buran | 0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

Analysis

max time kernel
137s
max time network
129s
platform
windows7_x64
resource
win7v20201028
submitted
19-02-2021 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70ca11d0dfb726a0c141e05253a1b42d.exe
Size

581KB
MD5

70ca11d0dfb726a0c141e05253a1b42d
SHA1

3b8ff05941e2acebf7fc071c70b18ea9da83326b
SHA256

0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
SHA512

dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Score

10^/10

buran persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kassmaster@tutanota.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kassmaster@tutanota.com Reserved email: kassmaster@danwin1210.me Your personal ID: 15D-3C3-588 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

kassmaster@tutanota.com

kassmaster@danwin1210.me

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

944 svchost.exe
1604 svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

916 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exe

pid process

292 70ca11d0dfb726a0c141e05253a1b42d.exe
292 70ca11d0dfb726a0c141e05253a1b42d.exe

pid	process
916	notepad.exe

pid	process
292	70ca11d0dfb726a0c141e05253a1b42d.exe
292	70ca11d0dfb726a0c141e05253a1b42d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	70ca11d0dfb726a0c141e05253a1b42d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	70ca11d0dfb726a0c141e05253a1b42d.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 geoiptool.com

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tijuana	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CET.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00289_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199475.WMF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105520.WMF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099174.WMF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107744.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageStyle.css	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14757_.GIF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIP.DPV	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00157_.GIF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLAPPTR.FAE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Dialog.accdt	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107254.WMF	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14756_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\SPACER.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai.15D-3C3-588	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1104 vssadmin.exe
916 vssadmin.exe

pid	process
1104	vssadmin.exe
916	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	70ca11d0dfb726a0c141e05253a1b42d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	70ca11d0dfb726a0c141e05253a1b42d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	70ca11d0dfb726a0c141e05253a1b42d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	292	70ca11d0dfb726a0c141e05253a1b42d.exe
Token: SeDebugPrivilege	292	70ca11d0dfb726a0c141e05253a1b42d.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe
Token: SeSecurityPrivilege	816	WMIC.exe
Token: SeTakeOwnershipPrivilege	816	WMIC.exe
Token: SeLoadDriverPrivilege	816	WMIC.exe
Token: SeSystemProfilePrivilege	816	WMIC.exe
Token: SeSystemtimePrivilege	816	WMIC.exe
Token: SeProfSingleProcessPrivilege	816	WMIC.exe
Token: SeIncBasePriorityPrivilege	816	WMIC.exe
Token: SeCreatePagefilePrivilege	816	WMIC.exe
Token: SeBackupPrivilege	816	WMIC.exe
Token: SeRestorePrivilege	816	WMIC.exe
Token: SeShutdownPrivilege	816	WMIC.exe
Token: SeDebugPrivilege	816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	816	WMIC.exe
Token: SeRemoteShutdownPrivilege	816	WMIC.exe
Token: SeUndockPrivilege	816	WMIC.exe
Token: SeManageVolumePrivilege	816	WMIC.exe
Token: 33	816	WMIC.exe
Token: 34	816	WMIC.exe
Token: 35	816	WMIC.exe
Token: SeBackupPrivilege	2008	vssvc.exe
Token: SeRestorePrivilege	2008	vssvc.exe
Token: SeAuditPrivilege	2008	vssvc.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe
Token: SeSecurityPrivilege	816	WMIC.exe
Token: SeTakeOwnershipPrivilege	816	WMIC.exe
Token: SeLoadDriverPrivilege	816	WMIC.exe
Token: SeSystemProfilePrivilege	816	WMIC.exe
Token: SeSystemtimePrivilege	816	WMIC.exe
Token: SeProfSingleProcessPrivilege	816	WMIC.exe
Token: SeIncBasePriorityPrivilege	816	WMIC.exe
Token: SeCreatePagefilePrivilege	816	WMIC.exe
Token: SeBackupPrivilege	816	WMIC.exe
Token: SeRestorePrivilege	816	WMIC.exe
Token: SeShutdownPrivilege	816	WMIC.exe
Token: SeDebugPrivilege	816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	816	WMIC.exe
Token: SeRemoteShutdownPrivilege	816	WMIC.exe
Token: SeUndockPrivilege	816	WMIC.exe
Token: SeManageVolumePrivilege	816	WMIC.exe
Token: 33	816	WMIC.exe
Token: 34	816	WMIC.exe
Token: 35	816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

2016 NOTEPAD.EXE

pid	process
2016	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

70ca11d0dfb726a0c141e05253a1b42d.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 292 wrote to memory of 944	292	70ca11d0dfb726a0c141e05253a1b42d.exe	svchost.exe
PID 292 wrote to memory of 944	292	70ca11d0dfb726a0c141e05253a1b42d.exe	svchost.exe
PID 292 wrote to memory of 944	292	70ca11d0dfb726a0c141e05253a1b42d.exe	svchost.exe
PID 292 wrote to memory of 944	292	70ca11d0dfb726a0c141e05253a1b42d.exe	svchost.exe
PID 292 wrote to memory of 916	292	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 292 wrote to memory of 916	292	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 292 wrote to memory of 916	292	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 292 wrote to memory of 916	292	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 292 wrote to memory of 916	292	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 292 wrote to memory of 916	292	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 292 wrote to memory of 916	292	70ca11d0dfb726a0c141e05253a1b42d.exe	notepad.exe
PID 944 wrote to memory of 1316	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1316	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1316	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1316	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 396	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 396	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 396	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 396	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1156	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1156	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1156	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1156	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 304	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 304	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 304	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 304	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1332	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1332	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1332	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 1332	944	svchost.exe	cmd.exe
PID 1316 wrote to memory of 816	1316	cmd.exe	WMIC.exe
PID 1316 wrote to memory of 816	1316	cmd.exe	WMIC.exe
PID 1316 wrote to memory of 816	1316	cmd.exe	WMIC.exe
PID 1316 wrote to memory of 816	1316	cmd.exe	WMIC.exe
PID 944 wrote to memory of 2040	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 2040	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 2040	944	svchost.exe	cmd.exe
PID 944 wrote to memory of 2040	944	svchost.exe	cmd.exe
PID 1332 wrote to memory of 1104	1332	cmd.exe	vssadmin.exe
PID 1332 wrote to memory of 1104	1332	cmd.exe	vssadmin.exe
PID 1332 wrote to memory of 1104	1332	cmd.exe	vssadmin.exe
PID 1332 wrote to memory of 1104	1332	cmd.exe	vssadmin.exe
PID 944 wrote to memory of 1604	944	svchost.exe	svchost.exe
PID 944 wrote to memory of 1604	944	svchost.exe	svchost.exe
PID 944 wrote to memory of 1604	944	svchost.exe	svchost.exe
PID 944 wrote to memory of 1604	944	svchost.exe	svchost.exe
PID 2040 wrote to memory of 1600	2040	cmd.exe	WMIC.exe
PID 2040 wrote to memory of 1600	2040	cmd.exe	WMIC.exe
PID 2040 wrote to memory of 1600	2040	cmd.exe	WMIC.exe
PID 2040 wrote to memory of 1600	2040	cmd.exe	WMIC.exe
PID 2040 wrote to memory of 916	2040	cmd.exe	vssadmin.exe
PID 2040 wrote to memory of 916	2040	cmd.exe	vssadmin.exe
PID 2040 wrote to memory of 916	2040	cmd.exe	vssadmin.exe
PID 2040 wrote to memory of 916	2040	cmd.exe	vssadmin.exe
PID 944 wrote to memory of 1356	944	svchost.exe	notepad.exe
PID 944 wrote to memory of 1356	944	svchost.exe	notepad.exe
PID 944 wrote to memory of 1356	944	svchost.exe	notepad.exe
PID 944 wrote to memory of 1356	944	svchost.exe	notepad.exe
PID 944 wrote to memory of 1356	944	svchost.exe	notepad.exe
PID 944 wrote to memory of 1356	944	svchost.exe	notepad.exe
PID 944 wrote to memory of 1356	944	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\70ca11d0dfb726a0c141e05253a1b42d.exe
"C:\Users\Admin\AppData\Local\Temp\70ca11d0dfb726a0c141e05253a1b42d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:916

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1604

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1356

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8
1⤵
PID:916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
1⤵
- Suspicious use of FindShellTrayWindow
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
MD5
74666ddc6d7b727d60b336687b0c3899

SHA1
c233af825d0d1b6124fcb08b5b505c5836d40ad3

SHA256
8ced6c8567a83e4c4ceb1585dc062de079e484cc81cdabd9996a1c49e2899d9a

SHA512
3204ccb089a2e15039b3363b93764cf8d80a233f3977a41e22c5857279fd42dbd2c8c71abbca1a285f93a0882f5a8cb4dbc2b20c5c16c421ffb18a1eb624ba02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
de45a65ca84a9d847a105fcf5db17d4d

SHA1
7e9bf35371fa3ceb195e2b2ab9a55be036464e1f

SHA256
35f6afd87526003ea4433d30b8561609d3af244d4602acc30e8b491a30b51694

SHA512
f60e252ffabb64a1b5413e02cd46c10df3cfacadd4051ac50674f79c834cd5607bf49660d57665b18fd86e6b493411afe17668b2cbd131bfeeae954dd2da52d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
25702f32850469ed11d3cd68086b8e48

SHA1
170ace58972fae2bbc1f254631c95c1ccf7388ff

SHA256
42bf99c6490ec13de964fd7e4eaafc5df9f95a87b92f65e2cac8e18a79954411

SHA512
2d121b1442dd4b449c5bafb9bd295a0f15f02aba9030e4571e258420779431cd6dbec11c867284f8ae84f69a1c7b032110e9fab89ab75456f77b6d7aed74706b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
e92176b0889cc1bb97114beb2f3c1728

SHA1
ad1459d390ec23ab1c3da73ff2fbec7fa3a7f443

SHA256
58a4f38ba43f115ba3f465c311eaaf67f43d92e580f7f153de3ab605fc9900f3

SHA512
cd2267ba2f08d2f87538f5b4f8d3032638542ac3476863a35f0df491eb3a84458ce36c06e8c1bd84219f5297b6f386748e817945a406082fa8e77244ec229d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
1217ab0d20378cd200fbe07bedb5ee7b

SHA1
b10c62032206809cc18abab57a26bd1916005ce0

SHA256
d772cb57e040249255d60d6265daabaf009303399dde95f7e37093a4d0e7b613

SHA512
732d0f36070083b88f340ee9831672cdaaad55a2052b2833096264c81441da5b1c5e8b327ab2549d19fd50517aad95b0a98a6af5f2aeb218e1a97970bb2188bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
e04fb93b0662ef69865ca2fa74a7cfd8

SHA1
8aa28e6a547adbe7eccf512944bff2095dc9422b

SHA256
0dd91ef88c43c1aa5944f7e6b7c62bd66e076d1d9ec60e1348157478b58cb2c8

SHA512
aff7ee43a27557e65b3a5575c2f055d58a92bc7d308c613b753e4ae50ed583acfcddef04a549445948c3125b69f9da53feb1ff7be1885f014e9c6b6fe3b13771

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
b7874b90a005aee3226079f6e1c6d61e

SHA1
8bba02ea2e7b13cd902b045f39755fce3e0d8ed0

SHA256
7d3f5b5412726f9cd284cf78e8f12d2f6a56824debc9477702ff537914bd5a9b

SHA512
e05b9c347a61f35256362b37d0471fc22aa56468bdea8bfd5ef4b10e88b198939d2a2cc76554a5753f5fa68187e4052ef475c1c49e7f245ecc9b29c810eca7e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
dd8f04702048b027b70b5815732430fe

SHA1
ffd17f23db179f34561cd52a697e972b3662fef8

SHA256
2b7b0ed3e507790d4125fc85d9dea9df7afca17d2943a45087514c8efbcd1c63

SHA512
c67e1b9d051a5184012400f8663d1afb47eb4e0de634f065d387d2563060622fcd175a146fcef0b83d859baeb619b56083e5c04926f3e84227d83357ed842698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
0a3f9e34ff75294c03302af7f541c496

SHA1
a00f616d24be539db08bb373cf48b5110ccb391c

SHA256
0dbdcf047569dc328379f6eb5996149a945f617b1ceefac3d4d5e1ac1b46b765

SHA512
ace7e4f140102a40e6f042937d3b72645fd0846120ab5bed1bbda6ddfe406f8f5cbc4008ef50e9fadd7a81793d0ee8968fc152aa189832493aecf32e2c98fb05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\XLX8F3UF.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\ZKXBC84T.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
70ca11d0dfb726a0c141e05253a1b42d

SHA1
3b8ff05941e2acebf7fc071c70b18ea9da83326b

SHA256
0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

SHA512
dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
70ca11d0dfb726a0c141e05253a1b42d

SHA1
3b8ff05941e2acebf7fc071c70b18ea9da83326b

SHA256
0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

SHA512
dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
70ca11d0dfb726a0c141e05253a1b42d

SHA1
3b8ff05941e2acebf7fc071c70b18ea9da83326b

SHA256
0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

SHA512
dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Download Submit
C:\Users\Admin\Desktop\DisconnectGrant.mpg.15D-3C3-588
MD5
b889384388faa9a5e625bb9c3ea881e7

SHA1
6cd403e93425f6f2f44d293c2d99c8edf7b2ca74

SHA256
1d048153210022a9b5dcc6c055168f74033744f02883406a0338cbfe692f9c03

SHA512
b2451cf011efe74f1fce9bcfd584b3e6774556318b7b23f5f16105b27bea161220250e30aee49afb7af4edbfa114ec81ed2897f381fc7bc97b7fab9f2ca97c95

Download Submit
C:\Users\Admin\Desktop\ExitExport.ram.15D-3C3-588
MD5
2fcd335e65e4b918206b5305d29a0489

SHA1
0ed246becc4fc6402db5c7135f04c3f66fa4d710

SHA256
ea2d1b2827c2475278ac30bc18b531ae34ecd33a5306e97f38064eb1ccc32258

SHA512
077bc42adababe49fae31d2d16ff8c4ad3b5591c247394e23aed71c0eb7dea20c9137bb7c2d726ac6e9897505f493e7e90f078072c18774ac12e87acde16d2cc

Download Submit
C:\Users\Admin\Desktop\ExpandUpdate.ini.15D-3C3-588
MD5
e31544f8ff02b510d3dcf3ee617aaf7b

SHA1
3f9df628d43fc90c1003a32a227340bc4d46d559

SHA256
b4b00a5764df3c0d8a94abb51e88e649c8cf471e7c4215600f8e8296fe94cad8

SHA512
ba076e3edef583bfefe86b334a55009a34bb0262cc29e4dd20d9f3767fd310d43422c762f75370309fec420a872750d8c5f47bd61ac8e6a13225ee1e381322e2

Download Submit
C:\Users\Admin\Desktop\NewLock.mov.15D-3C3-588
MD5
d494f0ea11a5cb7f601769ededa72490

SHA1
1f671ea5da61e26b4fc2f9bb34eb3cf3c9008c64

SHA256
e0a09a4559da183daa61ccbd4679725ec262abf383196314090445a14f4e588a

SHA512
a95f89a29cd088d78d68cfae89f157dee92d98d0a06498c95574926436be22a47748c318762af06ff6fc06ddda6903661afedd086881c7afb84968f92bdf8705

Download Submit
C:\Users\Admin\Desktop\OpenRevoke.dib.15D-3C3-588
MD5
566c9d527151bd94e5ae3bf6a13f9d01

SHA1
26df574bdaa3a1d1627806f3f10d86427c432e23

SHA256
f1910b0fc80f2591c179b2aeb9a6546f7f79ee93eea5dca10cc9c2ed377b7969

SHA512
7fc5dacb27f9b4cf9e7e9d323e6a06b4b78f63e3c04998a84f584157ce048702114b47a5cd5eff1a884be55ebaaa271c9559f607437169509b571f58b7e748ae

Download Submit
C:\Users\Admin\Desktop\OpenTest.pdf.15D-3C3-588
MD5
391488b527a83d699da83a14b54b4e8b

SHA1
49d0af5412ce1e083adf92dade78886a826f9450

SHA256
9d60daa0c4637d420d68f99352f4f033578bf2030a6d6934209a54ca38341ff8

SHA512
fe220b705a66fc0ec7671e8931025f663bfc765d842080924e7912b3201ce153eeaa41c90677bd2ddafad30d9837a3a09916598945dbf8a15702e5d2b76d94ce

Download Submit
C:\Users\Admin\Desktop\ReceiveComplete.vdw.15D-3C3-588
MD5
338826c7350c0b60d92096333749579b

SHA1
77d8627ef9846aeb4865eeba61e912616e55d70a

SHA256
7e696fb352d31f669589eadca6971571a3ba2b34ded34182145c068250302619

SHA512
07425fdfe49aa13b33d1b1a86daff922d8f78bbc925b9716ef45d5fddf3ad317100d9d5fb0ae894cd9ec997d79b291e5c72a8f8be2a5baf8cb672ce87c816d7c

Download Submit
C:\Users\Admin\Desktop\ReceiveConvertFrom.reg.15D-3C3-588
MD5
108bcec636a6bc7d83ad5adb7e288db6

SHA1
15ce927d30b7e784bc2b37ee55f1851c81c233bd

SHA256
23e87cc957aabe368519f05bb891487414edc73ccc96fd6b91b36fc4a0a11df2

SHA512
3a24cfd95d80b9124e8e3eefa062929c3604bba543ad4dbc8a07ff33a92b36b825d2096770b4e0748221bd5b30b4874b6d3eb53e7d5496a6f1d22bf8f14fece9

Download Submit
C:\Users\Admin\Desktop\RegisterGrant.cab.15D-3C3-588
MD5
15498ea78425ec8555fa170ffbed2f80

SHA1
0ba941dc86d50bd6c88f82de283d23b5a8f17aae

SHA256
8d88f09883ff6e6b6d51c73717b215b6796e7ff2487fc9c709685ce3cd4760ea

SHA512
4efe89e12c90898375682b46ba91d953114fa3c4aee207f5f76187ce7022ef0189e2becf4e99f073c405626b01e91e0afe9a5770d96ed9f6db54e0226dfb72f4

Download Submit
C:\Users\Admin\Desktop\RemoveRequest.potm.15D-3C3-588
MD5
510b5198a420fdc29dc16af84ec21ae3

SHA1
7b9d507e025e50b32628a85a8e3ca42fa099ffde

SHA256
1b538fc0ca682131995f6238312d3a72586a02927daf71aec6f5661a7d504229

SHA512
c644c38caf9ed6f9ee8c2aa0742745c11489367f8d353f969ee750840711bbf97160e9b1060dc6682245fba568d1a5ac20c7db2df2a4c33de6be878a0c1700fb

Download Submit
C:\Users\Admin\Desktop\RequestSkip.htm.15D-3C3-588
MD5
6f18151ec07bfcd390a592433f288442

SHA1
8ad01e35d345bb1b7d9cef434827782f01a05512

SHA256
0e4bc0eb42ea81557270a59c31b103eba7e2a54c01289377bb3f1f9c33de9891

SHA512
541fea55567b1e7458695479bb3eda3ed170af765a0f0a2c4aa9f9415da9acc6ec4924ff1e2d9c37dc6dab269e528242bfbf74b9b83ff834d64a7ad753915d84

Download Submit
C:\Users\Admin\Desktop\ResetUnpublish.vssm.15D-3C3-588
MD5
7cb04e6da8a9cce3c043cb9b219bdd6c

SHA1
2adae56966a537286ac6ede57b2f6d13c5e2c04b

SHA256
ac71c92d7b8201087b39f31e37feb1bf020456b2c801cac422a4c8022acff390

SHA512
2584cd77d87118772fa4b0b06e24f17f082e343aa6f3fb761877ac57d21a65aee9712d87b1fb4916c6c3c8f8c5d263eb398e57585070ac7747af93cfa08650ef

Download Submit
C:\Users\Admin\Desktop\RestartGrant.xls.15D-3C3-588
MD5
143aa0b06a52c8886e025d2a90ecd44a

SHA1
b9dc2374acc293e100f798173b16b526510927de

SHA256
8abab1a9cd61759c739f982d26612264c79ce74bb9e4e2003949ffdd5cf0ebc6

SHA512
5249c725bc8c278bb4bb4116c2f6631e81e18f72d19dc7efaae9ac169e1706c08c5c8e98f09c21a7f7a9fefd5ace4433fb0d741332507092ffda465e125a1339

Download Submit
C:\Users\Admin\Desktop\ResumeInstall.m4a.15D-3C3-588
MD5
4e71e7187a1b3994c0b57605a12308cc

SHA1
3176565ea177221e72be70b6eef9377a9115ebff

SHA256
8759ebb1fbcdfe8e2d41823f1a46c6360ef644bfe5e9e36a6ad7c083007f82a8

SHA512
47a1a212149ff0816d423387d5d9d822aef0942a23ed87acc2744dbcf041faa743ab8150d0f83d0ca3197e90394ff3fe248e4fdf15d0fd2cf95c256a0f9997ca

Download Submit
C:\Users\Admin\Desktop\SaveMove.3gpp.15D-3C3-588
MD5
2bed8d2da6afaf115e27bd50dba8a2d3

SHA1
824d575d6af6f9e36fad8d0254b1d73da79d2a6d

SHA256
ee1fc2fa9192e0fe649b87bfdf2946617136f2b334f06870605e1c2ef30f7acd

SHA512
360ee4de27a1d64d93109216901c4119fc2f13d6f030df4de2ce25975b4b8a755c1d4864b4cbdd934c721571ea33f6f0abb15af2e68ba4bd480dbe0468285173

Download Submit
C:\Users\Admin\Desktop\SendStep.mht.15D-3C3-588
MD5
6da198deca2240e30e2a44f9d65da140

SHA1
d62514368ca62444e289c3bd7b8092c7df22595f

SHA256
666d6cdb36b0921f0702126bb8e4be5f3eb6fd441917b0a38f2d84257737a634

SHA512
d3ccfa21cb5456feef11dcdc3218625a6a2fdcc7a4ef732130cf0b623782e9c7b7ef256541bcd541c674a2a2408773b7ae3a024f280aa893dbeae5a22930cb4c

Download Submit
C:\Users\Admin\Desktop\StartClose.mp2v.15D-3C3-588
MD5
309a78c13926db33278294feb4491399

SHA1
44f944ba125a211bb366ba2161eb1c795d4d5160

SHA256
c1171342846dbdb2ee893da9c5caf8020bb2bea4630a38b87f33ef8954f5c6fc

SHA512
e8e6e946f5e2dd2a826448135216b0c0d6bf97cbad59c9d40a755ae5f03594cfc5cd1f7e9599ee842504e346c85e6b197cf14e56c9d7dee6658bab56e26e71bc

Download Submit
C:\Users\Admin\Desktop\StopLimit.doc.15D-3C3-588
MD5
c3940be576c74b3b432a59c2102f3e08

SHA1
2c054f64c07e8224d6436f69ddfb89de3fecb0d4

SHA256
29a06ae2f9a1a5d30dd9b7ff3ffc0bde64e6afdb9feac4537d0facd4d92b907c

SHA512
e3f5b964763b0f7885c3aa326fa84a7f20d822e2dea83e0c9d20e2658700e572afdde8c2d49af3f6797b590c90eff9bae7a0e2486f71c206cf07e29deb66bd63

Download Submit
C:\Users\Admin\Desktop\UninstallSet.vsdx.15D-3C3-588
MD5
11b43b1828414b07d59a6efba8782224

SHA1
7fa1053a249930fe0eb555e5e48a489d87e4044a

SHA256
fb22f2241daba189aa8810ae3b500fc9da11f9c2a4056f1723d5280074f5d8a9

SHA512
c0e98e3662a342fc20629c3968fa1f9c6ae30112002a4f81c0c24a04a41caad485fa16da3ae6cbfda6703939af94e1b880db03e02c5c98f77142eb595cb16228

Download Submit
C:\Users\Admin\Desktop\UnlockRevoke.asf.15D-3C3-588
MD5
4d97beec3684db1c30e26e5804ee624f

SHA1
37e037d30405080e882c24539ff6b4e7fe2f042f

SHA256
eefacb2b19dfaa6509382c58e3d9ada9a4c7b82ea1e74914f47b30a3276b1f4e

SHA512
76ef55ef0b9a9d7927cd556510bca5cb664d8f02970f60e501139735b1b01c27179d333a26898dc1873a1700a4d1498fdc219bf80b3c00d4a8294ff7a61abefb

Download Submit
C:\Users\Admin\Desktop\UsePush.3g2.15D-3C3-588
MD5
5319a9861435257b8e37bffe03747643

SHA1
3f9b74e24418e17de01c5358ff1b73c0ef720f83

SHA256
98f37fefc0eea456bdc500ad10c503d623b183ef24d4a109b40bd024386c1512

SHA512
9a236fed8f8e4a31a47fc1775c06b109e91c2c5b47ccf8922128bd7ff2eb1c2c0eb12b505a737226c23d0abe9b6893e9ca95e5255ed73212399606f09bea4e20

Download Submit
C:\Users\Admin\Desktop\UseResize.m4v.15D-3C3-588
MD5
ecb61e3b4bd868e985bc10a23b86d705

SHA1
a33e326f3091290fd4ea22747bce4b055f1d6650

SHA256
8cb918ff7b58c92d4b1e671cfb140868c5f6210f783fc16f04efe260c19cbaa9

SHA512
2eec1a852a908415000e89e40d6601a1d9c8d02a5b550236e5c8b622cbf42c1663ff50ad932afe3c7c35ca074a352911370c33ebd70c3dd5209c33dde71e167f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
70ca11d0dfb726a0c141e05253a1b42d

SHA1
3b8ff05941e2acebf7fc071c70b18ea9da83326b

SHA256
0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

SHA512
dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
70ca11d0dfb726a0c141e05253a1b42d

SHA1
3b8ff05941e2acebf7fc071c70b18ea9da83326b

SHA256
0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6

SHA512
dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478

Download Submit
memory/292-2-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download
memory/304-26-0x0000000000000000-mapping.dmp

Download
memory/396-24-0x0000000000000000-mapping.dmp

Download
memory/816-28-0x0000000000000000-mapping.dmp

Download
memory/916-9-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/916-37-0x0000000000000000-mapping.dmp

Download
memory/916-10-0x0000000000000000-mapping.dmp

Download
memory/944-6-0x0000000000000000-mapping.dmp

Download
memory/1104-30-0x0000000000000000-mapping.dmp

Download
memory/1156-25-0x0000000000000000-mapping.dmp

Download
memory/1316-23-0x0000000000000000-mapping.dmp

Download
memory/1332-27-0x0000000000000000-mapping.dmp

Download
memory/1356-64-0x0000000000000000-mapping.dmp

Download
memory/1436-3-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmp

Filesize
2.5MB

Download
memory/1584-38-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1600-36-0x0000000000000000-mapping.dmp

Download
memory/1604-32-0x0000000000000000-mapping.dmp

Download
memory/2040-29-0x0000000000000000-mapping.dmp

Download