9f739880620672482977fbfbdc2d74a121f1d0e7641cbd7ed192e65721b8f8871462f92809e6c0b92af76bb0aac40b064751c5ea6ece5c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
adf01b028fa2042b591cb164d9cd4a3c

SHA1
731b60345d425a9d5f8b4fa8286b5a0f73ed28aa

SHA256
85399653f3c583560b346630e1c6247f01791f1c628827bc8a3afff1c3edbdbe

SHA512
3070232e30aaba70c8da52bf2532e25187b135a01b4fe9daf4b240c4fa5014e7cf9c664d926279e843412ae83163de03d1a3c37cb705649d86b00a5d42ee3966

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
d0a9032b89b078c307995c04158ff8c5

SHA1
5d19f5b3cfe7b474ec3787f28ee0f2dd3f2bdd6a

SHA256
9e8253736307c55b370ce9af5fc1a8aab8c156f1117c2cf71a117b17806f007b

SHA512
aa6ce31cd9c965c9a56d7bd80d080819a51a1b45f17c0fe71cfd73951af1d9dcad4d5afbc01ef849b2f271f2af39ce939af95afc3297b65b8c4f87b5b5eefdb3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
97c93039457fdfb828c3badb3201d559

SHA1
a1d86903f8fa8c05ecce1102f5bc461702a3191e

SHA256
fbc1aec225f957589fdcdda2bf66817a87ee690387d234cee2c0eac31ef60e2b

SHA512
409bcee609a82461c9184e2483c167455b4ecea7fda9550022e79d342d3751b28b6c2c9c471b9cf5f1796549b12d9152e1caa1b3c95815333c27a991466ea6fd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
0a77fcccc721c71fc8aa2556a2d8c2ad

SHA1
dd7a97050777f01e818b5d367da9f59edd3fb9b8

SHA256
774b9a0e943aaf968e2af29739ebac73709735930eb12f3092714aa2b536b975

SHA512
9519aa53bf2104f80ae0b6bbee6d237048e9cb3938efb9dab3c06a23e30a18290966b3079cd501c44131b0cc92f26e58feb0681967dfc3393f8eaaa1e1f7925d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
3a7318024b7d349b3d9de64468db7c9f

SHA1
08ab76ae04dd0351ce0b7d46697ea539514ec967

SHA256
7dcc69753f5fd6441eaf4671f3cadfbecc66cf90388795be61b5768992d2db8b

SHA512
14fabcfac81008611aa6ea8ba43fb2ee4d3cfd4ca532ccc659fb212dff34544cf3b3eece1b90c083f7ca15b569e2f677bbbb7b1ab34299f5259c6b5ccdcd5306

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
d84cc9811eb4d3ae83ad75f45322e2ef

SHA1
65ca9ab653435a7e81940219ba7b9a22001ca23b

SHA256
6edab284043428187dc2740b6b801b4f6e8f357a0f25d5112112090ca8c1d4e3

SHA512
79c5e0ac8b6011687d8bde0b851c90bbbb3628760f90b2ac8da12637b3f553ab4006dc00732a9bbbc28e74328efe2c7c39d22c59e7fa6657df937614d172b369

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
21fbe67ff520188c513b4814c1395282

SHA1
05132386c1767658fe6d3957b1aafea61f7d39c0

SHA256
5e4af45e5b6a35c24b79c798ed42c35896cfea0f08c99ccbf9383009e453cf08

SHA512
737bce598f084e4dcd0209a6bfddc0dedd0ca6089b3b5120838eec3e8fe3a676c952393d2ff236840ce976077311d5fd5afd94a8693241245486e995250b929f

Download Submit
C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
f82b6148f1669bb069924a5a5af12cbe

SHA1
1705597121808a8180292230c229762aea9b77dc

SHA256
e06ad7f8e28cb444e48e69ed321c303115c798f943eadc112e4383c6da9652c5

SHA512
8943cf6dc2c7fd90ee418c00d5d0b169c7e7a73de5463cbb1a09221bdab1cd1f14ac2f67f51edc0256ee5c3a8cc329b2a7e1d4c2a5d76ead3f2dfd5611e2ed0b

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
6234db9d1b0caf7c052f27fb6cf928a7

SHA1
70701bc43b80490820abe5b185d34f549effcc42

SHA256
45c28775f8e2d1e92e9b75d02cea4ecf6dd2ec905efb8b63293a29ce9311f185

SHA512
2d81ea4681c6cf5524445c67d183d71598db010f6bd864145cddf4084ea5c451204c0ab9d804d880ee6129a2a481e899d818dfa0e42b6c63fbeb0ca46d98936b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
d734fb8603f087c1607b37eebe30698a

SHA1
1bc03a519c374861c62f4aec591b0dbb8a68cb85

SHA256
c8d20ea20ea2b31d1f9320cd6a62f9a708ebb55aa53ceacf23c2710e19dc44f9

SHA512
8b3f954104b3dac0bd000b26cd069e3f441e0ea1518bb0e1e30992f8df3facbb0e0c791ec34f7e207da7ed4f5c380ee62d268f1fe1d4f3630965c23d21ade632

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
82458136f5fdbcb39dcb4fed21444306

SHA1
11e0cdd45d5ccbaf0681f8df0de40f7b088ea43a

SHA256
917e9673c8fc17668a977944fee8856fe00f4a9eb25d32ebd8148c0989863739

SHA512
c15fd5fbbc064c048d4f3ceb66e3d47dacdff773450ea02283db1c09c6500bf312be34c4b9b26099b7881614f49fa1c6461bff9663685d1c7102827fdc7d2967

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
f4ce7480e6edb1281dabfbd8ca6e4798

SHA1
5891cd4454e9301e2a70b0f1f7f6e5c05ed55952

SHA256
e0633461ecc8623c5e463fcec967a3eb11dc69a47726f5c0a5b97b72ea4974b5

SHA512
ce62c79b1003a813d63701af557cef58a46cd5b039d27420b45aa0456037b2e1bf91ec06a85f6cfe13f3ab5aa364dc3ce13f0165acf68f91c4f0796142d68bb6

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
1fb5813a40b41bd65c644969e883099d

SHA1
3314761c585848c8ed07be8cb5b667b010369396

SHA256
ad9f861923e5f086dcee3193892ed28fac0497e1d10bb907da7348f3f9a1d756

SHA512
20604613bca3de9b670dbd89d849c0efa8761965aeaff40f7dd9b002783503cae7dff3aedb1c0f9f5c4005028f257fe1bcd5806fd2d468e6a267d9e0ada05480

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
586KB

MD5
ced658ea52ae2aa44ad013437b95c1e6

SHA1
80054219c77aeca14207b9948de2167d69d97d4f

SHA256
a3b2837a49ee14a077b0f39a5e120bd84da33a4db459e74d2feae2b2a17145bf

SHA512
44cf29fefc0ec63b6a3edc009aae0d6923322ace3936dc50969643ca996c3a3ac0d6efd4ec8c87b3a64c3037a06cf1e9d45046b51315822f370b74675906f343

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
332f4a0815d7b3250baba6922a51b14f

SHA1
d002d117591366d980c3b065758e170f5d46b15f

SHA256
0d59d47a809775bb153f25b61c2809e92bf31dd97a1d8a1bd0ea9e61e4e488ff

SHA512
a09c5ed6c3fdbd746c898681c1f63cc2c123b9c588ef5941b12dc6b74644d6b796aae523c52f4821a06956f5197ead490d7bf73e1e628038c132e1edaeb777f5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo

Filesize
612KB

MD5
1356ecb0bf66569633cc797c552f977d

SHA1
d6ebec4eb94a359ab091c5344db1a43ca8462d59

SHA256
68acc93544ab29cf0942a29ce38a682c70342558fb9df2827228f28c1e944d7e

SHA512
c619a2f83287dd90960d56b4f6c628af507df4138cd1a8ed3172c9458b5998e317060425dd53bbfd599fabe9128388e6196f2235cc113f69f7d179d7c0d7a515

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo

Filesize
579KB

MD5
a159ad0f3d356ac8fce3c7082c70fc90

SHA1
c2893754130d5dd4772cd62374bd962aaa0be253

SHA256
1a07d6a836b51b2232dbea1536d29e1617a6de25912b12039ed709ea8c71b7ae

SHA512
247bebc23a7ecf83655217959fa9e3ec496a542f8589f8a6e23e9e882fe73dbf2f4adf4dc927fa63e90597381597ce18155f83cc00a59365c5a9a5156c4910ad

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
328e33b71f484993ef63459f39000efe

SHA1
d5465fa402893cdbe27a02297b23e5be3097d226

SHA256
e5a41b339dfd791d1372dac5d6494e813bedfa1b12195b138cb3d02c02d6f39c

SHA512
691b9b8d84cd05790b8c0fe2a848758872ab6942dd53e274fb6ced1b8e9b37cac7a6f91f75bc3695b575ecd6695d8691a1b22d6d91bf2682597fee53f5523563

Download Submit
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo

Filesize
614KB

MD5
432663fe5a7623a74e5dc019c7fceaab

SHA1
743736df198fd6de9377ab6b4787b5fa3f189534

SHA256
9c30bc272a6e2337eb54948687a3bb1cc4c95b5db260caa4bb0b672528ade40c

SHA512
e552d46145d8f5bc7e3c1a22f81d2d424562efd9bc4c72aa52901c88141dde4ab888e016f0770bdf7550c46e5a0cd76c7f33953c98a8282e621c5b4f4776fa79

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

Filesize
552KB

MD5
62c1dabe3d9e9a027a04d09c84cfe93b

SHA1
6d25e86bb15acbe5f35bec7bc06b540395c263af

SHA256
298f5da71ef8bed260119ccea444311498c5c54d82b80ed908a10c22b3d67e81

SHA512
5be59bc778ebe4e5b3458c54cfa6bdae0bf1434183103617fda89fbe823a9fc87cdb46d4996d2fb9a02014f0f06a67461cea247a8c8173265f8debf422c791c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
e496751cd2219f672baccfe069c05607

SHA1
d43326345986e0c3a25bcfef2febf570a1794915

SHA256
272f89d727d01fec581fffb1a38e02ce025eb523663aa3e102f77ae9aa9e0f1b

SHA512
e84c7c29f3aa5b2184bd6590f3660ec3c67b5814e226f4f7c4ae9bfb11080ab0eb2fe43697710bd64beef869e368fa1ddd85495f7f92b0ff6a61a9c59264b5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
d554992d4494a99ee1cb814b6a475ac0

SHA1
28f5679ab12b98f1e1cb1db81cc45d2e81bd7eae

SHA256
2305f09094b346b7d121fdf848cd807e31fd3d788e1dd12bab77963dd792c0cf

SHA512
00da55828c7237ce5086b21b0bbeaa73c45ce13b974fc5881e4390d78118721abe690879b21c7b638bbfba7c001d06ddec2db51bd287dd8d8c129f69ee7b2e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8e9a72a6c3f0f85aa9c1191fd7f475b

SHA1
6ca59986f7442dd4cc86f8d9ccbbe60bf0bb5521

SHA256
7be0516557405ce6902e0029557412f8c439745532018adc581770b4177edaa3

SHA512
186de583be2ab6928a31ca38fd6419437a26a3c7c75c854818ccf48ec6d79fa76902cb1ed0168772d4aaf817a26263b8f0a2d9dc338d86d5fa2433920fc16bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
67d7f731cc707cd0435415341ea206c7

SHA1
afbac43300885a58a42c3235baa88e26887bd207

SHA256
401fb361d6625ba840f4cf3958c25b29f9213e191f49fcf35fcf1a3f2bfd4008

SHA512
9247b1bd01711248a3bdbad428c8b352bdf003a6da0c87864f849eea107d8a877ecf909f15fa70ade3e3ef4189c1c9ec9ae53e736cb568f4bb4561f8b756d1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
a708ef84aee38e0c83190407d4f6acd4

SHA1
be34dc7cb7e420c748108944c0febc6d2da0530e

SHA256
d4f8a4f99924d3e30055b9f8f9cb2f7428108ef42eddc806fb9b565cd685ee21

SHA512
d94a288fb27877710361c02fc1d3be63c6907a5a235a68b843c512326fb3e6d443f6724436a980076a89ae230432118bc6ae7b2dd6cc506930cbc892984935a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
75287fef6b9a47d32b15e1be8d1051fb

SHA1
3db4be7e3e5494c462ae81af3230d6fc5d651906

SHA256
d622d2daf8d5e821646b88d13a677f1aee45fbf417c1641ae67adc3d45959531

SHA512
bffbd64349bd8c99231dd9b3baa8f5a76b79eb17d033482c930b6c7d16f4c38272632794126bc1955b8b9e9c074680d52c0d9160b05c52c8b59f3ef621abeb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CFIOOOZS\Y5K2TY6C.htm

Filesize
18KB

MD5
3c9fb9fbbdd372a9ab7f4e11cde5e657

SHA1
06f7b35568d81ca65e30ac213ff1031220ac090f

SHA256
f363ad44f70cd532e08a53e7ea0323f68d2b58b448349034ccc3dc3b0a96296f

SHA512
dd585b080863512a9a933e39d7542b13b3501f43ddfbd153e266964c37846e4d7ebd798512f705457c2be74a80a1d0aaf98c11ba5e6c2ca3f07f29eee1f68fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\H9ZPB4SW.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\ApprovePop.ps1.46B-295-7D7

Filesize
153KB

MD5
bac0bdd5f7140c520d490cca820638d3

SHA1
6528f1058f17caf19d31d1718c9baa51e0ebb7bc

SHA256
1c3ee169fcfe4fa2e5eb7c2f920a0343475b40ec6415126d135de87c2f3c4494

SHA512
66fd1218dd217aae22e852e8c18695a88bd2bdcc2aae84cd76362514a5cd833f91ccf55b4e84239ec9072ee35dea570bcc99a6fb986df2fed4b2822e2e0065cc

Download Submit
C:\Users\Admin\Desktop\CompareMove.wdp.46B-295-7D7

Filesize
350KB

MD5
41db1cc676939a8d182b13676c3936fb

SHA1
cd47212b7deea2480f5e158c7d1acc5d004085d8

SHA256
8af1284cde2f09e757e0fa642f7550c713e80c366d66c6fbc9b9b175641dbc33

SHA512
2f553f5d7dd81a6c425b84bca26d2a242ca5e271178234524d98e7dbb794376aba8cabc1e8348e2422c6d7b80412f2d19809092d780064fead3febd8202e2d78

Download Submit
C:\Users\Admin\Desktop\CompareTest.htm.46B-295-7D7

Filesize
281KB

MD5
56f4c671cfb74ead9d0ad18f413f53d5

SHA1
4e2a6d4e97cf5e3d5bcaad26773001e768633d70

SHA256
7a68291107fed496ef24c94d03cd5ef22566fb1bd3df15a21e225ec01e9e7908

SHA512
11c62eedf5c327581bfec8148685b284eb408db39e91a4d7091bc50c3466177841492e87985f86d93aadeea6e953b513078570b9076e70c5a65cf4ce74f4ed77

Download Submit
C:\Users\Admin\Desktop\CompressDisable.docx.46B-295-7D7

Filesize
19KB

MD5
f90a451b183ca9b68d3d9ea60635944d

SHA1
0f865edd229b2c9f5b1f04c62e741c72eb40fb98

SHA256
ea0acc2ecb5abfbe964511ffeb9ee81cc82f36feb3dd67b72dc5a0d5a79372a2

SHA512
4c921f3f6e0716efb18d3744165e9918808dc361e0f4f5588c12f8891ebb01b15c73d2e170f36b326743b092d8d1ea261cb2635bc4a79ffa1f292b94c359a89a

