ragnarlocker | d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

Analysis

max time kernel
10s
max time network
38s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
17-09-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCCooker_x64.exe
Size

22.4MB
MD5

317c5fe16b5314d1921930e300d9ea39
SHA1

65eb02c735bbbf1faf212662539fbf88a00a271f
SHA256

d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
SHA512

31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
SSDEEP

49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

Score

10^/10

ragnarlocker xworm bootkit defense_evasion discovery execution impact persistence ransomware rat trojan

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_BC248C0F.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

Mutex

uGoUQjcjqoZsiRJZ

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 50 IoCs

resource	yara_rule
behavioral2/files/0x000700000001abc8-726.dat	family_xworm
behavioral2/memory/4396-752-0x0000000000320000-0x0000000000330000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abd4-745.dat	family_xworm
behavioral2/files/0x000700000001abdb-763.dat	family_xworm
behavioral2/files/0x000700000001abd7-772.dat	family_xworm
behavioral2/files/0x000700000001abde-777.dat	family_xworm
behavioral2/memory/3256-800-0x0000000000BA0000-0x0000000000BB0000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abe0-817.dat	family_xworm
behavioral2/memory/3740-841-0x00000000006C0000-0x00000000006D0000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abe6-878.dat	family_xworm
behavioral2/files/0x000700000001abe9-880.dat	family_xworm
behavioral2/memory/3208-943-0x00000000004C0000-0x00000000004D0000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abf5-932.dat	family_xworm
behavioral2/memory/4232-1056-0x0000000000CD0000-0x0000000000CE0000-memory.dmp	family_xworm
behavioral2/memory/908-1055-0x0000000000C50000-0x0000000000C60000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abfb-1028.dat	family_xworm
behavioral2/memory/3252-969-0x0000000000CF0000-0x0000000000D00000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abf9-949.dat	family_xworm
behavioral2/files/0x000700000001abf2-947.dat	family_xworm
behavioral2/files/0x000700000001abf8-945.dat	family_xworm
behavioral2/files/0x000700000001abfc-1057.dat	family_xworm
behavioral2/memory/4216-1090-0x0000000000880000-0x0000000000890000-memory.dmp	family_xworm
behavioral2/memory/1160-1089-0x0000000000730000-0x0000000000740000-memory.dmp	family_xworm
behavioral2/memory/4460-1082-0x0000000000A20000-0x0000000000A30000-memory.dmp	family_xworm
behavioral2/memory/4304-1079-0x0000000000930000-0x0000000000940000-memory.dmp	family_xworm
behavioral2/memory/4596-1064-0x0000000000DF0000-0x0000000000E00000-memory.dmp	family_xworm
behavioral2/files/0x000700000001ac03-1094.dat	family_xworm
behavioral2/files/0x000700000001ac0a-1153.dat	family_xworm
behavioral2/files/0x000700000001ac08-1159.dat	family_xworm
behavioral2/memory/4356-1206-0x0000000000BF0000-0x0000000000C00000-memory.dmp	family_xworm
behavioral2/memory/804-1243-0x0000000000830000-0x0000000000840000-memory.dmp	family_xworm
behavioral2/memory/2400-1203-0x0000000000370000-0x0000000000380000-memory.dmp	family_xworm
behavioral2/memory/2320-1194-0x00000000005C0000-0x00000000005D0000-memory.dmp	family_xworm
behavioral2/memory/3200-1256-0x00000000001D0000-0x00000000001E0000-memory.dmp	family_xworm
behavioral2/memory/3504-1185-0x00000000004C0000-0x00000000004D0000-memory.dmp	family_xworm
behavioral2/memory/2752-1183-0x0000000000D70000-0x0000000000D80000-memory.dmp	family_xworm
behavioral2/files/0x000700000001ac06-1157.dat	family_xworm
behavioral2/files/0x000700000001ac04-1148.dat	family_xworm
behavioral2/files/0x000700000001ac09-1147.dat	family_xworm
behavioral2/memory/4560-1130-0x00000000006C0000-0x00000000006D0000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abfd-1129.dat	family_xworm
behavioral2/files/0x000700000001ac07-1128.dat	family_xworm
behavioral2/memory/3136-1131-0x00000000004B0000-0x00000000004C0000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abee-877.dat	family_xworm
behavioral2/files/0x000700000001abed-874.dat	family_xworm
behavioral2/memory/3188-839-0x0000000000360000-0x0000000000370000-memory.dmp	family_xworm
behavioral2/memory/3248-835-0x0000000000EC0000-0x0000000000ED0000-memory.dmp	family_xworm
behavioral2/files/0x000700000001abe3-826.dat	family_xworm
behavioral2/memory/4300-803-0x00000000006E0000-0x00000000006F0000-memory.dmp	family_xworm
behavioral2/memory/1272-838-0x0000000000380000-0x0000000000390000-memory.dmp	family_xworm

RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (543) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8fa8629a.exe	explorer.exe

Executes dropped EXE 31 IoCs

pid	Process
2728	4363463463464363463463463.exe
5080	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
4428	asena.exe
3508	Bomb.exe
4268	CryptoWall.exe
4396	25.exe
3188	24.exe
3256	23.exe
4300	22.exe
3740	21.exe
1272	20.exe
3248	19.exe
908	18.exe
3252	16.exe
3208	15.exe
4232	17.exe
4596	13.exe
1160	12.exe
4460	14.exe
4304	11.exe
4216	10.exe
3136	9.exe
4560	7.exe
4356	8.exe
2752	4.exe
2320	2.exe
3504	6.exe
2400	1.exe
804	5.exe
3200	3.exe
3708	epp64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\8fa8629a = "C:\\Users\\Admin\\AppData\\Roaming\\8fa8629a.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\8fa8629 = "C:\\8fa8629a\\8fa8629a.exe"	explorer.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	asena.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-addr.es
10	ip-addr.es
19	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	asena.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui	asena.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\RGNR_BC248C0F.txt	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml	asena.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm	asena.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	asena.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RGNR_BC248C0F.txt	asena.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\RGNR_BC248C0F.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\FlickLearningWizard.exe.mui	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm	asena.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	asena.exe
File created	C:\Program Files\Common Files\DESIGNER\RGNR_BC248C0F.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\uk-UA\sqlxmlx.rll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md	asena.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md	asena.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\RGNR_BC248C0F.txt	asena.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar	asena.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\uk-UA\sqloledb.rll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg	asena.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui	asena.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\java.security	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	asena.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm	asena.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc	asena.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	asena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCCooker_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1584	vssadmin.exe
1372	vssadmin.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4268	CryptoWall.exe
1904	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3880	wmic.exe
Token: SeSecurityPrivilege	3880	wmic.exe
Token: SeTakeOwnershipPrivilege	3880	wmic.exe
Token: SeLoadDriverPrivilege	3880	wmic.exe
Token: SeSystemProfilePrivilege	3880	wmic.exe
Token: SeSystemtimePrivilege	3880	wmic.exe
Token: SeProfSingleProcessPrivilege	3880	wmic.exe
Token: SeIncBasePriorityPrivilege	3880	wmic.exe
Token: SeCreatePagefilePrivilege	3880	wmic.exe
Token: SeBackupPrivilege	3880	wmic.exe
Token: SeRestorePrivilege	3880	wmic.exe
Token: SeShutdownPrivilege	3880	wmic.exe
Token: SeDebugPrivilege	3880	wmic.exe
Token: SeSystemEnvironmentPrivilege	3880	wmic.exe
Token: SeRemoteShutdownPrivilege	3880	wmic.exe
Token: SeUndockPrivilege	3880	wmic.exe
Token: SeManageVolumePrivilege	3880	wmic.exe
Token: 33	3880	wmic.exe
Token: 34	3880	wmic.exe
Token: 35	3880	wmic.exe
Token: 36	3880	wmic.exe
Token: SeDebugPrivilege	2728	4363463463464363463463463.exe
Token: SeBackupPrivilege	3572	vssvc.exe
Token: SeRestorePrivilege	3572	vssvc.exe
Token: SeAuditPrivilege	3572	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3880	wmic.exe
Token: SeSecurityPrivilege	3880	wmic.exe
Token: SeTakeOwnershipPrivilege	3880	wmic.exe
Token: SeLoadDriverPrivilege	3880	wmic.exe
Token: SeSystemProfilePrivilege	3880	wmic.exe
Token: SeSystemtimePrivilege	3880	wmic.exe
Token: SeProfSingleProcessPrivilege	3880	wmic.exe
Token: SeIncBasePriorityPrivilege	3880	wmic.exe
Token: SeCreatePagefilePrivilege	3880	wmic.exe
Token: SeBackupPrivilege	3880	wmic.exe
Token: SeRestorePrivilege	3880	wmic.exe
Token: SeShutdownPrivilege	3880	wmic.exe
Token: SeDebugPrivilege	3880	wmic.exe
Token: SeSystemEnvironmentPrivilege	3880	wmic.exe
Token: SeRemoteShutdownPrivilege	3880	wmic.exe
Token: SeUndockPrivilege	3880	wmic.exe
Token: SeManageVolumePrivilege	3880	wmic.exe
Token: 33	3880	wmic.exe
Token: 34	3880	wmic.exe
Token: 35	3880	wmic.exe
Token: 36	3880	wmic.exe
Token: SeDebugPrivilege	4396	25.exe
Token: SeDebugPrivilege	3256	23.exe
Token: SeDebugPrivilege	4300	22.exe
Token: SeDebugPrivilege	1272	20.exe
Token: SeDebugPrivilege	3188	24.exe
Token: SeDebugPrivilege	3248	19.exe
Token: SeDebugPrivilege	3740	21.exe
Token: SeDebugPrivilege	3208	15.exe
Token: SeDebugPrivilege	3252	16.exe
Token: SeDebugPrivilege	908	18.exe
Token: SeDebugPrivilege	4232	17.exe
Token: SeDebugPrivilege	4596	13.exe
Token: SeDebugPrivilege	4304	11.exe
Token: SeDebugPrivilege	4216	10.exe
Token: SeDebugPrivilege	4560	7.exe
Token: SeDebugPrivilege	3136	9.exe
Token: SeDebugPrivilege	4460	14.exe
Token: SeDebugPrivilege	1160	12.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2728	2996	PCCooker_x64.exe	71
PID 2996 wrote to memory of 2728	2996	PCCooker_x64.exe	71
PID 2996 wrote to memory of 2728	2996	PCCooker_x64.exe	71
PID 2996 wrote to memory of 5080	2996	PCCooker_x64.exe	73
PID 2996 wrote to memory of 5080	2996	PCCooker_x64.exe	73
PID 2996 wrote to memory of 5080	2996	PCCooker_x64.exe	73
PID 2996 wrote to memory of 4428	2996	PCCooker_x64.exe	74
PID 2996 wrote to memory of 4428	2996	PCCooker_x64.exe	74
PID 2996 wrote to memory of 4428	2996	PCCooker_x64.exe	74
PID 2996 wrote to memory of 3508	2996	PCCooker_x64.exe	75
PID 2996 wrote to memory of 3508	2996	PCCooker_x64.exe	75
PID 2996 wrote to memory of 4268	2996	PCCooker_x64.exe	76
PID 2996 wrote to memory of 4268	2996	PCCooker_x64.exe	76
PID 2996 wrote to memory of 4268	2996	PCCooker_x64.exe	76
PID 4428 wrote to memory of 3880	4428	asena.exe	78
PID 4428 wrote to memory of 3880	4428	asena.exe	78
PID 4428 wrote to memory of 1584	4428	asena.exe	79
PID 4428 wrote to memory of 1584	4428	asena.exe	79
PID 4268 wrote to memory of 1904	4268	CryptoWall.exe	82
PID 4268 wrote to memory of 1904	4268	CryptoWall.exe	82
PID 4268 wrote to memory of 1904	4268	CryptoWall.exe	82
PID 1904 wrote to memory of 4760	1904	explorer.exe	86
PID 1904 wrote to memory of 4760	1904	explorer.exe	86
PID 1904 wrote to memory of 4760	1904	explorer.exe	86
PID 1904 wrote to memory of 1372	1904	explorer.exe	87
PID 1904 wrote to memory of 1372	1904	explorer.exe	87
PID 1904 wrote to memory of 1372	1904	explorer.exe	87
PID 3508 wrote to memory of 4396	3508	Bomb.exe	89
PID 3508 wrote to memory of 4396	3508	Bomb.exe	89
PID 3508 wrote to memory of 3188	3508	Bomb.exe	90
PID 3508 wrote to memory of 3188	3508	Bomb.exe	90
PID 3508 wrote to memory of 3256	3508	Bomb.exe	91
PID 3508 wrote to memory of 3256	3508	Bomb.exe	91
PID 3508 wrote to memory of 4300	3508	Bomb.exe	92
PID 3508 wrote to memory of 4300	3508	Bomb.exe	92
PID 3508 wrote to memory of 3740	3508	Bomb.exe	93
PID 3508 wrote to memory of 3740	3508	Bomb.exe	93
PID 3508 wrote to memory of 1272	3508	Bomb.exe	94
PID 3508 wrote to memory of 1272	3508	Bomb.exe	94
PID 3508 wrote to memory of 3248	3508	Bomb.exe	95
PID 3508 wrote to memory of 3248	3508	Bomb.exe	95
PID 3508 wrote to memory of 908	3508	Bomb.exe	96
PID 3508 wrote to memory of 908	3508	Bomb.exe	96
PID 3508 wrote to memory of 4232	3508	Bomb.exe	97
PID 3508 wrote to memory of 4232	3508	Bomb.exe	97
PID 3508 wrote to memory of 3252	3508	Bomb.exe	98
PID 3508 wrote to memory of 3252	3508	Bomb.exe	98
PID 3508 wrote to memory of 3208	3508	Bomb.exe	99
PID 3508 wrote to memory of 3208	3508	Bomb.exe	99
PID 3508 wrote to memory of 4460	3508	Bomb.exe	100
PID 3508 wrote to memory of 4460	3508	Bomb.exe	100
PID 3508 wrote to memory of 4596	3508	Bomb.exe	101
PID 3508 wrote to memory of 4596	3508	Bomb.exe	101
PID 3508 wrote to memory of 1160	3508	Bomb.exe	102
PID 3508 wrote to memory of 1160	3508	Bomb.exe	102
PID 3508 wrote to memory of 4304	3508	Bomb.exe	103
PID 3508 wrote to memory of 4304	3508	Bomb.exe	103
PID 3508 wrote to memory of 4216	3508	Bomb.exe	104
PID 3508 wrote to memory of 4216	3508	Bomb.exe	104
PID 3508 wrote to memory of 3136	3508	Bomb.exe	105
PID 3508 wrote to memory of 3136	3508	Bomb.exe	105
PID 3508 wrote to memory of 4356	3508	Bomb.exe	106
PID 3508 wrote to memory of 4356	3508	Bomb.exe	106
PID 3508 wrote to memory of 4560	3508	Bomb.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe
"C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\Files\epp64.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\epp64.exe"
    3⤵
    - Executes dropped EXE
    PID:3708
- C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
  "C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\asena.exe
  "C:\Users\Admin\AppData\Local\Temp\asena.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1584
- C:\Users\Admin\AppData\Local\Temp\Bomb.exe
  "C:\Users\Admin\AppData\Local\Temp\Bomb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\25.exe
    "C:\Users\Admin\AppData\Local\Temp\25.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\24.exe
    "C:\Users\Admin\AppData\Local\Temp\24.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\23.exe
    "C:\Users\Admin\AppData\Local\Temp\23.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3256
- - C:\Users\Admin\AppData\Local\Temp\22.exe
    "C:\Users\Admin\AppData\Local\Temp\22.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- - C:\Users\Admin\AppData\Local\Temp\21.exe
    "C:\Users\Admin\AppData\Local\Temp\21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
- - C:\Users\Admin\AppData\Local\Temp\20.exe
    "C:\Users\Admin\AppData\Local\Temp\20.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Users\Admin\AppData\Local\Temp\19.exe
    "C:\Users\Admin\AppData\Local\Temp\19.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- - C:\Users\Admin\AppData\Local\Temp\18.exe
    "C:\Users\Admin\AppData\Local\Temp\18.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Users\Admin\AppData\Local\Temp\17.exe
    "C:\Users\Admin\AppData\Local\Temp\17.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- - C:\Users\Admin\AppData\Local\Temp\16.exe
    "C:\Users\Admin\AppData\Local\Temp\16.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Users\Admin\AppData\Local\Temp\15.exe
    "C:\Users\Admin\AppData\Local\Temp\15.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\14.exe
    "C:\Users\Admin\AppData\Local\Temp\14.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Users\Admin\AppData\Local\Temp\13.exe
    "C:\Users\Admin\AppData\Local\Temp\13.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\12.exe
    "C:\Users\Admin\AppData\Local\Temp\12.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\11.exe
    "C:\Users\Admin\AppData\Local\Temp\11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Users\Admin\AppData\Local\Temp\10.exe
    "C:\Users\Admin\AppData\Local\Temp\10.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Users\Admin\AppData\Local\Temp\9.exe
    "C:\Users\Admin\AppData\Local\Temp\9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Users\Admin\AppData\Local\Temp\8.exe
    "C:\Users\Admin\AppData\Local\Temp\8.exe"
    3⤵
    - Executes dropped EXE
    PID:4356
- - C:\Users\Admin\AppData\Local\Temp\7.exe
    "C:\Users\Admin\AppData\Local\Temp\7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    3⤵
    - Executes dropped EXE
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    3⤵
    - Executes dropped EXE
    PID:804
- - C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Executes dropped EXE
    PID:3200
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\syswow64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4760
  - - C:\Windows\syswow64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
674B

MD5
27d7a398e95d756c524b910f17235740

SHA1
84d530782cf0302e33f9fcdf36eab54f1e9be79b

SHA256
4008338cbf8a79f0850e16515b0794b1eac17d00a48b4a66b15139af029f0dcc

SHA512
06674521c738435385dc94e1928db9fc5c86c7797f9225179b867682190a019f66b9aed71bfc8eb748d22fcf2624659b82d6abda4d251efbfb84b31269068173

Download Submit
C:\Program Files\Java\jre-1.8\COPYRIGHT

Filesize
3KB

MD5
74548cc1189022895809b081aa2fb6cf

SHA1
b1de75ebe58fc65f6330c7135698894b22c21331

SHA256
6b42860ee79a57bb93a0ea7774a6cfb4d04cb8cbfe0db6b39b0e5e5f50e19460

SHA512
d89d052c41c175eea4ca53ed0595776c1c828bfbb428b3e2621db3c4758b292989c399de6fa4f290146f70f16fc0faa8eeaf7362bfa03660623588ddcc23bfe2

Download Submit
C:\Program Files\Java\jre-1.8\LICENSE

Filesize
565B

MD5
d980c0b5f8f57bb878041239e2815b7a

SHA1
446048ad3c2d3572994f1c02b1d93dc262a8b200

SHA256
2aa2af73d48e2b7c6377f18d67acec03c15e26596ea2bb6b1ab11022d9c5fa2d

SHA512
f744290f5ee110812f6fd7b7c36e5b6a1f440cd56faf354d6aa2cc32c46eae40cc216a0935cb794ad0e1b564263fe836abbad831eb29070fd7d3eda002c1977e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
711B

MD5
2b32377fb272cc148c531741fa6e68a1

SHA1
7987da68113fc970af8de491eb620583ae5bebd2

SHA256
0a1cd2472194c2c58002dcf0891ccf12c584f417d58657b3a6690f4013842065

SHA512
254a313f3d21bcc113ccf92cfa6b9bad1d5d75f6ca905e888293e25692a3d0351494e21ec31ec92b682b73642425698a928a4983b942400b7ab7eba4a3a4bab1

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
711B

MD5
fa27a79f08b32a7546a0fedbe331c78c

SHA1
3a3983427b43a4794d74cc1f7b120c7d1c561d5e

SHA256
62a3b5fbdb3b05fc82dbfd10a1078cb201336d11c93fc501ff057a1a732d766c

SHA512
ec753f81b6b5a9ff0a63ed943ea4180f3654dfacac3520c19d234f055d18b3ccd58053897018afffda7e9f4d32fb768b11a197894290c4ccba4e75eaa19e7cf1

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

Filesize
1KB

MD5
2b508450f6baa81a2a5f31d9778547ae

SHA1
f5b4ebeae925faeb0054824383883443d46699a6

SHA256
05feb4dc5d8173d9526db81fb7d7212bb34cf143e3b18ba01b80262ae1b7b728

SHA512
9c4ecf58c8a7c216202cc463d518cfeae2bcecd0ea7019060255cccdbd0964c8e4ee6fdb9ca11466215ca4465d21d7b6ced65a306e99d2f17e5139e2b8e31c85

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

Filesize
32KB

MD5
89b7d7442f252536edd17557df49f602

SHA1
de5f07c3d98f1a904be4927c41cabbd68c9cf239

SHA256
b7e58629df4e79537e2ce5491be2a8338425b0626051e55b9f83e9c1970202bc

SHA512
a192496d57e9f9409d795bf885c03091ae02e46888075365a316f0d2c146e8c03a2d064dc1a4e1efa7e03c56c322449c422feed04555bc099fc67e921431a064

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
417fe141da14aa029b28ebad91d25119

SHA1
c160805bd413510e65e43138e15a55f44f6f6775

SHA256
f6fda2e944c7218fa2dd6c6d6251a954731504ba2d0607b17183d6bbeae5dcc1

SHA512
13369480a3bbdc7f3d9752ef4addf2e888f2f92627ba25e3d3fb9c1109197f0728999b006c9ebf33bf5c131b0fcc70ff75e5e215c8bb3df654d3b93a0f2333e2

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

Filesize
24KB

MD5
1968067a6f9988fe0f472ba1c4ac64f5

SHA1
466b559268b797aafac91c21e8b791c659ee607d

SHA256
60d80ee6b8aec468349e2ae9da2719f27ac9649462c8dfde3cdb893beb6351f4

SHA512
08374ec79277604f701edb879022171a4dcff529548e02eb1878a9097ee08433e6b582be5e80a89da5a0f0a416d02f5aecf05f5a59dd909a47950d4426f6cb26

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
f3067e7611ae11556a63591df8ecb882

SHA1
a726e64e8c0bbfdeae91621bba69d1ccf78a2365

SHA256
05b89b82dc5757a5848bcd73c52acbac59ab92569d6cc6acd37902ea291d58e9

SHA512
062f3a05d869be67bcf995c3073928d583232783a36fc45d8e517d551d37fbbbb959d4f90a3a96199f695e47f0d56fe74d7166d661b3d2249b4bf46356be740c

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
d6d2b7f72bf7cc28c270bcfa0b79008d

SHA1
dd0efdb865dab0971d27ae9b870c91778eeaf969

SHA256
c211229503b3442ad7bc3383e81058838b6f5d20b186dc55bfe380116fbd7a3e

SHA512
df237bafdc006027396888b97baf44ac20da3af998de413099d5569a8067ddb6e1e3773d5fa2a57343aa16ea0b336dfadf4c76fe6290c2e0a3a4f767d8482d4a

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
639b4d6101781930a280486b0be8c27e

SHA1
93d6d55a3ceef5a4bfe4e2ecf03ad7c651dc37f2

SHA256
4fc13585be0d5a004a6dfbb2cbe1eabbd4b2b8e4e5cf2c11a77ec48631e1b5d9

SHA512
448c4b10b70139817f3074174b1184328e8cd75dbf20c7adc5d7e810663f027ef3701bbaf9a09832ba98d02566fda732b54da3943075dbdd98d19782d4f8c05c

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
3KB

MD5
2083afacb155a4e2200f90541454c985

SHA1
ed6ed57a788efd50e31baf8a395b09480f649e87

SHA256
8a5ed7925562d8fee66d17ab441793e2e82b956714a8ed223c4afa4dc4f3e260

SHA512
6293f65f733a1b17dba5754c0636ecf831afa6ae6598f03f169a498660c1ea587eab59b09fd2a74f03f35eeef958e1e0d55b62833f0b4ced93abff66286a1b19

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
6KB

MD5
acd9e96f55e3b84c3699146ddbe02eba

SHA1
bfa144a6ebf8d0c7fb65a24bdda2245141e24f0d

SHA256
98e0f006149a1630c4e2ef27603fc9aa843508fbd8a4c3fdb7e08dc2f4cbf475

SHA512
45c13efa1076ccbb00af9d1c83841b76fa39c5c968e1d081c420a1e7f7dc1327004265ce0d715b78a70013864ee66ab389340e73c1426f165d1b1282843bfed9

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
315bc089c571140a98921d68ec1d431a

SHA1
2dea7acb62acf934edb0a1c234bcb411a05454d8

SHA256
6ea963a1f1f7b5919acff730a6df89eebd86bc4a2f092c32395aa5622669e5d3

SHA512
fadc854021131a2fb348e837121bd4cbd31f617a8fd104f5bb6ce2c287850f6858e54afd77a5ca1d9a03a6d4b1203d0034e51141f0f27239857d2c9da7ec6be4

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
40863dd98f9b0407d429832e15360394

SHA1
e1c76e5c2e519831875636ced2c99aeb216af595

SHA256
c4d3021388b492f68f91b1f10406f39927add3cb1709a76a94740935e3a03b1b

SHA512
c07dd7e57887b4619b911b2d09f1fb9b64ad730325d7945c992805a2aff3b94cce835eb2fef407c716edee5a9b0f0b9f5aa0d1cf44cd7b5672f7139c32e24af2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
2KB

MD5
73c98c55fce32959ca6f184019c4321d

SHA1
7d55fb39b907679d95a0c4e56238737d1e1e9ddd

SHA256
254f8f1c49359073c5a0d52ea41030e6801c24769b5fe4ce787222466e372dcf

SHA512
1affd0fffe9a6b7b735fc539b96ead79b5915a0051f577ba6efd7edcd39aae73a02975088cb871351d1c44686ef01d53efc9fecc8b6d6e5bd885b5e977b91932

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
11KB

MD5
42ce0d97828e46ec775c6806e1abf1e2

SHA1
5cc9f36b7ff2c0243580d1b24132fc051fb87e25

SHA256
1f0f05a99ac84f0e337cfb282cc800add3f12ec34ae35dd3235a5a2f66c3c471

SHA512
963946a64ab575170fde77dd6a737b299417f2d0350732b5bf98cf44d390163f5992423f7879ec0e4516588b775499e55687a45faa0a389d6447a2a8cf38a230

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
ece03d69eb67c51669507575c6cd8f53

SHA1
330b6c294467e468671d2b470865d25957a424b3

SHA256
424b7874ae0da7d811db66d12fe824e6af1f9095cee4da67037cc2ca3995856e

SHA512
9f8f1e02aba8c56ed15aef59cbac4e39cf5082ce870d98c927e71242808bbd30cbe7916a094bc268a8185c8aad5110a6c43782109bb3d4430680e0d0e750bd29

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
683B

MD5
a9d9e1ec5cf84829a78aa4af43573ce5

SHA1
90dc5dddb44b41071900a03038656ee5f9258e61

SHA256
b15aeb05023ee50a1a3dd8fb40915ccf4d9e3ecaf9fddf0c86584cc9226bea99

SHA512
00e07af873365e5ab4c1a238bd260e3ca3937294eddea99631cc78006856cf2425cb85c1f1b95b7b7ae8a115545ed7fa3630c8423bde475766628ad586b17f61

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
21d142bd03201138fa6d0bd59ce6bb14

SHA1
57728f74ad2cacf786bb04ba571380fbb29e5ce5

SHA256
bc2b4060057601a318b3ae6593cfc20f328034bb056575651c3547d1ec6e89ca

SHA512
ea1d70ee73a571a6b983b80cdb8fc72b5ccfcdb2a7f81b81eb848a9dbc4262acb898dde04795801d453532ad5f7637208ee77b0d62ecb87c7420fa3d0cccaafc

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
4KB

MD5
163b83a7c8dd3a1239ba0aa4f244ced4

SHA1
9a63894e3f0cde613d9375de6acddc45fe5abf9e

SHA256
32265c26592be5494577ee47a337751aa36573ab08122c4e56b90fc41efb3eec

SHA512
0d9dacfb874467c3f50cb0e9ecd27006b6bb31d52e45436c0b022a34ec0fae3387aae4cc8dcb730a5c7be8872d2897eb07c0e977ae93e2efb5ad6ee424ce67ac

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
befaec9a800e4a4a0a485c2ca06d6fce

SHA1
a5db251c331134d83ee0c72e9d787ce52cfabc65

SHA256
ab093e2f9ad654503f844c64aa49035757ef7240fd1fc14574648ac6149659a7

SHA512
02a0475a63fcec5eb680494953381674a92feaf58f92b323e8ab65372861c25675c614f2f31022ea6c83723f7c4ea91af89b041db3067ff80f7d1342d9e04aa5

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
29KB

MD5
234066f7a02c40bff13b8e6809abf417

SHA1
b260dd8a2fc5e5a015fcafe7404590658328fd28

SHA256
bff656235e32555be3b74a75a0425110be3de7958d028b2dae0a21c08c63966d

SHA512
55576df49b5e0d77679e54ef377c3e2d61e44563405c4f2bd5385097e959ce961b34f91014be8932ac2cc07a3590b97c1feeaf063e0822beab3af14c14e01d2f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
3KB

MD5
1180cd1f8691f758fb3cfbe1ac1db1cb

SHA1
b4426fb7270cc342f46301d5a625635edda772cc

SHA256
588dafc8a004b2266158ed6801c2fba9b1ec544528ae963555c97ebe9034b7f3

SHA512
52ce554a34863b63449d2555062ec6af77f714474709d6fc8080fc041c559cf54bda14f831952ee8d7338d37edccc722caf6978e789671f04ca6de57cf675b13

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
6d3a928dff8c474eec705105c7a2a7f8

SHA1
174955c9f67593aa9faf472ab1427aebca9167a3

SHA256
9a65d7b6831bca063dc31ee60be54e2915fb16e2c0166b88515b2b4290ea50fc

SHA512
fa6da0408ebbbf96e3b0d56a279acd666bd64b7089c261fd5eb8736591bb3942e4745f00422ce958232c2e2b7b3b1259bce50bd87e4bfa4198637134e978f45f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
3KB

MD5
807ead78b9f678b417df18571c00ac1f

SHA1
e8bc5140e7eaab1dd6ee751d7326f07654e576b6

SHA256
5dc2d2458fd9e0dabe22c8325e3da1f5e8a5c5f4a8dc84d74a9251004ac8088f

SHA512
6117193282e27e52d5523b20fdc10b6986ee27b5435d9841601a78d484c572f987080c29fbeea4a8960833810d36ac7dc8ffd603471ad6ffdf58638be637aa51

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
7b1dc2cbbf324bd2c3a8a17677ebe1f2

SHA1
524b072d84f827cca5c5bdec31ecd67a3b0f927e

SHA256
05990d399aabb1c42a58464abc68337761222bb4d4bf195c8fb27c6089f0394b

SHA512
7b1cbc484296041b688256a43656acf50c2218d920fae515d82eb2bccd8960759b13f633624d9d9a3af433442f593fb37438cd6ab97a742ed402042e738313ef

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
b458e59a3361e047a4461c6a8fb4b7b3

SHA1
6199cc1c6eb4d829c214d493d18de307fc7e8fd8

SHA256
41c2b3aa9ca869bd81a96c16e46e152ec07d7f28f49e9221ed1c9227a65a629c

SHA512
167cb6263efdd6b3059322be53c252c601c34426f39d99a41ab77b63b0aa5d3669132accb6ee24ab0866872b04e7ec55eda4836a1795070879aacbf7c067a275

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
76e8952a2076637ada72e43879302a19

SHA1
9acdf924dc429b836ab057ea412bb25d2329e87d

SHA256
87a3d70f7db425c6e78c30c6e13be3da2ce6d710b1f307a9476da06a30425902

SHA512
a463bedef17c89912db4587d5636bd49bbab7e193dcf0e490ef83ad9f77a8617ba9b0c9dc1f4ed5a99432b1d4f02a0b06d8c7a2724eabe833ca3080ddb825b85

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
4KB

MD5
30299d2b1c4bf0171437b31cb6a9ee28

SHA1
17fe493cef071bedeb27347956dab4b306572d80

SHA256
23bdf050b6b297fdbf2f3c57f60d92c62299197b8abfaa62b4fa8eb356f255c8

SHA512
3f08644a78189c71a491151a22ea2e379470c6f85d7ebb02937eb1f4bad7e26a1469273db45e70159815bc761a3b7f5b38019d07100ceb192dc654ba1132d98a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
3KB

MD5
e8b9dc476ba227f43ad1cbe450d3b08e

SHA1
07180de10265897835ea378418da5c6869c35a6c

SHA256
71ec8e4fe5dc3f3234b75850c375fbd8cef7a5fa2c561257db08ee6db4a8f139

SHA512
3e208ec42823f9ab2e5c826d52ad5e5f9c21cefa275df643284d0e5ee0ea313d93401ab72ce2c871d144a3e4747dd1117fc321cb24edecd851ed9688eb906375

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
7KB

MD5
992667772bc6ea46b25bee4552144488

SHA1
11cc6183c208b547aa4dcde428803cbe94582b61

SHA256
110b3978e7c338723e1cb08487b6a0b9506ee014a48cb65b90fd51e7728cca8d

SHA512
15e15e87d92b764f27884ebacedc33aaa9421568195a2de77ab117be7caafb820d5fe331451b8ae0aeaa2ca9ff00b99c04265ef6b5d7011436338882612abca3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
6KB

MD5
228de47cc097a5da09d0ad3a279646e8

SHA1
c02831ec5ba56e57162026e59b2e4b1d44bc6703

SHA256
eee1ab82483ef8b5c0df2a665caa6a1177c0744c74079e66ddba71dbf80198dd

SHA512
b519b7937e2a69f0f8ee90da54a25522ab809b7d1a919de0c0470b0676405db7a14342258ca403fc96da7764b7e9c7e0a23b4b67e5a047ad5ff5565708fcaba2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
4KB

MD5
5f3fcdb23aa5ba7dadb883412da6a075

SHA1
60f23259c0a61b407d5f550a5be9d2a586425ef4

SHA256
050de11ef22350112fe2b9c87f977d648f35496c9581978965304b04b1eb1761

SHA512
e4d5daa475f7146a630135a45c4f78abd60ce12f9776602919b3386a60d3701078ef69920d403084ecba26cfe8f20ae5e20ba5a857917f5a9f6ed556019956a8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
63d53faf79f63ae153ee0c1e7888c66c

SHA1
385881199a2830f5fb3bcd93189d68d3467e6b11

SHA256
9f04dcbc592daded2ecd2fc54d282cddbda00c5cf4ef8564223c2e7f1d5befb2

SHA512
1e1ff3be467cb8c86a992b406b1927da552819e053cba7e48372d260f5fef0b18341f132143b1a2083c3a1d59dc3dd94f4285308336f76244df3424eb5c99a38

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
070dee0b3a07812a03ff0fd57cf9ca86

SHA1
bb1ca5aa218ce3cb1773493a6485b3cf47619445

SHA256
a96589d8f09777d75c50172d5b31812d9525542cdebe7c4fbba84017c87cec88

SHA512
3343b6c8c24795d67c454c3632229ac49226ad066d88b44efe5bea264ba1bae9fad8b9db4f44c53beeb2cba56d21da9d7cd6f62f7cc7f035504c1acc15eac97d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
2KB

MD5
7844e290f2e09587fdfc03dca2fa9dcc

SHA1
5ad7546858330b2f84252bcb8201af5071988138

SHA256
260b8aad302d30274d1915ebce89e2d9e3b16cf2320974086177126f0b3fdc37

SHA512
1cbb929190916de295a0bfbfbbe694e52de0dd92f729fb065769f0d5aa7bdf28d445d601dc9d4aab0483c200d1f167bd6d02cfb8a9662aca3a4941aa8e4afc11

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
0433a89151b62260c7d6c162e3328307

SHA1
a724b0149f2e6a90ae65e3a9b6fcd793cef8db36

SHA256
e4981ca09bbf2e9eed1fe388fbec75c3e355972e52b99abb9efd96a985ec4982

SHA512
6c1b350436ccb7d9bc359fb9e3b70d7937f779f93272198c4d2133e7adcb6a87514e855bff03a5437831cffa8d11982934ee30c9a2d41f84b215124a7ca5039d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
12KB

MD5
8ae02a82c513cbee84a6099eb1c8ff5a

SHA1
0c1e3e6942290f758b5eafedb4e9aa6d1a49973c

SHA256
148152eb8972437a124f6946fceb44d49bb608ea54908cc06521e1d4319f0b79

SHA512
bec8c9923b7ac292f8495cc242ec14e3791e79cf5fb8a1cdc102a60a2886053dd4977f03a65213c6db71aca62e68313e378eda829c210679229851d1f8d165b3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
3e3b96cf7c665745ec300e72e278a1d1

SHA1
819be611b5fbfcf1e141bdf50a9fc2f74439b414

SHA256
3f9021729eedb34d6f1c62684690638a45b8d67b1174942996431c4abe1507fa

SHA512
855c3b5a35692e01a5d26e3be19a674f833d772cf400ead5a5d82aa13181854629f350b4a6dfffdbc60455505ba0a7b0b414406dd01fa263a08dbcfadee047b6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
99dee0b09c02b5e88a996d4f58c70ffb

SHA1
ac4921bf6d99400a23a2ca546b9c46d62b8623c2

SHA256
9e380b3b5d8f2b340f4580d81c11c4bd6c599452831efb090dc6e7da3620ce12

SHA512
3c50f0e2c26a7ea9d7ea93c568220770c18a5436d23c765a5b984176e5d727f10a7bc88819bd09e4c29a01b1a05a22b2d7c3e72ca077d55ea343d7fc11f3741a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
12KB

MD5
e228930f25f74d765ae5c0c6e7459017

SHA1
d241b8ccea79157186cb595c022c855389d6ff14

SHA256
73c13ed4cc9ed3149fd9ccee50da4c33016601abaea130b0a3acf2a88718b8c3

SHA512
c8a620f4a22fa5cd9948d83ddc54c1e0faf0dda49b447e5f518b097b72527689e9a348205a6b9ea5984d78753d8326ccaba3a18f7ce6630320662c6ad1257177

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
12KB

MD5
06aa42c2ba61b6027db33a6aac586c4f

SHA1
db83b345b6c283a6e9e0a5cc7122ab36791a896d

SHA256
889707a3e849583b4410aef6c0603c0b8199a910c9fa2f56e5e94ee6b75f92b1

SHA512
5b560e9610510989d9c7a43e4c77136db83359fa52f400c92ab8f5d029d1c99df8b09dd1a125f27156ae5d59916515f9e35f3442e0fe84b2a75c5563c165a323

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
81b2e2bcd42e4c99920a036a2bc46007

SHA1
04b21b0d8fb2c1703b8df7ff284f464ecdb5a769

SHA256
4a07522213ef8ebeebe20d90a6a2d2eddcb93f7a0abfdc8cdcbab36d2654892e

SHA512
d779881b0813967d4e238633e3382db63defe8fd6c6b894393cfc8bf0a44b3575d17fa337a3e05b080780ad21f12b29d93ba9eb01c992604cc377df347b5c75e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1KB

MD5
6751e6acb1e6b2c1018d1e8a8f1fce26

SHA1
92073e7c20aa41d819ab5dd1dcc7095232841350

SHA256
1b17ffd6178227f58b193f70e220a893cb5d6bdd8cee45a8211118527f8a8559

SHA512
35294fe96c49c277401d1ec96e93817c89f71c92b3306566c442ebdc322fe34c863cdf5eb7651859cf72d3793029bd002bac141030564dcf336be45c26cc1846

Download Submit
C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties

Filesize
4KB

MD5
dc35e2883b207b69d7ecc06bea8f9d30

SHA1
812bae3d0326bbab7832e613865398e939004238

SHA256
69e493c7c277bf7982c597291c1be17547c6a3274185cea944971817849bb6c9

SHA512
b14a55fcae62b9e84b2a9863f18b0ab1e0d168ed40f6077f7f65cb3b49078e319598acec5848776204da68fb042e750c45ebd03b1eef3cab33c317c3236454d9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
563B

MD5
cf12e7e85574e842c40f35ddd38940de

SHA1
b1c72210a856c4caa3c03a69128dc1c5e57c1d2f

SHA256
8e7099c04a66e112798749eb7e382605d65d4f19b5c618ce611a6f68f29ea6db

SHA512
03ce1d7f5bf912985f47ef5c1ec9a29dc351493a4f06ba73e6693ab05b6e23e5ec8c564740394d79ae21cda3948c1c4fc2d443b71093121ee78b795cb35420ab

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

Filesize
635B

MD5
643d33d87f19ec424759dd429f92a608

SHA1
68ad45583b0a49b8b1e9cf8daae7ba18f2df048e

SHA256
6609d890cb0b920e567e25611d918f2f3842b31519cb4065f278a9ac71d75ffe

SHA512
aa06821fd8e934062d518fee35e381389caaa8276fc663167c273c7cb0d7edf40f8b96372eae7f877133ff4393c5709de4b45b3246d5b2b8d53c0abf6d1b7363

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

Filesize
634B

MD5
f437383d5f7a079e18ac1231442e4772

SHA1
88e6e20052d2aecfbe3ccd7c509fb2eedd13e6a0

SHA256
590a37c062ccced602ba77221e8b0dc39e3b21c30e596690741774248cc0018f

SHA512
3dcd5b8b1f7fa0547106295631f884e30dcebdd8cb4b0581a6806fb7f131bbeab7311d0fd541266e304511db4c9f82723533128efb600ddfb0d2e21e7c5ec111

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

Filesize
539B

MD5
d8c42360b41a2948ba751bdce06a936e

SHA1
ee6d6b5c99f1f69735f6cb4ab9e0076f7bd15236

SHA256
10aea11721edb6a1d7345f46d43f6a568a0223962f048c03cb2cbed97c3a9ff7

SHA512
3202f8e93b6697866ab7c49674c761246db61e8c562dd9adbc4645a43320bb9c0b2aea9b1b11f1fff40b4c71e53a08bb2752b66e45e71202541971f061d64c69

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

Filesize
245KB

MD5
f212ad035b80f1f0eb6b08e57fe5a152

SHA1
fd560905a10e166da70587b82ef1d12127f99f43

SHA256
e58168d64a4266453d7ca20d8c72985180f1adb245eae895eee894b98e6e63d3

SHA512
9f70d72ff0ba871421c91eddd5dc352c520b1713a44f3c81346beb8787f2332f8a94c32c4f52d81288a74cb7ff3b9716145c024ba00b8f181b8a84b7775f5b00

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

Filesize
526B

MD5
b8443c337bdb90654b656ad68825bd72

SHA1
f725c06be22db583fcb68a44c44f3631cee01924

SHA256
775da7cc6074223974109f14e2bc2640295902f19cf224cd22d9e17ad99a1b32

SHA512
6117df743bbf9fa9dd909687d79c773d96c789610a397227e4bcd48288e8c7c4dc903374df9b144b9ee182843772c2cd50862b55366c894e5e21bd176bb22d8f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms

Filesize
904KB

MD5
2bb261c31eeb7957b78f9268c828c4bf

SHA1
1ecd50c321c67ee099bd4b2542c0b42e43574ac7

SHA256
2077a98d815aa8a1ea2ce5234923193180c0eced9f13914107191a210ce39c22

SHA512
0bcbaeca793cfee412b01067c4b820b9bf3bb861decef8710546a25bb11b84a32e6c3c795bc997adf95a91549bf8d6a5d8669929b7af570d744434ac33c16980

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
37KB

MD5
8ec649431556fe44554f17d09ad20dd6

SHA1
b058fbcd4166a90dc0d0333010cca666883dbfb1

SHA256
d1faee8dabc281e66514f9ceb757ba39a6747c83a1cf137f4b284a9b324f3dc4

SHA512
78f0d0f87b4e217f12a0d66c4dfa7ad7cf4991d46fdddfaeae47474a10ce15506d79a2145a3432a149386083c067432f42f441c88922731d30cd7ebfe8748460

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
37KB

MD5
d6f9ccfaad9a2fb0089b43509b82786b

SHA1
3b4539ea537150e088811a22e0e186d06c5a743d

SHA256
9af50adf3be17dc18ab4efafcf6c6fb6110336be4ea362a7b56b117e3fb54c73

SHA512
8af1d5f67dad016e245bdda43cc53a5b7746372f90750cfcca0d31d634f2b706b632413c815334c0acfded4dd77862d368d4a69fe60c8c332bc54cece7a4c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
37KB

MD5
6c734f672db60259149add7cc51d2ef0

SHA1
2e50c8c44b336677812b518c93faab76c572669b

SHA256
24945bb9c3dcd8a9b5290e073b70534da9c22d5cd7fda455e5816483a27d9a7d

SHA512
1b4f5b4d4549ed37e504e62fbcb788226cfb24db4bfb931bc52c12d2bb8ba24b19c46f2ced297ef7c054344ef50b997357e2156f206e4d5b91fdbf8878649330

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
37KB

MD5
7ac9f8d002a8e0d840c376f6df687c65

SHA1
a364c6827fe70bb819b8c1332de40bcfa2fa376b

SHA256
66123f7c09e970be594abe74073f7708d42a54b1644722a30887b904d823e232

SHA512
0dd36611821d8e9ad53deb5ff4ee16944301c3b6bb5474f6f7683086cde46d5041974ec9b1d3fb9a6c82d9940a5b8aec75d51162999e7096154ad519876051fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
37KB

MD5
c76ee61d62a3e5698ffccb8ff0fda04c

SHA1
371b35900d1c9bfaff75bbe782280b251da92d0e

SHA256
fbf7d12dd702540cbaeeecf7bddf64158432ef4011bace2a84f5b5112aefe740

SHA512
a76fee1eb0d3585fa16d9618b8e76b8e144787448a2b8ff5fbd72a816cbd89b26d64db590a2a475805b14a9484fc00dbc3642d0014954ec7850795dcf2aa1ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.exe

Filesize
37KB

MD5
e6c863379822593726ad5e4ade69862a

SHA1
4fe1522c827f8509b0cd7b16b4d8dfb09eee9572

SHA256
ae43886fee752fb4a20bb66793cdd40d6f8b26b2bf8f5fbd4371e553ef6d6433

SHA512
31d1ae492e78ed3746e907c72296346920f5f19783254a1d2cb8c1e3bff766de0d3db4b7b710ed72991d0f98d9f0271caefc7a90e8ec0fe406107e3415f0107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.exe

Filesize
37KB

MD5
c936e231c240fbf47e013423471d0b27

SHA1
36fabff4b2b4dfe7e092727e953795416b4cd98f

SHA256
629bf48c1295616cbbb7f9f406324e0d4fcd79310f16d487dd4c849e408a4202

SHA512
065793554be2c86c03351adc5a1027202b8c6faf8e460f61cc5e87bcd2fe776ee0c086877e75ad677835929711bea182c03e20e872389dfb7d641e17a1f89570

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.exe

Filesize
37KB

MD5
0ab873a131ea28633cb7656fb2d5f964

SHA1
e0494f57aa8193b98e514f2bc5e9dc80b9b5eff0

SHA256
a83e219dd110898dfe516f44fb51106b0ae0aca9cc19181a950cd2688bbeeed2

SHA512
4859758f04fe662d58dc32c9d290b1fa95f66e58aef7e27bc4b6609cc9b511aa688f6922dbf9d609bf9854b619e1645b974e366c75431c3737c3feed60426994

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.exe

Filesize
37KB

MD5
c252459c93b6240bb2b115a652426d80

SHA1
d0dffc518bbd20ce56b68513b6eae9b14435ed27

SHA256
b31ea30a8d68c68608554a7cb610f4af28f8c48730945e3e352b84eddef39402

SHA512
0dcfcddd9f77c7d1314f56db213bd40f47a03f6df1cf9b6f3fb8ac4ff6234ca321d5e7229cf9c7cb6be62e5aa5f3aa3f2f85a1a62267db36c6eab9e154165997

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.exe

Filesize
37KB

MD5
d32bf2f67849ffb91b4c03f1fa06d205

SHA1
31af5fdb852089cde1a95a156bb981d359b5cd58

SHA256
1123f4aea34d40911ad174f7dda51717511d4fa2ce00d2ca7f7f8e3051c1a968

SHA512
1e08549dfcbcfbe2b9c98cd2b18e4ee35682e6323d6334dc2a075abb73083c30229ccd720d240bcda197709f0b90a0109fa60af9f14765da5f457a8c5fce670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.exe

Filesize
37KB

MD5
4c1e3672aafbfd61dc7a8129dc8b36b5

SHA1
15af5797e541c7e609ddf3aba1aaf33717e61464

SHA256
6dac4351c20e77b7a2095ece90416792b7e89578f509b15768c9775cf4fd9e81

SHA512
eab1eabca0c270c78b8f80989df8b9503bdff4b6368a74ad247c67f9c2f74fa0376761e40f86d28c99b1175db64c4c0d609bedfd0d60204d71cd411c71de7c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
37KB

MD5
012a1710767af3ee07f61bfdcd47ca08

SHA1
7895a89ccae55a20322c04a0121a9ae612de24f4

SHA256
12d159181d496492a057629a49fb90f3d8be194a34872d8d039d53fb44ea4c3c

SHA512
e023cac97cba4426609aeaa37191b426ff1d5856638146feab837e59e3343434a2bb8890b538fdf9391e492cbefcf4afde8e29620710d6bd06b8c1ad226b5ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.exe

Filesize
37KB

MD5
f18f47c259d94dcf15f3f53fc1e4473a

SHA1
e4602677b694a5dd36c69b2f434bedb2a9e3206c

SHA256
34546f0ecf4cd9805c0b023142f309cbb95cfcc080ed27ff43fb6483165218c1

SHA512
181a5aa4eed47f21268e73d0f9d544e1ceb9717d3abf79b6086584ba7bdb7387052d7958c25ebe687bfdcd0b6cca9d8cf12630234676394f997b80c745edaa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.exe

Filesize
37KB

MD5
a8e9ea9debdbdf5d9cf6a0a0964c727b

SHA1
aee004b0b6534e84383e847e4dd44a4ee6843751

SHA256
b388a205f12a6301a358449471381761555edf1bf208c91ab02461822190cbcf

SHA512
7037ffe416710c69a01ffd93772044cfb354fbf5b8fd7c5f24a3eabb4d9ddb91f4a9c386af4c2be74c7ffdbb0c93a32ff3752b6ab413261833b0ece7b7b1cb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
37KB

MD5
296bcd1669b77f8e70f9e13299de957e

SHA1
8458af00c5e9341ad8c7f2d0e914e8b924981e7e

SHA256
6f05cae614ca0e4751b2aaceea95716fd37a6bf3fae81ff1c565313b30b1aba2

SHA512
4e58a0f063407aed64c1cb59e4f46c20ff5b9391a02ceff9561456fef1252c1cdd0055417a57d6e946ec7b5821963c1e96eaf1dd750a95ca9136764443df93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.exe

Filesize
37KB

MD5
7e87c49d0b787d073bf9d687b5ec5c6f

SHA1
6606359f4d88213f36c35b3ec9a05df2e2e82b4e

SHA256
d811283c4e4c76cb1ce3f23528e542cff4747af033318f42b9f2deb23180c4af

SHA512
926d676186ec0b58b852ee0b41f171729b908a5be9ce5a791199d6d41f01569bcdc1fddd067f41bddf5cdde72b8291c4b4f65983ba318088a4d2d5d5f5cd53af

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.exe

Filesize
37KB

MD5
042dfd075ab75654c3cf54fb2d422641

SHA1
d7f6ac6dc57e0ec7193beb74639fe92d8cd1ecb9

SHA256
b91fb228051f1720427709ff849048bfd01388d98335e4766cd1c4808edc5136

SHA512
fada24d6b3992f39119fe8e51b8da1f6a6ca42148a0c21e61255643e976fde52076093403ccbc4c7cd2f62ccb3cdedd9860f2ac253bb5082fb9fe8f31d88200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.exe

Filesize
37KB

MD5
476d959b461d1098259293cfa99406df

SHA1
ad5091a232b53057968f059d18b7cfe22ce24aab

SHA256
47f2a0b4b54b053563ba60d206f1e5bd839ab60737f535c9b5c01d64af119f90

SHA512
9c5284895072d032114429482ccc9b62b073447de35de2d391f6acad53e3d133810b940efb1ed17d8bd54d24fce0af6446be850c86766406e996019fcc3a4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
37KB

MD5
a83dde1e2ace236b202a306d9270c156

SHA1
a57fb5ce8d2fe6bf7bbb134c3fb7541920f6624f

SHA256
20ab2e99b18b5c2aedc92d5fd2df3857ee6a1f643df04203ac6a6ded7073d5e8

SHA512
f733fdad3459d290ef39a3b907083c51b71060367b778485d265123ab9ce00e3170d2246a4a2f0360434d26376292803ccd44b0a5d61c45f2efaa28d5d0994df

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
37KB

MD5
c24de797dd930dea6b66cfc9e9bb10ce

SHA1
37c8c251e2551fd52d9f24b44386cfa0db49185a

SHA256
db99f9a2d6b25dd83e0d00d657eb326f11cc8055266e4e91c3aec119eaf8af01

SHA512
0e29b6ce2bdc14bf8fb6f8324ff3e39b143ce0f3fa05d65231b4c07e241814fb335ede061b525fe25486329d335adc06f71b804dbf4bf43e17db0b7cd620a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
37KB

MD5
84c958e242afd53e8c9dae148a969563

SHA1
e876df73f435cdfc4015905bed7699c1a1b1a38d

SHA256
079d320d3c32227ba4b9acddf60bfcdf660374cb7e55dba5ccf7beeaedd2cdef

SHA512
9e6cb07909d0d77ebb5b52164b1fa40ede30f820c9773ea3a1e62fb92513d05356dfef0e7ef49bf2ad177d3141720dc1c5edceb616cef77baec9acdd4bbc5bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
37KB

MD5
27422233e558f5f11ee07103ed9b72e3

SHA1
feb7232d1b317b925e6f74748dd67574bc74cd4d

SHA256
1fa6a4dc1e7d64c574cb54ae8fd71102f8c6c41f2bd9a93739d13ff6b77d41ac

SHA512
2d3f424a24e720f83533ace28270b59a254f08d4193df485d1b7d3b9e6ae53db39ef43d5fc7de599355469ad934d8bcb30f68d1aaa376df11b9e3dec848a5589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
37KB

MD5
c84f50869b8ee58ca3f1e3b531c4415d

SHA1
d04c660864bc2556c4a59778736b140c193a6ab2

SHA256
fa54653d9b43eb40539044faf2bdcac010fed82b223351f6dfe7b061287b07d3

SHA512
bb8c98e2dadb884912ea53e97a2ea32ac212e5271f571d7aa0da601368feabee87e1be17d1a1b7738c56167f01b1788f3636aac1f7436c5b135fa9d31b229e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
37KB

MD5
7cfe29b01fae3c9eadab91bcd2dc9868

SHA1
d83496267dc0f29ce33422ef1bf3040f5fc7f957

SHA256
2c3bfb9cc6c71387ba5c4c03e04af7f64bf568bdbe4331e9f094b73b06bddcff

SHA512
f6111d6f8b609c1fc3b066075641dace8c34efb011176b5c79a6470cc6941a9727df4ceb2b96d1309f841432fa745348fc2fdaf587422eebd484d278efe3aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
37KB

MD5
28c50ddf0d8457605d55a27d81938636

SHA1
59c4081e8408a25726c5b2e659ff9d2333dcc693

SHA256
ebda356629ac21d9a8e704edc86c815770423ae9181ebbf8ca621c8ae341cbd5

SHA512
4153a095aa626b5531c21e33e2c4c14556892035a4a524a9b96354443e2909dcb41683646e6c1f70f1981ceb5e77f17f6e312436c687912784fcb960f9b050fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bomb.exe

Filesize
457KB

MD5
31f03a8fe7561da18d5a93fc3eb83b7d

SHA1
31b31af35e6eed00e98252e953e623324bd64dde

SHA256
2027197f05dac506b971b3bd2708996292e6ffad661affe9a0138f52368cc84d

SHA512
3ea7c13a0aa67c302943c6527856004f8d871fe146150096bc60855314f23eae6f507f8c941fd7e8c039980810929d4930fcf9c597857d195f8c93e3cc94c41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\epp64.exe

Filesize
1.1MB

MD5
ab71322204ed36a0791c3587b098f80e

SHA1
3f02c3d01226db799b1ac0bfef7c4a65f79daaee

SHA256
67a90f411c73a3e359f38a8c39cc04f76f9ab12c2dfb446e773edcd46d1ce74c

SHA512
8e159f47a0813c573fa87852def1d7f296fa1b32f50d5fab9090f07ed878f75644bcf26760a95d422bc9b393d8eab5f437cdd1a3b169a273d1d4a127ca0e5b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\asena.exe

Filesize
39KB

MD5
7529e3c83618f5e3a4cc6dbf3a8534a6

SHA1
0f944504eebfca5466b6113853b0d83e38cf885a

SHA256
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597

SHA512
7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc

Download Submit
C:\Users\Public\Documents\RGNR_BC248C0F.txt

Filesize
3KB

MD5
0880547340d1b849a7d4faaf04b6f905

SHA1
37fa5848977fd39df901be01c75b8f8320b46322

SHA256
84449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25

SHA512
9048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91

Download Submit
memory/804-1243-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/908-1055-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/1160-1089-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/1272-838-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/1904-541-0x00000000030B0000-0x00000000030D5000-memory.dmp

Filesize
148KB

Download
memory/1904-33-0x00000000030B0000-0x00000000030D5000-memory.dmp

Filesize
148KB

Download
memory/2320-1194-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2400-1203-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2728-34-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

Filesize
624KB

Download
memory/2728-32-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2752-1183-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2996-2230-0x0000000073C80000-0x0000000074230000-memory.dmp

Filesize
5.7MB

Download
memory/2996-5679-0x0000000073C80000-0x0000000074230000-memory.dmp

Filesize
5.7MB

Download
memory/2996-2-0x0000000073C80000-0x0000000074230000-memory.dmp

Filesize
5.7MB

Download
memory/2996-1-0x0000000073C80000-0x0000000074230000-memory.dmp

Filesize
5.7MB

Download
memory/2996-1668-0x0000000073C80000-0x0000000074230000-memory.dmp

Filesize
5.7MB

Download
memory/2996-0-0x0000000073C81000-0x0000000073C82000-memory.dmp

Filesize
4KB

Download
memory/3136-1131-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/3188-839-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/3200-1256-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/3208-943-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/3248-835-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3252-969-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/3256-800-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/3504-1185-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/3508-31-0x00000000004D0000-0x0000000000548000-memory.dmp

Filesize
480KB

Download
memory/3708-1423-0x000001C2C9A70000-0x000001C2C9B88000-memory.dmp

Filesize
1.1MB

Download
memory/3740-841-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/4216-1090-0x0000000000880000-0x0000000000890000-memory.dmp

Filesize
64KB

Download
memory/4232-1056-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/4300-803-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/4304-1079-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/4356-1206-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/4396-752-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/4460-1082-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/4560-1130-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/4596-1064-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/4760-477-0x0000000000520000-0x0000000000545000-memory.dmp

Filesize
148KB

Download
memory/5080-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads