avaddon | 1d1feaab709be09d383912b6e73ae410bb7733563a5449d3739bf608e82fca56

Resubmissions

26/02/2025, 16:43

250226-t8l7aawtcw 10

Analysis

max time kernel
383s
max time network
359s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/02/2025, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
Size

483KB
MD5

53717dc73f61b0f9551cb62d6fca2e4a
SHA1

1ca9304e86632b147852767c85c57e08bdfc8855
SHA256

c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028
SHA512

ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552
SSDEEP

12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy

Score

10^/10

avaddon defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\sTKqsCQG_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdeeAdEbdd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS10SnVObzhRV25WOG11bHVrUkx6aHMzSGtQUU5VSVcwaVR5Vmh1bWhaOXVnQ1pxci82Q25sMlFybkNFRVBsT2gxdnRhclVwekR5MWNRbEVydis4ZzJ1ZW5XN21QY2V6ZGZNai9LeU05ZFJtL21oTWxWUVJFSmJUYUVDV1FCdWlPbVNBR25HajRvN3FUNHozdWxDMW11R3JpTjZQNy95L2QraTZVWDFzUzZQbDJyWURjNEFXNjBBUXl2cjFIcTh1VUNLMnkwbGFPOU5BNFhWenl2NTg3WXYvWmh1ZFgwbjdnSC9RUzBKK1NZdmlYL0E4V0tsbTBUN2pmRHlhNTlDREJIeEZyUmpZUTI3YWlVRUFCQldFSW1pWGk2L0tVbWF4WU5BM1oxVEZlRCtiNDFHQStBbUR4ZDhKNzlqR1VLYmltbnhIT0xJamxIRGtYczdmVWlwbUZJT1RydndheHM0N0ZnTkoyZzV5ZDQ0ZzdLMUVFd08wYjlBV2kyK05yRmdUVnpOcG9wTU5Ia3dnOGFkZk9kYWRyblp5VmxRQ1dEVjBaWHZrYnpZMWFHNXd2Lyt5RWFlKy9kbkxTZkJTc1BVdnZqOHBReGJtUUt0U2tvUGU1ZlA2YVhNMkM3SnYxZFE3QkRVdmtnRU5VV1dVOGVhVkFGNW44RFNjc0hkWFBzNHIzN1BhK29nRG10N3dNYW1XK2R6NzJBTS91RThVK2REeXpSYm1VWk1mMFduZnZuQjc1Tzd3R3BCTnJ5eVFiUm44T1MrYmxqaDJ1SVk1TTNuTEwxNUNRNHhweGxxLyszVGt0d1UyZ2JtaHFUL2RxS2xWSVFVSVpsdUIyZzJSbEhVbnVlQzdDOVJaeVRySTN5OHpQWGl6enFqNktqQUdweW9KLzNpcElWRlRHVUVTOTZ1QmZpdXJYWUFld1R0a2pSb0RZQ2hzd0RxNC9RYUgxNE42VENnWlhLcE1vSW1pSWJyTGlqRGwxa05oSzlubjRXSGJTK2tDdGFRMlB6SVBrVTFVZDltM1dlZGkyQ0Mrdng5RjFOWDl5WTM3cHduZWFnYXIzNmhNelloT0F0aEoxejNSYnFWOG8xUnoyM1pDQzRwSkZidnRCV1ZrZ3hJL3ZZZzQ5T0dmWHUzOFJDNGI4RGUzSUg4UW1WOGNHZHJWakRnNEJQYnRiRE1CbGprbDYwbDhuRVgySnJVZ3RBUXNIOE1kTVVkL09HazBEREk3MzZJOHBmVzA0NkUvSWtrUzFiQ2tUMk9tSmp3NzZpOUI4ZU1JdkE5VEExcGRQMVJ2SkhVQ2RlVjVIRzlpTTMxQUNUZndmRzk2STJBRXVCVGhjaEIyY0VBYWNVUmEwczVUMFJ4ZGdsRDlEbWdpS0J3OG9zdkYvQVg1S2lYT1FYU1NDb01TU2ZJOGtNeVZIR2g3L0NmelJVRHlORncxYWJPRGhMVFhvSEtIYXY4VUhFbHc3bERLT0J6cU9LaXBKeEhnSjVEdDZJdk5pVUxUVG54NGwxSTQ1SnN3VHVaaEdqMzlOWEZxb3NaU2NkM1M3Y2tXS2s0eE1GVnJlRGh4eFJJRXZucnlwUkxqUXU3UElJcklGMmw3M0tkSXNZaU5GVElqaWNiQUFuVHM5dCsya1pWVUgwOHlBT09wb0t6TlJEcHZQQUVuNURjODRsbi95WTdUU0lsU21hT3lqdDdzYzJDcW9YUjR6Y21OdTBreTBkNnIxbDVoRXUxNmJ1ZjZoSjdZKzZGUHQ2WUlnOHI1UkhnYUpIN21VQk1pdDZDVVljYVAydFcrSm1BVEc1bU9kMkRIRGVUYUVxOXkrKzZjTWtyVC9vWm0vbEc3d1hiWnRvcGJuSU9RcU5tbnlTTGNiTW93Z1RPMm8wajRQaE5KZGh2dS9zUklCK2hpTmJhT3Q0Nmhxa0JRWXZ1WEU3b2U0QXkraW9rRUR5SXVOMHNtZlR1TUlNaitRU2hxT1I1ejBaVE8wbmJ1eW1aZHZuSTg4YU96N3VoNmVLUWFYa1BWVGV0ME4rMEs3V0ZmOVdxbndRNlRNckJ5VTNFWFM3bkxTeEFGQWVtM1ZRV2dpMHhuQnNVdzhEOWFlcW9BTnltTUIrMHNaYjAycUd3WHNmbDQxdGNZQjRQajJMTmNIb01RNjRLem9saFp6WUhIQkN5QT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * sTKqsCQGItbYx3Mq1czrqVYWb

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\sTKqsCQG_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Pictures\Sample Pictures\sTKqsCQG_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon
Avaddon family
avaddon
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\Y:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\E:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\H:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\I:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\J:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\P:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\Q:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\T:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\X:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\B:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\K:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\M:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\R:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\S:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\V:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\Z:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\W:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\F:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\A:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\G:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\L:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\N:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\O:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2084	vssadmin.exe
2584	vssadmin.exe
644	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2984	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1632	vlc.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1632	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2704	wmic.exe
Token: SeSecurityPrivilege	2704	wmic.exe
Token: SeTakeOwnershipPrivilege	2704	wmic.exe
Token: SeLoadDriverPrivilege	2704	wmic.exe
Token: SeSystemProfilePrivilege	2704	wmic.exe
Token: SeSystemtimePrivilege	2704	wmic.exe
Token: SeProfSingleProcessPrivilege	2704	wmic.exe
Token: SeIncBasePriorityPrivilege	2704	wmic.exe
Token: SeCreatePagefilePrivilege	2704	wmic.exe
Token: SeBackupPrivilege	2704	wmic.exe
Token: SeRestorePrivilege	2704	wmic.exe
Token: SeShutdownPrivilege	2704	wmic.exe
Token: SeDebugPrivilege	2704	wmic.exe
Token: SeSystemEnvironmentPrivilege	2704	wmic.exe
Token: SeRemoteShutdownPrivilege	2704	wmic.exe
Token: SeUndockPrivilege	2704	wmic.exe
Token: SeManageVolumePrivilege	2704	wmic.exe
Token: 33	2704	wmic.exe
Token: 34	2704	wmic.exe
Token: 35	2704	wmic.exe
Token: SeIncreaseQuotaPrivilege	2704	wmic.exe
Token: SeSecurityPrivilege	2704	wmic.exe
Token: SeTakeOwnershipPrivilege	2704	wmic.exe
Token: SeLoadDriverPrivilege	2704	wmic.exe
Token: SeSystemProfilePrivilege	2704	wmic.exe
Token: SeSystemtimePrivilege	2704	wmic.exe
Token: SeProfSingleProcessPrivilege	2704	wmic.exe
Token: SeIncBasePriorityPrivilege	2704	wmic.exe
Token: SeCreatePagefilePrivilege	2704	wmic.exe
Token: SeBackupPrivilege	2704	wmic.exe
Token: SeRestorePrivilege	2704	wmic.exe
Token: SeShutdownPrivilege	2704	wmic.exe
Token: SeDebugPrivilege	2704	wmic.exe
Token: SeSystemEnvironmentPrivilege	2704	wmic.exe
Token: SeRemoteShutdownPrivilege	2704	wmic.exe
Token: SeUndockPrivilege	2704	wmic.exe
Token: SeManageVolumePrivilege	2704	wmic.exe
Token: 33	2704	wmic.exe
Token: 34	2704	wmic.exe
Token: 35	2704	wmic.exe
Token: SeBackupPrivilege	2152	vssvc.exe
Token: SeRestorePrivilege	2152	vssvc.exe
Token: SeAuditPrivilege	2152	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe
Token: SeSecurityPrivilege	2736	wmic.exe
Token: SeTakeOwnershipPrivilege	2736	wmic.exe
Token: SeLoadDriverPrivilege	2736	wmic.exe
Token: SeSystemProfilePrivilege	2736	wmic.exe
Token: SeSystemtimePrivilege	2736	wmic.exe
Token: SeProfSingleProcessPrivilege	2736	wmic.exe
Token: SeIncBasePriorityPrivilege	2736	wmic.exe
Token: SeCreatePagefilePrivilege	2736	wmic.exe
Token: SeBackupPrivilege	2736	wmic.exe
Token: SeRestorePrivilege	2736	wmic.exe
Token: SeShutdownPrivilege	2736	wmic.exe
Token: SeDebugPrivilege	2736	wmic.exe
Token: SeSystemEnvironmentPrivilege	2736	wmic.exe
Token: SeRemoteShutdownPrivilege	2736	wmic.exe
Token: SeUndockPrivilege	2736	wmic.exe
Token: SeManageVolumePrivilege	2736	wmic.exe
Token: 33	2736	wmic.exe
Token: 34	2736	wmic.exe
Token: 35	2736	wmic.exe
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1448	firefox.exe
1448	firefox.exe
1448	firefox.exe
1448	firefox.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1448	firefox.exe
1448	firefox.exe
1448	firefox.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2456	AcroRd32.exe
2456	AcroRd32.exe
1632	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2704	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	31
PID 2656 wrote to memory of 2704	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	31
PID 2656 wrote to memory of 2704	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	31
PID 2656 wrote to memory of 2704	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	31
PID 2656 wrote to memory of 2084	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	35
PID 2656 wrote to memory of 2084	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	35
PID 2656 wrote to memory of 2084	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	35
PID 2656 wrote to memory of 2084	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	35
PID 2656 wrote to memory of 2736	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	37
PID 2656 wrote to memory of 2736	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	37
PID 2656 wrote to memory of 2736	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	37
PID 2656 wrote to memory of 2736	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	37
PID 2656 wrote to memory of 2584	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	39
PID 2656 wrote to memory of 2584	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	39
PID 2656 wrote to memory of 2584	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	39
PID 2656 wrote to memory of 2584	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	39
PID 2656 wrote to memory of 3048	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	41
PID 2656 wrote to memory of 3048	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	41
PID 2656 wrote to memory of 3048	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	41
PID 2656 wrote to memory of 3048	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	41
PID 2656 wrote to memory of 644	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	43
PID 2656 wrote to memory of 644	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	43
PID 2656 wrote to memory of 644	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	43
PID 2656 wrote to memory of 644	2656	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	43
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 932 wrote to memory of 1448	932	firefox.exe	50
PID 1448 wrote to memory of 1464	1448	firefox.exe	51
PID 1448 wrote to memory of 1464	1448	firefox.exe	51
PID 1448 wrote to memory of 1464	1448	firefox.exe	51
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52
PID 1448 wrote to memory of 2068	1448	firefox.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
"C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:2084
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:2584
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ExportExpand.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:2984

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:932
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.0.1812637439\350464105" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1108 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb588858-d20e-4f7a-a14f-07e21550f71b} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 1328 96f7358 gpu
    3⤵
    PID:1464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.1.1327887083\1211869202" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6019cacd-ff4d-4e4b-9d4e-89a3a5af5452} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 1536 3f31358 socket
    3⤵
    - Checks processor information in registry
    PID:2068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.2.555724917\2137735544" -childID 1 -isForBrowser -prefsHandle 2032 -prefMapHandle 2028 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20ec9e64-76b8-4c50-b0af-6676640db48a} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 2044 9663a58 tab
    3⤵
    PID:2712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.3.1904360990\22985687" -childID 2 -isForBrowser -prefsHandle 2780 -prefMapHandle 2776 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8a9654d-480a-4a3c-8597-8be5c9e5be96} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 2792 f62558 tab
    3⤵
    PID:2236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.4.1680907015\1106675734" -childID 3 -isForBrowser -prefsHandle 2948 -prefMapHandle 2944 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1085a47c-2759-4732-92a3-8c4e6c0cb5bc} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 2960 1cc3ec58 tab
    3⤵
    PID:2160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.5.6569758\374832677" -childID 4 -isForBrowser -prefsHandle 3744 -prefMapHandle 3752 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ae980f-0c5a-46d8-80ff-8dd98d7df6c6} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 3764 1e4fa458 tab
    3⤵
    PID:764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.6.2126801721\396264429" -childID 5 -isForBrowser -prefsHandle 3876 -prefMapHandle 3880 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9037fd50-3df4-45d2-80f3-9c0e22f2fd21} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 3868 1e4fb958 tab
    3⤵
    PID:2796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.7.1638212248\2057383142" -childID 6 -isForBrowser -prefsHandle 4052 -prefMapHandle 4056 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11757abd-372f-431c-8203-f5e1bf6c1f35} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 4044 1e4fc258 tab
    3⤵
    PID:2288

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp

Filesize
37KB

MD5
6d326c251ec643967688362179355f42

SHA1
54b3113773517de1126e7d13fc17a135068a7982

SHA256
1ce92c365b91c73a3340403fbf4ca4c77518bb1748223987941b62540fb536b9

SHA512
ec359c662133900d7c3938365c5fa070afaa829ecdb8a438ddc46bfe3b6ec6df35239068dc3e74e4b5565f67e226d76ce8d707dd5fa5d6310576b5c2afbba4b1

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8ab0ea64ff6193d6da9a1604e6354d34

SHA1
f518af675bbb9c7a3bc4be310827b739d3fa8b0b

SHA256
b03567bda740abc3dd1d613fd2d5b82f0e3dbc44ae5a741d79fc0f790e26bf78

SHA512
293b4054940e48b587883ba905ed5b9559d8f516ae47a4c9631bf4dac35e5a68878e44907dbf4933765c8b0071f4bd4aeaedeb50d25e930f8cfb981582e6a22c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
a306f92c258edc75d7c56b736debfb6b

SHA1
eeff1ec31cc15d9463421961741748379524bb20

SHA256
e6fd70d782a6a58d08a25ee2b3991ca10684a88beef560d861714eb5231824ea

SHA512
1e4cf666e84f972ebdb6a8c9ceb55a8e41936665431611a8466d3d68db2e976a4000322dd4098661ba53de3c46a52146e812daa0eb589ec8fbc233b4f54fcc3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\4a7b0d02-d0e7-44b1-b9ca-3be5347d371c

Filesize
11KB

MD5
4e1cf12223bfd8b17416a18394f7bac3

SHA1
7eccef9f5abb25f1d978c3bd7268865e22d717d1

SHA256
210c6bb22c9f0799859dcfcbc9646e283ec661ea12ea48d2f88ed47942b99480

SHA512
d6b434eef5e43f183d053cca4bd534006c177ba05217922df4fc76f5f09ab9923de3d11ed3165aa94b9c714b7f4da53ad5ae187bc7f863258a692eed717ca3c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\856d3839-d937-4798-8a2a-3d21fb0909e6

Filesize
745B

MD5
70c161f082af8593868bc534ffd962e5

SHA1
ba9f9bbb774a8394165b336e47f8c6bfdf94fe20

SHA256
9e923260d20da359f129a01a8dea94ce7a0405b03a87c877c8041fbf4fde0031

SHA512
dcae0df01ef1d5045e26a0a316350acf19c83319a1ca3690b39464cc0d15aa74bf9903bfa2e087e3effc6ce30748fc4fcf79c0206b4b798bb815100dee42276f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
6KB

MD5
397651259378ba87c6e3003aa6b127b3

SHA1
21ecd80ad76fd85b679b610cf70277890f959d7b

SHA256
799720d18be0845ce6dbd1ada05be0c751c75438a292089a54d43f2c5102d8f3

SHA512
7d2d7e6f1bf9066ce66c551952973346e132744b5ce3e99f811d58c71dcd574efdf4f6c0eeabc64d1334354eb59a576228c8f7a01234dd8d8fbf4671ab0fe121

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore.jsonlz4

Filesize
830B

MD5
71ae2ebd53989e9418c1bd1ea8d11d25

SHA1
79231b8e5028a0ddec25442c395a3611a80fe79f

SHA256
0b5cecaf0aae4ef2d02ce9110d3bf293d6aca18efdfc7ae4e446049fa2a35037

SHA512
4ea351f38c36112ddb668e1fa299ab849dcbecae4765bed49cc7b301451c15ae3469b343dc9e0712f22acb7020ebb84adad6dc824e13b78d5b1894dea2a25c2b

Download Submit
C:\Users\Admin\Desktop\ConfirmClose.mp4.bdeeAdEbdd

Filesize
1.2MB

MD5
33ac35ce040ca8510eb9a5e0242b6a6c

SHA1
cfda5a1fe2cdd72a5ba069d8608c047567a64cde

SHA256
93d4969109d1ee5b566b05807eabf0b9caa14a20db7d66f40dc2ab5588f66885

SHA512
2b083efc5714a17c3fc63731a3da1d2e39be93c9b78637106ea75c7ba09b0afa5d91d4168790beffdcf15b1309cd68cecb5a3e5529455d4d2525ce3c1b2925ea

Download Submit
C:\Users\Admin\Desktop\CopyApprove.xlsx.bdeeAdEbdd

Filesize
16KB

MD5
32807025639731d5eeeb01c274eeb173

SHA1
6b44add5b246a08b8fed362295811827d4a98aab

SHA256
b36b750f63fcddb9c5e73e2db68447c0a8f154b4f5d4e293742bdc2580ec14cd

SHA512
2bf00b083b0a396377faa579c1126258c9e584ab5b4e93f4f24636d12afa01eb12011ee44b18b0adf96de07cd52db092e42dba59cf79d9f7994756004f6d8f7a

Download Submit
C:\Users\Admin\Desktop\CopyFind.vsdx.bdeeAdEbdd

Filesize
640KB

MD5
56be571327b8f7d07a4fbb3690c4cda7

SHA1
98ddc4cc7a88f5156392ba83703129d464891b0d

SHA256
5435f0df2bba428492ae01bbf378a655f3e9f453a23949fae128b4f6199136a0

SHA512
a95b3bce553f9ca24eb22f25d0cfd68f119ab890cc3fccc66b53582d37838d8221c8a435658c4593de9f29f7fd4171dc292c3e14159c3d632327dbb209508826

Download Submit
C:\Users\Admin\Desktop\EnableEdit.docx.bdeeAdEbdd

Filesize
24KB

MD5
487b6086b84ed0eb1fb02fca9f87e6c6

SHA1
ddf3f2d81a9f96277773115fd4a24e0e95132075

SHA256
86df16e0aca60057b2826771527a8b843e05152f0691a929d65d678231fa21c6

SHA512
130691aab2b2fdd5528eb9977d6274d5f80761b017f31cae5a223ec82b58719e5c572005a888acf8299c4e93dc2fe130b21a9ad60205299bf47a296dd8ed62ce

Download Submit
C:\Users\Admin\Desktop\ExportExpand.ini

Filesize
463KB

MD5
cb1078a401cb7b4e5e9c14f792ac5198

SHA1
463917f950f4b2b1d3267736d4f3584b5d747d6f

SHA256
6cb830238aa3250f442fa75c9de5acfe7ff1c4aa06c07c64e669b965eb932971

SHA512
52a5c17dd20fd7f75e50172452e178bafba09bcc5434e2db9b2b53cfe4a960de5c611769097ca37cbb76bd1a1f406693167ae570362d1a82f230e2a589576d9a

Download Submit
C:\Users\Admin\Desktop\HideShow.shtml.bdeeAdEbdd

Filesize
912KB

MD5
0fffd6c3fcebb0bd90b4f1f144be5677

SHA1
a001092ee0007ecc8b7dfc6b9479ce6efd856f58

SHA256
995a5cbef109f9398a7254c4a29aeb9f492f955ef5c9ecfae3786e76747a69fc

SHA512
101b894281f6cddb83bcbbc5a952714cf8368ece9487d228fb3f12adcd4a0af935d429d0fe1cc80985f5678b74c6d84ab0b0dcad75ecccb598a948ce1df76733

Download Submit
C:\Users\Admin\Desktop\InstallSet.docx.bdeeAdEbdd

Filesize
24KB

MD5
720de65aadb1d8abe7fa176ae75a0470

SHA1
135e563e55b9f84633f7e86aff4b25441f6ed0f9

SHA256
366d6630af7a057775d5265d211e59c155b4819482eba607cb589e35b70ad1eb

SHA512
772a102652d8e67a981f2fb8942fb0d352f6aa22bb90100497b1cf0ea483eacbc440ffb6ec7c48496ea3ea8f70a1a803dcc34fa9ec0418d69ef1c028c12452ed

Download Submit
C:\Users\Admin\Desktop\InstallUndo.ppsx.bdeeAdEbdd

Filesize
1.0MB

MD5
2bf7d69528824b72beddc56507f6ba21

SHA1
19d9d8121f6ca6ad0c056f25b00bd80820f55414

SHA256
ed85242153896d75330082a0b8487faf839ed6615b9c88a8a6920e07b29f1573

SHA512
340cb3ab00ba8ea2157493ba7073d9fbfb01b5df22c678e77746bd47903cfe5935339e3a64b5de5ec23f3a67776b5689b00078d0d8a2c95c846f7b6f5bf5ab25

Download Submit
C:\Users\Admin\Desktop\JoinMount.TS.bdeeAdEbdd

Filesize
552KB

MD5
d6341d5e608cfb198297f5f2dc1756f3

SHA1
58081dc48e18fd79323ca3cf96591ab989cd790e

SHA256
788e6e7bb096f0e24dcfafb4e2c4630868f4800940b3184644626d3751966421

SHA512
ca8a46ad44f7e17ab075dc8ceaecb79778934c87d95dc886828259c1eebc52a97e3b49925971edfae62b8565044581c4bbac07b61934663d8b906bfe59d7aa47

Download Submit
C:\Users\Admin\Desktop\MeasureSuspend.xls.bdeeAdEbdd

Filesize
952KB

MD5
b48ad3323e37633ecbd855f8c76f1e5d

SHA1
0617d00734e5aa5f3e66a28ccbf31279f091ca20

SHA256
a8e249dabe30919d67ca31ecff059f872223bf3d22e04589f4db300aaa0c0c0b

SHA512
1354fb8d44f498095e4ab516f89204488b631fda69d8ee06128ad53867b33d1bc67ea1502f840c682f51a359861a319a97a82d6c7be8d3badf05548b423eb4b3

Download Submit
C:\Users\Admin\Desktop\MergeUninstall.edrwx.bdeeAdEbdd

Filesize
728KB

MD5
b1f123e9a9797859e6f3b0fca4899b7d

SHA1
03c9f35270987d5724b56de99f569b87d6f6b12f

SHA256
92cf49d3e46fb2224433268b05de502a9b843b373f883d37d451724e6a993db4

SHA512
1ce54df2d2950d1a7432dd168cb1d784fc9096a5997d30ee7d7b1842c14c3484c70d9d52335c5d5347dc7b657b8c60fe88c8b6fff5633bc202e0645c1543779b

Download Submit
C:\Users\Admin\Desktop\OutPublish.ttc.bdeeAdEbdd

Filesize
824KB

MD5
1c462e8a5e28188c08de9cb86d2938fb

SHA1
88321217a39d5ea2cf819aab61e5e4959592f088

SHA256
4b933a23ef72b8baeb804227e87aac852a3da6169a162a075bbe945ea0d4bfd0

SHA512
82eb5dacae5c214db1efad5ac190f7ced35f890e14b9608a429e29003a1583fc831fd171d29052e161575c2b102f134200ced481aa924a6b7207b96b873180f3

Download Submit
C:\Users\Admin\Desktop\OutSearch.emf.bdeeAdEbdd

Filesize
1.8MB

MD5
de0e2a966395dfde685d185aaf8c0e94

SHA1
1eea7705971053ee5361a0eeb2654231dacf1408

SHA256
106613ce0fbe07136cae1c729a9adf21f897581fd118dd24f71fddaa872c7952

SHA512
e5b740531a35f315a23e1cccd2d08446207415596fefb6547d6c92d3d89d9b4e722bcd4cdcffa75307c47542c2c0d34fa43203803d49949b3f512e2677ccd816

Download Submit
C:\Users\Admin\Desktop\PublishOpen.xlsx.bdeeAdEbdd

Filesize
16KB

MD5
7bbecf69ce0646582db8701d637a4b9d

SHA1
7dd7ee865add80844fa95d2ff8427f1c51b69020

SHA256
80b56324780975b4c1532700351094ba1e00aa17d6edb3691a3f78a90ed721a3

SHA512
9c7708b3db9699cbfb44178bc5b85e550f1399a7d0fa7f7c2540b505646cc5b97adeb42c7236ea6a31b54e9ea5ecd21f4a62a6ec9a1a5cdcc3275182fcbfc9d1

Download Submit
C:\Users\Admin\Desktop\RemoveApprove.csv.bdeeAdEbdd

Filesize
688KB

MD5
d50cefdec3f59bdc8ba6966aab69aed0

SHA1
45eb2c263ee75b7a8821a50bcbf8e24478f083e6

SHA256
158fe7582fb940cc67418f1b8267539f9ce73c2c3548f2f363fa4742b94bb478

SHA512
e333274752a4593de7d8fd8246d134246f2855e55a29c0961152dd753f10e17022d77ad16877a244c6bf3e1ace7bd3614750323dfbf9b4b08613aed301195170

Download Submit
C:\Users\Admin\Desktop\RepairImport.7z.bdeeAdEbdd

Filesize
1.1MB

MD5
629661b5ef7a398921f7c42958bd40ea

SHA1
526a6c7bd8256cc1812dd37eed4a24880bd336fa

SHA256
98b3cb96d901c8dfd41c4f462a47125723e59c44aed0e1005820cde4be469230

SHA512
297af510ae99d4cbf7056f8b49040386236169d21f6dae43c1656f556fd9500961e8479583c8009933b9c6f574dd7a6957a7edd7e3e3c5cd1bdeb95a9e297db1

Download Submit
C:\Users\Admin\Desktop\ResetRead.dot.bdeeAdEbdd

Filesize
1.1MB

MD5
e790e6f573ad70fc8e95cb51ee75b036

SHA1
87ee455d2f685716d22a6ebea7908d89318ce709

SHA256
73882f4a278a89a15cc508cbc194a68049695404459a0a5ea03655aa8c245db3

SHA512
611da27941ea836241addb512256a5c6382a49adf65a2c5a66249f378eb167f1c3a62fab6020933802377a41bc803ff9187e64da0fdf46d8f248c657d281212f

Download Submit
C:\Users\Admin\Desktop\SelectOut.rle.bdeeAdEbdd

Filesize
600KB

MD5
bed53e7a32be3163d70fc14d5e57dc9d

SHA1
903bec494bd1f8022670040da5ac571689424951

SHA256
418e6e6cf25e75b5ade6212fb8c32f2f40f4dfbc31b60ee1d4aadbf38f806696

SHA512
0f3de7e33f23628b8bc3aba801156539bf4e4560270db914276c4df0f6e9a687dbcbf839ab98765c218548d4755c20b136eb9453689ea4796c377400c26f1d55

Download Submit
C:\Users\Admin\Desktop\SetResolve.asp.bdeeAdEbdd

Filesize
512KB

MD5
7d7232d5c4deea818246082e49f1ec5a

SHA1
836aa5e31c534af01a73d283da4cb6358c6c6b85

SHA256
57fa8dc3a7a13a4fb11dc72827924176c95f67a6c9d3b32627e00bb06649e58f

SHA512
f042dfe36960a39bd00987ccfc3e4ccf5d114cb71f4f0e9fe6e3d6bfa9231191b11475477d690045b23ed3f52ac5c8466afd4ab08ecd8dcd64d67324d11425b7

Download Submit
C:\Users\Admin\Desktop\SkipRedo.csv.bdeeAdEbdd

Filesize
864KB

MD5
cfa75870e59cd106f524314e2740e0e0

SHA1
0dd9dc14a90b14bafeed214965fb8bb2040d6b62

SHA256
f9372d95bbaad32e264bf0d694a82ca0f8472f84c5c6b26e06df4101c60cc6de

SHA512
ebe4cceb8c45c5f85c77b84fcee79ed1da859cd7f975bacd1c0f4e1580b6b385e1c5bb11add4c1d026e0c97f5fdd7ba0b91a90993a389a5bd969f86aeabf06b3

Download Submit
C:\Users\Admin\Desktop\SubmitStep.easmx.bdeeAdEbdd

Filesize
1.2MB

MD5
5987eada6a8713c7cecc43e4ea3ecffb

SHA1
8e98df45b9eaed65b0589415c74be49b063fc3ec

SHA256
69a7e3c06d3f43d0142a91946fabc3a00c31c7e2a029b212740e6460469b4476

SHA512
d62e98c0fe037936608ceccf87101bd26ab4af30ec82a3bde664fa440d6597cc2ab195fc69fda509078298a8920328b240a10dfdcb97d76034614de937a31ad8

Download Submit
C:\Users\Admin\Desktop\SwitchRename.3gpp.bdeeAdEbdd

Filesize
1000KB

MD5
678320505e5e405f9602cd1eb499a86e

SHA1
93cd1a53baa781fc6573e6d01320752690119ea6

SHA256
3585dac229d6fb3070c887283e019d4c2ca402bea5265f7d4c5f229666c7013d

SHA512
96f49d7d4cd49575776a0c6d96c558bdb6f3cca244db5c5b66d592166a327728e4e8acc0265912d71de24d7537ee1d897e0ef9405498c230b6ffb4b8c041d9bc

Download Submit
C:\Users\Admin\Desktop\SyncCopy.gif.bdeeAdEbdd

Filesize
776KB

MD5
0ead8a1002831527160aa1ea57a399a2

SHA1
313dc48c2db23aac072b06c53990f5baac6a8eb4

SHA256
f92bfbbbed00c7a49c6880bf454fb5261eba423658d87702cf286aedc61d1614

SHA512
0f5b5f25e9a646481eb4dadab7e0192afdd00db1c6a51180b12a6e8c8ace240d34d2fbc119308271edc38c01241ef9ac48dabc1715a7f14577f933260fb4415b

Download Submit
C:\Users\Admin\Desktop\TraceDismount.docx.bdeeAdEbdd

Filesize
24KB

MD5
77a60ffbf78378a2948e578ebca6cd28

SHA1
09051219b3a70e8fee1d2012ba0fbdeea91c7ddd

SHA256
554d8d79487178be93e4c7d03d74c06f0dcea425fd49fb5c440429a6fa2bbaab

SHA512
967a3e8a727b83aeac2a86aabf493bc6aaf85ad10511fbb02edaecc0a6ecbf89adef60c5b2b05ed01b989b6a0931c287ccb8088e3f062e1179d2bd3d73767548

Download Submit
C:\Users\Admin\Desktop\TraceRevoke.eprtx.bdeeAdEbdd

Filesize
1.3MB

MD5
6dd5e3c1c87d6cd30a4b5b6e3c86ea46

SHA1
a73be370d02c198c7f0d5a05a22068f2b29df04f

SHA256
747f474b087c3cd31eaf27fff2d33b8c24845303b6cd3c4f018af711b9fefdac

SHA512
c594f52092bb487a42e7083f71a5e1758aab58a498ae209c75a8572d9e504a772114b4bbe6f5d6df7effb3b121ad9fc1e1273a57b56d57f52462334f5ebfadc6

Download Submit
C:\Users\Admin\Desktop\WaitUnlock.3g2.bdeeAdEbdd

Filesize
1.1MB

MD5
750ef3c77f6ca195a3b26830181ff06d

SHA1
f9f05db4fabe7e0a1a5ae4259634c729a4298a4c

SHA256
42587246ad3529662c713c8b815b53cf4c4ebf84ddf1c843c3c9a0d0fda5f1e6

SHA512
c50ef9b69aaf51f43902dab73c8637281d8b6b3de5cc3e4b8faa5d57be73f8734b22078550aa558a996df2fa6595e154f6947717305de13b78888cabf2a6dd84

Download Submit
C:\Users\Admin\Desktop\sTKqsCQG_readme_.txt

Filesize
3KB

MD5
4846c60a76b560ad21c8e8c7f1b7ad16

SHA1
c447025923196fbc6ad483c38e94a12250ffd69a

SHA256
6e26845f5dafbeb23ce84681f9f8bd0ae35aea927bac267d63bd82629799bd66

SHA512
6aa598ae75f208d6871250633a0d26725aecc8ea88c580a3ca86d6a7651b4b502988d6d5be8e4256398a219221e48832bbc60b4703ce3392b1687f38e89710e6

Download Submit
C:\Users\Admin\Desktop\sTKqsCQG_readme_.txt

Filesize
3KB

MD5
c2dd7c88747c2501fbcff15db56929b0

SHA1
59cdff2db83aac8ea72f9e1eed4e4523eff307e1

SHA256
432513a69208142a82ff807366bc1fd6bcaabac268c91681309c256510904707

SHA512
3fd93451e56cbe01529faaa3beb66cbfd3f66a1d4d63e03c973a7ea33330f430c0fcdea62f3fc7d0108d41ff3ab4ded79e5db0bea229d51f1dace50d2c9ef9e9

Download Submit
C:\Users\Public\Pictures\Sample Pictures\sTKqsCQG_readme_.txt

Filesize
3KB

MD5
e266fca027accc9934a10313b42030c1

SHA1
2cb44833383bc28734b11011e70660b4a42fefbb

SHA256
cd74245a80b54aace595868458ea319bbb4cfe106541decaf7dc36f0ae38ec71

SHA512
8f094972dc08922216948dc9dfdf0d904cf3a7d237934d01de2bf2e8b40bffdb749ae5e26780a6dd97a098c80237616462251359d7dcd944c55ba7351730b68c

Download Submit
C:\Windows\System32\LocalGroupAdminAdd.log

Filesize
15B

MD5
e89c001fb4d9e08cc7072ce774cdb999

SHA1
796d1a40d539ba1bcb187e848f74b690ec15a08e

SHA256
87713e954ae3003e8746c6707de610663b566ac47a3a9c14bcf0b24f48cd0fa7

SHA512
9c0056685e19ef8ee568031043a5630ef13ab6e2b934e25735b114790b1fae21eb6b00ca534f6f1353da068896ef63d76cf5b9525a8713c2f566a7519959efe4

Download Submit
C:\Windows\System32\Local_LLU.log

Filesize
50B

MD5
563c3703a9b57cc9b370a76d6173d09c

SHA1
8cbbca5e8a8f863299de71faf86ea8087c54b401

SHA256
30c4b1b1bac993998256fdd787ecccb7bb27800a2656deaa3896acb708af17dd

SHA512
04306687d032b91bd2564b82d83ed7d48bec480e449f954634c2e91f2eb3ca0c5d9714f0ecba8391bd61bf27f0e6c55e4105c39a0a6f74ac7723e14237607d8f

Download Submit
memory/1632-750-0x000000013F1C0000-0x000000013F2B8000-memory.dmp

Filesize
992KB

Download
memory/1632-753-0x000007FEF4410000-0x000007FEF54C0000-memory.dmp

Filesize
16.7MB

Download
memory/1632-751-0x000007FEF73C0000-0x000007FEF73F4000-memory.dmp

Filesize
208KB

Download
memory/1632-752-0x000007FEF6E60000-0x000007FEF7116000-memory.dmp

Filesize
2.7MB

Download