buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 17C-043-979 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 9 IoCs

resource	yara_rule
behavioral15/files/0x00080000000173a9-61.dat	family_zeppelin
behavioral15/memory/2560-89-0x0000000000A90000-0x0000000000BD0000-memory.dmp	family_zeppelin
behavioral15/memory/2604-106-0x0000000000120000-0x0000000000260000-memory.dmp	family_zeppelin
behavioral15/memory/2756-3652-0x0000000000120000-0x0000000000260000-memory.dmp	family_zeppelin
behavioral15/memory/1908-9146-0x0000000000120000-0x0000000000260000-memory.dmp	family_zeppelin
behavioral15/memory/1908-18270-0x0000000000120000-0x0000000000260000-memory.dmp	family_zeppelin
behavioral15/memory/1908-27082-0x0000000000120000-0x0000000000260000-memory.dmp	family_zeppelin
behavioral15/memory/2756-30238-0x0000000000120000-0x0000000000260000-memory.dmp	family_zeppelin
behavioral15/memory/1908-30199-0x0000000000120000-0x0000000000260000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7380) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2616	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2756	taskeng.exe
1908	taskeng.exe
2604	taskeng.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	default.exe
2560	default.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	iplogger.org
19	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROG98.POC	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151581.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01015_.WMF	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00121_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.DPV	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5A.BDR	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Mazatlan.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01785_.WMF.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107480.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BloodPressureTracker.xltx	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14594_.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg.17C-043-979	taskeng.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.BR.XML.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH2.POC.17C-043-979	taskeng.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\US_export_policy.jar.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE.HXS.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238959.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15060_.GIF.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belem	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00172_.WMF.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00361_.WMF.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01084_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153305.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00641_.WMF	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\LASER.WAV.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107544.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF.17C-043-979	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskeng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2432	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	default.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	default.exe
Token: SeDebugPrivilege	2560	default.exe
Token: SeDebugPrivilege	2756	taskeng.exe
Token: SeIncreaseQuotaPrivilege	1228	WMIC.exe
Token: SeSecurityPrivilege	1228	WMIC.exe
Token: SeTakeOwnershipPrivilege	1228	WMIC.exe
Token: SeLoadDriverPrivilege	1228	WMIC.exe
Token: SeSystemProfilePrivilege	1228	WMIC.exe
Token: SeSystemtimePrivilege	1228	WMIC.exe
Token: SeProfSingleProcessPrivilege	1228	WMIC.exe
Token: SeIncBasePriorityPrivilege	1228	WMIC.exe
Token: SeCreatePagefilePrivilege	1228	WMIC.exe
Token: SeBackupPrivilege	1228	WMIC.exe
Token: SeRestorePrivilege	1228	WMIC.exe
Token: SeShutdownPrivilege	1228	WMIC.exe
Token: SeDebugPrivilege	1228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1228	WMIC.exe
Token: SeRemoteShutdownPrivilege	1228	WMIC.exe
Token: SeUndockPrivilege	1228	WMIC.exe
Token: SeManageVolumePrivilege	1228	WMIC.exe
Token: 33	1228	WMIC.exe
Token: 34	1228	WMIC.exe
Token: 35	1228	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1228	WMIC.exe
Token: SeSecurityPrivilege	1228	WMIC.exe
Token: SeTakeOwnershipPrivilege	1228	WMIC.exe
Token: SeLoadDriverPrivilege	1228	WMIC.exe
Token: SeSystemProfilePrivilege	1228	WMIC.exe
Token: SeSystemtimePrivilege	1228	WMIC.exe
Token: SeProfSingleProcessPrivilege	1228	WMIC.exe
Token: SeIncBasePriorityPrivilege	1228	WMIC.exe
Token: SeCreatePagefilePrivilege	1228	WMIC.exe
Token: SeBackupPrivilege	1228	WMIC.exe
Token: SeRestorePrivilege	1228	WMIC.exe
Token: SeShutdownPrivilege	1228	WMIC.exe
Token: SeDebugPrivilege	1228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1228	WMIC.exe
Token: SeRemoteShutdownPrivilege	1228	WMIC.exe
Token: SeUndockPrivilege	1228	WMIC.exe
Token: SeManageVolumePrivilege	1228	WMIC.exe
Token: 33	1228	WMIC.exe
Token: 34	1228	WMIC.exe
Token: 35	1228	WMIC.exe
Token: SeBackupPrivilege	2272	vssvc.exe
Token: SeRestorePrivilege	2272	vssvc.exe
Token: SeAuditPrivilege	2272	vssvc.exe
Token: SeDebugPrivilege	2756	taskeng.exe
Token: SeDebugPrivilege	2756	taskeng.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2756	2560	default.exe	32
PID 2560 wrote to memory of 2756	2560	default.exe	32
PID 2560 wrote to memory of 2756	2560	default.exe	32
PID 2560 wrote to memory of 2756	2560	default.exe	32
PID 2560 wrote to memory of 2616	2560	default.exe	51
PID 2560 wrote to memory of 2616	2560	default.exe	51
PID 2560 wrote to memory of 2616	2560	default.exe	51
PID 2560 wrote to memory of 2616	2560	default.exe	51
PID 2560 wrote to memory of 2616	2560	default.exe	51
PID 2560 wrote to memory of 2616	2560	default.exe	51
PID 2560 wrote to memory of 2616	2560	default.exe	51
PID 2756 wrote to memory of 1908	2756	taskeng.exe	34
PID 2756 wrote to memory of 1908	2756	taskeng.exe	34
PID 2756 wrote to memory of 1908	2756	taskeng.exe	34
PID 2756 wrote to memory of 1908	2756	taskeng.exe	34
PID 2756 wrote to memory of 2604	2756	taskeng.exe	35
PID 2756 wrote to memory of 2604	2756	taskeng.exe	35
PID 2756 wrote to memory of 2604	2756	taskeng.exe	35
PID 2756 wrote to memory of 2604	2756	taskeng.exe	35
PID 2756 wrote to memory of 1152	2756	taskeng.exe	36
PID 2756 wrote to memory of 1152	2756	taskeng.exe	36
PID 2756 wrote to memory of 1152	2756	taskeng.exe	36
PID 2756 wrote to memory of 1152	2756	taskeng.exe	36
PID 2756 wrote to memory of 2912	2756	taskeng.exe	38
PID 2756 wrote to memory of 2912	2756	taskeng.exe	38
PID 2756 wrote to memory of 2912	2756	taskeng.exe	38
PID 2756 wrote to memory of 2912	2756	taskeng.exe	38
PID 2756 wrote to memory of 2308	2756	taskeng.exe	40
PID 2756 wrote to memory of 2308	2756	taskeng.exe	40
PID 2756 wrote to memory of 2308	2756	taskeng.exe	40
PID 2756 wrote to memory of 2308	2756	taskeng.exe	40
PID 2756 wrote to memory of 408	2756	taskeng.exe	42
PID 2756 wrote to memory of 408	2756	taskeng.exe	42
PID 2756 wrote to memory of 408	2756	taskeng.exe	42
PID 2756 wrote to memory of 408	2756	taskeng.exe	42
PID 2756 wrote to memory of 1340	2756	taskeng.exe	44
PID 2756 wrote to memory of 1340	2756	taskeng.exe	44
PID 2756 wrote to memory of 1340	2756	taskeng.exe	44
PID 2756 wrote to memory of 1340	2756	taskeng.exe	44
PID 2756 wrote to memory of 1800	2756	taskeng.exe	46
PID 2756 wrote to memory of 1800	2756	taskeng.exe	46
PID 2756 wrote to memory of 1800	2756	taskeng.exe	46
PID 2756 wrote to memory of 1800	2756	taskeng.exe	46
PID 2756 wrote to memory of 1660	2756	taskeng.exe	48
PID 2756 wrote to memory of 1660	2756	taskeng.exe	48
PID 2756 wrote to memory of 1660	2756	taskeng.exe	48
PID 2756 wrote to memory of 1660	2756	taskeng.exe	48
PID 1660 wrote to memory of 1228	1660	cmd.exe	50
PID 1660 wrote to memory of 1228	1660	cmd.exe	50
PID 1660 wrote to memory of 1228	1660	cmd.exe	50
PID 1660 wrote to memory of 1228	1660	cmd.exe	50
PID 2756 wrote to memory of 2132	2756	taskeng.exe	53
PID 2756 wrote to memory of 2132	2756	taskeng.exe	53
PID 2756 wrote to memory of 2132	2756	taskeng.exe	53
PID 2756 wrote to memory of 2132	2756	taskeng.exe	53
PID 2132 wrote to memory of 2432	2132	cmd.exe	55
PID 2132 wrote to memory of 2432	2132	cmd.exe	55
PID 2132 wrote to memory of 2432	2132	cmd.exe	55
PID 2132 wrote to memory of 2432	2132	cmd.exe	55
PID 2756 wrote to memory of 2120	2756	taskeng.exe	56
PID 2756 wrote to memory of 2120	2756	taskeng.exe	56
PID 2756 wrote to memory of 2120	2756	taskeng.exe	56
PID 2756 wrote to memory of 2120	2756	taskeng.exe	56
PID 2756 wrote to memory of 2120	2756	taskeng.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1908
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2432
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2616

