buran | 66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af

Analysis

max time kernel
124s
max time network
126s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
Size

256KB
MD5

ada523db2c2418fa37398c41b370c125
SHA1

7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7
SHA256

66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af
SHA512

849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: uspex1@cock.li Reserved email: uspex2@cock.li Your personal ID: EFA-3F4-E9A Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

uspex1@cock.li

uspex2@cock.li

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

340 explorer.exe
2012 explorer.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

explorer.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\ExitSet.tiff explorer.exe

pid	process
340	explorer.exe
2012	explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ExitSet.tiff	explorer.exe

Loads dropped DLL 2 IoCs

Processes:

66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe

pid	process
484	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
484	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 geoiptool.com

flow	ioc
6	geoiptool.com

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Drops file in Program Files directory 15066 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bogota	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00129_.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107328.WMF.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Ojinaga	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Equity.eftx.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18202_.WMF.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\TAB_ON.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.DPV.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_underline.gif	explorer.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\gfserrorfromgroove.ico.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.EFA-3F4-E9A	explorer.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7fr.kic.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\access-bridge-64.jar.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\accessibility.properties.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Omsk.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14792_.GIF.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt.EFA-3F4-E9A	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip.EFA-3F4-E9A	explorer.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1996 vssadmin.exe
2032 vssadmin.exe

pid	process
1996	vssadmin.exe
2032	vssadmin.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exeexplorer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe

Suspicious use of AdjustPrivilegeToken 85 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe
Token: SeShutdownPrivilege	1052	WMIC.exe
Token: SeDebugPrivilege	1052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1052	WMIC.exe
Token: SeRemoteShutdownPrivilege	1052	WMIC.exe
Token: SeUndockPrivilege	1052	WMIC.exe
Token: SeManageVolumePrivilege	1052	WMIC.exe
Token: 33	1052	WMIC.exe
Token: 34	1052	WMIC.exe
Token: 35	1052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	344	WMIC.exe
Token: SeSecurityPrivilege	344	WMIC.exe
Token: SeTakeOwnershipPrivilege	344	WMIC.exe
Token: SeLoadDriverPrivilege	344	WMIC.exe
Token: SeSystemProfilePrivilege	344	WMIC.exe
Token: SeSystemtimePrivilege	344	WMIC.exe
Token: SeProfSingleProcessPrivilege	344	WMIC.exe
Token: SeIncBasePriorityPrivilege	344	WMIC.exe
Token: SeCreatePagefilePrivilege	344	WMIC.exe
Token: SeBackupPrivilege	344	WMIC.exe
Token: SeRestorePrivilege	344	WMIC.exe
Token: SeShutdownPrivilege	344	WMIC.exe
Token: SeDebugPrivilege	344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	344	WMIC.exe
Token: SeRemoteShutdownPrivilege	344	WMIC.exe
Token: SeUndockPrivilege	344	WMIC.exe
Token: SeManageVolumePrivilege	344	WMIC.exe
Token: 33	344	WMIC.exe
Token: 34	344	WMIC.exe
Token: 35	344	WMIC.exe
Token: SeBackupPrivilege	684	vssvc.exe
Token: SeRestorePrivilege	684	vssvc.exe
Token: SeAuditPrivilege	684	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe
Token: SeShutdownPrivilege	1052	WMIC.exe
Token: SeDebugPrivilege	1052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1052	WMIC.exe
Token: SeRemoteShutdownPrivilege	1052	WMIC.exe
Token: SeUndockPrivilege	1052	WMIC.exe
Token: SeManageVolumePrivilege	1052	WMIC.exe
Token: 33	1052	WMIC.exe
Token: 34	1052	WMIC.exe
Token: 35	1052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	344	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exeexplorer.execmd.execmd.execmd.exe

description	pid	process	target process
PID 484 wrote to memory of 340	484	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe	explorer.exe
PID 484 wrote to memory of 340	484	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe	explorer.exe
PID 484 wrote to memory of 340	484	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe	explorer.exe
PID 484 wrote to memory of 340	484	66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe	explorer.exe
PID 340 wrote to memory of 1772	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1772	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1772	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1772	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1708	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1708	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1708	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1708	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1612	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1612	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1612	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1612	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 844	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 844	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 844	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 844	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1384	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1384	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1384	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1384	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1504	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1504	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1504	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 1504	340	explorer.exe	cmd.exe
PID 340 wrote to memory of 2012	340	explorer.exe	explorer.exe
PID 340 wrote to memory of 2012	340	explorer.exe	explorer.exe
PID 340 wrote to memory of 2012	340	explorer.exe	explorer.exe
PID 340 wrote to memory of 2012	340	explorer.exe	explorer.exe
PID 1772 wrote to memory of 1052	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1052	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1052	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1052	1772	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1996	1384	cmd.exe	vssadmin.exe
PID 1384 wrote to memory of 1996	1384	cmd.exe	vssadmin.exe
PID 1384 wrote to memory of 1996	1384	cmd.exe	vssadmin.exe
PID 1384 wrote to memory of 1996	1384	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 344	1504	cmd.exe	WMIC.exe
PID 1504 wrote to memory of 344	1504	cmd.exe	WMIC.exe
PID 1504 wrote to memory of 344	1504	cmd.exe	WMIC.exe
PID 1504 wrote to memory of 344	1504	cmd.exe	WMIC.exe
PID 1504 wrote to memory of 2032	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 2032	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 2032	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 2032	1504	cmd.exe	vssadmin.exe
PID 340 wrote to memory of 924	340	explorer.exe	notepad.exe
PID 340 wrote to memory of 924	340	explorer.exe	notepad.exe
PID 340 wrote to memory of 924	340	explorer.exe	notepad.exe
PID 340 wrote to memory of 924	340	explorer.exe	notepad.exe
PID 340 wrote to memory of 924	340	explorer.exe	notepad.exe
PID 340 wrote to memory of 924	340	explorer.exe	notepad.exe
PID 340 wrote to memory of 924	340	explorer.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
"C:\Users\Admin\AppData\Local\Temp\66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2032

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:2012

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
94b4ad73963959e339923ddcabf6b331

SHA1
aa2c6af08dd5478d326c90ef2146c3ee2a7b55b2

SHA256
8945240c6d037d35d6124ac4b9815a8d74d785fa30c2c4b2fd54ed2fb68f58f4

SHA512
aefafb7d184e5564bdc65311e52619950f603fb89259de2af3b8f9fa05c346bf9e3f33b9cbe05a01389ef97642c7e37299ce8b9b4f3cb9f6d4e9a6877c537126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
3208da0c038576623565b095fcea4ad1

SHA1
bc421f8eb4b9c6100aa444edece988c01dd63b26

SHA256
16ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b

SHA512
17fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c6f27d5d1ee450d3400bf13e0804fce6

SHA1
2d0505f90eca6a49ca15b742aa5ef9ef01c7af41

SHA256
2c01ba329cfb39b6141b3c98d662ba24eb458e051fb7de79f975e681e8b4327a

SHA512
75687ddffd7021a033d19049f0cc05bbccd97a1433c06738a04590ed660996f669838514fe9f3b7c4b2eb494cf8a594f54bab1446cc915da4a042c3a327adc3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
dd13eb7136c10f64c614302b65eba2b0

SHA1
9a634752e9410937a320f7f0a516f787936d5cbe

SHA256
a3b8ab74e7ff30f80a05996283234b36a1e65202d101a7ac7824fb2dd7a9c8d2

SHA512
d72dd1a92c64b7856a791f94c6a05ee93fad792bc5c69e77269439b47c014ec50b6326020fdf3a82d5ba576bd690113aa8ca8228353813994f65dbe97694d000

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
be8da404527da141e865eedfaa117e28

SHA1
d8146427d359e08a07790c89e2c41238e06b715e

SHA256
fa23b95c08a1c988bf7fa2eefe4f2431e54c9556de4dbb221d7e9e0b3860c0d5

SHA512
d78ca4152da8624f40b119334c5bc4d03ea04c3a124da2ccdaecab7136b8107d5354584dacdb69822d981a68925bfc5b18325bf0dc4b5eec42fb74007b0c8e40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
885c02d5d2ed0fead8ffcdc437b5cf6d

SHA1
4400bdcb069fae8b8afec3680470f84840e5881e

SHA256
a1c06ba3088fb6849d5da031a23102a9f773f2035e92ba63ec9644ad79bf257a

SHA512
099805f5e1c9cedf19b8dd9286e0cb941ab3a620454b7a86afe909690c6586a2061c771811db41d7569ed5310467924eb92f46175779a3da841e08c6fc69b983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f95126d57175bfd597ec8b2a20908b71

SHA1
13d54ffa3b663452ced58093b586725cf1a69701

SHA256
37a5adb952d6de79537847d00b6d666f433b7e22e75ef56e081b588cbd36e826

SHA512
a8f4bcc2a1247d865e74bd48b0734236d4e0c93649109109786f92e2c07d02dc2637d79eea66b4b24614a123b278099ff90db4af516823a2654aed80cb15c21c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\NA9WPOQQ.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\DZY8GMS0.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
ada523db2c2418fa37398c41b370c125

SHA1
7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7

SHA256
66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af

SHA512
849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
ada523db2c2418fa37398c41b370c125

SHA1
7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7

SHA256
66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af

SHA512
849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
ada523db2c2418fa37398c41b370c125

SHA1
7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7

SHA256
66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af

SHA512
849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

Download Submit
C:\Users\Admin\Desktop\BlockCompare.scf.EFA-3F4-E9A
MD5
42dbf88bb6660c4b6c00cae75a888535

SHA1
7e86fe5a001a1840ab3ded5f23e6ca4c8c5db612

SHA256
9747b601be59c20a05c9a39a94c7d2ce3193873414fb14e7ad05600f9b79575e

SHA512
39f2b83550ad9e1547affe7a1ccbfe5f4bc715e8e39f8cbd48f948d682b958634ceb7482ad4880b867b82b932141870774175fdc415adfcb11e2e9f49b6a2131

Download Submit
C:\Users\Admin\Desktop\CheckpointSuspend.mp4.EFA-3F4-E9A
MD5
d50ee5e4aa29c35570d3bac72bcbaa51

SHA1
a436f0ece4104eb1a0f70eee8a8489e68be16a6c

SHA256
8624e67f64c5f7e911631d7f7de22879194e6bd5dffa7b4cf55d27af56c3c6cb

SHA512
2965192e084479933c66c931fbe273e8f53cbd91eaed0d9397fadc65288b05de9ee5664ee46ff860ccb31b51af3ad0e7418e54252a9c5e6cfb1f1e0d64889373

Download Submit
C:\Users\Admin\Desktop\ConvertFromSubmit.jpg.EFA-3F4-E9A
MD5
04c2471287edca0c76ba2b2288a36cd4

SHA1
2391ee05ba74bc46143ddbfacea6ec929e5aeebf

SHA256
348f9e6d7fd08fa14402b6a8054e5a555cfd0325a880a03d6b31bdeed0366ca5

SHA512
5ad043aa6aec11f2eb7d4a805bcb263bcc90b7987deab8514206995f025740e7ee53b83b53e4379b1f0209c81bfd5ac487c6f79ca926c449c4388cc2d4b9a7c8

Download Submit
C:\Users\Admin\Desktop\ConvertWait.snd.EFA-3F4-E9A
MD5
d45479016b1c07a2ae58eeb1d0fbe667

SHA1
ba7aa7fbeb2470652f728c4b5c7fa14279fed7d1

SHA256
23579addeb8a4f763dbf9a26d123f5124f057055bf0629969bfb8555d2822da6

SHA512
8ad7c064990f731c79b66de01b3fcd8f41e016e0c3319ef3e86a082105f9fa3116c1c6292eb9242eef2cc9f938e22c83c8730d33b95dab118b571275a3545e2c

Download Submit
C:\Users\Admin\Desktop\DisconnectComplete.ppt.EFA-3F4-E9A
MD5
03c71a368b3a41afdfb05c94f93cc339

SHA1
d238455a3b941dfbb229314833ade5a6fc70bd86

SHA256
31f7437970a715f7c82e8082f1ae0cc9db633411a496d0e40b4b74247532308d

SHA512
2631f32574e7c53af9205a994df368715344043fcd4cf0f1194f7124a63e5d818bb0618ec71a82295b1ac4656bf6cb5779c3ab9b1aa84e4208796c7630c30f32

Download Submit
C:\Users\Admin\Desktop\EnableTrace.3g2.EFA-3F4-E9A
MD5
8a81a36b133e96daa37613074641901d

SHA1
eeca51e6a531dd55e44d569ddbfe7cdebb9f349a

SHA256
53ea659bbed2f154716e0b1e1c66b3dd3a6fc633b3e87687a9fd63e9d43b2502

SHA512
f65982a08ebcb55637283782be295b957aec86b24e2ee74584e4337c4af713553161ab539dfdeac18c836cd19e5bdb20397ba1039f22a7cf0f91f8c836c73474

Download Submit
C:\Users\Admin\Desktop\ExportNew.3gp2.EFA-3F4-E9A
MD5
5ff34595c221ed9e63cc1f8ba6562136

SHA1
a7acd8c38c69a1d2f96adee5d124d782043c1903

SHA256
2ccffaf623e99eae9a8bd267134ed67cb3585478dac65d6f241a6950aa5ba8ca

SHA512
f4dea0bd31d73783cd9e0fa1c3af4e2c310da068bab7b23c6c1fdb37e9a981efa8162926f9b80b2097dfa49767c6fb4f9e4ce2f8dc3bf12ea9bfd3d45a350afa

Download Submit
C:\Users\Admin\Desktop\GetReset.pptm.EFA-3F4-E9A
MD5
1fb7caeaf2e98791cf8866fa36708b80

SHA1
df394d27d403b6857b15daef5ff945d17cb6742d

SHA256
822a85bf0c8a204493142bc3882044a56b241d618880a55ba00f71928fe19cf8

SHA512
d80c989b76773260cc1b8ef6bb218901f4812129a4f12f0a9383a555a6c1f2a1ac782b32acef4b4615d2d8a2b2c1789a2c98b5b11f2a9be00f7f5e0f7d5cc846

Download Submit
C:\Users\Admin\Desktop\JoinEdit.xhtml.EFA-3F4-E9A
MD5
3c606406a12f8f53e234d27acd5476cc

SHA1
45e8ab00e3b5b6a18e9c09d50adb77d607c3c293

SHA256
752ea8134388eb2ef5d4ce91d04b0cd97b75da91f2090446240354f614d23dc7

SHA512
1a1ff846470983ec6ecc5295f10169cc18c0ea8534843c5675d99b45f0d46883b92d7d6059aa0de0b40d15625e856f85dc8aa41fdb57b9a368ace7b16351ed74

Download Submit
C:\Users\Admin\Desktop\LimitConvert.temp.EFA-3F4-E9A
MD5
530361d2d7419c1076f8e41533300d79

SHA1
85ff7647ff709cef6b307251185da51211a706f4

SHA256
cab32aff943494e55d7a24f7767bc688e41088d5ea95284f605a5d2a69e48797

SHA512
22aeb199cd8db3180b9bcf0b1642a1be051841fbf6ad516889e3b714da5d0e7d4b4cf51db1a2878dc1d1cf4d069df39e542ebffe985f67c27f54081a217f08d5

Download Submit
C:\Users\Admin\Desktop\MeasureConvertTo.MTS.EFA-3F4-E9A
MD5
b95379552ef5a544cc5fc6ea858983d3

SHA1
2cde67a3131d45c0035301216a0ad3d8cc1faadf

SHA256
80d97d79ce2131400a5b77e76725d8b383bbe64ad3ac13c018669a1b67aefb9b

SHA512
6d57bf5ac0edd876b2eb5e9e9b15b616e2ef0a6d55cd9c75a7788c2ce7951749e45c6481222c6d08fadc638ca69be1e2c97f063600f71bbe3404a6f5f1a52e5f

Download Submit
C:\Users\Admin\Desktop\MountDisable.vst.EFA-3F4-E9A
MD5
0551f50ad728b0185024d24539d14583

SHA1
e7c0e80b72908cb456b039e87aaf0b875ea0afbd

SHA256
7029f6af33201c5ddad172f45c830ff8066e1e9fa5c9ccd39c07b2053d86df94

SHA512
db0b9c275d10101e0c67c00ab1b933622bc36f6725f171bfccfa457f95b90ebfea08a95bd4d18d6ea23549efa071aac8f60d3da1cb1190f35c8dd76dd1a3465d

Download Submit
C:\Users\Admin\Desktop\MountSend.ADTS.EFA-3F4-E9A
MD5
7d1b2164440c31c1b38a5d401effcebd

SHA1
f5a76cb233d1e332a50efd3f527b6e1ca7895ec6

SHA256
738707578a30971823e7ab3eeb2de2b1c822b4ca5646820a8e0de52f9338d730

SHA512
03753850f0cdd824527ce2c2154e4d2a742a77571c2d0937bbb785ee1bc101f2675f90a8011e7ad80fd43258ac6973fe708a6769037824a058b49fb2c5ca5e7a

Download Submit
C:\Users\Admin\Desktop\NewCompress.wav.EFA-3F4-E9A
MD5
9f6d17610815a0739559d71788ad990b

SHA1
cec6cdda58c6fb087590ad8076839c52df4bbd07

SHA256
928b9ac9e6218788b03490a7db4c9d53ef561b60036394ffe760c4d4ea3805ad

SHA512
ce1b22f691f1bc2e2b2d8b27ec5bacdd7169391c475e327f9a1e8547decc75300be7eec1c5e8f36c6790254327500793a430d95af43f895a2eaef004c385ca52

Download Submit
C:\Users\Admin\Desktop\OpenMerge.aif.EFA-3F4-E9A
MD5
978af0f229884451ab3affdcf2185924

SHA1
e3bc1a31ff6ab0bcf51488b4afa25c63f282d360

SHA256
dac7d1d309991583d88c1f3ebc7ee7fb6e78e3d4c622885374a31909013e33f7

SHA512
b6738d8cf9af64fbf02754cdad2aceaf6ed03ff5b4ef3131936e36dc4e81fc2cd03f18615da3b3b98d7f89ac780bf6c870be8af9d707f70a48fa82f6a6111cec

Download Submit
C:\Users\Admin\Desktop\PingTest.ps1.EFA-3F4-E9A
MD5
4ff0f7aeef133d3e0a3ffb922851748c

SHA1
6b1952165ca19aa2a424039be629560c49e08bc0

SHA256
fea0150b8c7a496972cf96dd5a317ea8eb0370a4ed585fd3f58995e9b04dd362

SHA512
775719ff64aca912f9abb1d8a986c312a80eacd5a390ad60b6c004bcc45d3dec8702587fde0dfc5760bb962847827d012919e4b9e819f1b54b2270023a6d8432

Download Submit
C:\Users\Admin\Desktop\PopResize.vdw.EFA-3F4-E9A
MD5
88a37242573c6891399c0e00247d800e

SHA1
52b265bad7922908c66d50ec730f7cf69c8061f8

SHA256
7aa2521818763e39a2ac3f1e3a900e94957eb2b3dc13ab37fde130b6c2ccb048

SHA512
098b666d81b7e2d4fb720c1085b33e9b44ae1824dc9d165642804953d0c975b347f7996e7f94e103103782224b6fd7218bdda9fc8dd9cf7a9f8db583ec9dea7b

Download Submit
C:\Users\Admin\Desktop\RedoRename.jfif.EFA-3F4-E9A
MD5
0f93c3f1d0d47d627921724110dd703f

SHA1
9ad38810939a40477ecb230c65a8e1b8c56d66a5

SHA256
2d919f2825c69060f229a8676a2b9e4dec993b95c272cc7ddbc19ab899836759

SHA512
bc1c3660622270732bdb29d5df28e196e83447550de0d02b1019c538f8bbbf16646614cf82d0080ef1bb62d94c8ff676beb872df2dd9b97708eee441d3d059b9

Download Submit
C:\Users\Admin\Desktop\RemoveWait.wma.EFA-3F4-E9A
MD5
54e43f7f1c9028e044ff51841b773d7e

SHA1
7b06309e8e482298b2289bd6905fe27465ff669e

SHA256
dfdfa233339caab2691ecf423e1e8baa1fba9e804e186ee0e19540bac055138c

SHA512
f8fba8c2f363f6ca816ec2623c6e88e441f9e45dbfbec402417986638e95b63538a5b6c84d8ee782f15de140f5a0726ac5432e1b47fb30738c99ff3df8fe776e

Download Submit
C:\Users\Admin\Desktop\RepairCopy.ram.EFA-3F4-E9A
MD5
b735799ceb25498b437c6ef09f585362

SHA1
97f110ec111aab0dac7a51d9e50f7691dc585c64

SHA256
9df7f68c86298f87c64bbc153c3471791798004224b75361b83c1f42853b04b5

SHA512
6ee9144635fef8c060ef68b99ef23b49a0d70b0584d7821bf33ccd489204a029bc3c6ffaaf289d69d3766e87a138d61a951e6fb2cf28ee6bd8a014abb9fe33e7

Download Submit
C:\Users\Admin\Desktop\RepairRegister.cfg.EFA-3F4-E9A
MD5
c1f4e35ce0a966b2ec42b313c70adb13

SHA1
6493a63ce477baeb2479e2ac24a7614700d4dc8b

SHA256
f0a6083383b62c6f3aad6145d85f637adb3cc79472a0cf88f049f4913382580e

SHA512
4a62eea65c415cd2ed87c9a05c75e39f50d8374d0ff28614903ba86f0a829c36b668787f937c7e31f11971a8e38e1427880f4e1baf37babf721f5c1b70307f8b

Download Submit
C:\Users\Admin\Desktop\RestartResolve.crw.EFA-3F4-E9A
MD5
a1668cd6e4abe4f373a5d2bad7b1dd36

SHA1
1ca70d2d4b0eca4dcc121549a11f377f4b6e12d7

SHA256
fb28ddfdcc9e156aa89c21db55697158db29139c8a7081f6761e6bcc4a2cd713

SHA512
df229ca84916e30bf605014530ffb26c52f4499e117f963af4b69ee4cd3ff91a54655c100bc7ada708a97ec2d30cbd8e0c5876ae757eaf990b024fbb9a3702bd

Download Submit
C:\Users\Admin\Desktop\StartFormat.aiff.EFA-3F4-E9A
MD5
948b66b2a5ad4e68c8719c77a388c051

SHA1
f494a54959e41f1b3487063a3b71919a60fc8aac

SHA256
820967f9e815fb41a4b2d35a378be1df964ce8579ba5fe7fc2501ab36e124a08

SHA512
b64d4842b6ea68a329d0db2ad92bdf8ee09c07386cce6e3055100d70c7f54a9e601fcae858d61c74514fc2f4fe17a86e5f7ccc3b16f6dd5e2284bd76350a86ec

Download Submit
C:\Users\Admin\Desktop\SubmitDisconnect.pdf.EFA-3F4-E9A
MD5
817d903600a860def05dcb46336fda56

SHA1
7f4ef59c26cc8c1fc22c6d6841b6b7635cdf45d4

SHA256
ecd74f5938a89a403de0e00d8b2906a3d2e7e3211b739bb02a62864563be3c30

SHA512
f972ddeebcbcec05d715596ee1563e52cbdbfd07aede2d6e9d873d7f480f20d6b4372de728ab0a7044324cc40206fa5b7685aea162633d88102cfd3fb8e317bd

Download Submit
C:\Users\Admin\Desktop\UseUninstall.cab.EFA-3F4-E9A
MD5
deebe56af77ad224ecbfd84c15826df8

SHA1
006f0cf76c14ab75bf33b6a1703fa34a6769aac6

SHA256
2d2711e3563f7fce789e484a609e34f7f5af7ba0d27ec4b105357c58cb2aa745

SHA512
0f76772ab1718663a27a14ca007f5838fe4b082195763753783f8b177d94162f0b3c583e79fe18e50da52b980c27a55a143f4f440997816aeb9952845f4d11af

Download Submit
C:\Users\Admin\Desktop\WaitShow.aifc.EFA-3F4-E9A
MD5
4ac1695d9b674aec2d36f107ca2fba58

SHA1
3e435d169c4f7653687137d86a8db71a57b13b11

SHA256
40440d759760594e61c88019133f23809e3e90c67bc73eddd19b3ebae24024f4

SHA512
74e65ff44adcf2ef1a67c08890a8bdd9e17ee42dd53faa12c9414e4c6d5dcdda0a51616d5d5f0e77cad4f9f5587f41e34a0c3ecdf15fb273ad61f7a8870e4e12

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
ada523db2c2418fa37398c41b370c125

SHA1
7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7

SHA256
66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af

SHA512
849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
ada523db2c2418fa37398c41b370c125

SHA1
7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7

SHA256
66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af

SHA512
849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

Download Submit
memory/340-3-0x0000000000000000-mapping.dmp

Download
memory/344-26-0x0000000000000000-mapping.dmp

Download
memory/844-17-0x0000000000000000-mapping.dmp

Download
memory/924-54-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/924-55-0x0000000000000000-mapping.dmp

Download
memory/1052-23-0x0000000000000000-mapping.dmp

Download
memory/1384-18-0x0000000000000000-mapping.dmp

Download
memory/1504-19-0x0000000000000000-mapping.dmp

Download
memory/1612-16-0x0000000000000000-mapping.dmp

Download
memory/1708-15-0x0000000000000000-mapping.dmp

Download
memory/1712-0-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download
memory/1772-14-0x0000000000000000-mapping.dmp

Download
memory/1996-25-0x0000000000000000-mapping.dmp

Download
memory/2012-21-0x0000000000000000-mapping.dmp

Download
memory/2032-27-0x0000000000000000-mapping.dmp

Download