buran | 812e862c4c470d4728a408b64d1cff9dca2f302f2742ff5ec99aeb896870bc6e

Analysis

max time kernel
151s
max time network
133s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
Size

325KB
MD5

b56a1f8a3ba9c5eb1a3b1a6aca398676
SHA1

345a633366ec3dab7813924773377afc005cc5fc
SHA256

812e862c4c470d4728a408b64d1cff9dca2f302f2742ff5ec99aeb896870bc6e
SHA512

ee9f751e332d9cf2cc8cc42a3cc9e7b2e6671358623c9e5a00a45a9f3a86e648aa7e13a43001d69a516ea78579c98fe6f102d42b930199872134d17efa6e32e4

Score

10^/10

buran discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Pay $ 100 in BTC Write to email: uspex1@cock.li Reserved email: uspex2@cock.li Telegram: @uspex2 Your personal ID: 10F-18C-8B1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

uspex1@cock.li

uspex2@cock.li

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

kjejdIHj.exeservices.exeservices.exe

pid process

636 kjejdIHj.exe
1732 services.exe
1744 services.exe
Loads dropped DLL 4 IoCs

Processes:

b56a1f8a3ba9c5eb1a3b1a6aca398676.exekjejdIHj.exe

pid process

1776 b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
1776 b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
636 kjejdIHj.exe
636 kjejdIHj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
636	kjejdIHj.exe
1732	services.exe
1744	services.exe

pid	process
1776	b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
1776	b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
636	kjejdIHj.exe
636	kjejdIHj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kjejdIHj.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	kjejdIHj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	kjejdIHj.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	process
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\Z:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 geoiptool.com

flow	ioc
10	geoiptool.com

Drops file in Program Files directory 9245 IoCs

Processes:

services.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qatar.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.clusters.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187837.WMF	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\NEWS.txt	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00183_.WMF.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00426_.WMF.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bogota.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212751.WMF.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00648_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01163_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02264_.WMF	services.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url.10F-18C-8B1	services.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\management.properties	services.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01637_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199465.WMF.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00414_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.10F-18C-8B1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196364.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00096_.WMF	services.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1540 vssadmin.exe
2028 vssadmin.exe

pid	process
1540	vssadmin.exe
2028	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

services.exekjejdIHj.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	kjejdIHj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	kjejdIHj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	kjejdIHj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services.exe

Suspicious use of AdjustPrivilegeToken 85 IoCs

Processes:

kjejdIHj.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	636	kjejdIHj.exe
Token: SeDebugPrivilege	636	kjejdIHj.exe
Token: SeIncreaseQuotaPrivilege	756	WMIC.exe
Token: SeSecurityPrivilege	756	WMIC.exe
Token: SeTakeOwnershipPrivilege	756	WMIC.exe
Token: SeLoadDriverPrivilege	756	WMIC.exe
Token: SeSystemProfilePrivilege	756	WMIC.exe
Token: SeSystemtimePrivilege	756	WMIC.exe
Token: SeProfSingleProcessPrivilege	756	WMIC.exe
Token: SeIncBasePriorityPrivilege	756	WMIC.exe
Token: SeCreatePagefilePrivilege	756	WMIC.exe
Token: SeBackupPrivilege	756	WMIC.exe
Token: SeRestorePrivilege	756	WMIC.exe
Token: SeShutdownPrivilege	756	WMIC.exe
Token: SeDebugPrivilege	756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	756	WMIC.exe
Token: SeRemoteShutdownPrivilege	756	WMIC.exe
Token: SeUndockPrivilege	756	WMIC.exe
Token: SeManageVolumePrivilege	756	WMIC.exe
Token: 33	756	WMIC.exe
Token: 34	756	WMIC.exe
Token: 35	756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeSecurityPrivilege	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	792	WMIC.exe
Token: SeLoadDriverPrivilege	792	WMIC.exe
Token: SeSystemProfilePrivilege	792	WMIC.exe
Token: SeSystemtimePrivilege	792	WMIC.exe
Token: SeProfSingleProcessPrivilege	792	WMIC.exe
Token: SeIncBasePriorityPrivilege	792	WMIC.exe
Token: SeCreatePagefilePrivilege	792	WMIC.exe
Token: SeBackupPrivilege	792	WMIC.exe
Token: SeRestorePrivilege	792	WMIC.exe
Token: SeShutdownPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	792	WMIC.exe
Token: SeRemoteShutdownPrivilege	792	WMIC.exe
Token: SeUndockPrivilege	792	WMIC.exe
Token: SeManageVolumePrivilege	792	WMIC.exe
Token: 33	792	WMIC.exe
Token: 34	792	WMIC.exe
Token: 35	792	WMIC.exe
Token: SeBackupPrivilege	328	vssvc.exe
Token: SeRestorePrivilege	328	vssvc.exe
Token: SeAuditPrivilege	328	vssvc.exe
Token: SeIncreaseQuotaPrivilege	756	WMIC.exe
Token: SeSecurityPrivilege	756	WMIC.exe
Token: SeTakeOwnershipPrivilege	756	WMIC.exe
Token: SeLoadDriverPrivilege	756	WMIC.exe
Token: SeSystemProfilePrivilege	756	WMIC.exe
Token: SeSystemtimePrivilege	756	WMIC.exe
Token: SeProfSingleProcessPrivilege	756	WMIC.exe
Token: SeIncBasePriorityPrivilege	756	WMIC.exe
Token: SeCreatePagefilePrivilege	756	WMIC.exe
Token: SeBackupPrivilege	756	WMIC.exe
Token: SeRestorePrivilege	756	WMIC.exe
Token: SeShutdownPrivilege	756	WMIC.exe
Token: SeDebugPrivilege	756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	756	WMIC.exe
Token: SeRemoteShutdownPrivilege	756	WMIC.exe
Token: SeUndockPrivilege	756	WMIC.exe
Token: SeManageVolumePrivilege	756	WMIC.exe
Token: 33	756	WMIC.exe
Token: 34	756	WMIC.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

b56a1f8a3ba9c5eb1a3b1a6aca398676.exekjejdIHj.exeservices.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1776 wrote to memory of 636	1776	b56a1f8a3ba9c5eb1a3b1a6aca398676.exe	kjejdIHj.exe
PID 1776 wrote to memory of 636	1776	b56a1f8a3ba9c5eb1a3b1a6aca398676.exe	kjejdIHj.exe
PID 1776 wrote to memory of 636	1776	b56a1f8a3ba9c5eb1a3b1a6aca398676.exe	kjejdIHj.exe
PID 1776 wrote to memory of 636	1776	b56a1f8a3ba9c5eb1a3b1a6aca398676.exe	kjejdIHj.exe
PID 636 wrote to memory of 1732	636	kjejdIHj.exe	services.exe
PID 636 wrote to memory of 1732	636	kjejdIHj.exe	services.exe
PID 636 wrote to memory of 1732	636	kjejdIHj.exe	services.exe
PID 636 wrote to memory of 1732	636	kjejdIHj.exe	services.exe
PID 636 wrote to memory of 1324	636	kjejdIHj.exe	notepad.exe
PID 636 wrote to memory of 1324	636	kjejdIHj.exe	notepad.exe
PID 636 wrote to memory of 1324	636	kjejdIHj.exe	notepad.exe
PID 636 wrote to memory of 1324	636	kjejdIHj.exe	notepad.exe
PID 636 wrote to memory of 1324	636	kjejdIHj.exe	notepad.exe
PID 636 wrote to memory of 1324	636	kjejdIHj.exe	notepad.exe
PID 636 wrote to memory of 1324	636	kjejdIHj.exe	notepad.exe
PID 1732 wrote to memory of 1896	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1896	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1896	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1896	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1636	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1636	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1636	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1636	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1664	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1664	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1664	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1664	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1660	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1660	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1660	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1660	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1844	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1844	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1844	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1844	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1008	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1008	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1008	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1008	1732	services.exe	cmd.exe
PID 1732 wrote to memory of 1744	1732	services.exe	services.exe
PID 1732 wrote to memory of 1744	1732	services.exe	services.exe
PID 1732 wrote to memory of 1744	1732	services.exe	services.exe
PID 1732 wrote to memory of 1744	1732	services.exe	services.exe
PID 1844 wrote to memory of 1540	1844	cmd.exe	vssadmin.exe
PID 1844 wrote to memory of 1540	1844	cmd.exe	vssadmin.exe
PID 1844 wrote to memory of 1540	1844	cmd.exe	vssadmin.exe
PID 1844 wrote to memory of 1540	1844	cmd.exe	vssadmin.exe
PID 1896 wrote to memory of 756	1896	cmd.exe	WMIC.exe
PID 1896 wrote to memory of 756	1896	cmd.exe	WMIC.exe
PID 1896 wrote to memory of 756	1896	cmd.exe	WMIC.exe
PID 1896 wrote to memory of 756	1896	cmd.exe	WMIC.exe
PID 1008 wrote to memory of 792	1008	cmd.exe	WMIC.exe
PID 1008 wrote to memory of 792	1008	cmd.exe	WMIC.exe
PID 1008 wrote to memory of 792	1008	cmd.exe	WMIC.exe
PID 1008 wrote to memory of 792	1008	cmd.exe	WMIC.exe
PID 1008 wrote to memory of 2028	1008	cmd.exe	vssadmin.exe
PID 1008 wrote to memory of 2028	1008	cmd.exe	vssadmin.exe
PID 1008 wrote to memory of 2028	1008	cmd.exe	vssadmin.exe
PID 1008 wrote to memory of 2028	1008	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\b56a1f8a3ba9c5eb1a3b1a6aca398676.exe
"C:\Users\Admin\AppData\Local\Temp\b56a1f8a3ba9c5eb1a3b1a6aca398676.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\kjejdIHj.exe
"C:\Users\Admin\AppData\Local\Temp\kjejdIHj.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
4⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2028

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1744

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
b70dc0d32e75295574887a1eb8e8824d

SHA1
1c7aadf97657f25a66e2b26ffce20fae35a81b71

SHA256
9ba2afab5c73c6c8fef834f724b2b729553020c44495b12f87e5779d94354cd9

SHA512
4396416ab54ea4c5f50c3b9fa6c0679bb9ec3a5549ba0d729ef54266404a6ebbffdca86da989b17b6357f9bce3fcc0b8f43727d56adae84beac48e1fc7740dc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
ee6f44b70b1b952cca185c9c42455e50

SHA1
304e0d9730b1e2c36d42b12ff8ebb8ce12d2557b

SHA256
e61cbb508cf8bd896994b1feea6912f2d4319d6a382d9554ee43c9e44d76443c

SHA512
f0c69c3d063cc4aeb65467cb06b6a9a2f1fb56b9ca7419f3ad83a61725ab71ab7a0b0964eef422d11fb47bff7573ad18a5f6f004db7ddab829cb5b49c0897297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
a79f29048b133ca17588ca54c6519db9

SHA1
45854963cb24a79f8b582fd13c6916d9bacf60b4

SHA256
164f85824da0142ecb22e5f6903e6b0628dc50c9425aac6a4819b9dd340a565d

SHA512
9da9eed3123c84d81fa784ec38c7b975ca8be47037d5d137d1d9124c2a35cb3f067cffd083e449fe5ce2547d9c31fa36409b9fe312a95b20d0dbc8c9c4ed8034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
de85a10419d30f347c7b0b0ed3b71fac

SHA1
231b7c6f43006b02aaaf9632e5d6e533dc458658

SHA256
d40a2a5ba83459adf8c01f628f3437908494b7c9d5aa8599830411bcb06d44b7

SHA512
62a9fccb7a7cf6d61f60e67053b2795c4cb39f1f5f7f9fe715d8c30ddc02058d5bb368a06ffebd78f98a82ec71fde6ea4c04c4a23b47e3fb526f531be8dfc2ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
fb3cba406b7db4427a2448a301472029

SHA1
81043fa56af65e0ed46f3ad04c630c16b338aa79

SHA256
845f01a62d34797f262348d1c43c1efc1a661657cc1ce428e1a1f10cfd728233

SHA512
ca1809a172057098ae49c5c73c36f84fef196988a75b90b3a8fb937cfeb71ddc76a260dc01027060687b372caac7582ff2981053efae8c5452057be4daf00287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2c3dab0ad9bdb538c770fdd2e0bc3598

SHA1
09fdafd2260d72481a62bae68601f9c641d3e0f4

SHA256
95c9ccad463037cf97f342766826ef0c69a9473b1b06ebf850f7cbc76829559b

SHA512
ac87f24f8e90f02a15cc16a4d0a7dbaf6ab70ffc3d8352dc7d98a86e045b260d740cd2e6a46dcbc9943bd067ebb3499ad03bd2d706032cba77e874ab55c8145c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
491f17226e33cc9923f02e57de5dd8d0

SHA1
0d3f124234d9ff5777c5cdf68471f43ba0695b68

SHA256
b6127714c001a28a2530677954ad351252b881b5344dcde3cba9823d5b6423ee

SHA512
e1d8248c01a4152e48443ae39a1fe72642b346911b750c29450c756e2d09560269a1aeaef5fbca9ad594086ccd18161f4e566749453fe0181a32fbd45dbcbb6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\L4MFWJEK.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4HTQEUG\IC1KCPPZ.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjejdIHj.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjejdIHj.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
\Users\Admin\AppData\Local\Temp\kjejdIHj.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
\Users\Admin\AppData\Local\Temp\kjejdIHj.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
memory/636-5-0x0000000000000000-mapping.dmp

Download
memory/672-2-0x000007FEF6B20000-0x000007FEF6D9A000-memory.dmp

Filesize
2.5MB

Download
memory/756-34-0x0000000000000000-mapping.dmp

Download
memory/792-35-0x0000000000000000-mapping.dmp

Download
memory/1008-28-0x0000000000000000-mapping.dmp

Download
memory/1324-14-0x0000000000000000-mapping.dmp

Download
memory/1324-13-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1540-32-0x0000000000000000-mapping.dmp

Download
memory/1636-24-0x0000000000000000-mapping.dmp

Download
memory/1660-26-0x0000000000000000-mapping.dmp

Download
memory/1664-25-0x0000000000000000-mapping.dmp

Download
memory/1732-10-0x0000000000000000-mapping.dmp

Download
memory/1744-30-0x0000000000000000-mapping.dmp

Download
memory/1844-27-0x0000000000000000-mapping.dmp

Download
memory/1896-23-0x0000000000000000-mapping.dmp

Download
memory/2028-36-0x0000000000000000-mapping.dmp

Download