Download Submit
C:\Users\Admin\Desktop\ConvertFromSelect.dot.46B-295-7D7

Filesize
212KB

MD5
2054201ae3af03b097fb09ec0843e8de

SHA1
13eebccb2d3dffec459dbb7bae7d030e4488cf3d

SHA256
88e939f82b1a6053d01bd67c18216d4a92df0f2b902577da4b7a47bdd81436c2

SHA512
701329ce976e1b0056555e86b6c14098336956ade8c8978719c53500aa873ce898d1f45264dbec9c7b5a761dbf7229b5f814c33538a947e67320216be74807a1

Download Submit
C:\Users\Admin\Desktop\ConvertReceive.shtml.46B-295-7D7

Filesize
183KB

MD5
14b8a9f88ed44baa245daa6e63462462

SHA1
2cd44895b24f1b940250cf623e1eb78740d19ad0

SHA256
5fd9199570d38458fb4e5cec5d8795a3ff42ca8b7d3aad24ae8a6d790fba11ea

SHA512
b871697990801dafcf512eccf1c7a1c540d548124853380f88ab1b846ea85e50dcb2756062075b6af68087155925bd1f3a5475899c3e93b68df7c430411b8a7f

Download Submit
C:\Users\Admin\Desktop\ConvertToEdit.dib.46B-295-7D7

Filesize
330KB

MD5
5794b4e7129bc2b4593ad8ffda369fca

SHA1
62ec8c8993b6d5a8c865b28ecbab305a54327750

SHA256
fdb43d50c92412122387c4c73782f12ca920a46f61abcc2eefa20e867bf729c4

SHA512
da814cfb4328eb3dfa175801899f428d7cee3b52efc824fc1a0f16cab7aeb861d34faa93aac1b5b5eadb21dd9e90900eab7f780171a4bab3663f24798f18c504

Download Submit
C:\Users\Admin\Desktop\CopyPing.vstx.46B-295-7D7

Filesize
483KB

MD5
017295c13c156581246d47925da06a8e

SHA1
4b26dc59ab7aa2049e9fcd29d3e13bfbddaad95e

SHA256
decea0a5840cf4054e043a68198399c42af31dfb7d222b8af54f31bafd3d510d

SHA512
f32caf218cc0d820c28e3d0d7e84e98467169fba0a5923e6b9447c622ad85a0a79561b0c8d8b2e87bac37d59ccb6ba51780bd23d822401681afcd662f042e9ce

Download Submit
C:\Users\Admin\Desktop\DisconnectBlock.mht.46B-295-7D7

Filesize
242KB

MD5
d3747f78e392d5c37d3980154b4c9ea6

SHA1
36200bf70acce6368341dccd5dcca949e9570b6d

SHA256
32b3e4d9e0b00cdf0e9bf1191a9f45658a6eefb56398c9bc49f53385d765632a

SHA512
51c61278de7c6d898080088942a705ad065a66dcb8d45ce59fc7f9d056023d42a993e215611be226eae0ca17ab3379f6bd17b4f23ec51098d19079865755b506

Download Submit
C:\Users\Admin\Desktop\GrantUnpublish.cfg.46B-295-7D7

Filesize
262KB

MD5
ba6b423b333cc77ec98a359b8d211e92

SHA1
bead627f46c6fa77606d6028419127d001ef348a

SHA256
2a65244559f028456ae9264481d67524011ccb32775296e9b376c18f31d8226a

SHA512
5159fabc9b2120f7896154d68ee68d226b7c30dcd5f248bf684b836e02ed88a5b45cdde5cdbe44b1650f5bdb31dca4be4fc55efc8e606640c50908761dc40a3f

Download Submit
C:\Users\Admin\Desktop\LockAdd.vsdm.46B-295-7D7

Filesize
134KB

MD5
e3797d1422fbb70ae0224291f919d2ab

SHA1
e533e377e5505dadd216c2885d294343571e794d

SHA256
64dc5af9b553c7b6163fc923c4e904483624bb817205cde93c391bffcd567ea5

SHA512
3601fc68badb8d7b3f1fd94ec28929953c5f334c5e4832287fca54c398f0ccf7fc402f4501d94b6ebc59e27d3aa91831ab7fef89bb5f8d52d86e038a4eed068b

Download Submit
C:\Users\Admin\Desktop\MeasureConvert.ini.46B-295-7D7

Filesize
291KB

MD5
4c567e0f194700836664d74676c86b4f

SHA1
f619d9f1872375778c9bdd79162c8992d07b771c

SHA256
a6b98dfa686a00f7c8d58d4a010d9cd1552dd1b3acada003dc86c9cdc9ee0be3

SHA512
fd7092a064dc8e9a0969cea5f438b226fc48e28c276d42a2a0aa4e3a073efc5de56e455eafbd18e5049b4e0663c849005b2e413ac46bb70eea4199e4aa9f20e4

Download Submit
C:\Users\Admin\Desktop\MountShow.raw.46B-295-7D7

Filesize
232KB

MD5
b10ca0fe2e53cb58be4e1f6b83904ad5

SHA1
9103be77159506ae041317f55207b31246d98a62

SHA256
0d03d19d0ce535d09a1ed8d073ace0e3c0a298aa82af52c84d53646eb8b00a46

SHA512
d6929d8eb75ba6aa4baa626aa5e7dd33b38a5b4407ebd8c70dc4a152bd67b4229a3a374a1397f4ff08ca5b6e39d167089c97703684771602a4fed795c35247d4

Download Submit
C:\Users\Admin\Desktop\MoveReset.001.46B-295-7D7

Filesize
340KB

MD5
34eb6ddf4cf2c6370140e7cf26baa9d0

SHA1
9e530ee33d4f8b173bec920b5d98a193c6e9799b

SHA256
e2f14f931822d4c64e870fb51b2eead8c030d55aead0a378ffe41f08cefa8413

SHA512
20afc911f28a0b11a2bdcbb8180c70b8a7540fb89dcc19ac4324dd2bb3a64f6ea6cd74ba90760e72e1bdb1c80614c63e459e48ed5c2c4f532323a1b4df3f85ab

Download Submit
C:\Users\Admin\Desktop\NewOptimize.wm.46B-295-7D7

Filesize
173KB

MD5
eb36236acf2c23628832b802cd581f46

SHA1
f02879833582103d11bd3f1447660e393ed6f73b

SHA256
9a19ae547c6586976927967aed096bc51b6c6297be0d067398aecff2690d9303

SHA512
b668a6ce09e9778e91c2c31363c3e73d934e9952f552ca72de2cedb00da84ecc515a9be1d6c3e7ab610de002389eb625f7006e5c12652e329acad77398d91a05

Download Submit
C:\Users\Admin\Desktop\PopSkip.mht.46B-295-7D7

Filesize
271KB

MD5
76afdd6b25cf48c38b9d3d39314e8ed2

SHA1
73fc697d4f526b8dcd781aa9f4f49bac76bea3ee

SHA256
9fac67ac32c60fb7ecd0379c6561d6abe8c3df316663408eb292359cc539135e

SHA512
af00823d5d6da1ab06016e75d765f25261554073713e25eb0ec14dfb1b4f5508d679ac18ce680b00c4d63cdd4ff15045caf9bc78322a78de4c282c632a3be79b

Download Submit
C:\Users\Admin\Desktop\ReadSelect.ogg.46B-295-7D7

Filesize
163KB

MD5
d2bec0ac81e8414b0116a90e52f9b980

SHA1
d8ec8ad58836be47a94bad887127dfc9d0b5b707

SHA256
d2aa1ee785ab656c67f513455dfdc730ba5af3542f8cceeaf5bd53f2e5158421

SHA512
f5f35235dcb9b1b2876d82869be7dda1e7df2a75cae874e1d78d096d27e56861946d51b1dc6d22fbaec8f2f73dba88f475b60eb1faff1f489c5596896674f0e6

Download Submit
C:\Users\Admin\Desktop\RedoInitialize.vstx.46B-295-7D7

Filesize
311KB

MD5
5cdf83d7474ec853863a71bd0aca0198

SHA1
22cf968c784cd849f0534e76a492967752e3ea68

SHA256
07082c3d1760ab64587c22dbd90fbff71f994cf968b2bff27b2e68f3b33df343

SHA512
898a6204d5efce7c8a6af99e62ba198372e377c30970fa65653c003151a1ddca47906adad2f5595b83175a80b9971191058f8b608404902b8d7194ec47cfbef6

Download Submit
C:\Users\Admin\Desktop\RegisterUndo.wmv.46B-295-7D7

Filesize
203KB

MD5
96efbb4daf1fc646c1f6f2a1128eb5d8

SHA1
1a618232102721a8a888ab9d46f6c937a8035b2a

SHA256
a1e503cddb2b984f3f66ef29d31310ac35796b8da5071986f68e6c36523886d6

SHA512
7c3f030b3cf78ab36f08ffa0fdc41a862be9f47754d9477a0213a7011732b86b7cc76c050970a6d4ace287f8bc393def86434be5d054c335ce8acf2a4b8d7c62

Download Submit
C:\Users\Admin\Desktop\RemoveWrite.bmp.46B-295-7D7

Filesize
193KB

MD5
7c5cebb4290e609f693fec9bf75c5863

SHA1
3f8480e533a03405715d9608730ab83ea699a914

SHA256
c0d68587c02a15ea2b5b7892a87e6b17b96e86f292992fde9024a745dd6bcda7

SHA512
c8317fb1275cb0875e2973fb19b33ddf4af2c22fa2e9fd8d0dd3c85421d86805aaff45feb2e96fe1a8fb31c3f2e101a8f28c504b9287ccf16cae3d2430498598

Download Submit
C:\Users\Admin\Desktop\RenameBackup.xht.46B-295-7D7

Filesize
321KB

MD5
a7dd1c3018112f2ede4bf692e25831e0

SHA1
71da41031a292a545c6243c2a73a2e03a41bb54c

SHA256
6f6f80807211e0a6ed91fea5eb069d4000ca33128655b6248359d46dc7f9b722

SHA512
479a592de800188697c704f430d7469d6326ef4ea98054c09dbb3348e7e6972e3e95578a1f8b2736af6f38d9eb122dc26b3131483811e05de24314f86be3b95c

Download Submit
C:\Users\Admin\Desktop\RenameSplit.mhtml.46B-295-7D7

Filesize
301KB

MD5
e81e11cd9b0b4c1fa4f54adf4ecde044

SHA1
e6ba99701258d5569f1a793b9009c3940005734a

SHA256
904fbad9eb39818435d0037b3c81f41f99b2983088f2846a3c1f603f198250bf

SHA512
94a71295cd19edaf8293546f6bd463b1aa2c15887769ec38311385f7d4f5f17a8d48547be85570ae05ef51c79e4009b1bf822d1ac5aa6df74bbe6e502218ac1c

Download Submit
C:\Users\Admin\Desktop\RepairRename.xlsx.46B-295-7D7

Filesize
13KB

MD5
de5dd1ceab539766372a596936c6375d

SHA1
67c21adde9d694ccc9db60db4e41f09bed340bd9

SHA256
943506b125517e942d09eeda3428d4c4769111fbc7788b5916d132052b717e88

SHA512
6cc5bdca319d53632b1125b6371c64311a2d35e95a38ff07b9a9fb957a4f69694823a922c7c31d6327e91ee403c622765244845c23d138cb94d1728b93ff6ca0

Download Submit
C:\Users\Admin\Desktop\ResolveStart.aifc.46B-295-7D7

Filesize
222KB

MD5
20d08a3fa38793b3a74b6e7fc86ef3a5

SHA1
04c4a8aa742710bc7c35ea16bdcefbd6f18fd0c8

SHA256
dbc24f0377bfe4fd4758fd89e3952b45089187932485c404cd1174f2aeb392a5

SHA512
d9527117de6cc9f2d3b234b19bd1557f1597a0a0fbeca6e8eec0284d0fbf405e766ef2c25e9b2514af89bce1afb43baa862957481eb9b2cdb4b03ce661fd28ad

Download Submit
C:\Users\Admin\Desktop\SendShow.png.46B-295-7D7

Filesize
144KB

MD5
6c9a26dee672832a582080788654fed4

SHA1
0cdfa8e38e37c752c282eede2f26eb219298ec82

SHA256
e1dc2cf6fa0407ab047181e80f36a7060710414a150aca3cb73b7a7a26df6d5e

SHA512
ee040fe1fb46d4bda1c7664fc08cf2988618b44c12caef0b26df7c0f1f6b69e295903199bed6344b9c7bc907b9e5d7809240f788a19a7825a1e9ca6197073d62

Download Submit
C:\Users\Admin\Desktop\SetAssert.xltm.46B-295-7D7

Filesize
124KB

MD5
ac00e011ca0f6b0ee071d4d9baf97431

SHA1
329ba3583d94cd1a266322c7b0b0d6d79dacc3b5

SHA256
0818639192247f22265c6442d53d3d4c5f6cf02f7df2d74b6225e018245ee0f6

SHA512
bb7bdd59b017fd59c6a542de3cb30b31383cafef6336964d73f8c57e2d0f781803be54dff816c64b6086ed04813eb298e2f1b297d2f13d3761ef250b496fd45c

Download Submit
C:\Users\Admin\Desktop\ShowStart.xlsx.46B-295-7D7

Filesize
12KB

MD5
e83bb61859b0d671620b11298aab3f50

SHA1
5f2fbbd863193b7463ac44e710fccc27b9aa4bd8

SHA256
dfe44fff89ddef9aaaba3ffd3e5ff73c3d0b826596eca4923966fd0383324ddb

SHA512
3791196b9d30120f305a2241a2caa81a12ea145297d72b5beff64014ae756b6d1a1ce5b46b04c1a2afc6ebb85a9ee16c4a30045b76117f42eebb278a57b97b9e

Download Submit
C:\Users\Admin\Desktop\StopRestore.ini.46B-295-7D7

Filesize
252KB

MD5
602f0a84952fbd68a91b564ba3112083

SHA1
51eade8d4412f526c0f6f4129a97ae5cc8ed78d4

SHA256
7a98ede94fdc977759eb3b88a2110e8621aa2ef1ceaa3cb0eb8f0fce2222752c

SHA512
de7e0e9b34213d12f7f3093ed9b9357a4915d40d5ae2b0309aecdb511935f2638e06fe94e7a16ada1394675ffe4f9aa74639f807f12ac75d55d7f3adc07f2a0c

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
ecdfb806d52a04d8aba690d9d0c5415a

SHA1
4fd57fb88446f5f3565a58084cb6af67591ecf9d

SHA256
9ccc746ee08438028852f2518dd9cd51c73c6ff9d04aeeddde2fe65c4e636f8f

SHA512
3988b508e86a8a6a8dea113618a1210c2c65e5da2eae1d796b0e52b2405f50101cd3e7b71aa26a2cb71334abc59849a9697f69286e1c9ccf6dd91ade21c19803

Download Submit
memory/1392-41-0x0000000000470000-0x00000000005B0000-memory.dmp

Filesize
1.2MB

Download
memory/1956-13892-0x0000000000470000-0x00000000005B0000-memory.dmp

Filesize
1.2MB

Download
memory/1956-26157-0x0000000000470000-0x00000000005B0000-memory.dmp

Filesize
1.2MB

Download
memory/1956-20905-0x0000000000470000-0x00000000005B0000-memory.dmp

Filesize
1.2MB

Download
memory/1956-8138-0x0000000000470000-0x00000000005B0000-memory.dmp

Filesize
1.2MB

Download
memory/2428-26186-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3856-38-0x0000000000470000-0x00000000005B0000-memory.dmp

Filesize
1.2MB

Download
memory/3856-2270-0x0000000000470000-0x00000000005B0000-memory.dmp

Filesize
1.2MB

Download
memory/3856-26187-0x0000000000470000-0x00000000005B0000-memory.dmp

Filesize
1.2MB

Download
memory/4764-33-0x00000000001D0000-0x0000000000310000-memory.dmp

Filesize
1.2MB

Download
memory/4776-23-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads