buran | 43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe
Size

406KB
MD5

de904e0d5b71c0c3d99430b61d40aae2
SHA1

5e1add3f70404f2110c389674e481484365eead4
SHA256

43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b
SHA512

25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0
SSDEEP

6144:Zmr7jJUEMBNUNwxJ6m16i6d+W+u7Qn7prLtSacoTccdk+Hy:ZyfJcLUNMu7Qn7prLQQTccrS

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 957-AC5-69F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Buran family
buran

Detects Zeppelin payload 17 IoCs

resource	yara_rule
behavioral2/memory/452-2-0x0000000000400000-0x0000000000544000-memory.dmp	family_zeppelin
behavioral2/memory/2444-27-0x0000000000400000-0x0000000000544000-memory.dmp	family_zeppelin
behavioral2/memory/452-37-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/452-39-0x0000000000400000-0x0000000000544000-memory.dmp	family_zeppelin
behavioral2/memory/2444-51-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/2444-52-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/2444-54-0x0000000000400000-0x0000000000544000-memory.dmp	family_zeppelin
behavioral2/memory/1916-94-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/2444-1584-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/3364-5911-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/3364-6663-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/3364-12740-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/3364-15554-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/3364-23619-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/3364-26692-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/2444-26723-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral2/memory/2444-26724-0x0000000000400000-0x0000000000544000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6073) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2240	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2444	svchost.exe
3364	svchost.exe
1916	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	iplogger.org
30	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemuiset.msi.16.en-us.vreg.dat.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-200.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-white.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-150.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-200.png	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\rachelVaughan.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxManifest.xml	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-96.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\ui-strings.js.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Star.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-400.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-100.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\StoreLogo.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated_contrast-white.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache.scale-150.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-20_altform-unplated.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-400.png	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\ui-strings.js	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-400.png	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-40.png	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\NinjaCatOnDragon.scale-200.png	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt.kd8eby0.957-AC5-69F	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_altform-lightunplated.png	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe
Token: SeDebugPrivilege	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2416	WMIC.exe
Token: SeSecurityPrivilege	2416	WMIC.exe
Token: SeTakeOwnershipPrivilege	2416	WMIC.exe
Token: SeLoadDriverPrivilege	2416	WMIC.exe
Token: SeSystemProfilePrivilege	2416	WMIC.exe
Token: SeSystemtimePrivilege	2416	WMIC.exe
Token: SeProfSingleProcessPrivilege	2416	WMIC.exe
Token: SeIncBasePriorityPrivilege	2416	WMIC.exe
Token: SeCreatePagefilePrivilege	2416	WMIC.exe
Token: SeBackupPrivilege	2416	WMIC.exe
Token: SeRestorePrivilege	2416	WMIC.exe
Token: SeShutdownPrivilege	2416	WMIC.exe
Token: SeDebugPrivilege	2416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2416	WMIC.exe
Token: SeRemoteShutdownPrivilege	2416	WMIC.exe
Token: SeUndockPrivilege	2416	WMIC.exe
Token: SeManageVolumePrivilege	2416	WMIC.exe
Token: 33	2416	WMIC.exe
Token: 34	2416	WMIC.exe
Token: 35	2416	WMIC.exe
Token: 36	2416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3116	WMIC.exe
Token: SeSecurityPrivilege	3116	WMIC.exe
Token: SeTakeOwnershipPrivilege	3116	WMIC.exe
Token: SeLoadDriverPrivilege	3116	WMIC.exe
Token: SeSystemProfilePrivilege	3116	WMIC.exe
Token: SeSystemtimePrivilege	3116	WMIC.exe
Token: SeProfSingleProcessPrivilege	3116	WMIC.exe
Token: SeIncBasePriorityPrivilege	3116	WMIC.exe
Token: SeCreatePagefilePrivilege	3116	WMIC.exe
Token: SeBackupPrivilege	3116	WMIC.exe
Token: SeRestorePrivilege	3116	WMIC.exe
Token: SeShutdownPrivilege	3116	WMIC.exe
Token: SeDebugPrivilege	3116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3116	WMIC.exe
Token: SeRemoteShutdownPrivilege	3116	WMIC.exe
Token: SeUndockPrivilege	3116	WMIC.exe
Token: SeManageVolumePrivilege	3116	WMIC.exe
Token: 33	3116	WMIC.exe
Token: 34	3116	WMIC.exe
Token: 35	3116	WMIC.exe
Token: 36	3116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2416	WMIC.exe
Token: SeSecurityPrivilege	2416	WMIC.exe
Token: SeTakeOwnershipPrivilege	2416	WMIC.exe
Token: SeLoadDriverPrivilege	2416	WMIC.exe
Token: SeSystemProfilePrivilege	2416	WMIC.exe
Token: SeSystemtimePrivilege	2416	WMIC.exe
Token: SeProfSingleProcessPrivilege	2416	WMIC.exe
Token: SeIncBasePriorityPrivilege	2416	WMIC.exe
Token: SeCreatePagefilePrivilege	2416	WMIC.exe
Token: SeBackupPrivilege	2416	WMIC.exe
Token: SeRestorePrivilege	2416	WMIC.exe
Token: SeShutdownPrivilege	2416	WMIC.exe
Token: SeDebugPrivilege	2416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2416	WMIC.exe
Token: SeRemoteShutdownPrivilege	2416	WMIC.exe
Token: SeUndockPrivilege	2416	WMIC.exe
Token: SeManageVolumePrivilege	2416	WMIC.exe
Token: 33	2416	WMIC.exe
Token: 34	2416	WMIC.exe
Token: 35	2416	WMIC.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2444	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	83
PID 452 wrote to memory of 2444	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	83
PID 452 wrote to memory of 2444	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	83
PID 452 wrote to memory of 2240	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	84
PID 452 wrote to memory of 2240	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	84
PID 452 wrote to memory of 2240	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	84
PID 452 wrote to memory of 2240	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	84
PID 452 wrote to memory of 2240	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	84
PID 452 wrote to memory of 2240	452	de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe	84
PID 2444 wrote to memory of 4484	2444	svchost.exe	98
PID 2444 wrote to memory of 4484	2444	svchost.exe	98
PID 2444 wrote to memory of 4484	2444	svchost.exe	98
PID 2444 wrote to memory of 1620	2444	svchost.exe	99
PID 2444 wrote to memory of 1620	2444	svchost.exe	99
PID 2444 wrote to memory of 1620	2444	svchost.exe	99
PID 2444 wrote to memory of 1780	2444	svchost.exe	100
PID 2444 wrote to memory of 1780	2444	svchost.exe	100
PID 2444 wrote to memory of 1780	2444	svchost.exe	100
PID 2444 wrote to memory of 3972	2444	svchost.exe	101
PID 2444 wrote to memory of 3972	2444	svchost.exe	101
PID 2444 wrote to memory of 3972	2444	svchost.exe	101
PID 2444 wrote to memory of 3792	2444	svchost.exe	102
PID 2444 wrote to memory of 3792	2444	svchost.exe	102
PID 2444 wrote to memory of 3792	2444	svchost.exe	102
PID 2444 wrote to memory of 1932	2444	svchost.exe	103
PID 2444 wrote to memory of 1932	2444	svchost.exe	103
PID 2444 wrote to memory of 1932	2444	svchost.exe	103
PID 2444 wrote to memory of 3364	2444	svchost.exe	104
PID 2444 wrote to memory of 3364	2444	svchost.exe	104
PID 2444 wrote to memory of 3364	2444	svchost.exe	104
PID 2444 wrote to memory of 1916	2444	svchost.exe	105
PID 2444 wrote to memory of 1916	2444	svchost.exe	105
PID 2444 wrote to memory of 1916	2444	svchost.exe	105
PID 4484 wrote to memory of 2416	4484	cmd.exe	112
PID 4484 wrote to memory of 2416	4484	cmd.exe	112
PID 4484 wrote to memory of 2416	4484	cmd.exe	112
PID 1932 wrote to memory of 3116	1932	cmd.exe	113
PID 1932 wrote to memory of 3116	1932	cmd.exe	113
PID 1932 wrote to memory of 3116	1932	cmd.exe	113
PID 2444 wrote to memory of 3112	2444	svchost.exe	121
PID 2444 wrote to memory of 3112	2444	svchost.exe	121
PID 2444 wrote to memory of 3112	2444	svchost.exe	121
PID 2444 wrote to memory of 3112	2444	svchost.exe	121
PID 2444 wrote to memory of 3112	2444	svchost.exe	121
PID 2444 wrote to memory of 3112	2444	svchost.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3116
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:3364
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:1916
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
975B

MD5
8c759969132d63cdecf37b04efe05a62

SHA1
135db5ec20c6b00d789930d471fb18b23dc56ea6

SHA256
e8e37b28d14729c65d3426fe0373261f9be94333dcfa99063cfffdd6e6f028e0

SHA512
2997ef3f46462d5aca2d63517a2b2280670fc77bd3845b04d4ac75337d7f8160f8a6b893997cee7ad3976f3c279cf69ea4715656239efa1a172f34eac6fe12f5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
6258b4468652a248c2bfd1fa683246e2

SHA1
4641960a00d20b279fc30545e17c8f2cc4005850

SHA256
b32b9b205d6dfe47ac63fac5813ffdf0a69f216f7cb7aeb2c72715d61df7733a

SHA512
356490d8367a41d0e48100c1e68105195f5f162bd803e3b158eb900c680b71433ce7aa9b42ebb41f920aa13d17059af011282a150475147381b6d84ecebff61a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
0294d6efca95b3c136040e610585c402

SHA1
0f4ee21f0a59c42d354c088bc4e12706f0a8c230

SHA256
e49680b51e707e6c4b2d765376680a6c61ba91408f7631367b179bc240c2a049

SHA512
1b14d3e9f640ce8f1a6088d9de05179ad77295f0dca2078e8f30274a17e5891c709d271560985ffa060b434ebf1eab3d9e0a82f46181daf54cd7ac40c497f196

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
04b802bf9a51b35e9eb8e9badffdf10f

SHA1
f2e9d9e925018d53e042cfd98f0d8a92cbda636e

SHA256
cc3c5663af47350ff00aba74c26ba20afdef8eba1f3fa87d2c6df96ebfb1d3b6

SHA512
d4c8ac06deb531095fa9945764ae89776ea0df7f1b3ddec4f63f139ec6c6586360baae7f8c45b831e797c94fa75017b2c8a75e1a98b532ef07f510e1ec62d0de

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
bda640ccc0f7eca63fb9f502b305ab1e

SHA1
5e91ebee10d9f1babebfa28f91a83bb9668c19db

SHA256
649254da1a34f200765cee18d9b389772e27c47087af992a0c77cd4b925c9740

SHA512
85ea212716e2ba11524913b97e64ef7228f1f8eb66a47df1952c8945beca6e88d0b331a000a0eff3d8bfef4b68473defdd4af1c99868acb39240028218c9a34e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
c57ff16d6ee7c6095a69b31a490ab043

SHA1
7c03139addc5ff3aaca431169eb6399372d93a39

SHA256
62021ddbbfafe2489ca47a1724344a85c0c86f51630344bbff28c050bf6c2631

SHA512
0a31ceb43beb9093078edd7a2007db413ebb7c99b407697b45324c2e584ef2bf8637873270adc9d07df06e10d6e662d32ec2dbbce001e04839f14825d2abccb9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
be9298d2f8fa2f30fb4226767780b198

SHA1
ea8da2f9f6035d90709118cc98cb4c9ea9b0efad

SHA256
ac4fd62df1c52b161ca190137dc964f5e0f0fcd942fa9f3943b6e3dad02f4ea5

SHA512
52861a8da698b8e924040c5566fcc21553ff4acbd0e426bddb14d351a382d5c2c18d8910670f4c70ef3e21c554dec87a7f27b84396212e6d688f717772b85da1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
06b64aca69882e8472f3a6e5d113d334

SHA1
67da8e1f529b85a1bd681440dbae33611da0d74d

SHA256
2a7140579afffdb9a7b4ccd766e95ace42bc2af59e54340e7b5b979fc361f2a8

SHA512
78ed088e70cc2de0e1d892dad43cf552ab79bc44db0bae975f5c2bf4268de83c6ca3868dbf535021511e90a0c9d45f4f82b27866a6ac2295baed273e6f6de3e7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
10KB

MD5
1c23ee39fb788a7938bbe63c448bf498

SHA1
d08e654a156da15f105b002eba7326ffb311d36a

SHA256
1b04b040a1730ece98e94086650eedc59b78b7b1e1eadf39ba6f1401ec87a5f6

SHA512
d66a57a01e1c70fad58edeb6b6573298c712a73544c94910658b2a26153a0d18159e3059fd3a48efb6af6fe899657a5555752e6b291a8fdcfe674404cd3c02a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
c65e294bf9edc2029f316f6c9aa10cf0

SHA1
30374c2c6a63c14c294fc5ff384a2c24a283cf65

SHA256
25defbe1701785129662d8f80f713fb37e8eddb752899cd7065c17b3574b755b

SHA512
fffc90e0da7b53d114ded4f7fc46d1529824ab0c8727a0164986f386fda47b68e0b1cb2fb632ca64c17baa545565a4dd04a0c2f1b36246516e03355019bc2f1f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
0d7c07371a04a04a54261bed5b50cfad

SHA1
20149afb2252444559b79e57edfe58024c752313

SHA256
43b94d5527643ec21e9400f71ab03037da8f54ebac4bf9c511539c000445d318

SHA512
bc6f248a446ffa991c8c9f30a8807212f53920d880ed67fc92af804514f319845de509336d715576847aa38c1ed137f2c972ae45b7eac468ed4e6f6d459fdf4b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png

Filesize
9KB

MD5
6370fbb2925062d9ee3141518e69a970

SHA1
31a5963b491166df92ff118a6f9d4a07de9f77bf

SHA256
abe0ee21cd5de26917e98885e3923b88e34dc97a0375b898d1a11a76df206f01

SHA512
01e099d689ef776251cddb3e92e78e9f23cbaecc01d342b56b595f925d95cc80dc32ea210c7eb9df6238c1b32c01733b8aec938c0b62d980382c8ad34bf30443

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
45e6d269ffb16898e987a1167d0c572f

SHA1
efe4ba15a4d451c087f9a600de5774832d1c6922

SHA256
2166a8a0a888c81a449b0daf7df31e64fc25580d775651abf98698a639cacd6e

SHA512
27cf4859cbe045cb3550deb80f90021eb8ab5b6f75ce11e8ebf35fe8935964ac1072e29441643ceb35a305f6e9a85d2c8566a3e42d3c8234a944e2955ba67f8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
377KB

MD5
40f391fe895fda0bbb94dea1816c7811

SHA1
9ec620653b27f290c9ee5be1d11bbed7f7996cec

SHA256
857975f3ea51a72b667b87c5900cf94884752ee599a1a8eda4b2e3d40c1cf37e

SHA512
836518db41d6e942273f6b62eefec327b39657614e0aaf51dfba839f102dff92caa4e4102f2b82f25e98b896c6e44878e644c8d73186bc31cc79ab0b9a783462

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
f6d475b92686eaed14c4555c726d2489

SHA1
325ab2376de613fd533483cca7b3b8d8390c0625

SHA256
474f060f31f867024ee422df44adda92d17886c2f42e4047d6bcb7e1111f3f16

SHA512
839a3c147f0669f8b608a2442ffbed559108acf60d0be47dc593eca0f0728586daf3bf83fa6e68c05c17fbb8e616297469507a72185b81fd40e7b70c8d5c7f51

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
8a8ea0baa59dad3efc96bf926b4d78f0

SHA1
97689a2e2cdffc4d91e567c461e020a5f9efe58a

SHA256
282526119a4e16f149c43f659864473aa927c8efc2163137e33b73789ddce05f

SHA512
9965cd648af1800cd5e7fe7647b2ca408b2e8f7a732db6e1ba0a292d844bdf0b717e202e9e64601194d044a322897126815d9adce28073aae7098e76eca0607c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
793a7406873620f0b58518349a98b540

SHA1
c1a8566837ae086d898799e711d7bce37297b051

SHA256
0407672c9cd7afa059328a2e3855301bb3c5ce636100639b1b0efe7be49cbffa

SHA512
4989c44f556f393893669079982ee6e394d14fe50c44c97861c549e86d7fcf8fd03437eb15464fef146f1bd303aa785524ba6ff6d2762127e2d3d5f3205afe10

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
d671448d28a91db77cc1465982001572

SHA1
5389b0e170c523024b9d5bd5ec6bf478065f3d15

SHA256
464862d86133973445b2df10b852dba00cb09b2b3448752cb4331ac7c3055304

SHA512
008662bb591f39135d87802448d1594f9d3f1f38905259c9c861f9a447a2115e51f2be1da2dd7347982a72e31465cd4b325e10bf930c45503bd239e9a6fb2c9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
cb96ccbfb02585f4f79ad22520437726

SHA1
77eae96cf1762ac43d2409cc2ae5455e08f93c00

SHA256
c2d6064b66f627bcb36e8677618a7ff70cb3413f1fe7309df7611bbf40561e02

SHA512
8562bd1b69f7653d410fb5dfe239944310304753a2de063c665b5d3bfd6f30b4575d015a3769b1015d96c5faff975414a90ca6a83a240df16d30cc9cce74eb27

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
253d797efb4c037223b941238d595691

SHA1
1a1fc235682fee555fce81fe0961af8db3941eba

SHA256
e74b4ce72bb984c86bc32dcd4abe36760bf4d36b56a1a64063dff0af52a0e893

SHA512
785cc0e48722b4642bd08549cc561ede44d39e526eb392151b7e1706ee0ef33ef1a13495b84d9a1467ded1c8a010454c6dc3851b21b6e3835825e4ecdf2b8e3d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
061bb283488025b1572295c7d6cc9b42

SHA1
bddd1a0cc44a1e68d58eab0cbd27192a1e664c6d

SHA256
50d504b082cfc32c67ae3c17de1f11e0d9e780b6d4d92d6e1d264baadf5cd541

SHA512
92d60f59296011198becd45d18ec1bfb44beb59b090eda458c199f0499fb3422c797a659c36917bcd60f1c2150fc524da3ac804530f0b14185076c76857444e4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
7a975f8df9d7190207ae7c8bb3b6ac93

SHA1
9c275aa05abcbcdb8e9b39193f7f29da18387b42

SHA256
43058f4a76e8b5103b3b9d6d5b1fc5429e589afba518ed36235726665e096b86

SHA512
d4571b1308eacd6a24b9d156a301c1ce8f6adf80bfd5c561eb07b477fe269b4211db1b00cd1019b41797913331c1d56594e2140d4486afc0f4059472078c7a17

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
5301ac82d7a826f9676f8c095a0309c2

SHA1
effd2382a531a33709e0e6bcc9764e9de85b486d

SHA256
49b16a9e0b1cd2000082c7ce3fba85b40cd2f8bce007c4c9e7df2077b1cba1c2

SHA512
795ee3597443ff1fa1997c8e54aed2d19354620f434537fc51ce7ab163a006e6864c957e9211a88e0d96698425bbcfa80c9c9bf69b2cc723b88c151547eeb4d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
0c10251e93f374a9f89c48101e7769e4

SHA1
162f28cfbca3f18de5b5bcd69e3090b066956b06

SHA256
66b953c8d1d1440e454a5884b219e19bb6c49ded43a1c99141fa847d38738bb1

SHA512
c7d1d7ee08b83afff4a34919367e8d638cb5789ddec1f26df0e8b420857adc4eb3628f4a88466aefcb7214c4e6aa8bba220cbe67d6021e8250186dc22b7af110

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
c326f93718f74348dbcbc38510e0f32b

SHA1
a7a74832c2b323b3acd87130663901c5ceb79a59

SHA256
07232aff77dca86c2528635b718beb1d8d9039121e20f5fa0108f960783119e3

SHA512
a9a434fe9873efef57a8299295687f60b642d194e07561c9952de74c580ff8a3c915d20c2ebf39d77bf969aa0788337059d9cb1dbf2876460c18539ccb34e7ea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
a355eb55f845b8618db2826bccf6bf37

SHA1
f642b23d3b60469475648e68b4fc42d4cef233e7

SHA256
49d039e33c621521ceccc695f0fd61e1baef977cc997eee798248beeaf5d5523

SHA512
d86d918e27cc655e3756c53439c354be964d9c480e149681cc9a78f95be6129801ca52c6259bf9d63f2814c090ec1244bf9f6e1ce04384f7516fcc042348aae4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
61c59bfc5241496c0aea43e098c3e20b

SHA1
8eb5adc2455ac4a3951f897dffb37b1518b37be4

SHA256
efae159d2949576e43f125c7ae14dcd041a32f1aefb7f3475cb0f48147cfaff1

SHA512
fb8965924a9b77065d9430330e731841feeeecac57f557838ff6bf097e1647f0f10009e495a2adb02103411bef323f4ed6b1b4def7dff8b5e98e6e74844c674e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
5da6fc3f5fd7751faa54cbb3eeb8c08f

SHA1
33be9818bd614647359b3ff890c6b4e7d76da979

SHA256
19b3ff617ad8fe6f5e18d96d7e3abde7802b8e5f282e900be8dd22cdc3c5107b

SHA512
d52e1101e7f33f5ffbf711e22aff92fe80a717723b9f5b0b3ec6cd112161a4ae3c021146f257fab59206a0911032b12cbc1372584147661329f60c2761e5f990

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
3e1f8f3825874e433ca725e277180d79

SHA1
d455363f30a7e215f5bc843e607fb55a12a9df47

SHA256
ec17a78857bc2a5225576cca3cf161d29efeebee6a63411a711f152be3175069

SHA512
680b6262c1a8de4262246aae49f679fac7d4ee13e58fda4784f0db7ed883b9e27496035ce7cd185cd05b39c47bce8e055d3e02f6c68fb41fe16b015c6f57b95b

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
c7ded7d3e6186d03ce3f458c0233e4f0

SHA1
37122242f166ca9c38a18bd23911b00076a57042

SHA256
2b5cdc2450afe8691183681eabe7ce9cc3b45c2eda93dd2489fff484e6249934

SHA512
a689fe743cbe459eda615da66b019f4d46205c01bd3cdcdcd0f836a1e9309d9e01ebbbeeec0620482a9cc7aa47eaa6e4ebf71c3eb90def6cfe7f371173be466c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.kd8eby0.957-AC5-69F

Filesize
292KB

MD5
0946cc061f610c5a1ef1e992a9048228

SHA1
c478211e6858485bcbd4e9aef58f68626c9cd969

SHA256
2dd3b89cb21f930635544f0102b8602cd5620a686264c772a0018e33482cc74d

SHA512
b2683edf980d4060c09226e71b0d693533c3110c1e78b1cd3e806df74ec785c245259b80d001b2fc7ab84099b51c9a59372c8ab38bf1f898749bc0e9fecc10a4

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
0d418eb85614f01ce907687396af155c

SHA1
1329173a47dfe469292cf28ad160ca4f9a6d5d80

SHA256
b6a2a19aa9f586284ea23137fe1c00d311126832ecbe78c0daf038334d7dab54

SHA512
27f71a73576690918e59735e9077d2d32c486f9827565795da52e24b304a1b1f5bbf6bacae90efed972cd61a663fd598186ebc93cf5f1be6146fd8e801d3600e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
4199285b66354fea0c4e6c108310a410

SHA1
65028c9fc094c2f8457db7e4d18d9cb1bf402c28

SHA256
e77cfb440ed58421e95130d89af7341176e2920c653486e28c1dc6efa310f824

SHA512
aa9f33184356ada4d899435d3f937e3eb620201c5ff379c863b3bb51173a04f4638999684a22ddf6889fcd4ee34c6e185c2042b505d13c938eca780b832a4c11

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
8bc04c3e7f3700ea4d32e6c08e52c82a

SHA1
cc8b15c66e61e3c1daba64ebc0c54476613eb646

SHA256
699eba65145d3b790680d5cecd06b66bebec48d0f7be225ddb9741aa0763eedf

SHA512
059f697822d4184919ab55e0eae0d12619ce2db4b5bd2ae5823bfa3de918812256b3566ab910be333719324aa92cdef9df7e9eaf86a924d03cc57ac717488ab6

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
da4f185434f9261e4b7bf6aee86e129e

SHA1
687705d9a3cdeb2758efc3c93f952595baa68a79

SHA256
7ef693b53dbc32b1c2ede676d655c0b18588c5e9033d44e63c0b639ce048c013

SHA512
411cca60afc81ee24179c50bf3bf5021b436364c86161e2338b8f83d8c7cda127de10e5cd3bd9903f256150043efa3bd778600d297f4daca91ef631b3a753261

Download Submit
C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo

Filesize
832KB

MD5
b97d25a40ff94a429fe31a40838705b0

SHA1
e65223177892c70e5dfa3b3a73b4e44f328b4949

SHA256
0a90af71677d10723a0aa3ac0e7fc7768a92f73fcbb836756482569641425329

SHA512
be24d952c6044b99c03bf15631476ea9e7111513e1482846f13cd3a1ca7424f082fefddb385a593499ab980ecfe0124c9fbd781e6bf1d9791bff39d898ac11e6

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
a8386729af4c1149ca97d7e32d39451e

SHA1
7b1dcf2981b02e64d9fe835cd4c50fa4bbdbb354

SHA256
c7b4f5cb24aa370fcabfd91965efc32853bc6b69c1ff85d6efd0f16f95aaeb06

SHA512
e34bedc55838107f25222b3f59d47b93b073af0e288c8d06b1e4aeb8f3c45803c4d1139875e2fd96b0c6d360d0e56dc458b38c765301b0ff2a57d8e12cb6d369

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
613KB

MD5
9c3ef67415f76610f4dd7e6fae996e11

SHA1
e53e4158d87021acf89f762e4058b60e49ea9308

SHA256
47ad7348f611ab996f0b4f4a2960fcb8252e251a8f7dc0dee49f538313b6b01c

SHA512
0eadccf28ccb3ecc003c04bd089277b12097d3101d35f763427575a65464871c41ac0d55638413e490d4c850a1234d3c1aea1f1c091d0011e6125939a79f46ba

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
595KB

MD5
917b902d9d5d507a8eb0a354d1f8f871

SHA1
b4954887e8fa440680081df6ce93ce28fc257c90

SHA256
09cf9af2fc2046df99730ac31c6e8621ebb57d410b2f6fe8ab7ec6fb17ab689e

SHA512
1ad8f24bfca3b849fd2759d7cf61b9e11e3132eb9144d24f680782c5c17ec478614e706ef57fd13d04fdac67a8a6fbf6301214650f4bf9ef33cda17b64f6caf3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
cc92cfc38c02d1a18e1b5cda8085c25e

SHA1
ead419d36ed82cefd48075714100732065dead7d

SHA256
9c2d417f24614354e17220ff6e3079df364d0f8ac6fde46a4de4491663217169

SHA512
33694f45690f78c798f5614a9e2ea535621adf787eac739f7ec99214f4deed5f5a58dfb6490ae24d96161e64dc89195e9ea59dc708aba892bc795fa861ddd908

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
6488d73405297e307c7eecefffcb5a49

SHA1
e902a85f6604cf25bc6c25090ea03b273c9318b6

SHA256
a95212c2dc838bfed4ee340460b71aee70bd2aa70e6599d96a564da79afe1211

SHA512
440bcbad6791ce01f4aa55868e2cdf6db78057061eb54764d050ab5b9a748f7e6cc0f9b558bd50cb538e72ba6b70e29a1bcffc093810740b6961ed9df91b35ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
3fd0150a8783351b705067e95b6a7a73

SHA1
f25ebe76c2199de815dd7a387377e489900b6199

SHA256
6cd1f27cc83e8b2f6f20308c3fdc89598eb29ea3a0e0e426a21094a309397a86

SHA512
178de8824ae3ad07348edadbde2805c3c24f2461aa540c46e5b8a4e29227e43a08f841deaf7bf49d7e24c1d4f29faf65f90c79304c52ee5bf8f85c9601f5e1ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
f8c2ef375d65ea851dbec17c45ceaf80

SHA1
ee465722f65b62c4e2f4ca8a403c343efbac673e

SHA256
66875c31f25ecd20ff76967b7fceeff43ceff626d47fe28b99d18dd1fba6ae51

SHA512
2e1fc8dafc52ec52e1eed6c0e373964579e5b794eec27b9110c8df3410b5017b3f8e78d067c4811c39981152691362eff7829d996eea0ee10d586ef86f5de2ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
5890b835ebede7489e6738fbd7c5c26b

SHA1
ce5a010ff84e0145a4893525f760041abee69b60

SHA256
417ec3d4a4a821c255e6c2103883e0437a26310d8aa9bbcde058d85c20c2cc23

SHA512
5e0afee870a5de2756ef49c8b4e017b9898080effa80d4eadae9693d34c8284bb32c7eec9d23d273e83c3a57782a25f8e068f3fcb52efa4b3685b9ccb93112ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
f4ebbb24aa61d24404ef4be31c094464

SHA1
c08d4e1395edb9a0fab28f41eb55ceb9cfdd7502

SHA256
fccd3c1d0b8f83d655e3d172b097b9d1e7d98a1de63e08e54715e9bb28a56322

SHA512
d6a50b296142136684813daefc1a85db88507dc784fbe7c053aa67bb6a96440017854f7b12df03f11d7afd64b5dbc213eb4fa02ab9356af1169e4fce84633968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
9ca2950b39219040c5b0ca74a59f4d96

SHA1
014b2ca3ae2a06e67a51bea25f84f12e4a900dc0

SHA256
fbaf9f7f6a08bd9aae11f6d0f2bae77b286809587a60f952ac19d02100a05e91

SHA512
399ebb5e270ab416d823b2b205600bb0d93421232fea94154556f575c0e6d09580aa8924daa1e74029e75982b35b4c756bb2e7cd64d21230b930999fe9592588

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
c53f9092c2f685238f44818b91844a24

SHA1
1c93a7b40bbc3acbfd0a85500dbe4a3618e97924

SHA256
368df131b7b9261451278721c07bd9b3527b49604a2cdaad94f23ee2c25194ba

SHA512
b46e74cb4d9ad2bbca00bcf479ca1ee76a14cff448a6e8317c897db4aaa8fdcf0f0982737eccc8177b6072846438928f7fd321a884716fbd4bbd9a4eb3d510de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L6PPXFHA\79M18GGG.htm

Filesize
18KB

MD5
99a5ced9dfb5824225a0fab4c74a7b46

SHA1
f0ebed42f94fabe0c10dcf1eb3eb084a904e144a

SHA256
44b3cbfb57079b2570e5ae94942d8e00ce0291c26317c2649a41101018bab25a

SHA512
2966164e08f60aaa0078dbfee9f4d5521b5c02525dbbad4ac14df0d6be948ba98ae1da33e05ceec07abd6d8a18278c399629621803acdccc91019372fa3152ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\4GW96THN.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
406KB

MD5
de904e0d5b71c0c3d99430b61d40aae2

SHA1
5e1add3f70404f2110c389674e481484365eead4

SHA256
43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

SHA512
25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

Download Submit
C:\Users\Admin\Desktop\ApproveSync.xps.kd8eby0.957-AC5-69F

Filesize
653KB

MD5
d25166d8c4bc2d433d9d6821fb36ea57

SHA1
e87d889b8521b539ddc7c3b587f9cd048034b11a

SHA256
bff5c160c9c50cef157a6d8fe07316080b13b38b6b54e4e505d9743753b22ef7

SHA512
16bd5cbf2a8956b93cffeed919d5ba380ac08d18f00de96f9d36e038a0abac5f4de32da309898b84d003e7a1638ee1806210607d3b519471be74b088324a786e

Download Submit
C:\Users\Admin\Desktop\AssertFormat.TS.kd8eby0.957-AC5-69F

Filesize
467KB

MD5
0cba061f730dcb66ecd3994158b1cbe3

SHA1
bd2e11d081759635e63ebbbd27f3ffa788a00aad

SHA256
2b01e1aefe8fa1f061bbb5edac6a37ca14168e711feb4578755dbbd8793ca74f

SHA512
699db7c78f4d22884ab9c2d24b9bc0c740696e557f5aaa49b1b8353dbc1fab6a6f7333f33182de937fbc617d7ae42309e0367b59f7753f6b35608c50ac8a8d0e

Download Submit
C:\Users\Admin\Desktop\CompleteFormat.xlsb.kd8eby0.957-AC5-69F

Filesize
513KB

MD5
c788fb5a6a294dcb9a0366a94b4483a4

SHA1
98c63f4e81b30ae0e7ceab16be02be61f4434ebd

SHA256
709743dae046aa24bc753706fd5e2cc0c53e0deb6a5a747dcbe1955c1c4f4276

SHA512
e3a7f9209890630ec7a74586420087ae9bcf9a94d3098630a5b129b142bb866e5f92fecad3a70a396fe3173c83db992d417e4e67bdb2df2f71e06cd4dc4c378e

Download Submit
C:\Users\Admin\Desktop\ConfirmWait.docx.kd8eby0.957-AC5-69F

Filesize
18KB

MD5
cd561e42400f0df11bf9116de747aa9b

SHA1
028a8e135860685aa52fd1b8ee4d7e6e98e9d298

SHA256
b1f26410324e770fcbb6bbc889653806dc921d23b71ae84f10ec4284fd85d9a5

SHA512
4901e72ea14947839569b3a7759e5bcd232772a2f172fa713d8dcab20b11dba35cf3177d5afd14e2c25696a12725a398bb1a185093f1472fef1bd83af1a7c0fb

Download Submit
C:\Users\Admin\Desktop\ConvertToRemove.tmp.kd8eby0.957-AC5-69F

Filesize
490KB

MD5
82bb897ff5be24fe238643720f169d8b

SHA1
b0259761d3a245d9fbe0c149d5645140fec00ac0

SHA256
02bd8deedb052e80ad530626742951987ae40de8489b0dc4bf1aae88d180ee55

SHA512
81ecf128eff38ba08d29bc31ee21b73d66c9b42dbdf13fb07ae05b22d62f379e8cf2d292508eaee212bb034d822e18f2a4f6a77ad87a730ad773c84fd5e0b58e

Download Submit
C:\Users\Admin\Desktop\DisableComplete.pptx.kd8eby0.957-AC5-69F

Filesize
304KB

MD5
d91e1c21f99df79008c8a5f38b896f39

SHA1
f93a0b96d7662c5fd570951a1327f8c6a701acf8

SHA256
f8c936185ed579de5b58b818afb9522b7f4114dccfcc2ee003a3a35f76d80c88

SHA512
91c1e0fcd07f8dc626705516264d8e3b959d6d05bc68f8fcf6c50cbdfc82eaf16f5fbca72f136545f59ca5db3ff4479cf01117d29cf7773f5ea15493b938194d

Download Submit
C:\Users\Admin\Desktop\DisableEnable.pcx.kd8eby0.957-AC5-69F

Filesize
327KB

MD5
5a532fc44642ba95c89b9bbd571410be

SHA1
c33de7f0d48d1982ca3d7f785b0b17c84f0155c3

SHA256
f971fe77b28c4ea0dca34b23242767a21a82fa6ad50a300f0f471e8d2d6570cf

SHA512
a1c08bc81b1a9cd268ba8fb93ab85777ee2e8fe9c145dee12929f4e4fa7a1986bae97d44ef6d5dd1a98781707787b387a36dbe8cc85746b34cca65481d5045db

Download Submit
C:\Users\Admin\Desktop\DismountFind.avi.kd8eby0.957-AC5-69F

Filesize
560KB

MD5
3cf322603ce1fa14afa5369a8161b6c8

SHA1
b3538fd2faec4a52a5ae077fc5d35a5e913d7aa6

SHA256
7e51cb5872290770de01a10235bfdda77aef33982f18fd0dd24884781db90d61

SHA512
3527b8f5ec17ba7657ba45d39940d45bdf47ae49c6c89f6a185428cf76b0c830f337f1a91c7c7c3255bee85ee29fc91366f0c616a5cab42c07d42bbf85256d2e

Download Submit
C:\Users\Admin\Desktop\GetCopy.jpg.kd8eby0.957-AC5-69F

Filesize
723KB

MD5
71f1afc5cdb59067923e0ccdf43db070

SHA1
fccd65abd409be1fbabd413cd34cca077d2be106

SHA256
f25e516376586a920998745d1a8bcf000724bfce84678d8d248ee95019d2d22e

SHA512
a644587fa1c256ebab2b7010ac77acf837dc197dfdd42916c10ae09091c423d61a0fd8460c127ed5111e3d72d38699161f642dd445e62e427090d792299476ac

Download Submit
C:\Users\Admin\Desktop\InitializePing.ocx.kd8eby0.957-AC5-69F

Filesize
350KB

MD5
f7410a0ff51abf99de8d647888351b41

SHA1
3d63973004fe55b1eb79351969a0221d9242e5c3

SHA256
58a10ebbacb8cdd88f13d4a6c8978abbc5e69b4bd1afa1b1f671e35c7697adbf

SHA512
a36030d9c874d4d146694de1fe02722cfe705622dfa788c9f239a05fd0d5d11ec9f9b6ae571bf732942de2fa259e367e6a3c193367c7242977fadfcec3c0357e

Download Submit
C:\Users\Admin\Desktop\InitializeStep.exe.kd8eby0.957-AC5-69F

Filesize
257KB

MD5
68a145d5dece5d11c33869019553a3d8

SHA1
b9f74732b80d6b9848d0ccca9aec742e97c2b680

SHA256
82320643614477dcb11542fa334f35a4aad1068ea8081ea2d65ba8343997e2e7

SHA512
bf6fec4892bfe1305ad3ff58f859bad8f3e21bed76a01450f436cfbf21292b314b8176179d46d46abed9ce3d02964171851399e4ac0a9489fd92a2e5e8829229

Download Submit
C:\Users\Admin\Desktop\LockReset.dwfx.kd8eby0.957-AC5-69F

Filesize
676KB

MD5
10bbd2e30fe33a9c71a1c147a0877055

SHA1
50a8ae9d9c8bd6dfb57283fc74b2448d8af76052

SHA256
d02107c4f9b7d4c41c2cd86b809f28f11578e0ceb89310d7c92b321b20384bda

SHA512
d3d1456bab9dae55a8669da6c3b11fbc3a90cfb007fac56e7a3b1b6f3a3a8252e3b44c03c018a0ba6e2a5537944affdea82d54ba510aed37a89f19e83ad970c2

Download Submit
C:\Users\Admin\Desktop\MoveDisconnect.m3u.kd8eby0.957-AC5-69F

Filesize
1002KB

MD5
1da7801a99312bd7416c47f5f5c513c7

SHA1
ed91b96fa3eb586a5df0b5746f06e4d0b3bf260e

SHA256
d2adae39cd2ac3e59862b3961700badb4ab67d1fc01fb83c8c3f8192b8262b08

SHA512
a71c463eb964f1b0c2775a0aad2919a9eff09b6165f9d229369e77dc9e6e18f76f200043b1e5b5371168c3dd4bcd9f0ab9c009388a32f727ad52164f88b795da

Download Submit
C:\Users\Admin\Desktop\OutUse.wav.kd8eby0.957-AC5-69F

Filesize
443KB

MD5
2113055f105b22ee7c2d89519af91a7a

SHA1
1c650e10d66fe26a6c9a43172d8e72fc0f2763a1

SHA256
07fb4bb9a9f7c7d15a2aef63887b4b79c9785cf43eb6c1a3550c27652b2c2f2a

SHA512
9fa73ca5c5fd691fafccc6f856651c018ac7ad8bac50d6e06f9cc041a709e6289e1609b121757aaa2b42fe789e71b61aeb07c2f4df723616c6916aae2f5f8e4d

Download Submit
C:\Users\Admin\Desktop\ProtectEnter.rmi.kd8eby0.957-AC5-69F

Filesize
629KB

MD5
f1fe17e23ba2a4cd0bce8ce20f942af5

SHA1
970ba210443e673483d269329d71c84e5934057f

SHA256
592cb9b7aac1a0f0dba796b70137447ad02524db20b7f89f3fdc6c2b462dfe1b

SHA512
b6dae17cdd0939894e9b893806f601f1155c83cce3bb62becd4e540509a990f6ea07af3bbe1f9bb6b4dae45f764cc6731ee8d46dfe1aacc31e836385bd144f53

Download Submit
C:\Users\Admin\Desktop\PublishRead.au3.kd8eby0.957-AC5-69F

Filesize
536KB

MD5
57cea3ba6a2bd6173bdd3e279026df04

SHA1
93270bff4b6aae522f3c67c405d81dae10c5f656

SHA256
17b5b86c4f6ea291a1e74ed9625d518fac77ae98a583534990e8b830900add05

SHA512
00fb85c94aaa172f208370d79c3a3ff39908cebac36a02e1597fd08321c7b612e854b4008c75121d11e4552c03e15149523019575a64aa10c36aeeb9ab2400f8

Download Submit
C:\Users\Admin\Desktop\RedoRestore.docx.kd8eby0.957-AC5-69F

Filesize
17KB

MD5
7ba2d1d6e0bb8277fcadfb52a9d1a80b

SHA1
b28f8b23abc1f4aed05cc1d446730129412b6a29

SHA256
8bd9038ef533c82c024f4ca4bc0d3b70103b7da919755cea1798c152a8d72400

SHA512
85849483428e4edd934df6f67866fe0a011e9ebf160c840883a773cd5e1d2d443a4aa03199fe8cbe846420365560a51e03e8cf6fc0e9ea201a63072d53ce5c67

Download Submit
C:\Users\Admin\Desktop\ResetProtect.docx.kd8eby0.957-AC5-69F

Filesize
18KB

MD5
60aa47f986fe366594ff8594b034761b

SHA1
d17bdf6cb1ef91c7932c57c3ec44fbd6f3b1ab44

SHA256
97ad8438dfd0b408c0e701628c60f2a4a355863beffc9621db663ed72f7bb0fe

SHA512
7d45612a8b8947af6b0c5e9d2f9ddd6eacc00eec91c958ee6b1d19c5834c6517a287185ace2a85a0a6ead97362f924cf2e27220f9650ddd3a50c532a5b8ba78a

Download Submit
C:\Users\Admin\Desktop\RestartSplit.aif.kd8eby0.957-AC5-69F

Filesize
373KB

MD5
b197dca445859348d10b5987abf0a201

SHA1
54df6205320d578f0b50d2b82865eddf1723f0d9

SHA256
efb248d63d6f574d1cf2d764ac8ef2f76a8d7c2f1a52dbc6dd8c88cc9eed4163

SHA512
a70313edfaea7a3e053a74144d28d673d8904862e7c3786d74eea8392eced56fd313db2ebfe68e0daeae4582fac898abfa9eb616cfbc9b71c81c277ca4eb2142

Download Submit
C:\Users\Admin\Desktop\SendResolve.inf.kd8eby0.957-AC5-69F

Filesize
583KB

MD5
6cade8c1c5156ac397822288a81468ae

SHA1
c1b10e016bd6904698c9af027a0105375e2fb4b3

SHA256
367f3b9ef60f8582bfe8770e5a06b799159a265284a5b9b0e71b8196285453a0

SHA512
14416f3ec1574c82ba192d78ad17b7854af2eb4e1576289328d36079073dc6a3e97759b9f20820b461715971cab24ddf2e8aff7106397e0695a80a59805579fc

Download Submit
C:\Users\Admin\Desktop\ShowRemove.tif.kd8eby0.957-AC5-69F

Filesize
606KB

MD5
f324c5e25163ed84678cde85d3081ff6

SHA1
c73f174f84e253f1628049ba028111c98541130c

SHA256
4704ec431b1d5edd64050d4f988ceeeed45bbe7093324ca46d63f84d9d59faa5

SHA512
b82dbc6a487ea70ede1f443af1415ad02855719d7cb22a7c93493e5a1411856288279a92d706801cfd76317eb3c2d7fa6e6df9fec24f96cd5c6bc7081140300f

Download Submit
C:\Users\Admin\Desktop\StepGet.3gp.kd8eby0.957-AC5-69F

Filesize
699KB

MD5
dbcb8de155d688e8e314b1266d23fea4

SHA1
f5c20b7d94e13e282d13bb152ad7d35966d493c4

SHA256
124fd4d40af446b906fcdff1aeb0e577849619b4386fe4e41b06aad661114d2d

SHA512
c2b349e3c0848251457a11191ebb6b58910a8934bfbb11d5649c378986b61fd3b39c1b984c68bbc3f7e4e42619e7bdc74a5008cace0bb1b40f915f898eab7146

Download Submit
C:\Users\Admin\Desktop\StopAssert.xlsx.kd8eby0.957-AC5-69F

Filesize
12KB

MD5
dac489a874f699fe43e1c1f84127697f

SHA1
ebe619e5cad5f3d3946dcf17577d5c0a0475ebeb

SHA256
980bf7b52ae9068b5b88b5a03bb04d2c20f8a35ab2d0b4c360d67f956ddd0fa1

SHA512
4d7ad10afc3365de6f72a8a99349f7d7f297d060241e6624669908b3ec5c24d674c543c3e5be7f98a931c62be4897bf2c1b1549dd9deecc899abbe280e778765

Download Submit
C:\Users\Admin\Desktop\SubmitLock.docx.kd8eby0.957-AC5-69F

Filesize
18KB

MD5
f820c2c5d3cfec80c2be818dd967592a

SHA1
bb94040eed59c8e7f5ad0e75f9223401f6c4f5cf

SHA256
e1079fdf3800a804230ebe42035518517290a019abacb0540ac42c900d605e27

SHA512
1bbe6f975a5a4a81ee030b7cf96a57ac7fb5c2c245f7b077153419fc5bbaa68806c4163a6c88e7975df2402c80d6139c1f1250faf6821626e9b37d3a4ab3fecc

Download Submit
C:\Users\Admin\Desktop\TraceOut.dxf.kd8eby0.957-AC5-69F

Filesize
397KB

MD5
6930ceea60a55054e9d43a9c19c2be2d

SHA1
666ade2e28dee883830b990e3ce2972d41744fdc

SHA256
2d8edeb28d24ff98b7152050695eed07ee68e5918d1a5aa93d85d22e6d1c0ffe

SHA512
9816a9eb507883bdc7faa6048dce967b18bb7f4ffdadc645a474f965eab2ef7b03b4c2b8ab97ab9c2b64c397fde323ac3bdf9e7abdaf4ce5d649b1538a259dd2

Download Submit
C:\Users\Admin\Desktop\TracePush.3g2.kd8eby0.957-AC5-69F

Filesize
420KB

MD5
ce889a604f0c39b90305a245511c02b6

SHA1
f35ed0a808ba987dbbdb3578439514adbb290b51

SHA256
73dfaaa30cb51d065a1c51d8326102ec0e3f6528112d3cb564b53825ee6254a9

SHA512
e008efe27068886b757fbadc55c232206818efa5a74d134686a2f0deb0ded1b9abe1dae9da373aac960c82bb183d0328114b2df297de246de0171c7671bdab90

Download Submit
C:\Users\Admin\Desktop\UnlockOpen.wax.kd8eby0.957-AC5-69F

Filesize
280KB

MD5
3a21f51d1ff8745f4ef5d7b1da3992d8

SHA1
6a15c89d02c03830838b4c93f938c4d543b60711

SHA256
1a986e2f79edcba41f9009266c750f8cebba6046fe8b5f9ba134bfd5ef27cb7c

SHA512
9231ddcf6a11595867400c5d0c2c9e21b60e29093b60505af2e16ae6932f7ff58b4f7dc9ab56ca18cf8a027d298423e6df380c6f7494b0d02a98fdc148c4c0c6

Download Submit
C:\Users\Admin\Desktop\UnprotectPublish.xlsx.kd8eby0.957-AC5-69F

Filesize
11KB

MD5
5107286d45c31d381d3c9619c7d569b6

SHA1
cc542fabab65e82276afade49c706f46bb671e5f

SHA256
00511bdeaaa49d15542946512c2cc16ca63a57b99cfdb2c6ccbe01a5ccf73d52

SHA512
f138977c38a5a30ca6731d3dc0b107d5529a87b46afc4af34522f8766ad9fc9ed8408292a0369b1725b73cfa454918a32f6ea7b044516d45275e53ebc1e700e1

Download Submit
C:\Users\Admin\Desktop\UnprotectRepair.docx.kd8eby0.957-AC5-69F

Filesize
18KB

MD5
523b591674e96cf18db1b0c5ac14b034

SHA1
2d3c5ff4820d9cd4383763b54adc9652850e88bf

SHA256
ac4e2b336d329ddb177a2904a008c0dfcd2df3815d0256d289e27588153ae5d0

SHA512
37f8bc5ce30e7fcd7aeed3386bf71079df28e6cd5ad82043239a5c89cd200e1b4af352225a7d0241d5b8ba1594b47eab458c6c98d8e7f74688c9d0fa3f99adbc

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
fb5f051df27378d38d6116f43f8bfec9

SHA1
9c3a069b6f792e449490ff044ddfd4d3ab5c0445

SHA256
f7cf4279e0f516a0f2c6e7066ed2e556ddc12032833ff00592f83c74e5ae49dc

SHA512
599aaab9df5528ddad6ef82be2e2ce679d195c5de01df3ae5f040a3b059056b93c4cf71ea77511f634d81c7d41ed00c91199693941d6dafaef7555f2e4d60f8e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\.zeppelin

Filesize
513B

MD5
8bff8f7ec2dee0630915c750011b1bad

SHA1
3f37e6bc23aba846bffa9d510bfd03024af53c73

SHA256
aca5c1161a85a45d36eaf2bceeff54a0d668bc04957b91f49665fe2a52857ef3

SHA512
e9f1100ee8ebb3614351f8300615fa9400198848502e7d67e8dce918d95a0ce7a245db2a9951fcb7baaeff9c8d0fe36b38d368c263e5daf34ddf0947470d9abe

Download Submit
memory/452-38-0x00000000009D0000-0x0000000000B14000-memory.dmp

Filesize
1.3MB

Download
memory/452-39-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/452-0-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/452-1-0x00000000009D0000-0x0000000000B14000-memory.dmp

Filesize
1.3MB

Download
memory/452-2-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/452-37-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1916-94-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2240-24-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2444-27-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2444-1584-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2444-51-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2444-52-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2444-54-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2444-26724-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2444-26723-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2444-26-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2444-25-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3364-26692-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3364-15554-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3364-5911-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3364-6663-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3364-12740-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3364-23619-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3364-57-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads