buran | 513c4fe0de5b8df83d8d99ce55f0c474600699591a4185fdb0b4ee5e9c718924

Analysis

max time kernel
140s
max time network
134s
platform
windows7_x64
resource
win7v20201028
submitted
16-12-2020 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Size

449KB
MD5

574f031251f67bcc6ea9168364d2fbfd
SHA1

f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512

d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: yongloun@tutanota.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: wiruxa@airmail.cc Reserved email: anygrishevich@yandex.ru Your personal ID: 187-7CE-4F1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

wiruxa@airmail.cc

anygrishevich@yandex.ru

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid process

576 services.exe
1236 services.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

services.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\MeasureResolve.tiff services.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

296 notepad.exe
Loads dropped DLL 1 IoCs

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

pid process

476 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MeasureResolve.tiff	services.exe

pid	process
296	notepad.exe

pid	process
476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	process
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\M:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 geoiptool.com

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 15048 IoCs

Processes:

services.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\form_edit.js	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199465.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OriginFax.Dotx	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msmdsrv.rll	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Civic.eftx.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01586_.WMF.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198021.WMF.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICTPH.POC.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar.187-7CE-4F1	services.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107314.WMF.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	services.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18242_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITS.ICO.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL054.XML	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02293_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTL.ICO	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico.187-7CE-4F1	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	services.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1544 vssadmin.exe
776 vssadmin.exe

pid	process
1544	vssadmin.exe
776	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exeservices.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services.exe

Suspicious behavior: EnumeratesProcesses 1094 IoCs

Processes:

services.exe

pid	process
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe
576	services.exe

Suspicious use of AdjustPrivilegeToken 87 IoCs

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Token: SeDebugPrivilege	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe
Token: SeShutdownPrivilege	1052	WMIC.exe
Token: SeDebugPrivilege	1052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1052	WMIC.exe
Token: SeRemoteShutdownPrivilege	1052	WMIC.exe
Token: SeUndockPrivilege	1052	WMIC.exe
Token: SeManageVolumePrivilege	1052	WMIC.exe
Token: 33	1052	WMIC.exe
Token: 34	1052	WMIC.exe
Token: 35	1052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	840	WMIC.exe
Token: SeSecurityPrivilege	840	WMIC.exe
Token: SeTakeOwnershipPrivilege	840	WMIC.exe
Token: SeLoadDriverPrivilege	840	WMIC.exe
Token: SeSystemProfilePrivilege	840	WMIC.exe
Token: SeSystemtimePrivilege	840	WMIC.exe
Token: SeProfSingleProcessPrivilege	840	WMIC.exe
Token: SeIncBasePriorityPrivilege	840	WMIC.exe
Token: SeCreatePagefilePrivilege	840	WMIC.exe
Token: SeBackupPrivilege	840	WMIC.exe
Token: SeRestorePrivilege	840	WMIC.exe
Token: SeShutdownPrivilege	840	WMIC.exe
Token: SeDebugPrivilege	840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	840	WMIC.exe
Token: SeRemoteShutdownPrivilege	840	WMIC.exe
Token: SeUndockPrivilege	840	WMIC.exe
Token: SeManageVolumePrivilege	840	WMIC.exe
Token: 33	840	WMIC.exe
Token: 34	840	WMIC.exe
Token: 35	840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe
Token: SeShutdownPrivilege	1052	WMIC.exe
Token: SeDebugPrivilege	1052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1052	WMIC.exe
Token: SeRemoteShutdownPrivilege	1052	WMIC.exe
Token: SeUndockPrivilege	1052	WMIC.exe
Token: SeManageVolumePrivilege	1052	WMIC.exe
Token: 33	1052	WMIC.exe
Token: 34	1052	WMIC.exe
Token: 35	1052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	840	WMIC.exe
Token: SeSecurityPrivilege	840	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exeservices.execmd.execmd.execmd.exe

description	pid	process	target process
PID 476 wrote to memory of 576	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	services.exe
PID 476 wrote to memory of 576	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	services.exe
PID 476 wrote to memory of 576	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	services.exe
PID 476 wrote to memory of 576	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	services.exe
PID 476 wrote to memory of 296	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 476 wrote to memory of 296	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 476 wrote to memory of 296	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 476 wrote to memory of 296	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 476 wrote to memory of 296	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 476 wrote to memory of 296	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 476 wrote to memory of 296	476	438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe	notepad.exe
PID 576 wrote to memory of 1576	576	services.exe	cmd.exe
PID 576 wrote to memory of 1576	576	services.exe	cmd.exe
PID 576 wrote to memory of 1576	576	services.exe	cmd.exe
PID 576 wrote to memory of 1576	576	services.exe	cmd.exe
PID 576 wrote to memory of 1728	576	services.exe	cmd.exe
PID 576 wrote to memory of 1728	576	services.exe	cmd.exe
PID 576 wrote to memory of 1728	576	services.exe	cmd.exe
PID 576 wrote to memory of 1728	576	services.exe	cmd.exe
PID 576 wrote to memory of 292	576	services.exe	cmd.exe
PID 576 wrote to memory of 292	576	services.exe	cmd.exe
PID 576 wrote to memory of 292	576	services.exe	cmd.exe
PID 576 wrote to memory of 292	576	services.exe	cmd.exe
PID 576 wrote to memory of 2032	576	services.exe	cmd.exe
PID 576 wrote to memory of 2032	576	services.exe	cmd.exe
PID 576 wrote to memory of 2032	576	services.exe	cmd.exe
PID 576 wrote to memory of 2032	576	services.exe	cmd.exe
PID 576 wrote to memory of 1380	576	services.exe	cmd.exe
PID 576 wrote to memory of 1380	576	services.exe	cmd.exe
PID 576 wrote to memory of 1380	576	services.exe	cmd.exe
PID 576 wrote to memory of 1380	576	services.exe	cmd.exe
PID 1576 wrote to memory of 1052	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 1052	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 1052	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 1052	1576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 1712	576	services.exe	cmd.exe
PID 576 wrote to memory of 1712	576	services.exe	cmd.exe
PID 576 wrote to memory of 1712	576	services.exe	cmd.exe
PID 576 wrote to memory of 1712	576	services.exe	cmd.exe
PID 576 wrote to memory of 1236	576	services.exe	services.exe
PID 576 wrote to memory of 1236	576	services.exe	services.exe
PID 576 wrote to memory of 1236	576	services.exe	services.exe
PID 576 wrote to memory of 1236	576	services.exe	services.exe
PID 1380 wrote to memory of 1544	1380	cmd.exe	vssadmin.exe
PID 1380 wrote to memory of 1544	1380	cmd.exe	vssadmin.exe
PID 1380 wrote to memory of 1544	1380	cmd.exe	vssadmin.exe
PID 1380 wrote to memory of 1544	1380	cmd.exe	vssadmin.exe
PID 1712 wrote to memory of 840	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 840	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 840	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 840	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 776	1712	cmd.exe	vssadmin.exe
PID 1712 wrote to memory of 776	1712	cmd.exe	vssadmin.exe
PID 1712 wrote to memory of 776	1712	cmd.exe	vssadmin.exe
PID 1712 wrote to memory of 776	1712	cmd.exe	vssadmin.exe
PID 576 wrote to memory of 964	576	services.exe	notepad.exe
PID 576 wrote to memory of 964	576	services.exe	notepad.exe
PID 576 wrote to memory of 964	576	services.exe	notepad.exe
PID 576 wrote to memory of 964	576	services.exe	notepad.exe
PID 576 wrote to memory of 964	576	services.exe	notepad.exe
PID 576 wrote to memory of 964	576	services.exe	notepad.exe
PID 576 wrote to memory of 964	576	services.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
"C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:476

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:776

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:1236

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:964

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
b36da5c81e37e66335b100fe541c1668

SHA1
81b166b7d5c9801ca146d1ef5b95aac47c952112

SHA256
996dbe67869eabac1e506abdc5b12c933eb5c735778481c9894c7a9ae9bd1d49

SHA512
c551487a3b6f952a7328abd2449934427209dc537a0c0429335facb7faa103fc5a8788197ab6f48830e184d953cbd0e9e99b4787e3565f52c9fd50759ff0abaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
a39a754e0b0ba7e439a962153cc63feb

SHA1
b4d9a16bce5017a94196a68d87de254f0795922b

SHA256
bcd4f320f4b3cf23708d4f373d4eb0208c453dbaffa9f5b402ab73f127528c6e

SHA512
8c206e9fc85c7a05b4eaa34269c5af83bf016c043d881472b9f90ecf83c781892c450d1593d36bdcc080c552748e2fe61c439769ca93ccdc5a2453b74a2175b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c8f6d84e4c36d9393622a1af12a9a848

SHA1
1df0282b790a4a641c0f256a842141d5666a3f30

SHA256
c7b9816df943aee5e1923deaaa2abef8881da46a27fec381e0b92ac30f810ebb

SHA512
a835f48c7468366ebee56d2387493c5d789a695d895ad9c0f010cdd7ca96ed33269266a2ca4264a45021644d811853eab371520377bcdf404f70ab3b9ed6f9d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
a00620526efb2f4aeaeaaaa4af7e1340

SHA1
764bdfb3c74e16dd9d225608ad7e029f7cd41a1e

SHA256
ff0aa6b3465b237a8b2b6899696e56f7ef1f4dc7ab0d9ddd38964338d3fe342f

SHA512
1413e003c445e4b122329412ccddaa788cf51ad93d493d4a9883f6fdee9276fccb50544e26983a0e55eb5381d8d737fba3595e0a5e28b4923a469d96312cc7ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
ac3bfbc26f286ba88ec2a1576b43d5b3

SHA1
e4709601dc40a38ce75283da4fa3d730dc1f7e7b

SHA256
e17947d26fee7d5f2d860433935ae6df2d3fe7964f3df7fe6ef01434edd3624e

SHA512
e13e03e0e3692fc51ff18b36c393473f70f6931f4ca8e49083c5ab50fc87dfe9c9ca4a18f725fc553482648feedad105592a6b77253d2b47852f7f401b3b3b14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
826c1982a1c2fdbe242ca153d6431c51

SHA1
de22856ef242c02641e712cbd1ea906c4667ac5f

SHA256
c17ad4e4f249088e20a3468890bf80ec1255c7220ce197d4e1c8d9a19f629da0

SHA512
7f381e273c1f42641268582300941a4328ac09ec3427002e56a5e46c71bde8874cffc04128e5c93e07c0fb2712db671743285d172d74d7493ae454d4ebf34470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
4f10231095719fdce58ca4900f857003

SHA1
ec410bc56db508659e66a9a93266aba1b4a684e6

SHA256
ec83aa7e82a903ab1e491d453aadea0196f99e9363071cb92e0168c158842fcb

SHA512
d8d57edc61d271475dae414f302ce09b5444a2f8d1909dc0c795b584a25322f9ca91f46d8cd3206c5ac6c67b7273085ab5882bf581a19a72c14d7b863d0177ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\I14MIR0D.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\SIMSL8J3.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
C:\Users\Admin\Desktop\AssertResize.xhtml.187-7CE-4F1
MD5
9a015b1f81f148edb9f442856b5baf69

SHA1
63aae38c766f976523a6b2496b3244be315af3bd

SHA256
333fd06fb6618e7b311a1719c4155a96c1840228e035ed8a0b6acec96e8ae5db

SHA512
220fa6989732fdc8d7b931093815a4c6ecf6dca6a4c5de545d6ea3523b6d5f050b6a3189f095f84a6c95e969f2d2136aff86ac27de153268d01812c2d3f74724

Download Submit
C:\Users\Admin\Desktop\ConvertToImport.tif.187-7CE-4F1
MD5
0af8a588d2f83334bd559a34a315200d

SHA1
4ed5d3a46d548ceb7c2d9226d0de068a2dd57d81

SHA256
29d84a27f64dc8c5e1bb33dc910b0f62421704b0b517709c7e5118272c640062

SHA512
a4a6b0ed36615079c0d717063f27a7a373f12b4f3384be0adb0b4355a4d0a460046a690543d267569ec926c11583c6015639ae541679a0eb8eacdb87ac1ba943

Download Submit
C:\Users\Admin\Desktop\ConvertToRemove.m4v.187-7CE-4F1
MD5
59f6b4ea46dbdfaeda7eaa9635c77b34

SHA1
fcd75d6c58825772df834427c799995d8ed37893

SHA256
95e961f28dbf7838d5efbdde204f26aa56734ea89647fd434b92e91ffc8f284e

SHA512
246b787aced93463d0d0e0af1ee6bfd2683c81070add2fed65fb9f8474d68014fa12814d5833ff691b1f02f221d717af2cf89575bc29604a3ad4e5cf29593baf

Download Submit
C:\Users\Admin\Desktop\ConvertToUnlock.xht.187-7CE-4F1
MD5
4b9e69aec9281781f3b26af76e338965

SHA1
1b448107870ea9675a5eb79b1fb17892ca1a2315

SHA256
4de62ad05756e2aa0d1b3ad53ddfdef2c53b83238543b1b31e197f78ed9233a2

SHA512
71073f7a4c303c678cd25817b651d4c389d06efc64291f2c62e1dd7f043cdf8a4190144cc832415f4a254b0afa76da64639d830b4ae905dbedf4b5aaa4fa875e

Download Submit
C:\Users\Admin\Desktop\EnableFind.temp.187-7CE-4F1
MD5
e522748a35d6ef3769dd4ecb63228cdb

SHA1
fc7d65e8d4899ca681f368152e55e8e1c7af7afd

SHA256
3c0fb6e4c91220a8ff608db50f0ae4223be6c5e86589185bea82bd9e195a695c

SHA512
fe68043263ee5a6d673a6ce046f22e11c381ca55685181e7ecce2029750aa99368ea90b1828e17b9a24d3f718a9d7599c36b4a94a378933f93bbb1e772f39553

Download Submit
C:\Users\Admin\Desktop\ImportOptimize.rmi.187-7CE-4F1
MD5
d68d42889b70058ebf0ba8a01b6fcd0b

SHA1
32ac1d7d9e1f8ec2745c33dc8bc3f64734616d27

SHA256
601e3e9dbf5eb37a514926177b1fd62532aba96a0d926ce1b4fe14aebe52ba98

SHA512
8591c33999a2684a26eed3a262513fad8a51ec186ab1888cf2530f81721480e506e76c455065a5bcbd04f61d45fa07dc4ac60c09df464830a500ac250a75684d

Download Submit
C:\Users\Admin\Desktop\ImportResume.WTV.187-7CE-4F1
MD5
4e8358f2d52aa47e482ae99611d49b30

SHA1
b0b1df38f9b626c0107f22d2c5ac45e651379704

SHA256
ded5a3df9f1f9fe0e80d0825bae5f44d045070a1b7766717400502f6d3422def

SHA512
712609d0b9ed14aecab54aa5164aa08dc972260b9f87d644a3222d2fef3c37a7bdb4cde8a33b1800e2c5edf617c15905513ee64217adb5fdb943d872e1d66c19

Download Submit
C:\Users\Admin\Desktop\InvokeHide.ogg.187-7CE-4F1
MD5
a9486adc13aa6f5abca273ccacb9b379

SHA1
bc3b3d3dda6b52c84f1afd74e999f1bfa4c1e92d

SHA256
0b8ea2af8659d090053bf4cd582369e329b885d00a2e55b02d68191f1ace9ec6

SHA512
282fcac0566afd649abc9e05352daa9e3dde75b14fbef26d783c06911a990afdee28c0329afdcc4d977666d417f5fe8f05b8892268349ee85edf74d76b60fedf

Download Submit
C:\Users\Admin\Desktop\MergeExit.cfg.187-7CE-4F1
MD5
4379477f8dbb5bcfd9472a227f1e0e51

SHA1
d2fd4b7836a06bf29d0cc2cc3b9c7a06f707e3c7

SHA256
efd3daacb12da1f7ead53c1829be2e985b39722babbaf86a6ea5d12c16b4f0f6

SHA512
7cd4df3fdf0748570f955aa76826f53f3858b8c3b217dd1c25574e071c8cbb3af56140590d41619a2917c41b9b4290930c4943b9714266fda25c2f2cfd3df532

Download Submit
C:\Users\Admin\Desktop\PingGet.ods.187-7CE-4F1
MD5
ebffeb6f8d54a8c1242e14f4f26b26db

SHA1
fd52a3fd724236a03f821f0b0402ed6515f7c3f8

SHA256
7477d4cde070b810486aa4f8d94dcd6526299afcbe43ff93c2af8547ac1b26f6

SHA512
9eae439f3030c36855cd163400bded2a70bccb7f6db39abbe449a4b26867ea3e11610beddf0c29aeb01eaa30f53e234008ba8792f9adfb68c86cf1fa6d84028e

Download Submit
C:\Users\Admin\Desktop\ProtectUpdate.M2T.187-7CE-4F1
MD5
2164bd9773355a309fde8656fa948283

SHA1
4190bd6cfc834144a4efc200a114009a6d4ae81f

SHA256
0cae949742587464ca23865464e66a5cc3ac603d2f22ce20339d9afd0b27d7ed

SHA512
bf5382ff9be93e61818d63deae8c0e9932117b1b3c41f2b29cb70c331c571f1fe97569ffa7011c042853622ce4122694167e59edd00088aabc40eb806ab18104

Download Submit
C:\Users\Admin\Desktop\RedoGet.js.187-7CE-4F1
MD5
2138ef1a3e12e86206b7c91e787ca01a

SHA1
afb442d4e9f6ebe8146636ae545bb376cd53bb83

SHA256
62e529c0ca4f06ac08d342207d74ee1839f9e9c4899044ab7aa767ec28d57989

SHA512
19dc05518e71347adbef102f275c10be1a5e732e960743b82ab92d684777423d442814c84d89ccd1d7c3b9bf539c66d379948816314dd3d38216d26639253018

Download Submit
C:\Users\Admin\Desktop\SaveMeasure.wax.187-7CE-4F1
MD5
a20291b6507dc91a8b593f56e2e87764

SHA1
ce909fc889702d54c6d40cd93f0c01f18a5e0bb2

SHA256
cc3d11ecf7f003ee7caef708a702c343b66becca2902f19ba4dc822f6a312fa1

SHA512
95be3156de2bd6c61eb458791c1159f4cb8709afefb354bc039ba9e1c5efb3286e747a146e5bd2375e61b548e2cc92741d97b443f20efeeb7a3fd996c7dd5724

Download Submit
C:\Users\Admin\Desktop\SkipPublish.pub.187-7CE-4F1
MD5
07b090cae3d13166ad3e6e695dfa6e07

SHA1
f1e38da0494619e1d604a08bd0baf8cf68a04d4c

SHA256
970c5fed103c02c6dc260fdb4f174b67a130af22c6950feb319fd7d35bffc4f1

SHA512
7beb01fb0510aa4203db8e7afdff49c531be597c8ea5b7b47be608f6477b5cabdf9ab1565a8ab58240f0885ea863b20ac08d4a25278acb8edb5021dabf39e144

Download Submit
C:\Users\Admin\Desktop\StepUnlock.ps1xml.187-7CE-4F1
MD5
1a882481e1570022846faeb81711ec99

SHA1
98733b3aa8a4993adc2af475926ec0f1b653ebf4

SHA256
bf334cd49a0942abd7a2950f901401f061da6d591cde36365d0e61c67500b5e8

SHA512
e5027e3a22f0ef5f21d5102193bb78ec855bf25b103e1ec44e9ed1031960335e54f67dd28cf50f2c935bf5cfc74e3085272c97b958265372a6b61fc9b83dbe10

Download Submit
C:\Users\Admin\Desktop\StopDebug.fon.187-7CE-4F1
MD5
7c2a4f5bd55f59ee06ae602941bff311

SHA1
b390a1472e33ad2fa133cb06c621cf1425f97231

SHA256
2a21e7b93ce31a77263ca6604b34ee2ae17982e9accf2eb5edccddd2f595abd8

SHA512
389baecc2a8a245638158f1de080c301faeacc41e08b03bf091cc40cba305a524a704bd817175dc81b5900a3f14af7a4f867612a206fc323aaa36593ab2018a7

Download Submit
C:\Users\Admin\Desktop\UnprotectMove.htm.187-7CE-4F1
MD5
333517df054c350774e06ea36c8203ac

SHA1
694486766b0d9bc6044b9b12e0d6080140ac932b

SHA256
6cb381086d4733ccd32274c39a33bf472393d8a8837230c12432a320d6c211e5

SHA512
d00877bcd7fe84bd15f3b618038d093de40ac6dc62e8185284719b7474afb92485ac331fb75c68b8ae2d8a676b4bde0bd6390b9ea5359126af6666b5b7fe1694

Download Submit
C:\Users\Admin\Desktop\WaitRegister.png.187-7CE-4F1
MD5
5b36a1071095d5805fd1e496e2f8a090

SHA1
a016248f34949e089cd4004cd256716bda4c39ef

SHA256
5225fb17e85a47c1e07f850e94d5c7c9364fe2904204dddd759fd89c4ea14455

SHA512
389eb602da06c11d582fe13926aa174353b0feeeb2f994e1adce439e4ec8a2264e64138cf61b81f1dc0b9b025354f1414958e334097b362f2ee063cadd3ebfdd

Download Submit
C:\Users\Admin\Desktop\WaitStop.ico.187-7CE-4F1
MD5
bfd93eb6ae683dd9bf4486b13718b137

SHA1
4752183a56a76a21a2d129d878bab35a40665d16

SHA256
44cd4dbaaf10551ea7d64e202af888f9a7728e0db6a3085ecaf23f4c28cb8001

SHA512
2e0a1338aef8a2a4be7b9fc9506799788f45e5f70bfd36cb4ecf4b2dd89ab0315cd7ede61e579d2793c6cbff21850f1d9e4b2dde46ed5759e9c933e13b0df9bc

Download Submit
C:\Users\Admin\Desktop\WriteRevoke.AAC.187-7CE-4F1
MD5
4333ecf9f859851cc4acab979bb9d903

SHA1
5051fe4c8ee922a2ae981927879526b143d51cac

SHA256
9f22d7cac3597ce2db90c5dd34a33b7b1b08c2ef2e711d011ca2030cbec11c7e

SHA512
c83aa1151abb547ac9b54bfdbe201d058a6697e0ce795efd184814f4110f298e0cec423f00d64993b355aabd9be6f6f34c874177358aa35b3c79b051f6ce1881

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
memory/292-19-0x0000000000000000-mapping.dmp

Download
memory/296-7-0x0000000000000000-mapping.dmp

Download
memory/296-6-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/576-4-0x0000000000000000-mapping.dmp

Download
memory/776-29-0x0000000000000000-mapping.dmp

Download
memory/840-28-0x0000000000000000-mapping.dmp

Download
memory/964-51-0x0000000000000000-mapping.dmp

Download
memory/1052-22-0x0000000000000000-mapping.dmp

Download
memory/1236-24-0x0000000000000000-mapping.dmp

Download
memory/1380-21-0x0000000000000000-mapping.dmp

Download
memory/1432-2-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp

Filesize
2.5MB

Download
memory/1544-26-0x0000000000000000-mapping.dmp

Download
memory/1576-17-0x0000000000000000-mapping.dmp

Download
memory/1712-23-0x0000000000000000-mapping.dmp

Download
memory/1728-18-0x0000000000000000-mapping.dmp

Download
memory/2032-20-0x0000000000000000-mapping.dmp

Download