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
c044b98edcfb5319d33583ccb74486b8

SHA1
d1580856c0994383e8996990eb6a3c76ff63c9bd

SHA256
e4da1a1f2dcc31d1f82617d1e7750195eb43546ae8b1af714b3d0676f94b6c68

SHA512
828e19852c6c01599c5f3c2b192d2fa5eb87dc157d9d02201cfe532d4fe6bbebb214994c0bff9485876ee2e8da6427afa90c2d913e8c48b63967fa7ccce03b29

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
fd4bc5cbfede34cb4e70e0247b09211f

SHA1
bc652b6b96149d93f558aba34b04aaceb129c184

SHA256
4853fe95e3aeef5515079ff05b55ce6d846f850db307b980da06961e42b4f346

SHA512
f5f2b354f6f1b15da2e26a7ceb8101630f493311e6db6af7361d81a0bb63765f5544418a9721361f87310d70010fae239f83357386bea2d22776f0323d436a36

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
3d0d02849b44cc038e070827cf1507e6

SHA1
49462522f1af65f35b6d1feca72af373ed4f49d1

SHA256
4ff3b832a82fb1f4fdd55c21a8c9cead5c1538454ba99d1ec9c726d03717b126

SHA512
540678286e2f30c67fa8de33913a9a2080f9dcf977d47a08bdcf84998db56fe268467f2f9954ce336b9fd01544daa96776f5b4b6354787af7fba2b4b2157606e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
17a16558cba36a80be200058166527dd

SHA1
31c69439bc65971aa80430cd09e2603171140651

SHA256
e1399967ad9aeeb8c8f92ab6c5257448347d279d72bca3f9ca2e71120ddeb10c

SHA512
0f89dfde874daff91b9b39a744166c42486288fb9e98237772c720056d3844cbea3feb290b976eacafef3cbaaae3cbf1ab8da7a1a69ec67ef2ab5d080bb06dba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
5a02b6f7ed2a6c2157c0fad2db2bda0f

SHA1
f800f897651e84d9a6e506143f986f260685d828

SHA256
42b7ef221bb80891f8c74c93011bf79065c004f612687a2a5552b1246480d9ab

SHA512
7a2de46c902f375513a8363974b2f752304569a6f9fc24c853a748d6d7b1cb94fc23ad2a440227df0476fb4e57ab6a42d5054a413b7bf3ce95f65df75d8d6e31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL

Filesize
332KB

MD5
43806d3450122dbf7fb954c8f694c87e

SHA1
e405bf5ea194a51f8a60cd746b0afb0acb7e84bb

SHA256
f9626224e8acd8b548e08ece624871f1ac5c1b7604324b686cd21bbcaef05942

SHA512
e8beb2790b0f229be9dc4594179c8947427b91ff8a0ae9c4dc6700dc25246e084db7e34dc4ba349ae9eb94f061b3a170c2af5f9cef2478fb41e33830e8a2df97

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
361a4240933257db1e973b8f1bbeeb0c

SHA1
0ac03818294ae99057ef25cad492a514b1064426

SHA256
0c8f81f7669b16a5cfcd6dae0b827cdaff1b237d7ecf5a1af2322c62f8e26e3c

SHA512
008851578ab9d1e3ad1803a6102d1d71c7a8da2158728af1732db6bb54609205a947436ab4e74fa5e12bb4dbcd10cb30d8acc6955aeecbec6133472574810762

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
f39bfafb6054f4d27e3328fc1fda8661

SHA1
3e191e7ed8c8947061f8cf27ea995f675d76e069

SHA256
a7b4936f71b9b04c3e4d999cc16dc8c828fef29660efa952fbb7f3f194f8f299

SHA512
9c660a89c8ebbb098f9954e180f38a2c1405989cdcad1dca82e0d3e8d890ef5d312f06a1117064d3c5c719f68918d2f37e1903df9264cdd181a7de6781470010

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
83b22d4b622be74bbb183d21c18b8f69

SHA1
96b78f30f4c43e47f62b7370e9e3a78abd347142

SHA256
61eb8f46ffb8ad8dde0eb1e0e05084c30e9945583b7da15edbf54216035add6c

SHA512
e65955a062f902569524fe921831f84a66658a446f1e9d5802084972b2fba8dde8316b2cab1baa8fe8813bd349a6561381f697691ed909dae82cf0c4ce56d446

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
49af78f1442339c9f454a4f44a291fb5

SHA1
84460710c20f2d2125e6db8226e29ea1154a4a81

SHA256
21019243c962899a6d686dec85391c06a3250c92fa0fa03a385d9193705cad32

SHA512
24663f5c9a79d13461fa3e37c42fb559c49f1b74db7bb59940037e0bb84bd6f08cb355138f1afa4ad5810b3e73d4508b9b3487b32dab73c1d1c7d76d3157fc07

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
a0c8b46168fcf7fc0ab104fa1f1461aa

SHA1
193e5363745e37a4478d64461d1e95b8cf643f79

SHA256
ce2e6c5d6c26785a320dbc451f32141983d975367badc0c510cebee4c76a4b08

SHA512
02c8977f20cc048c1df85fbf44830955afaec0f421d4ceba28ccb2ff4257109bf3284f31fb181020d78689bd3a1d6961af506a099ecbba036422fea6518c143a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
79KB

MD5
8df7ce39fa7e71b80258edeb7db3243c

SHA1
aa0e3ae0299ac19caa7aee6485da380f6a8451d3

SHA256
43830af05af7f0d6f5d0dc77c94bd1a9f690b31b94ae7b7562c3ce7a91f4eb91

SHA512
cd97b6f5a59a6391aa5499d24c6255587ef0de026e6d7a6a1d5dc5b26840ec0c076c84f2107771b12de26da8068c86451141d3c876472a2c59a58b7d1acbf89e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
53c54fde1c9c7b8c6fb707fc3a42396a

SHA1
3deaa319f98ef6e1c08dd5cc45791f9e9c157548

SHA256
8c761188c20d79084f02f1908199a64266ffc6f8d098f9bd95e1bea55fe758de

SHA512
b0efbd5be06380665bc78a2c540d38281a3c1d0ec8c2f65b63319999dfb45dd6b96ec501f41200d496e085e40c7b6279db0f513ca80bcaea1e6e5f133a53d3fc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
d987b72b4606c0cdb87df03dec1ae086

SHA1
4f7e3e24f591a64637b546848cabfa1cc7a2b0ca

SHA256
e23f1622a9b2ab0d91aa10981964513117887a27cb357cc68bc719d8f40ce474

SHA512
58de201b45beb015b39e3786e02f612b3f4845eb6f57becac884bfe6e53cc1e8f00aa82d5598c5c62ee486663d64a585ae2a24afc5f5933d6c0b777c371983d8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg

Filesize
22KB

MD5
a82ab7a063a9d819b184d1e0b2dd3093

SHA1
1557fa4ee8207bbc22e5de61abef7a87b046a2ff

SHA256
2d50d4adbb29c31f56d28f7a5a63e71ab21bfdfd8b6ce0e40163ac3f5e5bc03a

SHA512
c20a2574a3ac23fd203205f63f266ad3873ac456443b6ca8325035f2fc412799e8f1ae10516ef548af0d47936eecc92ae88a9a41a89f9f4cc872c6973fb57e8e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

Filesize
17KB

MD5
0ad186fd4063100c2cd0bc238df11bb0

SHA1
2a0af79475b45b49e758d138dc2d419f46c03ae9

SHA256
f46323213b35c59bea3ef961d11161824eae9a083bace8961d300b37ba4703f9

SHA512
133b33a3742ea674bdc32f2e8c28c946f12e1baa95fb3d1b6ab9859a5de49008ec63c9d3ab787b82df6316d9c91a16d8b25c92ec421d52ced8f1e93e7f23d6ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
c8e0fd6babf160056186e7b1edff3376

SHA1
30a2006c2c3c9af9d63e5c3b6f842a1e33f76d9c

SHA256
1fe3058688742a08eef43d04927a3bd554e6e17d7d7ed2001ead593e7015f79a

SHA512
12b45fb9d7db0ebdaff98349df6d6809c236581e168f7654061f7f17f20ac0f7bdba2fe02d952916979d692fbda404f6c03b5443c032f47a354b31469a43fdc9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
53a45965a14352fc3a3e62748d9ca970

SHA1
126dfa207a249fca9045acab076341f346593f04

SHA256
b6589dc15c1cec3850ed506194bcbfe34c4477bb0822f3601ca41a512fcb943e

SHA512
0a1bc5886a82b208e29feb18310f8fc3980e9475174c785709b3a3214263cc29c493ab466afd36b9fb29a394ea8e8151486242f98c8af2ddb2b959ff69e56335

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
1fa619fc88f65cf7cfa16d39cd5857b3

SHA1
48ca903111b32a0e85d506ca4fbc5dbe8272ed19

SHA256
7fc5918629480f7396f593248132e9e6825731d1a234d88745a043b27c12e2a7

SHA512
2c4e824349d1c86dff90097fccc4185a58568b786d6b9952bd355e44c835fa3558fb2cbbe2cdddcc6b38e4076c9770e8c95e8e7250f310b7eb1c3f61a23b984c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
8a23828e10bf6b1a25dc02ab4e8fe520

SHA1
f18968257f04b15fcc066611bd0ac4673462a1ae

SHA256
8615f9bbf40e820f48637ad278fd5527fd9a0041378b9e9a2a7a65bed5459ae5

SHA512
8cd51ef5ca00efec03e461dd6028aea12d05a11dabb989ed5ad7f10c927dfbc1158092147bba45622799536b93ea11fd4c6d2474f2393f10b347f99621660701

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html

Filesize
10KB

MD5
62f6de7a6a31c85b630dfe9689b8b036

SHA1
5867fd93bbfcfa4df146046bb006621194b550c1

SHA256
0b910487c6c7ca865b2b54f01408399f47c27b44e0f5f20ad1c599a888ea2593

SHA512
9819c66a31f181ed011acddc4038ffd392d63b31837ea9fd5064b8480ac4de061d304796501a430e5a906f8ea09ae6db8ebb131c0c5a2d610e793a94d7bfed16

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
009b205c9428301699f6df83eff8122f

SHA1
dc56a7fe23ff66ff92ab542935814d18278ba022

SHA256
d007a7ae6b345842924fba8e8358bbe6defc7022fda7a1b932a4f12b4571d182

SHA512
b1af3b246621dcc46c7072d66f9b077749480fd923333f4956fe57ff2ffb5ab0cd193e575e4bfd813a43e62adec41269d3e89688f73ca79c48486145b9a6f1a5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
1c4fb3d3dc1ee3f28fe82df1ac01ea0d

SHA1
2b2feb09d9fa5e75f2ec6b5173f261edc1927186

SHA256
d8aee4e5f7a01c027961b20a9c8707d283fba194235c1f30aeedc5f43789eaa2

SHA512
837074c5137694bb459e85b7c210ef7a175c3effb6c0824ab6111c77fe42502d84f48b4069c2cd0e7e43fb8c0613511dce05efd43249b202d1e3cf4ec77029f6

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
47d3cbd01b833975eedc412da13badd5

SHA1
20f4cbb9d1e992c5f08b136146dff7b7af4229ee

SHA256
6b414ae79858d2ad01d11b1587e7806a0b5e38e178b8e4a0fdf123e0ff251dcf

SHA512
301cc022d5f197668933d8c3056fc6096d5a89540e68d3ea7e067d8e7c453f1a0a8bb2dbfa3d2c4b5b9bb83d7383b1313403de94c97af7081de5b3ca9a3e02e2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
e3d495c1fd890ec00caabb801cbc425f

SHA1
8f634085d49e9502d694409ef0229ccc3c5411d9

SHA256
33cccc5d2decdb4e7784ed9ea02419e1fbc7f6f8d287e7eb7a35527a8243c74e

SHA512
387459ff13b82e0ed37c454ee80441cf161f0162dd912ff8783d71d46cb3217daeef31eadf5e2acb3e9cd504e45973519fe01e9ce44bddb1f11f73e3f6c70df7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
086a91c9c1716260b86cd85eb4a9ff19

SHA1
f501be79ba48e0db3ead8fcb9e0a4881c242ef71

SHA256
0b46251e29b35edce74a271578dc2f9cb5f4062f0c0ae48410804f3a58b30c08

SHA512
da5df56a39fe29414272df1ade29ff25bdf025efc81fb35a5a1bcd306f6be05554aadcee627be25a7ccf56e53dd4a4fc157d2d00bb584bb122de93ecfb9927b4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
773KB

MD5
5996f00e5bc4ce64c61e2614f9cefecb

SHA1
9d7cbd42ac3edb9fd323485113680d9c5d72800c

SHA256
dd8f1047f59a628e2955c31c6b3345aa16e139a4dba99134bf7a995ce7ecd0e4

SHA512
79af9eaf002a52a7a669d1cb48c7a5c2edec693317c35aba3baf001d480fb4d2f785a7710c924356ab25d5067d6aacc62da4de8e768b020dd307c54335852856

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
5eebbd5d5f9b4cf869aa90de8575a10d

SHA1
7873003049ba71de5f732bf55ae329eeeb66ebaa

SHA256
203f4526b1701d483bcc26f51363fd188e79c9a2b48dad63d22cdf54742a6d90

SHA512
8456c8b71766af337bc9f35f66c4e0af4042826506fc3f6fff336ec50b2d4a4395c70616b02b6800ed2eb1e6d143352337dcc71bb35d4209688b30903ac35fdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
e496751cd2219f672baccfe069c05607

SHA1
d43326345986e0c3a25bcfef2febf570a1794915

SHA256
272f89d727d01fec581fffb1a38e02ce025eb523663aa3e102f77ae9aa9e0f1b

SHA512
e84c7c29f3aa5b2184bd6590f3660ec3c67b5814e226f4f7c4ae9bfb11080ab0eb2fe43697710bd64beef869e368fa1ddd85495f7f92b0ff6a61a9c59264b5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
d554992d4494a99ee1cb814b6a475ac0

SHA1
28f5679ab12b98f1e1cb1db81cc45d2e81bd7eae

SHA256
2305f09094b346b7d121fdf848cd807e31fd3d788e1dd12bab77963dd792c0cf

SHA512
00da55828c7237ce5086b21b0bbeaa73c45ce13b974fc5881e4390d78118721abe690879b21c7b638bbfba7c001d06ddec2db51bd287dd8d8c129f69ee7b2e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8e9a72a6c3f0f85aa9c1191fd7f475b

SHA1
6ca59986f7442dd4cc86f8d9ccbbe60bf0bb5521

SHA256
7be0516557405ce6902e0029557412f8c439745532018adc581770b4177edaa3

SHA512
186de583be2ab6928a31ca38fd6419437a26a3c7c75c854818ccf48ec6d79fa76902cb1ed0168772d4aaf817a26263b8f0a2d9dc338d86d5fa2433920fc16bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
2374e8d6d4523d6d5adc2c50c33adb95

SHA1
968fe43be02a568b466962fd0ec19a6de7f2a0e6

SHA256
970564085c107c3dd6fccc3ae0a69f04c3af8889f1a13618668c49fee063192f

SHA512
9cca0c241da3767a8098df77d16f1e1a67b3dd63cc83040b81e43203bdb5b5fbec29adf95d42840ccfb52f7f2178dcc02611dc3e861c38e40c559e0d29e1621c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
665fb3631f43d7c4a82a29663c83ed31

SHA1
b75ddc008f777ed29793fd25cb0ee3bae6c0cc86

SHA256
e68ab90b99193261a5454f7e9401dd527cf314c0b7310f27ca7728cb76ff31a3

SHA512
62a7fb0ee98660dc3f2ee9c07476f5b1478bd5c820024f8036335e80f21e8771850d769f0053455fdcc96c18137d14bddf1e1c976e409a7a600395551372dd6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92cfab8e61fe1b0fe1035258fd343c3f

SHA1
28a199b96dfa3cd350efd2e601ca890edc033496

SHA256
593c0d3b8bc428ac00d8cf1962001131723aff46e6504d51eac5ecad451aa02a

SHA512
70dfd918507a0f2a0ddfc1211beed56b6d476ccc2b47bbf77e2d03b8413a48fba2f262c97699b83efe3a4cfaf61d4022815f0656bc979ffbc46b500b14f95d31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
0b74634a900586c50d91684cf74339a5

SHA1
11e8b6309d13483f71992082fe6d3a2878b38b37

SHA256
a894351d82ca6480fbd8b30de4b0a2d95eb636aef34e84190de6a0736dbf8858

SHA512
209a246f5e2964db94ae899314f142913f990602c29d2135518c645c93aab1d3d41beec7bd058068aff07412387a76c56c3a1f45e5d49bbd4ea5a5b10f64007e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\IQXOH1LM.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\PH0USO9U.htm

Filesize
18KB

MD5
3c9fb9fbbdd372a9ab7f4e11cde5e657

SHA1
06f7b35568d81ca65e30ac213ff1031220ac090f

SHA256
f363ad44f70cd532e08a53e7ea0323f68d2b58b448349034ccc3dc3b0a96296f

SHA512
dd585b080863512a9a933e39d7542b13b3501f43ddfbd153e266964c37846e4d7ebd798512f705457c2be74a80a1d0aaf98c11ba5e6c2ca3f07f29eee1f68fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8FC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC90E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\ApproveUse.vsdm.17C-043-979

Filesize
954KB

MD5
2290dcad3e92177109b2765623e23f24

SHA1
ae69e2e5a6f7aa099417a76a0b6abc726f75a862

SHA256
dcaadf6cf747851737eba954d91a740775dc4245bfc5459a3d4168f92b4af3e8

SHA512
0bfca2aaf85721b65dc4168ab51469ef22eb495a87e08e17018c767e4e2c1f73207cd46443679cf8f13fe0b1279212f9d7257a265f3debb7fa9570f430d28c21

Download Submit
C:\Users\Admin\Desktop\ConnectRepair.mpeg3.17C-043-979

Filesize
619KB

MD5
f2bf9ffc4d5b6aa9123171598c59be9f

SHA1
d109a8b88bffae5d9cb74b0bb561bff10799d8b1

SHA256
0b27795c77e3e60ba32f4bb7e39ba7bbc83e8293d6e52340716cd49cfc8105b1

SHA512
5f4604dace5430b7f3ed2c8e843e5873a0faa0506e6ce387420ae7bc8a9ea82040a484aa5739fcabc8c85c915819bf757f45abc3c93ba0511e9761ec50b9a58c

Download Submit
C:\Users\Admin\Desktop\ConvertToSync.M2T.17C-043-979

Filesize
465KB

MD5
5dcf53c1b0bc4730b34c7e63955762af

SHA1
8c3a523c38c67cb3ae70d3f03b9c1a2ecc47327c

SHA256
fa81eff1fc6fdac240a3bdd60c2b4a7815d441b42bb9a37b4df9356e8b341782

SHA512
d494167aa575513652b7a13431924c26519f9787e27aeec7ff514b79cde10a80f25d9a58cc9a3e59d1c7a2524667a53b11bf22cd08a5588029ff885558a22c57

Download Submit
C:\Users\Admin\Desktop\DenyRevoke.xlsx.17C-043-979

Filesize
15KB

MD5
f6bb8e3ff1cbb52062581e4f36041317

SHA1
6c252a6ddb73a1a6c1ba77e6af18f6bb361d2fd9

SHA256
31555f41fcb3171cd505bbc86cad41a3e5e6b6f4e5ef5363774633066c934bd5

SHA512
c54a45601e3d9988c13e9ea7a54cde5ccaee18fd2b1071ae9018c8cc9017dcc25e34e7e3fb3c5c3d78e9b8d8820f2700f333f9f2e70a240854c73feb36d98b5c

Download Submit
C:\Users\Admin\Desktop\DismountApprove.xlsx.17C-043-979

Filesize
14KB

MD5
055f4485964a5e031f3a8893515c1a05

SHA1
f65818d71273101d1a4b3344c05e65ff3bf547c5

SHA256
4bba92780f99d2aa7a89dc989d8fa127482f8ed55f30bd4117aacd289406ab5f

SHA512
be9a494b06e236e474e4486069147a2df5074da0327e7839e3a37113e4b8c77f6741ab95e438affa835c4d897ce2785a143d7c54d43b0e5bd8a7a16070f7472e

Download Submit
C:\Users\Admin\Desktop\EnableSuspend.zip.17C-043-979

Filesize
877KB

MD5
f1995c1a6e7e545ab7e0ff9474f1a427

SHA1
04a059448585f384c3e41455f8c594066b6b5627

SHA256
5ab6381bde75ecc38361b97d0550318cee18a351de8e13386f704649f66053db

SHA512
a3a729349d36d3af6ad71c853f613437376cd649fea92dd1d0555b793a62591501a03181461d61ff10d2c7848df672f44299551674dfb19befb4466416ffdeef

Download Submit
C:\Users\Admin\Desktop\EnterRestart.odp.17C-043-979

Filesize
1.3MB

MD5
95228d4aef34192432a8748c4f4c7a08

SHA1
df10568e8cf5e4defc299adb7f58ffcd6d88d98d

SHA256
d1ff637c58a7adb4232216ad693e8d42b32caae7755cbb85e722186e6eae450e

SHA512
b3b9c9fdc48af619e35e9e22a22f1cf3d41144e357434ba70686d859e490422dbe1d8bee68e03de414c8a2dba6c4fdda4007a3dcd27ce5ba8268aa48f8fbae0c

Download Submit
C:\Users\Admin\Desktop\FindWrite.mpa.17C-043-979

Filesize
722KB

MD5
23a34e1c5c48385f702cfed7901454b9

SHA1
43f81765b1dd92e09c1a19e19e84da014280c0f4

SHA256
340c141d787434cf9d233eec6966bd436c508b988e5273380e7f7689f726c760

SHA512
c7455679b6c31634d59c0f35f35ef7cf3f03e65917e76f66d48f22997a4771f52ef71d0f44bcafbf38f55a8429f60650051851d5c50890f2f5e422052ae9600c

Download Submit
C:\Users\Admin\Desktop\HideSwitch.tmp.17C-043-979

Filesize
336KB

MD5
0bb244daf6506ae5f958b7cfe47084b7

SHA1
0aa89d6698e7b4bcdf805a8b965cdb9a309062e0

SHA256
91b11184702637201c2e7c4c56219bc86018ffc01d6d5a70b7a90f6106dfc0ab

SHA512
f54c78410873237994b09adf9b40ad1657182a2fbb0556545f41ece44fc25537bd01e4c19c21730592e99fec9a4f0a8819355a8c77f2e1fcf28cdac560abeaf4

Download Submit
C:\Users\Admin\Desktop\ImportCompress.jfif.17C-043-979

Filesize
645KB

MD5
cd9625aea15e391fe349f08db6a8b9af

SHA1
e68deb4aedd1cb3235c643ffccbb714ae00c248f

SHA256
fdc1034af97df75ff760af82735b78453a189b30899d1046ace67cbc88aa4458

SHA512
635ed66a616008a22f22e3d6c61b5261de7267722efd65bd2d65aa26b96e832b1caee32c1a4122bbfecbead8bb69290bf47adde0b2d48e85d8c0d9dfc595c6e2

Download Submit
C:\Users\Admin\Desktop\InitializeCompress.xlsb.17C-043-979

Filesize
568KB

MD5
3346041bab818f362eeef57aec190ca4

SHA1
c0cbc110ef9ce2988678845faba65cf352c8d25a

SHA256
e1ddcc7983e0eeaefba5604c89dc615d98d56befcfadcd5db98a809cbb127089

SHA512
04141d4852930a13b3d2fe80ba5c2c305b1654dc2863f64696a95a8f6f4aafc839c719ab997d5fa6dde66bad3bfa4a19edcdd57dc4ebf73fbd5c9ee8cdba4f1f

Download Submit
C:\Users\Admin\Desktop\LockExpand.docx.17C-043-979

Filesize
362KB

MD5
c0a34fc3e79ea0a37cbeca2c8db6047e

SHA1
81c3e8ca126288cc7718eeb2c85121b8ca90b14f

SHA256
940d8308bc26684dde591dfe956f610a8f938de9fedeeeeb472962f3571a358b

SHA512
71ff8f1d29ad706ccba180c12ead518e76e4cc1b45562ceccd57f378adcddfaa30f9572b966775b2dc4df8af72fdce86c25138c5da18a299c779b8211ea29d74

Download Submit
C:\Users\Admin\Desktop\MoveRestore.wmv.17C-043-979

Filesize
902KB

MD5
4be5ac6e27ab335d3333a76cbc7e621b

SHA1
ef06855b45a655f27c0a68b54e096e95f57ed0df

SHA256
645da73c99bc4f9a67d00c6bcddfceef5b448ade80053466ac4ac230b27088bf

SHA512
b4d3cefbcec8f51828d8b441f1f3a69181259b9e1ec72dc6487429a2c5e257cd4e98b5d6e2647e5aadddc3381b76db04f38caf8dd0e42aab31c625d3001d3a0b

Download Submit
C:\Users\Admin\Desktop\OutRename.xlsx.17C-043-979

Filesize
13KB

MD5
d8d5a9597658ca1fdb3ad27ff7e11422

SHA1
b2707b1b3b659a0cface45371aba31f53e43071f

SHA256
063b793fd5421cd4176ecad1b46fca9e2196ca5be8871ffbe625c42f455fea8d

SHA512
24f5530a27e69c20e76673d75a0dd39acd39ad3cc984a67259a9543047e2d594fe4ca9897d3c517a6b9d67f850959d22f536d74a13f64bb9868b3264bfcac2fb

Download Submit
C:\Users\Admin\Desktop\PushGroup.emf.17C-043-979

Filesize
387KB

MD5
8c34ee6926277da9e1273f0553655fa4

SHA1
62caffd0354f0937013793dca8ece7656c194006

SHA256
b958060e49718292d18d6f898d76e463c586c7724eda7651688365e310b15ddc

SHA512
c16467ad227e457ee36204ab1c63d012fe3db14e27031e8324975fcf43c3fba43c07308c1edeb2868614052c33b95f352001eb9eecc5ee031ec980efc4f66f9c

Download Submit
C:\Users\Admin\Desktop\ReadMount.search-ms.17C-043-979

Filesize
696KB

MD5
d25b1236ae0d86bb1c4f5a9fd93b980e

SHA1
6ef26fbf9dbd60d82c7c5160cf5f46196f63391b

SHA256
c0b33a2167d4e4cd4dc114db485636b48400edfa64f98c747ec5ed1c31990ad2

SHA512
f2939b0d42f30fcee2614e7350c60ce6a79f25c5d84597bed81d42251740350ca85825330bfb9fd8d714bd51f8168da6cc9118b709f5619b6799be04c921d7c5

Download Submit
C:\Users\Admin\Desktop\RepairRedo.xla.17C-043-979

Filesize
439KB

MD5
eb87a4eba47624b7bf3d360a05247c22

SHA1
810f6007c424a2684b4219f053eed09744c48df7

SHA256
41d4ae281e274f473c11be7b8152865fa66689ba291f699c10ce43e40fe86bb1

SHA512
26fb9a9e9f03918ff5fd370450ae2c8e568ed8979a8b6d2887b4c37c5768d860ba6bcdc839cc9c4692f60e11ede7d12db7249b570de10c0fe99440be9adbc9b3

Download Submit
C:\Users\Admin\Desktop\RequestConvertFrom.clr.17C-043-979

Filesize
413KB

MD5
1ea73d9bbfec8bd3e9f0101d5c1fb77f

SHA1
f8e4e1a556e3824aeaf42a3a30d1ba77dda6de19

SHA256
b4d8091b69f3556d6f617d7d1d9c4d2f54703a42da6b80adc7c787e07f8ebab7

SHA512
e706c0c6299f6bd45cecc6f1516e6fbe98bbcbc3198026538da198b79f353919ea5a9184c683bbedfecea8ce0faa115e49c366b885b33ce54d9ad32dd37bad02

Download Submit
C:\Users\Admin\Desktop\ResolveApprove.WTV.17C-043-979

Filesize
851KB

MD5
9d6a9c8a07df987a82d464bb997f87a0

SHA1
25d965761bd08ee432fc4334218c329b9057d3dc

SHA256
862eabeacc5829a7710d08fac63a8ea7185a6568c2938c80c53f01095504c228

SHA512
69143e233033a911ee9789adc21e71f6a9ef0366a02f4ea69ae9322d525a162f6680444d2b8a3e14a89ad21a3b5017d542e6a4178543c09364a112f42c0c5f8a

Download Submit
C:\Users\Admin\Desktop\RestartRevoke.M2T.17C-043-979

Filesize
593KB

MD5
9491c6f3b373f15cd604a456d0b27560

SHA1
5b6be34b0a9f4f332a825cfea905e3804ed150b8

SHA256
3e94c0ae58d91ec43c4bf237175a0a1d968967286072ebd73824767b4e60d843

SHA512
c1fccac375954ca18b6c06f674b57f7ec9ba0c0cb16d0af64b77f09d36f7f4e5e14f96427655a456544440d6788a1f4059e8e62607151eec1a33de4361156e51

Download Submit
C:\Users\Admin\Desktop\RestoreSelect.xltm.17C-043-979

Filesize
490KB

MD5
4963c85b7addb834927134c35fbc380d

SHA1
514c026d25bc07529aed263958724838ea3f9509

SHA256
9364259517d2db238118265499f913befde8c44dd61bfba088b02955d031fccf

SHA512
dd2828cca6d9a7dc85cedfa6faf7fef901365905eab87812f445064c6505fbd22cd8e5558e438e07707cde5a6e2d23096727c40b0b774840cb88a2ed2a978c50

Download Submit
C:\Users\Admin\Desktop\SaveReset.tiff.17C-043-979

Filesize
542KB

MD5
c550fd19acc2dff7acd437ce42ca06d5

SHA1
1fb96a13fe2e90719f77e3fc5bfbc8f68a315b5e

SHA256
1818eb679aaeefab1fc52367b8a5527779c13a0eab7f436b918142dbfe9d6e57

SHA512
29b2a27a1e29d6091f75dce486702784974155792276e3f0e4b71ebe4b14444e08b01c2c781baf0a141514637d46079f02812dd05036c94732fbd7b021adcb48

Download Submit
C:\Users\Admin\Desktop\SendUnlock.gif.17C-043-979

Filesize
516KB

MD5
f270847948ed66879518bc5eaf2d9a63

SHA1
3ea60cff88756d5f626ac174e213b48d93abd1cd

SHA256
68e4fee6877044ca6bd2d7a7054b7870260ff8e635ffa6c2430a6cb7b5b40a8f

SHA512
ccde4aa8dbaac56979435b9a76aa27cc6ac8226dd59d68f7c4e02bb84df420bfac102e86f1e866880c3bbd08f8753cf743fcb00b1fb56cb3c79b95079f2af476

Download Submit
C:\Users\Admin\Desktop\SkipRequest.m4v.17C-043-979

Filesize
748KB

MD5
3563a82373ae3db386fcbf8264276f3b

SHA1
bcc194393164775896b95ca085f899eeed7061b4

SHA256
10bc026e00821b19244f75a2429db66ebce4ae764a1fcc72718e155c2b754c5f

SHA512
84745d5587f66c8616aec9a20f51260428d3e792dc4862bfc183b417086542349e997233611d3eaccbf2468444baf516e73eac832c8f15157af6054ff0ec59dc

Download Submit
C:\Users\Admin\Desktop\SuspendRepair.midi.17C-043-979

Filesize
774KB

MD5
e611a0f9bfe5de43bffb9bd75384e9fa

SHA1
10faad7ecb752536c14f0925d2276ff444298dfe

SHA256
6efd6d28f49348b4c1054d30fb369e7689db0c5a840dfd155057ce88ba005191

SHA512
33956ba1ca0c52d3ebe3bb92b1b19199497c983ae1f46e77d395a088da310ea7e0ce37ad3cdb9582c2774d9de5505ec5538f05cee65f1e74228a683abf6eade9

Download Submit
C:\Users\Admin\Desktop\UndoUse.xlsx.17C-043-979

Filesize
12KB

MD5
4d2446e913e572594557065da87d1276

SHA1
fd01a9c7c2d69bd188159e9f4cf316a73d2d9a0c

SHA256
7b7fe2921da0f8f2695841a759f533d040577e4a11fe3e4c531e86012e892764

SHA512
500380d001bef7df587a98367150270153573a35d8d8021b3ef09adf963b2a4c7ff27b9966ce54a6a8243106938b6142598ed960fc610881ade78f5e4ed0adb7

Download Submit
C:\Users\Admin\Desktop\UninstallInstall.docx.17C-043-979

Filesize
14KB

MD5
9a9a8503017d128b72edea8ee7e67f45

SHA1
fd3dc11cdbbb6e8a23c16c2e5e0bff07ae2e3536

SHA256
d4f7127f68dcaab6f469f98ede561982bce17228b95f357543b2ea43f9dcf575

SHA512
9f7dc1ae06fe30baae59a4790e954debd608d3f70258756c66f9154acf85145851880cb4760a87a9f041ba38a8b12d5c14b614cc5f78a283124b4f4abf5bbd51

Download Submit
C:\Users\Admin\Desktop\UninstallPop.aiff.17C-043-979

Filesize
799KB

MD5
d0e75bc9705bbbed5d59aa4d2a2c2eb4

SHA1
f53497beb74a7fbc84409792fa9fc1c80c7609d5

SHA256
067703d015659c04587516c09fadd0de6773ee6d001a35caea4aa5729ccb9f56

SHA512
5c02a5f18bf92039baccf7e7d61a0175cbe46440d21e0c723b9209c04f116e598155a95f4d4f4fbdeb7106277446bf7df8d62c5ec673fdf3376697116bf418da

Download Submit
C:\Users\Admin\Desktop\UnprotectMerge.vssm.17C-043-979

Filesize
825KB

MD5
b5b09978a1ed619ae9242f7f718a467a

SHA1
9793afef748e3b14df2ceb96df51e23e31d8bf56

SHA256
23433749055328e5521051c465e497864ecbe09d742371f8255314b79bda72ee

SHA512
4fe99828162901fa3b3ad06caa4f90a64d05f19d2139114fa46c0456b48f56177f42065a16e4a1d8b09700b7406b830557c00c9993dc0f710494c6aaf04c43b3

Download Submit
C:\Users\Admin\Desktop\UnregisterTrace.vsx.17C-043-979

Filesize
928KB

MD5
47d23abf26e33d4b64d78676ce24f8b8

SHA1
4ad35f4c36f572b19c081ca5a44bb34d585f6aa8

SHA256
c11ea57bd3117e589d58f94008bd2d0a7c003f6c7b1236bc287a316b5b4eaa59

SHA512
bdb1c9244d43e8acca0ce145630cd6a65234123d5e1f439ad1cc1694e539abd1bd468c7264f31410acdfbede41bb958ba3d44011daca4ab06f61ad5c7b1268bb

Download Submit
C:\Users\Admin\Desktop\UpdateDismount.docx.17C-043-979

Filesize
15KB

MD5
3e1096c60e2b8551a0d7c4a4a3a6438b

SHA1
5a1392e06ba345d6b44568b9c165ce22a4af9753

SHA256
1dd4a6e25197f01fd1da11a44150ab428cace00ad6f5e09b41d1184bc5c600dc

SHA512
cf802884c3fb0691a12d8e0ba9f8f06847786d23e133c0273664aaaa208be20de71ebd98da17578ab04262167fba55ac876950a7985f7279a9cb7df695710290

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
17433bcf3c12b807e0979b4212f5bd75

SHA1
77334ea8f799c8a3cced632e0aef88684034ba57

SHA256
215afb8dfde2c3e5c665c6a243a9b4663d6f999c4770a2c972de10dd2837bf9b

SHA512
1cd7375fd7a6198579783d16c71896b75be0372563f09f68fc9a7b05f6579ed9f269116028635a97502bf5cb6773b07aa9818575295a89246cca87cc935b59e3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
memory/1908-30199-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download
memory/1908-27082-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download
memory/1908-18270-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download
memory/1908-9146-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download
memory/2120-30237-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2560-89-0x0000000000A90000-0x0000000000BD0000-memory.dmp

Filesize
1.2MB

Download
memory/2604-106-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download
memory/2616-66-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2616-71-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2756-3652-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download
memory/2756-30238-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads