buran | 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

Analysis

max time kernel
92s
max time network
103s
platform
windows7_x64
resource
win7v200722
submitted
27-08-2020 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Size

437KB
MD5

e26982b170856ca8ca96a2f41b2306fb
SHA1

e467f2bc6f01f2a13effaf8f6283d616ccf40e2e
SHA256

8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6
SHA512

80a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: crioso@protonmail.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: crioso@protonmail.com Reserved email: wiruxa@airmail.cc If you do not receive a response after 1 hours, then resend the message to our backup email: wiruxa@airmail.cc yongloun@tutanota.com anygrishevich@yandex.ru Your personal ID: 195-83A-216 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

crioso@protonmail.com

wiruxa@airmail.cc

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid process

1908 taskeng.exe
1584 taskeng.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1892 notepad.exe
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe

pid process

1108 SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe

pid	process
1908	taskeng.exe
1584	taskeng.exe

pid	process
1892	notepad.exe

pid	process
1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18190_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_ON.GIF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.CN.XML	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0188511.WMF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE05930_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD15301_.GIF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0238333.WMF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00192_.WMF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nome	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287020.WMF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\DOCL.ICO.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD10219_.GIF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\RECS.ICO.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0182888.WMF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\SIGN.DPV	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0205582.WMF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEWBY.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.195-83A-216	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EET	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\OFFLINE.ICO	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\INVITE11.POC	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Stationery\1033\JUNGLE.HTM.195-83A-216	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1884 vssadmin.exe
972 vssadmin.exe

pid	process
1884	vssadmin.exe
972	vssadmin.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

taskeng.exeSecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c190000000100000010000000ea6089055218053dd01e37e1d806eedf040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf91400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	taskeng.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Token: SeDebugPrivilege	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Token: SeIncreaseQuotaPrivilege	1560	WMIC.exe
Token: SeSecurityPrivilege	1560	WMIC.exe
Token: SeTakeOwnershipPrivilege	1560	WMIC.exe
Token: SeLoadDriverPrivilege	1560	WMIC.exe
Token: SeSystemProfilePrivilege	1560	WMIC.exe
Token: SeSystemtimePrivilege	1560	WMIC.exe
Token: SeProfSingleProcessPrivilege	1560	WMIC.exe
Token: SeIncBasePriorityPrivilege	1560	WMIC.exe
Token: SeCreatePagefilePrivilege	1560	WMIC.exe
Token: SeBackupPrivilege	1560	WMIC.exe
Token: SeRestorePrivilege	1560	WMIC.exe
Token: SeShutdownPrivilege	1560	WMIC.exe
Token: SeDebugPrivilege	1560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1560	WMIC.exe
Token: SeRemoteShutdownPrivilege	1560	WMIC.exe
Token: SeUndockPrivilege	1560	WMIC.exe
Token: SeManageVolumePrivilege	1560	WMIC.exe
Token: 33	1560	WMIC.exe
Token: 34	1560	WMIC.exe
Token: 35	1560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1976	WMIC.exe
Token: SeSecurityPrivilege	1976	WMIC.exe
Token: SeTakeOwnershipPrivilege	1976	WMIC.exe
Token: SeLoadDriverPrivilege	1976	WMIC.exe
Token: SeSystemProfilePrivilege	1976	WMIC.exe
Token: SeSystemtimePrivilege	1976	WMIC.exe
Token: SeProfSingleProcessPrivilege	1976	WMIC.exe
Token: SeIncBasePriorityPrivilege	1976	WMIC.exe
Token: SeCreatePagefilePrivilege	1976	WMIC.exe
Token: SeBackupPrivilege	1976	WMIC.exe
Token: SeRestorePrivilege	1976	WMIC.exe
Token: SeShutdownPrivilege	1976	WMIC.exe
Token: SeDebugPrivilege	1976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1976	WMIC.exe
Token: SeRemoteShutdownPrivilege	1976	WMIC.exe
Token: SeUndockPrivilege	1976	WMIC.exe
Token: SeManageVolumePrivilege	1976	WMIC.exe
Token: 33	1976	WMIC.exe
Token: 34	1976	WMIC.exe
Token: 35	1976	WMIC.exe
Token: SeBackupPrivilege	1524	vssvc.exe
Token: SeRestorePrivilege	1524	vssvc.exe
Token: SeAuditPrivilege	1524	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1976	WMIC.exe
Token: SeSecurityPrivilege	1976	WMIC.exe
Token: SeTakeOwnershipPrivilege	1976	WMIC.exe
Token: SeLoadDriverPrivilege	1976	WMIC.exe
Token: SeSystemProfilePrivilege	1976	WMIC.exe
Token: SeSystemtimePrivilege	1976	WMIC.exe
Token: SeProfSingleProcessPrivilege	1976	WMIC.exe
Token: SeIncBasePriorityPrivilege	1976	WMIC.exe
Token: SeCreatePagefilePrivilege	1976	WMIC.exe
Token: SeBackupPrivilege	1976	WMIC.exe
Token: SeRestorePrivilege	1976	WMIC.exe
Token: SeShutdownPrivilege	1976	WMIC.exe
Token: SeDebugPrivilege	1976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1976	WMIC.exe
Token: SeRemoteShutdownPrivilege	1976	WMIC.exe
Token: SeUndockPrivilege	1976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1560	WMIC.exe
Token: SeManageVolumePrivilege	1976	WMIC.exe
Token: 33	1976	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exetaskeng.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1108 wrote to memory of 1908	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	taskeng.exe
PID 1108 wrote to memory of 1908	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	taskeng.exe
PID 1108 wrote to memory of 1908	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	taskeng.exe
PID 1108 wrote to memory of 1908	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	taskeng.exe
PID 1108 wrote to memory of 1892	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	notepad.exe
PID 1108 wrote to memory of 1892	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	notepad.exe
PID 1108 wrote to memory of 1892	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	notepad.exe
PID 1108 wrote to memory of 1892	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	notepad.exe
PID 1108 wrote to memory of 1892	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	notepad.exe
PID 1108 wrote to memory of 1892	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	notepad.exe
PID 1108 wrote to memory of 1892	1108	SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe	notepad.exe
PID 1908 wrote to memory of 816	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 816	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 816	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 816	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1864	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1864	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1864	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1864	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1652	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1652	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1652	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1652	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1520	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1520	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1520	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1520	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 832	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 832	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 832	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 832	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1500	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1500	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1500	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1500	1908	taskeng.exe	cmd.exe
PID 1908 wrote to memory of 1584	1908	taskeng.exe	taskeng.exe
PID 1908 wrote to memory of 1584	1908	taskeng.exe	taskeng.exe
PID 1908 wrote to memory of 1584	1908	taskeng.exe	taskeng.exe
PID 1908 wrote to memory of 1584	1908	taskeng.exe	taskeng.exe
PID 816 wrote to memory of 1560	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1560	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1560	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1560	816	cmd.exe	WMIC.exe
PID 832 wrote to memory of 1884	832	cmd.exe	vssadmin.exe
PID 832 wrote to memory of 1884	832	cmd.exe	vssadmin.exe
PID 832 wrote to memory of 1884	832	cmd.exe	vssadmin.exe
PID 832 wrote to memory of 1884	832	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 1976	1500	cmd.exe	WMIC.exe
PID 1500 wrote to memory of 1976	1500	cmd.exe	WMIC.exe
PID 1500 wrote to memory of 1976	1500	cmd.exe	WMIC.exe
PID 1500 wrote to memory of 1976	1500	cmd.exe	WMIC.exe
PID 1500 wrote to memory of 972	1500	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 972	1500	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 972	1500	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 972	1500	cmd.exe	vssadmin.exe
PID 1908 wrote to memory of 432	1908	taskeng.exe	notepad.exe
PID 1908 wrote to memory of 432	1908	taskeng.exe	notepad.exe
PID 1908 wrote to memory of 432	1908	taskeng.exe	notepad.exe
PID 1908 wrote to memory of 432	1908	taskeng.exe	notepad.exe
PID 1908 wrote to memory of 432	1908	taskeng.exe	notepad.exe
PID 1908 wrote to memory of 432	1908	taskeng.exe	notepad.exe
PID 1908 wrote to memory of 432	1908	taskeng.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1584

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:432

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
90061c0fe3983bf5a61e7f1ecfffd3e3

SHA1
6a4245a302f8cff5bec5aacaeb2a029eeec4ba1a

SHA256
3118edda0b78684c8db584c4929f050d921cbcbc506ae58ee584f2e5b85d5a3e

SHA512
8b81e4c8ba32a64d40c71dd015374c373253af7a992669e6a0994532c905b92701916c96c84709e26db86b1e5bc1492552cb92e0c352ae1f6135ed33181f64df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
821ac3c30e3b835b926263e532902014

SHA1
01667121b734a1d2a6ed5c770bf8f5f402db1bc3

SHA256
5e420896fdbdcb98c99d35b9df4cbb3bacc7ff57b97f2029c4d520875ad6fc59

SHA512
6092157f74da5a3609afc44f3c5ea0250c7fff9994b4e0e89b38bddd688c285c16e0340200bca13059a087e053c49e351ad2ed24053af7772022dd27d7eb7d00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
01d84333430bc95a1e992cc960bbbf8f

SHA1
289caa9484d82cd60c91a38db4f1132c7bfb8234

SHA256
ffae3c311e042ca760af80800e48e36efb11ee5145db0465b413e64f9a674eaf

SHA512
0d8ecdaeecc5de269b225efacb56c451714924404cc139688b5e6e56292bd5ee7776750a8f5023cad1befd6e68fb0ea8235ea29b3cdf7affc92ac1558e1ed5d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
bd71ea17c9a676ad7b24c05304943174

SHA1
cf268ef60a47aa268d43ac919554ac06b419f376

SHA256
0bc662dcad4193684c2e84963adc46384b85f2ce229ba87be105fcb22988c4ee

SHA512
3c1d928c9d893e4ce1bf94b46fb1133d0692ef3bd93402ce9552a24ca5e8951e674799fe4f7ca3f1409257ee963d048d3eba12b110adc17803eb9e3059d581e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
be7814b1180f969619d8572aafd56885

SHA1
11954c14c776530ee4ee93dfe5c6a1ecec88b15c

SHA256
6db70d63a824585099cae5ca7992a7975e68e0c415a01cda06669ffab00fb62b

SHA512
feca70bb11ee8ddad2170530baa9294284155b96ea5d4dd93aa11ec14ebc882e6d4fb0ee9ad72631fd69bf86c14aaf74e06cd65a4e1126d20605883f741072fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
b81984f7aeb9d110f2d8350ea23ff614

SHA1
e7370be9701adfaa1c754c94b29072568e79ae44

SHA256
b5d32511935984307cd354f1b289a204be963dfe497a834d5a627dd779e611ed

SHA512
9dc719394fd7036bbdb183bdc4d1e855369cb9d47542cc0cfa9ee19113da177249176022eb427a6d6ccc336e4f57c1b77a87e1d39fe1f4739d5d8f52c65543d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
7cc44eecc6045bedd4a99cdf5335b8db

SHA1
8dadcd2be37c8c0dc0165bf07d048bf2613e9fd6

SHA256
c3113171605938dd239b66bb56bc09147e1240c50de00872e7e2cc96daca582b

SHA512
e6ed06391630956a7b06858ed89286c0b8967b0c277d65ab84ffe1e4e96bcfbd5665dc03cb20c063a7d35545c8113f815f5f93528b2b906985c7250e8bee06fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f1fbdea05423068df12760d1fb7d0664

SHA1
19601ae9e2a803e11f215f869ccb7631ea9a1653

SHA256
1a065c4ff121028d2158d9df8ee6f7fe6d2b16bced7388ecb91d3d06c4645662

SHA512
a3b50aaf82d306dca43e7865edc5164e5c17798311391a45703646fb3de8d7df9ed7d76a04b47af5236cdc2fb0b2b61651aded33db6134703090ce2def0cb553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAP7GNEB\CWEVN1EA.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UJFO0ABC\FK3B61CX.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
e26982b170856ca8ca96a2f41b2306fb

SHA1
e467f2bc6f01f2a13effaf8f6283d616ccf40e2e

SHA256
8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

SHA512
80a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
e26982b170856ca8ca96a2f41b2306fb

SHA1
e467f2bc6f01f2a13effaf8f6283d616ccf40e2e

SHA256
8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

SHA512
80a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
e26982b170856ca8ca96a2f41b2306fb

SHA1
e467f2bc6f01f2a13effaf8f6283d616ccf40e2e

SHA256
8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

SHA512
80a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e

Download Submit
C:\Users\Admin\Desktop\AddDisable.bin.195-83A-216
MD5
5471e61bc70de8e5d8a6b366a3deb3ff

SHA1
fc8d79893a7e0220547fdf5b2771004f96cc40e2

SHA256
49f35e6835f0a0fe2f2500e6a7d03633c30f3c377eb2ead7c535f0f29d552f80

SHA512
efd6c8161f0f8b8733615d4835efc14e8aaaa8ea6357c11e665e5319c961e9eb01f9986ab575b88060f9b1717993a66bd9b3b8b73edd0464377578fdb1fefee4

Download Submit
C:\Users\Admin\Desktop\ApproveReset.rar.195-83A-216
MD5
09866bc1d2eebe94a5f417c19c118d58

SHA1
0dfea2c1ab03c9faa3c3010e4313f7304332255b

SHA256
d2edbfeaf04e2db8739c9ead86d0f355a19a58f15890056a1c8786fc9385cec7

SHA512
72a1edf76774c99d116fc635b57bc15c8528549fc52cc653e2a0181f8b153a9dfcaae8588bc7c18e8f00799b5bcda248c54c83c8a274993a33ec5ee8f1cd5597

Download Submit
C:\Users\Admin\Desktop\BackupDeny.xps.195-83A-216
MD5
101aacd51f5f1bc2fd4c15ff849bdb89

SHA1
0b9d058a484fd1423710b3caebe55e45ecb9c7da

SHA256
40631bde2c17cfb75df1b2775581074bf3ab45eee89d5bf0246efe4ffdf15b2e

SHA512
60abfcede47d4fbb53d849352008e5cf99fea25dcd0c44cd6ae0413487e9cb757684821da0bafa65b27fbd88d72de89fce188d73157b3afd82c66cdd12f21cdc

Download Submit
C:\Users\Admin\Desktop\CloseLimit.3gpp.195-83A-216
MD5
2f375be15276a7b590412aed255531ff

SHA1
07db9c8bac0b7b54393a4706e6a75168df97b3d9

SHA256
aabc1aab700606c6761acc3d92810d5b0501222830f9b00168bca074ac60fabe

SHA512
3e3fa82d3fb1bb635ee26df49c89d695800fb9e308554a78ebcf35c50021443498490705c2767e7e59226023f3a98275caf74ad2f9b8c574fb4884540cd55546

Download Submit
C:\Users\Admin\Desktop\ConfirmUse.7z.195-83A-216
MD5
b38df548067d9c4e08370204d401a102

SHA1
8e0dad31b1dd9b45bb636a0dd7f8b39ff37cb170

SHA256
3b06f62c0bdfe6aa3378309120535ef1948ded8895fef8243528f1c6bb6937a6

SHA512
7f0d1b1e272021deee10fb21b5ebdce8ffe89215cd4b02f1815eb6047d7343164ccbf0b3647899dd4cb9e594735e0986d8524d2331c67d7de62d70e4bf35aaca

Download Submit
C:\Users\Admin\Desktop\ConvertConvertFrom.odp.195-83A-216
MD5
939ecec547dea272e305ddc90f7032b6

SHA1
477deac3f201de63b2fb78937d9f3441a7db6744

SHA256
ebaf44da93c2ed15c4aca3a133bc54b47e4441afa1e1eabaec964adab2575354

SHA512
09a2891af125bae67ed4ef1889899720cc689b0579586789ca869718fdd905ccfeba35042d8dfb06a3fa595428c92a3c9e652229d7178fb89b3f8f3b24074b34

Download Submit
C:\Users\Admin\Desktop\ConvertDisable.potx.195-83A-216
MD5
0b277a83fd1d8b38bc3989d08149ca59

SHA1
60576fac1027ffe8dccc7178153b27f1e2e7dfeb

SHA256
c1716ed2cffbaa6fb4e49f8c6445aa178d1bc0bb3fdf6a8861fc680af2c08ad1

SHA512
48eb402b24c715e06314bce0b7da457a52b30bb143321d19a5c3d35a150bacae2526ded325c0c517b4a437e5e6209273de6fc521470d09787d4944964133e694

Download Submit
C:\Users\Admin\Desktop\DenyClear.xht.195-83A-216
MD5
a0f0a314cd0dc2952e47f8d025f1cc41

SHA1
2b6ce31bf5232354ad6f3f43f1eca59e13bae853

SHA256
25022b1df84fc1cc7d0b8386f5bfcb253c80bf00caa3d098c692ff08da5b9310

SHA512
463ccbf6d6291f990cfb78addeb45c183ef4f359c870a6453895c112f885aa44cda775c390efbb797dbb997a91a400661704aa18d0cc85b5dbec729cf6236fec

Download Submit
C:\Users\Admin\Desktop\DisableOptimize.png.195-83A-216
MD5
3af8653956fc24d9b4bf7fb1da215765

SHA1
5f39c68bd7910b9de20f2b12e103712b6e4809d2

SHA256
4c805c7cb5f8561e1e569e5a034c5c1e4f3e7c5c17d76feea34661ce9ce33f83

SHA512
e9eaf9a89e909d5d46724ee77098f843aa87a5ea888ddacec1d9b9a37ddb331dd49a27ee2931e61534d207684bbcd29945247d77a4773f5574a57a8198ad9f3d

Download Submit
C:\Users\Admin\Desktop\DisableRename.rtf.195-83A-216
MD5
08183fd0b97938c26c4a2c23f366ad9c

SHA1
db5935a99c8d796dc19d191d1a380fcc5fe00e2f

SHA256
f23d1717af056a02ae008ab694da02f4fc249a35df2ce75facf2d2b8e590043e

SHA512
36a91bfe28964cc1ff5ac2551e0dc17c271fedc7f582c12aef4d9d5de5eda3f1e282304e7f2080dfc41c35837b9b5222083a8c70a033d54614c808551d45dcce

Download Submit
C:\Users\Admin\Desktop\EnableRestore.wav.195-83A-216
MD5
528d5f5c94ca69f81a658e420da9bc3b

SHA1
e19709c73a320fbb93ec15049d1303cd12d0c61d

SHA256
ff9d31449e9af251174612abe6084f55a8499608d59e0c31dcf7fb40676f7106

SHA512
ae308d07a392d2532db2daac145faf14974fbb7abcd043353c8c68453bd9752baef09cc851bb6950aa3438e07f18c7a218418eac4110b3b2baedc572bc22f24a

Download Submit
C:\Users\Admin\Desktop\GetOut.vsd.195-83A-216
MD5
997b7c5d2b6c4ea51a6d0aba5b7d029a

SHA1
8ab333a0e520576f2922ba696116789589db1efa

SHA256
b0d7864d7a5c9e886ee50fb55209bb91521dcecacd18fca0ec2db47f9bff45f3

SHA512
d4884ac8939b04d9a87d03fb4f0faaad36d11701abee4380a78be22a235028af6e2515be8f7f38390af0ef1c054a4b1b217393ac4147365c255af2e175e6b8a2

Download Submit
C:\Users\Admin\Desktop\GrantResolve.asx.195-83A-216
MD5
55933faf1dfcf9e6cb76d3f58a106d00

SHA1
b5820a93def6becc34a2093504d940b66add3e16

SHA256
6804d6dd29471f64d1e2f0397cfce6ab971fdd6468509ddde5e5030565d9ebd5

SHA512
63dfb0dce4635db4596c4e2b8039e79d132c07d304e147060b3b3e1c375bb4a59f08c57ec5411ad82b0b7b29550ddc1ed30753842d2f7dd4c0d05328dc59e788

Download Submit
C:\Users\Admin\Desktop\GroupConvert.vsd.195-83A-216
MD5
3ac316e10fe5d1e41926aa753068a1ec

SHA1
96fd5f7fcaa3308fcc18c3e4cddfb2e929897958

SHA256
0e96f0cd0adfb7cc9a9b98581cf50bb42851bf0d1dfd2a01ede7e476a3a1f1d4

SHA512
2ca7014833075f15acd752a0de8be03b717bb61adde0e50cf8bec3706ee57bc1c93300b6e2982d1cd601a5da42d7d9a6097eb503cd10dfe75ead66bfbf94c984

Download Submit
C:\Users\Admin\Desktop\HideExit.dotx.195-83A-216
MD5
7345d5035628c560edc8df2aeba47e0d

SHA1
a1405f8efe32398fa360268658c06c29e383ddf0

SHA256
1b6208a6df2d5f6ebf7db154ae0fde1286da2f8e0a5f436549dae7f074ebe12f

SHA512
303d61aa72230c705c32be9fac6ef929708c5acd0d9e03bb577fc84c2f2eaebfa7c47fa72f1c1f39aff5be79d1c64e053465a9128709dcf31cccd8287840041a

Download Submit
C:\Users\Admin\Desktop\ImportMerge.ppsx.195-83A-216
MD5
126f2a182d2237a5811d59cd34159955

SHA1
3825d687394a23d652b5e7a8ed34c39aaef0fd50

SHA256
adfc6e3a44d080ea877c45ba5d4341d6b3effa53a135d5fbd40b7e7669413d09

SHA512
0b1286896e366efb726ca61f6bfce0a03741c530e84953722364125f7a49477560b8079d2d3beb686c18aa9d0b989d58cb2de924729856527b4fa5d1080441c4

Download Submit
C:\Users\Admin\Desktop\MeasureRename.mpe.195-83A-216
MD5
aa959e184a8fdc4e7df43b9df78544b4

SHA1
6f012867e737f0f0b306300a7835c5b06cceb1b8

SHA256
4e449c0490df552d3d342e0cc252d43a03d52c4f4f1bb5c9632a4e3a10e0b884

SHA512
f7fb09f91c9b38dab8eb09cbc41c2a1834ae186a2afcd48fd1ddf44cb4e768c1c443f8ad5649504ed265e657be997bd05c2aa5373ac1a930ae5704d6f91a56e1

Download Submit
C:\Users\Admin\Desktop\OptimizeBackup.otf.195-83A-216
MD5
c260bf27bfd1dab481e89774657ce020

SHA1
1c9377224a6cb32d798bb97c2da45f7c28986512

SHA256
bd177adf9f0a80f79ae5fb5ee77b0360ee8d77f5a054dec947ece41118ec8f72

SHA512
ff8c7520813502430728f16ec849aa79e22445e6a892fe1c0e44540123e060fd5bc48edb5634d526e229bc8a2da9ac30546217a1f39ec556d0fb818320872412

Download Submit
C:\Users\Admin\Desktop\PublishMerge.htm.195-83A-216
MD5
4b1d5da8359d4804e9808cad4a5bfeec

SHA1
c50d8aee1ba7a2d05c4484c9034284204f904ec9

SHA256
58d498749d55d08be493da69b51975741b1604e64ea7aaac9282074855222f8e

SHA512
aae1399018f555432022d04e91ab7135da71d52942d6430a43159d2bd3707097ea57c0a784b4c07e38bf69e023b5603793c437d8f9c79819f487249c5a99b0bd

Download Submit
C:\Users\Admin\Desktop\ReceiveAssert.odp.195-83A-216
MD5
40924a15e3f48cfaf797a6750893fcd1

SHA1
45d1396c392c5ab572b826ceff9c5e331be03996

SHA256
4262a85a7f8d53ca86061227779835e376041f655a8702efe88f0138a5dca564

SHA512
19b41e8263c7426921a73acaf7d55d9283fb09e05bbb9e9952fb7734a1e8a94aa68cc365ae213806dbf00a6418d54cfb66639380f9389f601f16efc11778626e

Download Submit
C:\Users\Admin\Desktop\ResizeConvertTo.emf.195-83A-216
MD5
15d10221d24a2b3f0f5ac2bdf34e36a5

SHA1
8e66a8dc00cf4aeda6153e10b56da0f05b8ef430

SHA256
ac51e6dac46f09597892c44b3f4acd7acc815ee9c119767fb184a32f5f6a7c5b

SHA512
ba775cec13c992f20c057474db9d199fe6d76cc58dbcc73d0f0608bf5b303139816f752aa3094f51e29524e3d3204853d9f5f825c2a781639e0cda606136ceff

Download Submit
C:\Users\Admin\Desktop\SendTest.iso.195-83A-216
MD5
ca8d999b75941cf647b0b9ba5b974eb6

SHA1
bfb8800c8f8de9c55670cde1dc68ab309b0f9c90

SHA256
3b55fc6f9b7c7e36617c5c56c18d23be353d883462fcf4c9d598e0caf99c5055

SHA512
6819c07b40036808fe0aaebc2c98671b1b6c95819973dec4738ccb5ae66f35050e778f44a2188050359dda4c31204eab25171dc93f6ae43cb4317a6cdf3d33f1

Download Submit
C:\Users\Admin\Desktop\StartUpdate.rm.195-83A-216
MD5
99388b9d2e9e44ae9e238b70318e5f94

SHA1
32b2ef23847e7a56b23d08b3fbfaad9c93520f3c

SHA256
4b3c0a66714d3f94d6eac8943d955475b31d0115b09a603aa8277138fa4f246e

SHA512
3010888537ae7e1c616a85b8d9cf373da40d38c2c12274c6f05a77ea2455e433700d170725f2b802ce79bb0f205250f18fb6374a2fb33d23ab39dc7bbdc7ac35

Download Submit
C:\Users\Admin\Desktop\StepSearch.txt.195-83A-216
MD5
3a506c3c748822b36111d28304a049eb

SHA1
23fc48692155dc2042e97a16a9ce8011e110cf8a

SHA256
6a6f56dbb7a2be3110d011c1d759af1349a306237b8894b0734cbd588aaf746b

SHA512
69e1e2d78277f76f26fe92bb8b4b759bd5d248ed496d823c1237fafcdfeea27c17c49387713a936f98046d8411fe4597564b1fc99a52c734cb7677695985d7c3

Download Submit
C:\Users\Admin\Desktop\SwitchSubmit.dib.195-83A-216
MD5
db8997ddc2f7312ed677678b3b5c3c1d

SHA1
20ca6fa3de539592eca9061802def7170822fc67

SHA256
d511bebc4077c551bc8d5abea688da06beef7879d5cd3b6e9c6bf64837860035

SHA512
2e0ef22d188feb9857d09ffc5a978a4783821db2735870815a934daa8a2912b10fbdf91f0266935fca45856c6615c90f822dc9f019fda6983ba12571bd5ea81f

Download Submit
C:\Users\Admin\Desktop\SyncUnpublish.js.195-83A-216
MD5
46e4c8c03c35c9a7d2db6f5f76f08a13

SHA1
0c4242bb6e8cb35651527a9c12aa1e6914f6c7a2

SHA256
6d245bd2d37e9f00389a652e5c8c851c16ff6f77bf7f0f79f86a2f328f5b0f83

SHA512
474982ea840ca9e9b3edd10b8b736fa93de11d9573d8d34cc020725ddabc6e21b4a52c02a291b868ae131825b95bb6d115f419df73af8aa516a2c75e882783c4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
e26982b170856ca8ca96a2f41b2306fb

SHA1
e467f2bc6f01f2a13effaf8f6283d616ccf40e2e

SHA256
8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

SHA512
80a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e

Download Submit
memory/432-56-0x0000000000000000-mapping.dmp

Download
memory/816-16-0x0000000000000000-mapping.dmp

Download
memory/832-20-0x0000000000000000-mapping.dmp

Download
memory/972-28-0x0000000000000000-mapping.dmp

Download
memory/1008-0-0x000007FEF7770000-0x000007FEF79EA000-memory.dmp

Filesize
2.5MB

Download
memory/1500-21-0x0000000000000000-mapping.dmp

Download
memory/1520-19-0x0000000000000000-mapping.dmp

Download
memory/1560-24-0x0000000000000000-mapping.dmp

Download
memory/1584-22-0x0000000000000000-mapping.dmp

Download
memory/1652-18-0x0000000000000000-mapping.dmp

Download
memory/1864-17-0x0000000000000000-mapping.dmp

Download
memory/1884-25-0x0000000000000000-mapping.dmp

Download
memory/1892-4-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1892-5-0x0000000000000000-mapping.dmp

Download
memory/1908-2-0x0000000000000000-mapping.dmp

Download
memory/1976-27-0x0000000000000000-mapping.dmp

Download