Downloads.rar

General

Target: default.exe
Filesize: 139MB
Completed: 19-11-2020 10:40
Score: 10/10
Malware Config

Extracted

Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: lokeradmin@protonmail.com or adminsysloker@protonmail.com and decrypt one file for free. But this file should be of not valuable!
Do you really want to restore your files?
Write to email: lokeradmin@protonmail.com
Reserved email: adminsysloker@protonmail.com
Your personal ID: 13A-721-97F
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

lokeradmin@protonmail.com
adminsysloker@protonmail.com

Signatures (14)

Tactics: Defense Evasion, Discovery, Impact, Persistence

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE
    csrss.exe, csrss.exe

    Reported IOCs

    pid | process
    4208 | csrss.exe
    4488 | csrss.exe
  • Deletes itself
    notepad.exe

    Reported IOCs

    pid | process
    3264 | notepad.exe
  • Adds Run key to start application
    default.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run | default.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" | default.exe
  • Enumerates connected drives
    csrss.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\X: | csrss.exe
    File opened (read-only) | \??\P: | csrss.exe
    File opened (read-only) | \??\L: | csrss.exe
    File opened (read-only) | \??\K: | csrss.exe
    File opened (read-only) | \??\I: | csrss.exe
    File opened (read-only) | \??\H: | csrss.exe
    File opened (read-only) | \??\Y: | csrss.exe
    File opened (read-only) | \??\V: | csrss.exe
    File opened (read-only) | \??\S: | csrss.exe
    File opened (read-only) | \??\N: | csrss.exe
    File opened (read-only) | \??\E: | csrss.exe
    File opened (read-only) | \??\B: | csrss.exe
    File opened (read-only) | \??\Z: | csrss.exe
    File opened (read-only) | \??\W: | csrss.exe
    File opened (read-only) | \??\U: | csrss.exe
    File opened (read-only) | \??\Q: | csrss.exe
    File opened (read-only) | \??\O: | csrss.exe
    File opened (read-only) | \??\M: | csrss.exe
    File opened (read-only) | \??\G: | csrss.exe
    File opened (read-only) | \??\T: | csrss.exe
    File opened (read-only) | \??\R: | csrss.exe
    File opened (read-only) | \??\J: | csrss.exe
    File opened (read-only) | \??\F: | csrss.exe
    File opened (read-only) | \??\A: | csrss.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    7 | geoiptool.com
  • Drops file in Program Files directory
    csrss.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNG.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bd_60x42.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-unplated.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8201_48x48x32.png | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-200.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\WideTile.scale-200.png | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-100.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-96_altform-unplated.png | csrss.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-150.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\02.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36_altform-unplated.png | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-2x.png.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\ui-strings.js | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\LargeTile.scale-200.png | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg.13A-721-97F | csrss.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | csrss.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\ui-strings.js.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Tips_3.jpg | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInRefocus.scale-125.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-200_contrast-white.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPage\diamondIcon.png | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\ui-strings.js.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_opencarat_18.svg | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png.13A-721-97F | csrss.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7989_24x24x32.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-150.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-150.png | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-200.png | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.13A-721-97F | csrss.exe
    File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\ScanIcon_contrast-white.png | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot_2x.png.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png | csrss.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | csrss.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\ui-strings.js.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.13A-721-97F | csrss.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-125.png | csrss.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | csrss.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    2600 | vssadmin.exe
  • Modifies system certificate store
    default.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | default.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <DER certificate blob: self-signed root CA, CN=AAA Certificate Services, O=Comodo CA Limited, C=GB, valid 2004-01-01 to 2028-12-31> | default.exe
  • Suspicious use of AdjustPrivilegeToken
    default.exe, csrss.exe, WMIC.exe, vssvc.exe

    Reported IOCs

    description | pid | process | count
    Token: SeDebugPrivilege | 4772 | default.exe | 2
    Token: SeDebugPrivilege | 4208 | csrss.exe | 3
    Token: SeIncreaseQuotaPrivilege | 1620 | WMIC.exe | 2
    Token: SeSecurityPrivilege | 1620 | WMIC.exe | 2
    Token: SeTakeOwnershipPrivilege | 1620 | WMIC.exe | 2
    Token: SeLoadDriverPrivilege | 1620 | WMIC.exe | 2
    Token: SeSystemProfilePrivilege | 1620 | WMIC.exe | 2
    Token: SeSystemtimePrivilege | 1620 | WMIC.exe | 2
    Token: SeProfSingleProcessPrivilege | 1620 | WMIC.exe | 2
    Token: SeIncBasePriorityPrivilege | 1620 | WMIC.exe | 2
    Token: SeCreatePagefilePrivilege | 1620 | WMIC.exe | 2
    Token: SeBackupPrivilege | 1620 | WMIC.exe | 2
    Token: SeRestorePrivilege | 1620 | WMIC.exe | 2
    Token: SeShutdownPrivilege | 1620 | WMIC.exe | 2
    Token: SeDebugPrivilege | 1620 | WMIC.exe | 2
    Token: SeSystemEnvironmentPrivilege | 1620 | WMIC.exe | 2
    Token: SeRemoteShutdownPrivilege | 1620 | WMIC.exe | 2
    Token: SeUndockPrivilege | 1620 | WMIC.exe | 2
    Token: SeManageVolumePrivilege | 1620 | WMIC.exe | 2
    Token: 33 | 1620 | WMIC.exe | 2
    Token: 34 | 1620 | WMIC.exe | 2
    Token: 35 | 1620 | WMIC.exe | 2
    Token: 36 | 1620 | WMIC.exe | 2
    Token: SeBackupPrivilege | 2160 | vssvc.exe | 1
    Token: SeRestorePrivilege | 2160 | vssvc.exe | 1
    Token: SeAuditPrivilege | 2160 | vssvc.exe | 1
  • Suspicious use of WriteProcessMemory
    default.exe, csrss.exe, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process | count
    PID 4772 wrote to memory of 4208 | 4772 | default.exe | csrss.exe | 3
    PID 4772 wrote to memory of 3264 | 4772 | default.exe | notepad.exe | 6
    PID 4208 wrote to memory of 4488 | 4208 | csrss.exe | csrss.exe | 3
    PID 4208 wrote to memory of 4480 | 4208 | csrss.exe | cmd.exe | 3
    PID 4208 wrote to memory of 4560 | 4208 | csrss.exe | cmd.exe | 3
    PID 4208 wrote to memory of 4600 | 4208 | csrss.exe | cmd.exe | 3
    PID 4208 wrote to memory of 4660 | 4208 | csrss.exe | cmd.exe | 3
    PID 4208 wrote to memory of 636 | 4208 | csrss.exe | cmd.exe | 3
    PID 4208 wrote to memory of 1180 | 4208 | csrss.exe | cmd.exe | 3
    PID 4208 wrote to memory of 1404 | 4208 | csrss.exe | cmd.exe | 3
    PID 1404 wrote to memory of 1620 | 1404 | cmd.exe | WMIC.exe | 3
    PID 4208 wrote to memory of 2548 | 4208 | csrss.exe | cmd.exe | 3
    PID 2548 wrote to memory of 2600 | 2548 | cmd.exe | vssadmin.exe | 3
    PID 4208 wrote to memory of 196 | 4208 | csrss.exe | notepad.exe | 6
Processes (16)
  • C:\Users\Admin\AppData\Local\Temp\default.exe
    "C:\Users\Admin\AppData\Local\Temp\default.exe"
    Adds Run key to start application
    Modifies system certificate store
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
      Executes dropped EXE
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
        Executes dropped EXE
        Drops file in Program Files directory
        PID:4488
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID:4480
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        PID:4560
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        PID:4600
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
        PID:4660
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
        PID:636
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
        PID:1180
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          Suspicious use of AdjustPrivilegeToken
          PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          Interacts with shadow copies
          PID:2600
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        PID:196
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      Deletes itself
      PID:3264
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2160
Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
    MD5 0519018281624cbfdff47f7680fdced8
    SHA1 1b0bd906e38c982349e34c20b45ee63720b85754
    SHA256 76f5db32283559f86d4695314ce1fa43febade0c213e581129ab03b7b4f7bc28
    SHA512 367576a7d4228fa83b92993231f876efe34baa72e739517eb0b10273170a07c4c956135a4d1e076a99a339ad9979392d2e96bd872a9b6c6c8594f2a1439a3e6c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
    MD5 de48d295da95391c0bc8922959b5be74
    SHA1 65a78fd5b8ac7cbe3e37f3e949c297b928b0ce09
    SHA256 b774b75da470eeb8dc7192ac2ea9bc9cdb8ebd54b28c5db71af60f14863c6b2d
    SHA512 751d4530af3bfd9295aa05c1f1dfaed1abe4cae567d45b62ee6dee8a4b9d880dfe03d556a9b863830c30201607e636021e495046e7b4170cb6392902b6fb64a1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5 87503e130a34c63855fb1ae6c39c8adf
    SHA1 ad6c1341ec6b71014ddf20b6e2097e72c46b0462
    SHA256 25ffabfad4706ab986b725b970a5676e286cd8939b144724a8f3bfad889b68fe
    SHA512 ffe6862877c04c3fc3ccc5b21266590f0cc5f0c328ec585fa69fbd81a5f0991e8fd8fd6bb8bf2eb6a13ae2ade36f63fd103b32965ce1e19b5bbf0458aee75d44

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
    MD5 46b53e1d27de9ea23ae42458aae68954
    SHA1 06c2d32fd11bd12e82faec05e0c4158701d1460e
    SHA256 8a4aae1a46973ac1505cbb885dc49616e174dd6a551e2e0546687d98c4a0d0e3
    SHA512 f18a24b56289ac04a684451f6f47499d96347a07952f8cb233ae53175217331552f4500629eab956f29478aa88abaa027f8204da68f8868a9c6990cf33c6c8da

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
    MD5 4b703b8de48979d3bbaeab6a5d2de314
    SHA1 93f8ea9b9e4624d07c0492fb70983fcde4ff8962
    SHA256 964776cfd774f51c19db3b4f8f2297df67a77c5574e8c687e7f0b30384c1e61f
    SHA512 9166127aa7baeb1b65f90ab08c5dcf1e6ccbcf52c21f9dcf2d5e775fe31d6c398febd14c715bb89391583a2c53be98dfd0acfe730aacb5af7e8c0e1dcd8bc7b6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5 613c5d273eedc5dd698ebc735dd0df17
    SHA1 8acea9fdfabcc0c2e6b1435a88185d677adeae8b
    SHA256 060c00d5cae95f929f73fc5b1367b21a0aa21c7cb486cc140a39d0b137b5b5e7
    SHA512 6b9cf35baa600db2d89cd75a3f27a55c8a60c60623977d8a3a2bb676304c198888ae066eb05fe4f9dc6e7d96d7563a7d2ece3df2fe1845ca962e08d55b43b52d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\VTDZ4VWC.htm
    MD5 6b17a59cec1a7783febae9aa55c56556
    SHA1 01d4581e2b3a6348679147a915a0b22b2a66643a
    SHA256 66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
    SHA512 3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\ASKNT69L.htm
    MD5 b1cd7c031debba3a5c77b39b6791c1a7
    SHA1 e5d91e14e9c685b06f00e550d9e189deb2075f76
    SHA256 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
    SHA512 d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    MD5 f42abb7569dbc2ff5faa7e078cb71476
    SHA1 04530a6165fc29ab536bab1be16f6b87c46288e6
    SHA256 516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
    SHA512 3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

                    MD5

                    f42abb7569dbc2ff5faa7e078cb71476

                    SHA1

                    04530a6165fc29ab536bab1be16f6b87c46288e6

                    SHA256

                    516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

                    SHA512

                    3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

                    MD5

                    f42abb7569dbc2ff5faa7e078cb71476

                    SHA1

                    04530a6165fc29ab536bab1be16f6b87c46288e6

                    SHA256

                    516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

                    SHA512

                    3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

                  • C:\Users\Admin\Desktop\ConfirmComplete.eps.13A-721-97F

                    MD5

                    e2905cef7cb77cb04e2444001d99619e

                    SHA1

                    26ea3bd7937c399344cb9847f7a32d120eeb1888

                    SHA256

                    a721b42ea681af1964e2f096a0043876eacab95f7634819f8b2e096db1b15c04

                    SHA512

                    6736e7472d82b41e8215d046a9f00686121e0eb3cd00b0d004581c25572b2d0cfcaf4b760bc2e3bcb0956661f435185d4ee86d484d3b0bb8d208e5deb959e0cb

                  • C:\Users\Admin\Desktop\ConvertCompare.mpeg.13A-721-97F

                    MD5

                    ea0984eba072b2fe5e81a65b02bfa029

                    SHA1

                    7ab5c7fa65e432ec991cba5ad21c1a2c054a71c4

                    SHA256

                    f00bace221d5b300ac5a51a672e300de3eb893f6289e49b3b4350bdb46914bd1

                    SHA512

                    a379467e0a3eaea2fa25ba3dfedfd1bf4eba35449beb921e071889673dac1afaed358480c2e824ac2fcbf89d676f54c5bd4fa4732fc64718f0f781b3f736c7a8

                  • C:\Users\Admin\Desktop\DisconnectGroup.csv.13A-721-97F

                    MD5

                    eb64c299cb5ec7e57732cbbb2d832bbd

                    SHA1

                    d5f59894ffc725787b6c34f39f1a7d4436e6f431

                    SHA256

                    4e5cf8f61f7524a9c3741afbe5dff0f03ef9604a8073ca50f27780550f1cf64a

                    SHA512

                    c0b01bc883fa6175fb581665a8e3230ba17a73592a53214ac6f1454c8c3d35ab0fd1098a5d478736dd72146a25291310c3f6eb2fcf12ef96cf967d6613dac105

                  • C:\Users\Admin\Desktop\DisconnectRemove.wmf.13A-721-97F

                    MD5

                    48a510a3215cf81aff84e7b4fa5d2155

                    SHA1

                    a8677613d8c00adcde53c01a12b3e07e71234cc4

                    SHA256

                    e28cdd307332df522026799b982dace189dccc3e9c2c0960ac52f23601296425

                    SHA512

                    693320b2e8c4d8c85ef9d0d8548761951275b8b322ca82a946d897a48fef6a141556605e337a5746101515fb96e8a30c8256a8d48820379c9c3365ad304ecd3b

                  • C:\Users\Admin\Desktop\GetSkip.mp2.13A-721-97F

                    MD5

                    c5b967fdd251346d0b0a65d6347b35ec

                    SHA1

                    04d1a7f93b4c3f79a7b2023ecef827a065b6cd14

                    SHA256

                    ef99fbb8c3ca293a4d3ce0fdde9b6662846249e21a00918328ce558b590bb853

                    SHA512

                    3b9ea87414a2824cc98696278c9a68d13b4d4c459d9b2542d57618927a51966e02a659a4b8849a0684b43f0e0c8d4cf186d4508c97754dc3ef2c5945f0400a57

                  • C:\Users\Admin\Desktop\InvokeTest.lock.13A-721-97F

                    MD5

                    78fcce6f38ff8fe711626da720912b03

                    SHA1

                    d1618f140a7dc25f0be136d2420cfcac7fe6f592

                    SHA256

                    064d755a82ca43c0d61a3973b57505d7c18e81dd0180dbcc581cbfeed618103e

                    SHA512

                    cb5f25b55f8ef538f34c08e2c3fff44c11e005d80b4893b30b043a1a7e4e9ec1a919533b7c961b25f36d986ded890c6c3315406c282a9a9a579d93e4eff9fd61

                  • C:\Users\Admin\Desktop\JoinCompress.css.13A-721-97F

                    MD5

                    2e5ec92196eadc75dbd3ddf09365a8aa

                    SHA1

                    2936a37d03b1b58e33e749439e546dd4e6c80f90

                    SHA256

                    c1065ce3f6a10fa9b8c010288a9b39c3b9e826910d04b66e8497d1145cf0afd2

                    SHA512

                    d58cfd96d0942f1f6d800d4de6633035d3dc9e5cd41e6548685f02f3347e77d85eaf65fc64f7a9f87e078852516ccdad4595ff96c7a2ec47cc057ca12b65a730

                  • C:\Users\Admin\Desktop\ReadMove.wmf.13A-721-97F

                    MD5

                    8f4df131437c4f8e45be8c33f79a8476

                    SHA1

                    b60016b2cbd31f8e321935bfad46e865f1a0d4f4

                    SHA256

                    f56ff8f161f621d671f1dc71d9bd69607e7aa6ee3c6ee31f6afcc5f7008ab27f

                    SHA512

                    83e55799d9ad53ac7ce0073ad33443ef3a7e178d355c0ee1516c49e4bc1c6d98cb2c380257f0195bb878fbb9a037ee4cc66b9473639286a22895996021c1d0c7

                  • C:\Users\Admin\Desktop\RedoLock.ppsx.13A-721-97F

                    MD5

                    b2752da96f2563cecbd4dc1c240fd303

                    SHA1

                    a4dede6a1b28a95e9c69088ae2b668ec33c1e13b

                    SHA256

                    f671b5af8d628528e0b13dc65770e68eab789138dacb892192b2e72766b95815

                    SHA512

                    95025286d42f8ca94fcb37a6d5d571193165799a75113b7860459ea378f1937b1e1f7180d461d8d777433700fa4b2745767e4eb389793165839c38e27ea89cec

                  • C:\Users\Admin\Desktop\RegisterAdd.iso.13A-721-97F

                    MD5

                    dd29d3eb9c41969ffcfd05e852b10a54

                    SHA1

                    30145369bb44ab9a1c9c1b919e1a9e7c3d10c97d

                    SHA256

                    780188a640d7ef5e3c3cf45506ce9fb795c0207b854bf3910aceddd77cd77bda

                    SHA512

                    8e089c4c49a4409fe0c72a2c9a989da4cd4f972f26b799c6b4dffa95aee619ac6a2145cb86d33160ae122b8670c123cd59658a24f0eb81ff86d112164e53d88f

                  • C:\Users\Admin\Desktop\RegisterOptimize.mpeg.13A-721-97F

                    MD5

                    9fbd1eeb2e269969b585ff4ea129470e

                    SHA1

                    9b1eccae20fee4fe795dd7a5d7bc470eba3f4ac9

                    SHA256

                    12ee18fd14ffac4414f944c2b67a78fe00dcf7404adf588f88b376917ec060d4

                    SHA512

                    b35fea10a7db62ad34a8041527b6f3b7720576bd71868bc5120904c261052df3b37ef1ebad67aa6010fe9cecf5356cb066c5d15369e3f9fb5ede412252f9a77e

                  • C:\Users\Admin\Desktop\RenameSync.emz.13A-721-97F

                    MD5

                    36a85765fdb73224d51171736de86e6e

                    SHA1

                    acc3ec0645dd784afa66e0822770b7e18bf732f9

                    SHA256

                    40dee649448d5a7d7e015ed29d87b35ce7596501fee6f5f29a5bf2e12f316f3a

                    SHA512

                    9f24b57de48167b79fe93b126ed6c0cdf97a143bd53ff1a84125e464ffd2debe2633b3141101b8b7383a32be14919b72a358afc583a3e9413ada1733542c92a0

                  • C:\Users\Admin\Desktop\RepairPop.avi.13A-721-97F

                    MD5

                    f3614d9fd4cfcbb8e46284be36e2375b

                    SHA1

                    98693ce738455c6e97d5bcc1045b0ceada819e5f

                    SHA256

                    22a1725a50f18a3001ac05c7627c5f12839f7663372d2d40ea646bdf5eab9e83

                    SHA512

                    c715582dc94f3045dfb495c7b3471a7aedd4dfde6535bb4010ba4939b49a7d3aca426d97e9dd64434baecfc3707ff3b306f56fdc4ffe05cd0ddaa27c5f60bf81

                  • C:\Users\Admin\Desktop\RestartResume.M2V.13A-721-97F

                    MD5

                    8f3d0169bb266f06f6fde8a9a5d59385

                    SHA1

                    c8e85715d56b3fb54a40422c2c74a227adddadca

                    SHA256

                    9023b9e081a4aff3e218fb350decc87bb9e6f0d7a2c45e727f2922e74f4d1297

                    SHA512

                    39f21155361cccd242bb3c80e1efda39f165e21654720839b9c912d800061620bc5ab4d9258f1c3215bfa48eab6feef67fc9f6a7503534479dcdd151446e147d

                  • C:\Users\Admin\Desktop\RevokeFind.m1v.13A-721-97F

                    MD5

                    eb2a873654fdc9cbf6cea02e37e488a1

                    SHA1

                    01cb59efa0450e0f49ba821956df8187e0f92532

                    SHA256

                    f8adf43a7dadaa47f457d8c12198338aadf19f92ceb41444284b3ab9a4f78088

                    SHA512

                    33a572d476503f89b9ae5d64c979f73fb99c89b6066a3e99b704bb680b39dcf2c6494d73569cf40c8f90b87e4b78621e9a8c9837946c029ac95c9fd5397e4ece

                  • C:\Users\Admin\Desktop\SendReset.pdf.13A-721-97F

                    MD5

                    2cae449eea3d4af75273399118d6768d

                    SHA1

                    98810220263238d43ee3ff8cd476ebae5353b5e9

                    SHA256

                    40af3ac377a191afc54a600e56b0e2b58b7729e15145de517d11c01b6e38c7c3

                    SHA512

                    7b372d8d5d9347b35d994d85c56b0d172ba1cefb8e15c770a56936f3aa81c4a9a15bc6bf01048efded43626e510d34979678e61d5f51b1305359755d39297bcd

                  • C:\Users\Admin\Desktop\SetRestore.TTS.13A-721-97F

                    MD5

                    f6caf2c56b965ff6061ab6420f4c9874

                    SHA1

                    4248c097b0a39d428c2c3b8afd3d04fee38a00d6

                    SHA256

                    6365056cdfec9d4986931172259b4a281f9bc7dd42413169547d453ae1e6b1f1

                    SHA512

                    cc2fdca4e6cf750e28e1e6ee24861a8e673d8b53bd045254aa02ac9379cd58dae847735606a53216c91b187652598dbf5b29193b5546f4208e0741c1a17c33ae

                  • C:\Users\Admin\Desktop\SplitSelect.xltx.13A-721-97F

                    MD5

                    37ef33511932ee16b3754d8fb0da8cca

                    SHA1

                    8110ee9c1bd3568c33d397a5d23a28de4be8be7c

                    SHA256

                    74e46c484be91803c08d5525f51050d9de08513b6c5a615372701862093b86b6

                    SHA512

                    95297bd78898f623758e9aa5d12c76c9deb5744139503f32734a41d1fbdb444415ac667996427ecc07ca635bfd255ec4e143daabd9042b1888dbd4de90f1c045

                  • C:\Users\Admin\Desktop\SuspendCheckpoint.midi.13A-721-97F

                    MD5

                    ca866c5263907cebd677db4567a427c9

                    SHA1

                    d8608e18cb55efd96fe28b74e69d871293db7fb4

                    SHA256

                    b6c850e3b7dd361ca2349a870fa45e6eda8597bd36fc1329cf11cc009faa17c7

                    SHA512

                    1f09c01a49ed3975bdee5a2c8e7eb5e4fdb689282aa324f4363b7e7515a5b5fb7007fc08d59b54081641a82937ec1b452d2212bebbb6163d22dfd5e16474dbdc

                  • C:\Users\Admin\Desktop\SuspendGrant.dwfx.13A-721-97F

                    MD5

                    e82fe3cc668891c2ba62ff778f7c007e

                    SHA1

                    cd8f65ba2a8700abbf2ff70867e7978b63ca9d3e

                    SHA256

                    740c0b68a86873649c8b065ceb94cdabdfbd864bb6e5a550009dc266883ede91

                    SHA512

                    6be0f6c1b68116ee168ba8bf46641398f33e8553941fbb7a6df9420c517a21c7c72cf24bae17d453b171691df062aad4eff634823269f16736ee75fcae64bfed

                  • C:\Users\Admin\Desktop\SuspendSync.vstm.13A-721-97F

                    MD5

                    03ba169a307e1425c812578ac2ed5f13

                    SHA1

                    8b931923cffa637f86b8d0eaabd813fc0a4ba345

                    SHA256

                    53c0f44964a321763973267e2866321668454194219113997156eba76a7ddd75

                    SHA512

                    d2edd5d4c1da67c907a1993739d4f4124c9b444ec7c419d238fe7d83485a7fafe2ec66a6800fd4cc8660fded5cd29ae2e14199d249b7d1c7b84079616e20b56d

                  • C:\Users\Admin\Desktop\UnblockConvertFrom.tmp.13A-721-97F

                    MD5

                    5319108845e38b996dd80446e3b78fe7

                    SHA1

                    78597fc6f070d0b8283b2fc2eeab49c3289cace0

                    SHA256

                    ce1b4e84d51042287e814724106b2c16eb4d07bb20f2d4d8d7ce2ca3a5683a80

                    SHA512

                    00823e33d47e095f42aefa540521b5189011fbfbc23746e797abc52a42b3e47be00f3dff2c280f5f613db28ce6fb3ebf25b05f2ec11e6f6cf0b22008c175ee85

                  • C:\Users\Admin\Desktop\UninstallCompress.ADT.13A-721-97F

                    MD5

                    3c88a52062a3f7b9460fd66a3bb015ca

                    SHA1

                    17c9d80e6dcb985eab3437cdbb29a0c8fdc2e308

                    SHA256

                    8e351b84014ec8f92960230b0942e857723f437bf0488f32ca2f536fce97c52d

                    SHA512

                    8a4b34a53dea1eb663dca60ee477c20e524e55d1946ba057e95e63f01a0c3d085acf4389bec99ff9e885e59ddd40b2701dedfffec0a1561bf4c07286f067726f

                  • memory/196-49-0x0000000000000000-mapping.dmp

                  • memory/196-48-0x0000000000780000-0x0000000000781000-memory.dmp

                  • memory/636-19-0x0000000000000000-mapping.dmp

                  • memory/1180-20-0x0000000000000000-mapping.dmp

                  • memory/1404-21-0x0000000000000000-mapping.dmp

                  • memory/1620-22-0x0000000000000000-mapping.dmp

                  • memory/2548-23-0x0000000000000000-mapping.dmp

                  • memory/2600-24-0x0000000000000000-mapping.dmp

                  • memory/3264-4-0x0000000000000000-mapping.dmp

                  • memory/3264-3-0x00000000001F0000-0x00000000001F1000-memory.dmp

                  • memory/4208-0-0x0000000000000000-mapping.dmp

                  • memory/4480-15-0x0000000000000000-mapping.dmp

                  • memory/4488-13-0x0000000000000000-mapping.dmp

                  • memory/4560-16-0x0000000000000000-mapping.dmp

                  • memory/4600-17-0x0000000000000000-mapping.dmp

                  • memory/4660-18-0x0000000000000000-mapping.dmp