buran | d6352812b8eb5834a74a1004bec9cdc16090556294d1c0312f1d82b7c1693e5f

Analysis

max time kernel
122s
max time network
114s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25/01/2025, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.zip
Size

114KB
MD5

12bbe5c66309bef6c023efcd6c66ec49
SHA1

e0892183009a05e9d9e4569ffff0f6fd5270939c
SHA256

d6352812b8eb5834a74a1004bec9cdc16090556294d1c0312f1d82b7c1693e5f
SHA512

98133ed42404d9f2d5816ffb54358e6d593bdf6a0cea2e478a44c1fdad84f17ac5784b56832369dca71bb4eef1d22c37c2102d408f3c00e45945aeebe0b6ff77
SSDEEP

3072:x4hw/Y9X+9jbwV4DjjBEHLxrqfc/HNaCEgEwzxChY8:xZkOlbS4DjjENqSNxEEzxCh/

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 366-712-9FA Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Buran family
buran

Detects Zeppelin payload 14 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002ab79-2.dat	family_zeppelin
behavioral1/memory/1764-46-0x00000000000C0000-0x0000000000200000-memory.dmp	family_zeppelin
behavioral1/memory/4624-47-0x0000000000AF0000-0x0000000000C30000-memory.dmp	family_zeppelin
behavioral1/memory/1504-50-0x00000000000C0000-0x0000000000200000-memory.dmp	family_zeppelin
behavioral1/memory/1764-1962-0x00000000000C0000-0x0000000000200000-memory.dmp	family_zeppelin
behavioral1/memory/3532-9722-0x00000000000C0000-0x0000000000200000-memory.dmp	family_zeppelin
behavioral1/memory/1200-10949-0x0000000000AF0000-0x0000000000C30000-memory.dmp	family_zeppelin
behavioral1/memory/4624-13245-0x0000000000AF0000-0x0000000000C30000-memory.dmp	family_zeppelin
behavioral1/memory/3532-17435-0x00000000000C0000-0x0000000000200000-memory.dmp	family_zeppelin
behavioral1/memory/2692-19372-0x0000000000AF0000-0x0000000000C30000-memory.dmp	family_zeppelin
behavioral1/memory/3532-21612-0x00000000000C0000-0x0000000000200000-memory.dmp	family_zeppelin
behavioral1/memory/2692-21611-0x0000000000AF0000-0x0000000000C30000-memory.dmp	family_zeppelin
behavioral1/memory/1764-21614-0x00000000000C0000-0x0000000000200000-memory.dmp	family_zeppelin
behavioral1/memory/4624-21615-0x0000000000AF0000-0x0000000000C30000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6075) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 6 IoCs

pid	Process
1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
4624	lsass.exe
3532	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
1504	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
2692	lsass.exe
1200	lsass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\Z:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\L:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\W:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\S:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\O:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\K:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\Y:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\R:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\M:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\J:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\I:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\A:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\X:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\U:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\T:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\Q:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\B:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\P:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\H:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\G:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\V:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened (read-only)	\??\N:	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	iplogger.org
13	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib-commonjs\portalContainsElement.js	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.366-712-9FA	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\ui-strings.js.366-712-9FA	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js.366-712-9FA	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TipsAppList.scale-125_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadWideTile.scale-200.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page2.jpg	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare50x50Logo.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\ComboBox\VirtualizedComboBox.js	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-40_altform-lightunplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-lightunplated_contrast-white.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-36_altform-unplated.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-96_altform-lightunplated.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-125.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-64_altform-lightunplated.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.366-712-9FA	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\WeatherWideTile.scale-100.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-140_8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare150x150Logo.scale-140.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCard.base.js	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\Breadcrumb\Breadcrumb.styles.js	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SmallLogo.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEX	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherAppList.targetsize-80_altform-unplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60_altform-lightunplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_altform-unplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_24.svg	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.366-712-9FA	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\core_icons.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js.366-712-9FA	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\ui-strings.js.366-712-9FA	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js.366-712-9FA	lsass.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-80.png	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2280	7zFM.exe
Token: 35	2280	7zFM.exe
Token: SeSecurityPrivilege	2280	7zFM.exe
Token: SeDebugPrivilege	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
Token: SeDebugPrivilege	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
Token: SeDebugPrivilege	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
Token: SeIncreaseQuotaPrivilege	2812	WMIC.exe
Token: SeSecurityPrivilege	2812	WMIC.exe
Token: SeTakeOwnershipPrivilege	2812	WMIC.exe
Token: SeLoadDriverPrivilege	2812	WMIC.exe
Token: SeSystemProfilePrivilege	2812	WMIC.exe
Token: SeSystemtimePrivilege	2812	WMIC.exe
Token: SeProfSingleProcessPrivilege	2812	WMIC.exe
Token: SeIncBasePriorityPrivilege	2812	WMIC.exe
Token: SeCreatePagefilePrivilege	2812	WMIC.exe
Token: SeBackupPrivilege	2812	WMIC.exe
Token: SeRestorePrivilege	2812	WMIC.exe
Token: SeShutdownPrivilege	2812	WMIC.exe
Token: SeDebugPrivilege	2812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2812	WMIC.exe
Token: SeRemoteShutdownPrivilege	2812	WMIC.exe
Token: SeUndockPrivilege	2812	WMIC.exe
Token: SeManageVolumePrivilege	2812	WMIC.exe
Token: 33	2812	WMIC.exe
Token: 34	2812	WMIC.exe
Token: 35	2812	WMIC.exe
Token: 36	2812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2812	WMIC.exe
Token: SeSecurityPrivilege	2812	WMIC.exe
Token: SeTakeOwnershipPrivilege	2812	WMIC.exe
Token: SeLoadDriverPrivilege	2812	WMIC.exe
Token: SeSystemProfilePrivilege	2812	WMIC.exe
Token: SeSystemtimePrivilege	2812	WMIC.exe
Token: SeProfSingleProcessPrivilege	2812	WMIC.exe
Token: SeIncBasePriorityPrivilege	2812	WMIC.exe
Token: SeCreatePagefilePrivilege	2812	WMIC.exe
Token: SeBackupPrivilege	2812	WMIC.exe
Token: SeRestorePrivilege	2812	WMIC.exe
Token: SeShutdownPrivilege	2812	WMIC.exe
Token: SeDebugPrivilege	2812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2812	WMIC.exe
Token: SeRemoteShutdownPrivilege	2812	WMIC.exe
Token: SeUndockPrivilege	2812	WMIC.exe
Token: SeManageVolumePrivilege	2812	WMIC.exe
Token: 33	2812	WMIC.exe
Token: 34	2812	WMIC.exe
Token: 35	2812	WMIC.exe
Token: 36	2812	WMIC.exe
Token: SeBackupPrivilege	4176	vssvc.exe
Token: SeRestorePrivilege	4176	vssvc.exe
Token: SeAuditPrivilege	4176	vssvc.exe
Token: SeDebugPrivilege	4624	lsass.exe
Token: SeIncreaseQuotaPrivilege	4736	WMIC.exe
Token: SeSecurityPrivilege	4736	WMIC.exe
Token: SeTakeOwnershipPrivilege	4736	WMIC.exe
Token: SeLoadDriverPrivilege	4736	WMIC.exe
Token: SeSystemProfilePrivilege	4736	WMIC.exe
Token: SeSystemtimePrivilege	4736	WMIC.exe
Token: SeProfSingleProcessPrivilege	4736	WMIC.exe
Token: SeIncBasePriorityPrivilege	4736	WMIC.exe
Token: SeCreatePagefilePrivilege	4736	WMIC.exe
Token: SeBackupPrivilege	4736	WMIC.exe
Token: SeRestorePrivilege	4736	WMIC.exe
Token: SeShutdownPrivilege	4736	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2280	7zFM.exe
2280	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 4624	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	82
PID 1764 wrote to memory of 4624	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	82
PID 1764 wrote to memory of 4624	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	82
PID 1764 wrote to memory of 3532	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	83
PID 1764 wrote to memory of 3532	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	83
PID 1764 wrote to memory of 3532	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	83
PID 1764 wrote to memory of 1504	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	84
PID 1764 wrote to memory of 1504	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	84
PID 1764 wrote to memory of 1504	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	84
PID 1764 wrote to memory of 2624	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	85
PID 1764 wrote to memory of 2624	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	85
PID 1764 wrote to memory of 2624	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	85
PID 1764 wrote to memory of 5100	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	87
PID 1764 wrote to memory of 5100	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	87
PID 1764 wrote to memory of 5100	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	87
PID 1764 wrote to memory of 2280	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	89
PID 1764 wrote to memory of 2280	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	89
PID 1764 wrote to memory of 2280	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	89
PID 1764 wrote to memory of 3296	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	91
PID 1764 wrote to memory of 3296	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	91
PID 1764 wrote to memory of 3296	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	91
PID 1764 wrote to memory of 2036	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	93
PID 1764 wrote to memory of 2036	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	93
PID 1764 wrote to memory of 2036	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	93
PID 1764 wrote to memory of 3956	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	95
PID 1764 wrote to memory of 3956	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	95
PID 1764 wrote to memory of 3956	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	95
PID 1764 wrote to memory of 3400	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	97
PID 1764 wrote to memory of 3400	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	97
PID 1764 wrote to memory of 3400	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	97
PID 3400 wrote to memory of 2812	3400	cmd.exe	99
PID 3400 wrote to memory of 2812	3400	cmd.exe	99
PID 3400 wrote to memory of 2812	3400	cmd.exe	99
PID 1764 wrote to memory of 1396	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	102
PID 1764 wrote to memory of 1396	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	102
PID 1764 wrote to memory of 1396	1764	516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe	102
PID 4624 wrote to memory of 2692	4624	lsass.exe	104
PID 4624 wrote to memory of 2692	4624	lsass.exe	104
PID 4624 wrote to memory of 2692	4624	lsass.exe	104
PID 4624 wrote to memory of 1200	4624	lsass.exe	105
PID 4624 wrote to memory of 1200	4624	lsass.exe	105
PID 4624 wrote to memory of 1200	4624	lsass.exe	105
PID 4624 wrote to memory of 2592	4624	lsass.exe	106
PID 4624 wrote to memory of 2592	4624	lsass.exe	106
PID 4624 wrote to memory of 2592	4624	lsass.exe	106
PID 4624 wrote to memory of 2396	4624	lsass.exe	108
PID 4624 wrote to memory of 2396	4624	lsass.exe	108
PID 4624 wrote to memory of 2396	4624	lsass.exe	108
PID 4624 wrote to memory of 1400	4624	lsass.exe	110
PID 4624 wrote to memory of 1400	4624	lsass.exe	110
PID 4624 wrote to memory of 1400	4624	lsass.exe	110
PID 4624 wrote to memory of 3964	4624	lsass.exe	112
PID 4624 wrote to memory of 3964	4624	lsass.exe	112
PID 4624 wrote to memory of 3964	4624	lsass.exe	112
PID 4624 wrote to memory of 3880	4624	lsass.exe	114
PID 4624 wrote to memory of 3880	4624	lsass.exe	114
PID 4624 wrote to memory of 3880	4624	lsass.exe	114
PID 4624 wrote to memory of 4876	4624	lsass.exe	116
PID 4624 wrote to memory of 4876	4624	lsass.exe	116
PID 4624 wrote to memory of 4876	4624	lsass.exe	116
PID 4624 wrote to memory of 5100	4624	lsass.exe	118
PID 4624 wrote to memory of 5100	4624	lsass.exe	118
PID 4624 wrote to memory of 5100	4624	lsass.exe	118
PID 5100 wrote to memory of 4736	5100	cmd.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2280

C:\Users\Admin\Desktop\516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
"C:\Users\Admin\Desktop\516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2692
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4204
- C:\Users\Admin\Desktop\516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
  "C:\Users\Admin\Desktop\516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe" -agent 0
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3532
- C:\Users\Admin\Desktop\516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe
  "C:\Users\Admin\Desktop\516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe" -agent 1
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1692

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
dc661627305203207ceac9c590dbf98c

SHA1
e1d409724fcbf1f38279656c3cbf2543f4452827

SHA256
b534dc7fdc1d45e1bc95a6750ebaca2cfd9c00e9f5d3af1981b0a82327906b0b

SHA512
85aa3d80d6c0a631143c727702daad3cf2678dc4a82083109cdd4028ad6e43cd1cf937239e4d750dd090d026765ad7c1f01e5d996166f36d250d86aa790e7c6b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js.366-712-9FA

Filesize
5KB

MD5
1d7f9619450b143cd75a28b207b86513

SHA1
ffd3807cfcf3b5e6b6ead497a39933e08edd7e22

SHA256
9e48b47fce99d35ee641c1598ba571971c34ca756127c28ebf0474f080697c97

SHA512
3cbe758f84855e9c76e45c585e8cae7e08e022b054a857cf9221bb35962909da18121c218e4b516c50a7502ef596c92c8353082957a14f0ad734d2d98f328544

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif

Filesize
9KB

MD5
379da3de3834c0737d29f6a778f16be1

SHA1
5191c6a8d2ba6793a8d8b42c10448c3ec104b2e5

SHA256
82abb65bc95ae77616320aa4cef4aeeb020fb70b3ea9855f8408fe2737deaaf4

SHA512
ab58beb91043742b464045a93c0189d9128455e579ab0541588620d7dea4e85af97e0e80ecc76c2948d0fd1d2e03625a9955c84a2a2c4b9926b7f3263ff5de8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png

Filesize
9KB

MD5
e267d65738302c227b77266ee73276d6

SHA1
4280de8281756761048635f1103d54c9e3d085d4

SHA256
aed40f3734e277c2ba6bce967ea071e470f734573e6c48cd241d2c8ca0e4c97e

SHA512
49675f003e1f9a56c57e466a0c69e3fc4e9b452c9f2cf683ed05a68ad91608339ca38fe56f3f21cb75553a20592c5fc4b4acf86a9cae756085de03a1f72b1e4e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
372ee63d1bf11ab6aa9424b36b3f719d

SHA1
f0a607b43748e181b0c63d0ac922c9b54df8b2c6

SHA256
d92e543b8ff947cde65f4e7ce899eab97d4365572dc04a5a6fa379687cf80ef5

SHA512
a5bacc0877fd894ad60c1c5e32bfda2d2c431a2b3ba525ef52981969b4081a3bcef2ea29d2da3b2244435bcffaa115b1a7c98aa5a9409de3e77806e2b8fb7b0a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js.366-712-9FA

Filesize
387KB

MD5
9f76169a637b6db2831ede30aabd71dd

SHA1
9b5affaae992425df511c02a89e31c0d2e17da64

SHA256
8becf2ce6f2dd92a76301aa40e2ceac9bb96b41e5047a4eaa960c96ec00efa32

SHA512
9fcfc23104107899852ed1b162cd48fdc3985d8555a945c92f4e4b4588eb0c89edc4b4af83eb4fa9e87926521f1e32a8574acffcb6067d65236762eb0326cd54

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons.png

Filesize
10KB

MD5
2db6360e8ebde219a512553d433572a7

SHA1
0f282e57a780f8707e35854c4c30f272f38f61aa

SHA256
65fe65708685ee881a1d87d8f63f76a521ea2ea58901921ccc8eb040a54b4416

SHA512
f78677cff2077a153739ee4f62e33b7f241e2b7e7a41af7e2ba59937f763317c2502577709364275b16d1ade5edd0be42118963599c2eb60c1ecf8e91e1d4014

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\sample-thumb.png.366-712-9FA

Filesize
8KB

MD5
e05f99b7f34eac2f0eb5c7a6a671b137

SHA1
53ef64724acdec4ee9216f7ef8bdf639da40a025

SHA256
424dbf940dab9925e4f461f23b9d8d2bb593eb037121a7eace33e15a3bd4d7bc

SHA512
39c971da73d5657c897bd16b03b256abb0bec61f6f070ccd6d41a7be1d26860aeabd7b6aa53e432b4af8312ba4a708979808ce1fd4f690b612dcccf0af561e04

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png.366-712-9FA

Filesize
9KB

MD5
9a6cc4e10e8974e7eac6d15f1d065596

SHA1
cf95ba6b83340e412f2df11abc4c065663c8c51b

SHA256
8ec409f5d9cf73aefffe36506d7878b87ada97846cebb35fe8e9814baad7e4c6

SHA512
8bf2e52ef7c0a20922a18aa408c9c4dcb09ee3c7e8f47847d1f46c8ece1b02299fa9b3d4483c8450710266521c6abc765697edf91e5e5749a51cc39017a82fb8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
37e7c2b026fb0af26e389995c0c5d10e

SHA1
5dd0b0db32624061ce6690b7e950e9a1165f7ad6

SHA256
8c5a79af69e761ae8cc604693e2d0c97e952f500ec728ad00501f583ff658581

SHA512
729471dced7158761c026b25dbbf9a03678b19b6e1f4e4a556887cd66da9b723384d796fd6e710da30bcebc00ba536b34abd9c3a52a652daf7cd4f9b22163fc0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
1bb7dac8d142072eaec1dc77033ec557

SHA1
1d148720c9fa139d7bfffb6c7a4e1a95a92be5c2

SHA256
de1e61a1450d1f9aac55d105c91bfc7eb4c1adae0672a822cd54645952ee6064

SHA512
4951f694abc3f05c311702b54fa87fb65d8bcaedc823184e3f6d402bb2b5fc5480d2cf7c54da5d4f0731b9b28008df47a3adb9ebdd22e69931d80cc556158827

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
b02a641b9944930d27f832cefd6fb3da

SHA1
e955084ae9cd97f791dde40bd2b30629dfcb9c9a

SHA256
97c35e2ac23db7f1114a27ef8c61050d097696c47b23327cf8cda030983f6c18

SHA512
d6f349d28a8533bea93195673f0fdfeb9fe218ebaf0255285f8361a9ca9739a6368f8dc8d08720f44351f6c5b0c8f95f3a6ef1e488050a906a26cf16542f4b84

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg.366-712-9FA

Filesize
15KB

MD5
923e8bd56e193fbd2918a0c430dd0fb3

SHA1
f6fbd0b1c01e695e7623e145e52d95fdfc94e159

SHA256
af8a6d03ec087dfe995a2d5662e97e7880119719e54e9f54039cfa7582f579cb

SHA512
eda55a02a3927e6bf984fdc59a6b2095daa151f232e48034a1bc6e00054bd49266dee9db91e09f83b8cf5ed236f2f58c1569ca5f41cf2a232cc9b9ceb25cbc9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
42abbf2997def081965da79aace202d7

SHA1
1986ad5f44437b74139936e53999b9747d046128

SHA256
70252e48a225d8c737abb6cc8914a3d8f175e25ddafe650e95c6dda0310335b3

SHA512
45da8b30e209df99737ec7f993667acb69d662782e04b97fbc2c2a10aa04c617af0056297a65bef9eda2e4e2ce830ee5401701b6f6509d685fec666ecc047c72

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif.366-712-9FA

Filesize
813KB

MD5
f12736afb0dde4382044232d0f67823f

SHA1
d90441cc848162cf99f1d1784f6f0599ed2cba74

SHA256
88949b0f730067d97b894bffb4f6931773750901974850aab82c48bc998170c8

SHA512
1fcc41352590f6a71b4d77c093a99ac255ba301f91cd86d656f6a637a7e76504480fb1cadebdbc6043f6b242bd2348196cf258c1edd1beae2319ffe781cf0465

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png.366-712-9FA

Filesize
7KB

MD5
a57be320f02f6427d29e4e08e15d87c7

SHA1
9ee1714f6344b08bd8dcf1866c12cefad0789f40

SHA256
3364ec8f19747d63562a23011089f43844f50a5f89a30302e2992fdcb87c1957

SHA512
3379a2eb01d50c7603d50150cf8d341f93267c0ca030129d5ec3711bbc563f808a4330bab72884c36ae5bc18cbb6005e678ba12a302bf930a2208dbe35fb012e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
66df8686bfcc2eb034e5407077dbb916

SHA1
7680cdbf25162db0ba05ab24cb921a2e67fc4685

SHA256
c1d59ce39cb944c6b6ba58df96db39eb027ded3c4ac922bce289f6d211331661

SHA512
48ce6d9778d74dbbf011b2b50b88fe4a085e31c538842769a3927e7f5796f23c752030ebdb935233ee0abf4d92b289af7bd8364463bd2e74577f7f7acb705c10

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
40aa584d52f2eedd1c73b083be2b98a8

SHA1
c95cc78029c85012c8a24f529e1bd0444d0d0d1b

SHA256
22117d9b0c27772edb8caa44c4fa4346daa18a86caf009bc47a2ff54c8ab16f0

SHA512
afd4d148c7b1bd210dd80823b4585ae3f95ed3c2a89c6a72da4bf50f3fa8f126238cb712e3a3bb8acb982a18b56a61f675da89a2301272b272f0c714d905cd66

Download Submit
C:\Program Files\7-Zip\7-zip.chm.366-712-9FA

Filesize
114KB

MD5
1be32941ae9c60e9fad5fffbd78618df

SHA1
ad4a1270d3c6dbff67b5b059558c9970898b1779

SHA256
a15117f2178839b2b6cc5747aef83fd209d36f80ca7a0dfeba7b347428033e5a

SHA512
089213d7ddb2e620c0a47e2e854783fb88804bec4789e5ed66d46be511fcb9a55a98ff771539624ab152f7bf8e36db177c38d19ff61b6875a2d4e429b8a508d2

Download Submit
C:\Program Files\7-Zip\7z.exe.366-712-9FA

Filesize
545KB

MD5
24f4d29160de3cca5bd4c8c0921d55a1

SHA1
104673487b4946d8e2f174f74d5e64e29b1d6f2c

SHA256
aa1297e2cf0660d3eeae8cb552edd1e8eba5313db918479a4c8d82ead26560cd

SHA512
03600e0d125ac76bbf525e27b68f00f4719ce3202f38da6a569df8e40b00a0a23aadfac1a36d5a5a63941cc584b976bb06257b500ee88e06759ff93fe5591de9

Download Submit
C:\Program Files\7-Zip\7z.sfx.366-712-9FA

Filesize
211KB

MD5
7249c907a1062e47c137d1dacc83c207

SHA1
17ca590cf2b3003b18843e177a87eb1862ebc849

SHA256
144eaffd51e631879e370b41d71ff340f03b6e99933f849be2e13c3e22d3463e

SHA512
d29350289fa80081ed51ddb8cab492a246e4bb2ef0fd65e2f5dc34ceb7c3b9a17e1a366dcfeddfacbf7b345014102ca862eebfd11f517cf618d5dfe34422be69

Download Submit
C:\Program Files\7-Zip\7zCon.sfx.366-712-9FA

Filesize
190KB

MD5
768ecc205c7a80ac91a63d9b3088671b

SHA1
b95e5109e7c8c992f2c5ee86c3e4c43015f06aa3

SHA256
54099402bc9b25f07e15590a82cd5ee63e13678496a326abcb5122b7b7e614ef

SHA512
7f60c59593faecd5b6360afc6b6fbe9101e8ac297f3cee1cb393a14a06cd4c0076f483667762180651c84e5d2629ecd6bfdbbcb4878110bf1d07e443d72c0a10

Download Submit
C:\Program Files\7-Zip\7zFM.exe.366-712-9FA

Filesize
932KB

MD5
ad9fa4e9839ea0691405f302ca12f9a6

SHA1
a27c7b4a3798441ab5ccac8d2df4bf4a51b5410f

SHA256
008bd9a9d08ed40d72e2b65d6e8f919bd0706e3172e0efbd08a22247762d1bd2

SHA512
88d59e4fea79073dd5cea4d766b7763d6064cab78edde93e8ae4e5a1b7e471565cedecafe4d091150cbac731ffe4787dffca5ff03b4eaa1fd029d31274fb6192

Download Submit
C:\Program Files\7-Zip\7zG.exe.366-712-9FA

Filesize
685KB

MD5
33b55094aedccf0b0256c13f88ef5293

SHA1
b1ba2f9265db7fd5950f2895a64057e96385af2c

SHA256
e338db7f3e9c49cd14d99291623a321b63bf658ebd73e25300100acefda6d913

SHA512
4785eaffbd47dfafad8995bbd166197211041ab626233ef18763663d7113b24bab9d334cb2ca31c526f889f90743d713c50b2489e00f36e459a879f0832a862a

Download Submit
C:\Program Files\7-Zip\History.txt.366-712-9FA

Filesize
58KB

MD5
d18a695d79924f7d4f11f110f63c1130

SHA1
7b029da34900003fbaddaf983a187e0999aff5c7

SHA256
15d71377c844d8f61df826509af2bd51fc7731b578b204b7c7953279bf48ae61

SHA512
9d6d0b0873008da883480bbf2cec709b78c97d75111c16fdd63abdeb848cc2fb76667bd8048c3376444d1ec432fcf1b52c3cd5355264d9d5d581744afc5ed0ff

Download Submit
C:\Program Files\7-Zip\Lang\af.txt.366-712-9FA

Filesize
6KB

MD5
bdbefad46d7e97f7df7b7aad7c3f0917

SHA1
7ac9cbd7629df51ff691eefa0322a5a849b8de4c

SHA256
fb9d93687f492b1e6b8d4b9604381ee24e72d12713b7f6cd270b48e7aa69c99f

SHA512
35caaf8d5eb1373fab969f9d03c9cfc0fea092806801a722034f7f60965ba5e2fbe5f2a7d548c85c1ec50268594b6a53fe670176d3f6268aa5f0da4fe1b98067

Download Submit
C:\Program Files\7-Zip\Lang\an.txt.366-712-9FA

Filesize
9KB

MD5
99a7835ee027c65e0eb4bcc3ecccc021

SHA1
68f2960cad0f0331fdb3f74d00d2945209a85051

SHA256
1d8d5465308969396f836f5c1916bd32e0400e01f7e659bebb8ed43a3599c135

SHA512
d79c9e525cb6581d01145c50f26ea4d860f2957a70a891718579553e506afd425d558947c9951bfe371ef3017702b063d861e1b781f1db5ab574bda9c64190f2

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt.366-712-9FA

Filesize
14KB

MD5
0cb175aaf585db1783b99ffd7c4ca6a2

SHA1
5814055820a4885e027fa70c4fef01b7fba2f4d2

SHA256
04044a1e1ddd8368a825a0d45a3ad4271d3063f2fbdbf209ae96eb084f90749a

SHA512
00d957aa61188657ec21c1e4a4ae04b4fe54f93daacbe5430fb3f9a16c7b138a185409b46c279be329cdaddfd7dd42d85546e1f48c3c57932940cef9e92acc70

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt.366-712-9FA

Filesize
6KB

MD5
6c1eb0346763f0672678800764402034

SHA1
bdb592a84d291c40c04448f1ae08470282aceec1

SHA256
4ca9e8e3604bf4ae3f77128d64c37a1dc78e3728d12e9f14b0b84373a931ef66

SHA512
200bfed99e44312b96e38c785e0d551085aee4714de03c24d805ea6d87630ca018b4743fe00eaf7d8aa48e5c53b04d39ad19c0c8530fc839b441a3538bc5aa19

Download Submit
C:\Program Files\7-Zip\Lang\az.txt.366-712-9FA

Filesize
10KB

MD5
e2de4ca1fd2db6836e33acebdf226dc6

SHA1
6ab0615760870f663238ce19cb7d70a1610f9cb5

SHA256
e1e5aa739c54b3575b8eed5ddaf1e5e1ca7505badc3d2d8c97142a4865bcc5e8

SHA512
75e50c431f98476df41035937e73623820aaa0af8d4e9cda17de3df5a541ad4b3d0cd627e3ae5581131695c26e5114cc2b1807bccf0ee7d5a373a278a0c6d021

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt.366-712-9FA

Filesize
12KB

MD5
28d84ee6bcf70815b32ca677a7a038fd

SHA1
b9264c24c84d92c311ebff7b5200d56fc66ad9eb

SHA256
f4fc14f342b794bc8375728f78c27b67b58cefafd109599a7ca699e6bc70287d

SHA512
a735c37bf96187138e1573da22b0c949065c3aee2c4c2700aa43ee20f02123bd78e0061eb554ae8facc57fd81d1889c924fdd8fdebda0ebf8492235d75cbd517

Download Submit
C:\Program Files\7-Zip\Lang\be.txt.366-712-9FA

Filesize
13KB

MD5
75bb1410b10610afaa0c0ea547c717f6

SHA1
5e8f954565e8a019dafcc854ddb70088d730bbac

SHA256
8c38955426b090af37a48d3fc22408f30290229fce17982066a3750272c38005

SHA512
54c252c529bbdd312b81e4b8605a9257031a2ae54e3facdb52a4b8b491a20177ee9e88e2a57d610f5a10b01b47bebef196e24d80311bad340c79e4b318636df1

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt.366-712-9FA

Filesize
14KB

MD5
77557b72dcefd35ddd7fb941835c28a2

SHA1
90ca891cd328a8268e37fa7abb164c4316065476

SHA256
06a51fd7df741ba0143f5bbb18f07a26ae732966d0304d335d4e59d3f11fd715

SHA512
4e759d8ba8c39149f4a3b4eb805e615c8fd5145930f5a91cdf82c1c70e012ffdc23d546a7f136de5c21c83a11805d132f39699901ae7dcca6b2810feba5c0c43

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt.366-712-9FA

Filesize
16KB

MD5
93e3abd2f3b1a8b7952d8eb2db0a9efb

SHA1
7c5f7268b6473b841f518056ce367c6ab102a7b4

SHA256
a735ca29741bdc10c3dc41bc2620409795da175c2c2c55bdeb2ae0616ffcc06e

SHA512
0acaa841e300ec4901a9a867d629c33660ce3f831758e1f69a56b3b223e2ea14eda8801408b1bfc1778c1263dbddeafa67f06f17782dd57f068a1c487da18bb6

Download Submit
C:\Program Files\7-Zip\Lang\br.txt.366-712-9FA

Filesize
6KB

MD5
0ea2f6de9ef4396f35b36ca3be4a55f8

SHA1
4c2dcc8a2b2db208e69fa686082f704230149721

SHA256
cfcfb60a3187f94257ca85ffc502700863189d2c4186d6882e8e93afe0734d07

SHA512
28ce161ed6f5c37f423b29cfc3ee82f99bc6c353ec34dd19f8421495e10776b4cb3080e76cd5eab40742c23c266f392673e55902d7c6634043c0b743596b1b82

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt.366-712-9FA

Filesize
10KB

MD5
2a3439c2d0662e75e3ebd4a712f085a7

SHA1
8646812ca6eec363bd956ac36eb582e2855ccb8b

SHA256
9d7ad2673df0f9b0760a7da47877459c9a6006b71abb9ff61ae23ebb56c10421

SHA512
395b462a3cfb659a37c99eafcda5bd69ed84ab2530888a28cad3225d0d91b0bfa3d49efae98ae03ef6e936d27e4dc595687d96c7da4b786da836eb32a39481ec

Download Submit
C:\Program Files\7-Zip\Lang\co.txt.366-712-9FA

Filesize
12KB

MD5
9343cb914811a2e766a3ce169b87ed77

SHA1
dbf39f33dfb3ce6842d96baec6af881555ce2cbe

SHA256
520440b480722be748339155ada3d7adbf783f372e4f7cee94b39b1eab74f7cc

SHA512
05761ac83ece7a4c8a82a6d4301b280d1faf6e2755229db1aa60559cecffae735430ac54f05726d29bbf2dd203099bcd1d2f493fafb018ba6ce8e5339e22ae53

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt.366-712-9FA

Filesize
10KB

MD5
74852239b7cf8063c0bc0b79f67c5cf5

SHA1
726997932e930dd3a3b745e33ae7ced692280acc

SHA256
7791c62bed1e04fb31982650256f37734ef63d17d84540cd333f853cb7e8713f

SHA512
72cdb41b106f21917706190ee9cd7db298e99bb74e54b4b472b10a0566aed68cc1e253ccf7d561bdbda7c1c45f467c5ee6c246004b7718a9727faa6ed86fdd92

Download Submit
C:\Program Files\7-Zip\Lang\cy.txt.366-712-9FA

Filesize
6KB

MD5
dab0b5b412ad2d2952d300404abbb821

SHA1
258234c51732235a3a31b70c273b66fc16d6380c

SHA256
85da8aaba23481b5e7d7040d0ecce25225dd8e258956e113a4469b5d94d2865e

SHA512
125ba6fc425660253656f2888e8221633531e65bc86a670a6ab2b4aa64722faa82f6c095ff433a709b6727c45d15a293b3148b7264019e2bd0e1a57e0a5ced92

Download Submit
C:\Program Files\7-Zip\Lang\da.txt.366-712-9FA

Filesize
9KB

MD5
72d4a112bb8ede8cdf0e93cdb7071adc

SHA1
4ebcbdebf8f36e0e7d81e3716cbe28fbfdf88d55

SHA256
498c5d0499a489112b1c043bbb15357ad1c42b4bfb215a78b0039dd97377c6df

SHA512
62020196c1587f83589fd688e7aabc59b6e4dc285fe4abbf0cbe9e07b8d9f2e3ca20f71531343719d165acf0b3abd2080b019fb3cababaffe955b562194c53d5

Download Submit
C:\Program Files\7-Zip\Lang\de.txt.366-712-9FA

Filesize
10KB

MD5
40aadf647ea821b32a8a237c1bf3b292

SHA1
c20d39eff45ff35e4a6471f8c4910ad0f65af858

SHA256
17dce0824396fd4f674ebbcb3a8267f168ce2e25228f88f2f1de97620e1ddc2a

SHA512
020bd60bb8f196335f115f3805822394df9a7691c8eac99823cfda1496efeac9447a6bf15f5129d92f3aada23b7fc7c8e17854d6bd865c13fe9f1458f9dbf37d

Download Submit
C:\Program Files\7-Zip\Lang\el.txt.366-712-9FA

Filesize
18KB

MD5
752ef1dff828cc4998c888a13113bf90

SHA1
366d72a7eae8ebefbb4118a95ce1eb019f4d435f

SHA256
51b7077f0f935ba9f4d4b5632c7958dac12b7d679324891bacf18b2941263bdc

SHA512
290fb157215a0461aa4fe6d31a5e7c0ffc7dd1c475d8f8b5e98c1dcdd0bd8fe3d508ef77a92b687e13f83e990b7ea19b4e12252d7a574d8c91ad82898aff3445

Download Submit
C:\Program Files\7-Zip\Lang\en.ttt.366-712-9FA

Filesize
9KB

MD5
3973b3a52eb8c1115f8daa137fbbc203

SHA1
a021546268739c06fec2d60ec2fd5bc6a9686000

SHA256
3f0625b791b8250a34be9192d3e250fe1e08221a0aa4259c0d03678ee78cd94f

SHA512
20cba2dde3fc53ee790910eefb9bc91838cf0c9a701cbc6e45b9f7d419d9e3b006cbfcf2d99de7a0cd4c9f5631484bdb196c4a758e9fe19eea997db897238722

Download Submit
C:\Program Files\7-Zip\License.txt.366-712-9FA

Filesize
5KB

MD5
8a305bd14aaa6f8556cc3d301bbec7f6

SHA1
036c95665a59c0c18415be0e0518a783092efbe4

SHA256
b565643e3530f2556cf6a819a827719a0ecd038b22ffa9bf4431b91ebd705e70

SHA512
3a5de366f0bde3a5212de667f0876aad596de780062105a11456018f94d8dcb7f41841be4bfa74f24cbddbec7e533e449b1ce303065b7d982135bba39961aaf4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe.366-712-9FA

Filesize
16KB

MD5
817f2e39d029be5dffcc31bfcf95cbfb

SHA1
87706261af1e04e8ca2cdf39bfddaaa5fb354699

SHA256
f2a4ff9ef57072e87460ea6e79efe8e341aaf84a8a1c299c6de884cd47d24b38

SHA512
cddb4d22413e752e4ec54374dd61530e40515cdb6d96320b1adf6d9739fb0389d222679453cb1520dd850ab34b7b0cae6ba16fbbb2474ce1bd45da8e63005b85

Download Submit
C:\Program Files\7-Zip\descript.ion.366-712-9FA

Filesize
1KB

MD5
f576da1e1d7ec3876b02c2bfa6ba520b

SHA1
112d907eb3dcfa0526b1566f738e8db11e2fe1c0

SHA256
2874f05c349fca5a562bc1a778399814870d77919b0f3c9680b1da4746cac85c

SHA512
c4fc0b4e9756997e714c02802aa32e9cb840954fac5642e69e9ace114d1430f5e83ad83122ac07da254d46d0332e459f3b81e9ef07dc7d80f8ed98eff76e1ae4

Download Submit
C:\Program Files\7-Zip\readme.txt.366-712-9FA

Filesize
3KB

MD5
cca683a5ff22e196718118776266ef9c

SHA1
392fd7e1485dea8aa9cd396bdf9c1b1b2ed0d05d

SHA256
390f1a393f7520d103d1c9c0de7dd9d681b2d97ef34971ee16d37e9f3d7641ea

SHA512
8a5b4c9c58fb23afde0100a2790c321c479e7f5537f34a5eb4c98cf3a4c5c378f8aec296c91b1025e17328d9da20f9710026e248aa16c33162f5a6e0f1dbd81c

Download Submit
C:\Program Files\BlockUpdate.html.366-712-9FA

Filesize
1.6MB

MD5
b066dccd07b7f74030fdc0bf9005ffd0

SHA1
1b83ad5d91c4c2a781a6faabdb29f2daa0a33e15

SHA256
2ee18f7283d1e824925d0fa850c52eed71a8bda474e1346a22a7f84925818296

SHA512
b763920db7677078fc31d5fa60081cdd21d9a78af7395a2457e80370726b54af9191055d6dfc1821f78ed3deb27ac170b6700b023944f6dc766966b71a9581b6

Download Submit
C:\Program Files\CompressPop.ico.366-712-9FA

Filesize
861KB

MD5
00a45f01bee01772abba189d66791840

SHA1
ac7a295758152d75c1adfaeb3dd40e5a6cc2655c

SHA256
3e3425c0e7508ae5abd918fdc75443e398c138c2cb2143c965ac496e93a81ed8

SHA512
75b6f1052d7d1271299dd34f3b39e3781d44d51efc346f1824ce597f5d031c1160e6a42abc6a1d97a1f5d5d1dbae375d80c9ab713fd6df85a0c3a3e3dcd25d44

Download Submit
C:\Program Files\ConnectClose.ico.366-712-9FA

Filesize
1.5MB

MD5
289e252ebdfb01ded50f05e1a0c54f2c

SHA1
8a82111316fc7d866892bdb778bfb20e08bfc91c

SHA256
c3596fcbcd120fee6218ff23051a2777b597a0ab7c2af7f9b22e68d512cc8543

SHA512
6727231949e273c90f2596e729343ef52137c89d904f34c76ca4ca2a468cc9e05406fab13d8ae8d90d7f9ab2e26e7ac1422d67e29f97af8c4c8baa71e4f0b224

Download Submit
C:\Program Files\ConvertToDisable.wm.366-712-9FA

Filesize
779KB

MD5
073e2941141ba343e6bd57e8c6b64e07

SHA1
530aa7dc2fa0665cc59e482f2b25cb17dbbc6649

SHA256
e57b94c9fe85cf1389d6ba76eaa71165a066c00c66cafc114a34c2954e5b12e9

SHA512
3eb2c9c9b9379322bc88117583c56ea99dfc65de8e16506f32ed66f3c89385eacdc2ceb943c9cb603ab23815df08dfb13bfa7a8eddfc01924ddb0fa39786c24b

Download Submit
C:\Program Files\InitializeSplit.edrwx.366-712-9FA

Filesize
1.1MB

MD5
8d044f730396a506ced229bb55625ffe

SHA1
06784f9f27b1312900c1d507b3e5ee75527e15c3

SHA256
dc2a477afd59445b0339b1ab9b93abb6bcc63a7f27f4fb0874f10479134e4122

SHA512
3767eeae69ad0c8877263120a1361a991c0cfdf01071cf1fba6e6c59003c3af64bde837aa834c2a0cf20e34bb99974fd012ea68a92fe69ed5583a5aeb395d061

Download Submit
C:\Program Files\JoinConvert.mp2v.366-712-9FA

Filesize
1.2MB

MD5
45fc45342cbc63b2f3d0c00e54050a72

SHA1
88b1c81265f10f83efc52c17cb79d1110c642d3f

SHA256
946cfe68a68f9406d0a7f6cdf61fdc78442ae5de9b4482507bc33fdd47ae83c5

SHA512
74914943dc6a7d92b03695d91540643fc973f12dc1a0459995f0d8d668fa5b84f00d3aec5cc38f0458fd91db6ab122c622cc461a9b5f4e190e4646316e9ebb30

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
66ac61d83a00dee2b639a150b133394d

SHA1
50f62026faa8ac97f8e54ba411e1743d6e180275

SHA256
2527562ff872fb6a414605ae1a5485ec2509e2cfea2b729fe3c0a4f62b082aed

SHA512
8c646895263bd50ae78e33ef20e5265ff90e31acf502ee56b08c1d18d442063faffaec35e441d25700a71cd1d3a0320fdab76dc8cf8dff8b31334a31687dbfa7

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

Filesize
265KB

MD5
165912dbde65f0698015bb9a4aeea99a

SHA1
b68eef3aa72484d32784e77448038ed190530ef9

SHA256
cfabf2c346c1ad38298307ea663be918b6f42609d1f56b70b16fccb9e43e9fc0

SHA512
d5d433fba770a5137c4a4fe10f3545016d31d0f4f31210827f1228d070bdb14aef71058245a1bfe7719dac23be2fc88b738c826bf36dfec8f38ab23a7088b680

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
4a5559030f7a9f70918ee2e0d7b630c0

SHA1
7f9b0c7b88c69f8f8733968c0201d304c597defc

SHA256
eb218f5f24f7dfb6020bbdc831614e0a07e9be264424a9e7b0e39e8f2fad4d26

SHA512
d825b2ff02fd160ee57c0724a3527db17a3e57f5f8f752aa68c5c4e1ce9833ce09a10a137a6ca6af8c0b002c89235a23efaa9b55b7bf838880563fa91db054d2

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
ce8876475c31839fcc0657edd39049c4

SHA1
9c070c93b69821571ae6d37f351f283d2fa9cc7e

SHA256
6179c98ab3223efef34f10253506d1c2655e0acd390a94a59b26fd69a9e3a06e

SHA512
db7dd7e366191f09a7ac1610ed9df13af5061c27c65a3b582ecef6772bb2e375079de1cee9508eb42a8ddf51bcfb90c58518e8a827bcded08bcd66728d6b13d4

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe.366-712-9FA

Filesize
1015KB

MD5
0eca8272d9ae41e672bf8bfebacf1e99

SHA1
00ac9b68c435436e83b306abbc3c657035f1339b

SHA256
d79501b7841787a03441507af6f7eeba2956d7287ee4b2310ea88aa457453b86

SHA512
9b9571ac739702280d72b9db2ba881044e599b7a64cda502d4710da70c9ea9079293497565a469aec59e8561f6621f01de026a26098cad7784d7f7b00059309d

Download Submit
C:\Program Files\OpenMeasure.vb.366-712-9FA

Filesize
1.2MB

MD5
b8624d75689f509f5fc2a077acd3c06c

SHA1
edeaaa536e895faea4a9f6ae9f46960340ed1189

SHA256
805d5d67662d383abd946e27f9a6bb4c5a378f3e8138e94222027396a09a151c

SHA512
e0de0f9852f00463baeb7c79438e93f96424b19fa4af7ee34fa3d147dc479c3017ba5d8730d60dad3e082fd2f583da90d7ae6de8aa5c7e6b601285fc6cf00f75

Download Submit
C:\Program Files\PingUpdate.3gpp.366-712-9FA

Filesize
697KB

MD5
5da44094801fb81fc1dcc7cdcf0ad037

SHA1
baaab4c754e1d0ec46ec3861c918210b9cda34e7

SHA256
893ecac0f0e342cf6b9217995386243ac31506c3eaf239e4ccf1e3c9fc705b09

SHA512
494357f3cb3bb3fd0ce60531c701152e47a830dacf6b59d03c27e159be54c3ec430b3528a61795d92a6061fdca7dcafab348aa19e7f5602a28a81e98e43e6d2c

Download Submit
C:\Program Files\PublishProtect.docx.366-712-9FA

Filesize
616KB

MD5
aecaaf00f684df909f589d4843342a51

SHA1
833381977bcd850542abb04f60c6467f289969c2

SHA256
e34637390ba86716858c4b041bd4f5aa32b37b8680ec49f10e1afe4474f61fa4

SHA512
6f468e2aa093febc707b4bfd6966b8cf959b08e07ac2246a6c58fc7421ffcd9f4693e0a409ffc83c62220842a878d4156b0de21669cc2498d4eb2f9494fb9398

Download Submit
C:\Program Files\ReceiveDeny.search-ms.366-712-9FA

Filesize
1.3MB

MD5
5af880657802d93366337a2ff111ed8d

SHA1
49fb367825ecae6c08c4ca0c7991bca57b4709ee

SHA256
c30c05bfa5465e71de1302622499f0564d99869fa8b8c8be606d74ebe74444f6

SHA512
16e611881926350c438a0e050ab2f6963ccc2b824b54d29606b6355ae8e96fa497e5587a484f2005c886c565679035e6e498989fbe0079fd0e6773902eb2f644

Download Submit
C:\Program Files\RestoreNew.xml.366-712-9FA

Filesize
1.4MB

MD5
9548709393bb7cbf11411a656e00108c

SHA1
a224a9c86a1bfee662981a70b062cf16839c73a7

SHA256
abfb5d4f0664c225cd8d2d8701d2640f9fb85419a80167cc9e8203e7beb0809b

SHA512
18dd393420a97500477f3634f5a9f02cb832e0b94c90f2d3405d8c3a1692ce4128ad98fc6ec9086b633354f2c4f61d1abed63677ae9ef05f9343194c7db0a272

Download Submit
C:\Program Files\SyncApprove.vsw.366-712-9FA

Filesize
1.0MB

MD5
254e815e2102cad85352887916e618b6

SHA1
e219e42915253400bfb3bac61aa785a32b74df27

SHA256
f0601de72ad89ff81e90487b3dc17e1815683cffec7e0e1afaf39ed63f6e3858

SHA512
e435410239f2f7278a017fa7900b416cb5e1b9afcfce210f1b36c7bda86fd82fdba79dcc110d3530deefc0e09df8e4fdff798235d57d8a4508d51d84207d245c

Download Submit
C:\Program Files\UninstallConvertFrom.M2T.366-712-9FA

Filesize
1.6MB

MD5
79cee99efb0356a19df30f5c479cd0f9

SHA1
153436ecfc61cfa41c4e57485e17dd4c382e06ce

SHA256
cec66762e903be8931234cfa727a59be2f5ba61454d2f8e05c778c8fef7d2d54

SHA512
b64eefa6f850733479807f3fd0d094e8fb0c8181dd01a3d846fac7ab633be0a3fe4455de0e5dd6ab727dbea56e23311cbec35bf48a04876170b8a9150585b679

Download Submit
C:\Program Files\UnlockOpen.emf.366-712-9FA

Filesize
2.3MB

MD5
3b8800f247b07702b781803b1be99315

SHA1
954135774d6e0ee77bf6bb9a1adb9a1251919720

SHA256
1f8575cf7648b76cdfcdece31d8fd4bd240f20a478563b1207d9a47476e4e6d7

SHA512
fb7358f8821a7ee25a3828e1ac59741b21b943ae7f087b91cac0c24a20381ffb721422748764c7e99c7133048f4cdc618d6273f494af6c14c81cd909b879dc8c

Download Submit
C:\Program Files\UnpublishUnblock.midi.366-712-9FA

Filesize
943KB

MD5
53686d5be965089ea52d1126aecd25a9

SHA1
b186a0b78b74a544145c8c3c287fcff97b01d5c6

SHA256
bf5b4d769fee910aa109d5161a18ba045601759cd2e9457d8ce003d82e2f8fa6

SHA512
8b38dba912edc4cf1706413e547b4a3692ade3b989f76f434283ca78f30515bc57482b34c6ab2cb53fb5eb1e0ddf9fe03b120361d20865f1571c8127bacb31b5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.366-712-9FA

Filesize
612KB

MD5
221194cbc42f95f7edf7b6df98258bf6

SHA1
0410b2590bad6548b370869952a23127221f2948

SHA256
5c491230be723f57f8b69f0010368b017528904f6ad218a9ac2a2014b49d8e4c

SHA512
bc74538fb0296eaaef5cd1d6033a7deec78d239a3914f759aeb66f9bef6da8456689544fb90c1f886bfbfb8eccd0acdcd6c2162ab6cb48bd29ba736992ff1dab

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.366-712-9FA

Filesize
613KB

MD5
e9fad6dc7770232c6eb0d12967beea5a

SHA1
658623092895239631f9aa1aec82cc50e6cbb1b4

SHA256
05a498ebaabbe51bdc658c966be4deeb76ae100f58bc45ead7a33cd9e39efd20

SHA512
212fac1c8c409f4cd291d2ee04451d7b92bbdee262b7d16f4252fe4809356b007d3a0e92923d6fd7df4c964a136c04382e07491df04d976baa5432a0494da529

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.366-712-9FA

Filesize
615KB

MD5
b694d1a62958cc64e7916716a978fe1e

SHA1
e72c11696ef8cdf11fd23ac945dab848e0669e9b

SHA256
1ffb03b62be1df9103b5762fb1f35041774c9104e4f92514c893f40b48b17833

SHA512
c241aca0a1d8eb503fc7590a0b1bbf8d06bbb39c6b753f7fb0401819dad4127805793c5a00972fbb4d35aafd88b7e826b3a5975da37d929edf2ab5f6b5b65fb0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo.366-712-9FA

Filesize
780KB

MD5
4f4f6b639e6f04960e300642c3fbe021

SHA1
1b8bcdb8aed9d9a5a8c2cb1aff450e0b2d5aa22a

SHA256
5d3bc07810c686141dedd749eda3981dab7e9f7cf2a07c61d0c95d3672a4b88f

SHA512
e45ca6c60e3f027d5a17fead2b184c92bdb9a5221c3320856dd90107d1a74ff1f2bed42d54e3ffc8d9cf3e68a86b7748b65e048f2dc36cd34c91be51d435df53

Download Submit
C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
3af3b4a1e09501b9173edf6372a973ba

SHA1
a4268a30801b348f54f2d35fda446ae2b20d2837

SHA256
67fe2bb25dd8f410a835a596825b4d06b212141c0f905b84e9e2b77c3fd56306

SHA512
d881f413beba6108a86e9c09c1decfcc59a74823cca05f6c1e79fd4a936d96319949b78702636dc0cf96c7d5850a36dd1ca69d8ca0581a426c6aea277077cf18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
cbcc1b6ba4d53c94cf957f4052375a4e

SHA1
e1a3c0fe8be307f70fa76186af0c54d829e77f36

SHA256
2f9a549e940c54a86748cc9076a3992a3bc622101c005c2b7cc75b9820493b92

SHA512
eae558a54c6bc71382049d35f5eed6719040a858123c2e52f3cfc91a4167b7cd8668bf1220f169ed811f115ce8dab9fbb2b4f84860babd4139d132b63b516d2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
8f150e49b43783ea7246e03456b0c2de

SHA1
36ba3040b347c8648c8686e05485493d29813b13

SHA256
03d4132435f19c7d4eec33ff1c624e9fe6e20c72494f46721f7e9dd973eb792b

SHA512
585a92686f6a5842531f0f58706b6951b566416ffbfb5669c34a2043bbb4494ae23ff54a397b33b072937f9a34f47070bb4654702e8bf103df509b4ce030909d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
1377275d5101b19fca91b1d9c3598e4a

SHA1
1ae691c76fd89c93aae8d7cac235ef82f2def01d

SHA256
f198314ee09f7adc845d9fe2f67e9c06c63430c4b3ee0946d1e5b2a88d8bb997

SHA512
47fdadefaf686888a3ce69b646929229fb24bd9bb6082b031c5d54e2516eec1244c9c159d986a7456f6fdd0dbca143a55591ee37e8fbc65e2b37c3249e5a73b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
9108abd86bfcb3cecd635d26c77199bf

SHA1
3dcd7402d1dcffe7a0fc5218a2e9351eee7120bb

SHA256
ec410395d6eefbdac94777b4f18082fffde37ff64d186dc031f1c152de39cef4

SHA512
386b8f56904e103edcbbe8f3f3c0adb20c10c0fc6acc4874bdc6d0454de7ca7d2d7ecefa9e834c8e05fd6068c2b09b296b414b3384a69eaa3261a1d4bf0fe55a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
0b25eee2820185006af317360f099ef6

SHA1
f6e1ac177d8e55ab9d3c1078f22813439888216e

SHA256
32255bf69b4b4eb7f38c48b41fcf98ed77a4282750c5876e8c69a227ca699c61

SHA512
eebb822dc5c010925d919c546c2567cd8fdfae5d1bd24a2c9a5ac155d657161843d8da955fc6e076eeab748de1978962e3ccbb6592e9409e27d7ef2f633d960b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
080b22f7d6d42a9693d6ff267b39ecab

SHA1
d0837c08c5c28899021c8c7d1dc5b83940fc3f7a

SHA256
818cbfbdec71f820d7bae6c733ebb9c00e7d074dee533c17da76e13a38e3460c

SHA512
1154ec93063d84906799d7a09cbc15e765ca66c69782392b8a1b958b040ff067583eacc303eed61154e772b3171545a1da4620018471fc07329b0e94ea538fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7TGIK9U5\50QLAIV4.htm

Filesize
18KB

MD5
99a5ced9dfb5824225a0fab4c74a7b46

SHA1
f0ebed42f94fabe0c10dcf1eb3eb084a904e144a

SHA256
44b3cbfb57079b2570e5ae94942d8e00ce0291c26317c2649a41101018bab25a

SHA512
2966164e08f60aaa0078dbfee9f4d5521b5c02525dbbad4ac14df0d6be948ba98ae1da33e05ceec07abd6d8a18278c399629621803acdccc91019372fa3152ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JNMR143F\KPM2ID3L.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\32d6788f-dcb4-4ac3-8bb0-1131198bca7e.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Desktop\516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.366-712-9FA

Filesize
381KB

MD5
d6a6105227005efbd53f82c089e0c8f1

SHA1
7d026d36ad4ea8e1560867c2352a321d7f912c01

SHA256
7e6d841834eece981fe3da7c525dc6888e452dfec50c62a5e397cc6a49da3c6c

SHA512
3445db249d3c7650828f81bb4ef7a6816c13ee7bd2e8c85ad23c850039825cf81c08e37d2f5f9648bd70c659306d3ca5c30c3b70d10a07b620594cc17c1138a8

Download Submit
C:\vcredist2010_x64.log.html.366-712-9FA

Filesize
87KB

MD5
773c5a6551e8152f8ec414c61f97d477

SHA1
d4ae0ee5473d621cc3e8a0c45b1991f2090607a4

SHA256
287057e5c49398dceccbc719e66c9c518d5c80ad72ce8cc6e643c153107e5301

SHA512
c0c47029f6412d3a645e163cb12da73aaa40d1e46d85623dcc9c5a8975c1665a053208326d1fc34dd6e99042ea2d2b008ce79314e7b53050881bb680109080d4

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.366-712-9FA

Filesize
398KB

MD5
a4f3cfdd56ba8272179e55d18953b608

SHA1
121aeb259650f9c3ec511270be5d819ec3da6309

SHA256
defd507b5322995985dc2b5b26109b8620f609159ee2a5cf7e59ae1494f161f4

SHA512
55314330a311a744fdbbc6939634de32caba068f95cf07ba7193eb751a93aad5237e5419937acd63c29b02b1f4c2d9dcdb4ea5451bac68c0f5a73fe942eb2f3a

Download Submit
C:\vcredist2010_x86.log.html.366-712-9FA

Filesize
83KB

MD5
cf4c5575ef66ab612aa3adbfc38b0583

SHA1
5b8412ec27f6a5d5a7415b66cd2caac584745f17

SHA256
96f431d4b8b2378413f0e52c80c2b32a573c675a8eb9aa64b6f2a3e15f3e2312

SHA512
b633557af9c6125f34e68c8f5f90c71e7ff40c5eccd71feb0cec84525f20dfc4e0779f474da0a4ee03bcbdccc84d4565bfe756e045a25b65d12031698cb9451a

Download Submit
memory/1200-10949-0x0000000000AF0000-0x0000000000C30000-memory.dmp

Filesize
1.2MB

Download
memory/1504-50-0x00000000000C0000-0x0000000000200000-memory.dmp

Filesize
1.2MB

Download
memory/1764-1962-0x00000000000C0000-0x0000000000200000-memory.dmp

Filesize
1.2MB

Download
memory/1764-46-0x00000000000C0000-0x0000000000200000-memory.dmp

Filesize
1.2MB

Download
memory/1764-21614-0x00000000000C0000-0x0000000000200000-memory.dmp

Filesize
1.2MB

Download
memory/2692-19372-0x0000000000AF0000-0x0000000000C30000-memory.dmp

Filesize
1.2MB

Download
memory/2692-21611-0x0000000000AF0000-0x0000000000C30000-memory.dmp

Filesize
1.2MB

Download
memory/3532-17435-0x00000000000C0000-0x0000000000200000-memory.dmp

Filesize
1.2MB

Download
memory/3532-9722-0x00000000000C0000-0x0000000000200000-memory.dmp

Filesize
1.2MB

Download
memory/3532-21612-0x00000000000C0000-0x0000000000200000-memory.dmp

Filesize
1.2MB

Download
memory/4204-21613-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/4624-47-0x0000000000AF0000-0x0000000000C30000-memory.dmp

Filesize
1.2MB

Download
memory/4624-21615-0x0000000000AF0000-0x0000000000C30000-memory.dmp

Filesize
1.2MB

Download
memory/4624-13245-0x0000000000AF0000-0x0000000000C30000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads