buran | d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Size

271KB
MD5

f8ca42285e4979fc25e1e358aaaf3ee3
SHA1

83bb7336deceeb094574714c1043ce9d3d420ee8
SHA256

d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA512

00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: threesixnine@ctemplar.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: threesixnine@ctemplar.com Your personal ID: 82E-43B-05A Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

threesixnine@ctemplar.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

smss.exesmss.exe

pid process

968 smss.exe
1304 smss.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1500 notepad.exe

pid	process
968	smss.exe
1304	smss.exe

pid	process
1500	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe

pid	process
544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\F:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 geoiptool.com

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01148_.WMF.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left.gif	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35B.GIF.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196060.WMF	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME02.CSS	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239965.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.82E-43B-05A	smss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Inuvik	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos	smss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00640_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.REST.IDX_DLL	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18244_.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME26.CSS.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4F.GIF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105396.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00728_.WMF.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02424_.WMF	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF.82E-43B-05A	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01361_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

916 vssadmin.exe
744 vssadmin.exe

pid	process
916	vssadmin.exe
744	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

smss.exed76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Token: SeDebugPrivilege	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1844	WMIC.exe
Token: SeSecurityPrivilege	1844	WMIC.exe
Token: SeTakeOwnershipPrivilege	1844	WMIC.exe
Token: SeLoadDriverPrivilege	1844	WMIC.exe
Token: SeSystemProfilePrivilege	1844	WMIC.exe
Token: SeSystemtimePrivilege	1844	WMIC.exe
Token: SeProfSingleProcessPrivilege	1844	WMIC.exe
Token: SeIncBasePriorityPrivilege	1844	WMIC.exe
Token: SeCreatePagefilePrivilege	1844	WMIC.exe
Token: SeBackupPrivilege	1844	WMIC.exe
Token: SeRestorePrivilege	1844	WMIC.exe
Token: SeShutdownPrivilege	1844	WMIC.exe
Token: SeDebugPrivilege	1844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1844	WMIC.exe
Token: SeRemoteShutdownPrivilege	1844	WMIC.exe
Token: SeUndockPrivilege	1844	WMIC.exe
Token: SeManageVolumePrivilege	1844	WMIC.exe
Token: 33	1844	WMIC.exe
Token: 34	1844	WMIC.exe
Token: 35	1844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1844	WMIC.exe
Token: SeSecurityPrivilege	1844	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exesmss.execmd.execmd.execmd.exe

description	pid	process	target process
PID 544 wrote to memory of 968	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	smss.exe
PID 544 wrote to memory of 968	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	smss.exe
PID 544 wrote to memory of 968	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	smss.exe
PID 544 wrote to memory of 968	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	smss.exe
PID 544 wrote to memory of 1500	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	notepad.exe
PID 544 wrote to memory of 1500	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	notepad.exe
PID 544 wrote to memory of 1500	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	notepad.exe
PID 544 wrote to memory of 1500	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	notepad.exe
PID 544 wrote to memory of 1500	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	notepad.exe
PID 544 wrote to memory of 1500	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	notepad.exe
PID 544 wrote to memory of 1500	544	d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe	notepad.exe
PID 968 wrote to memory of 1684	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1684	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1684	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1684	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1816	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1816	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1816	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1816	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1748	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1748	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1748	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1748	968	smss.exe	cmd.exe
PID 968 wrote to memory of 600	968	smss.exe	cmd.exe
PID 968 wrote to memory of 600	968	smss.exe	cmd.exe
PID 968 wrote to memory of 600	968	smss.exe	cmd.exe
PID 968 wrote to memory of 600	968	smss.exe	cmd.exe
PID 968 wrote to memory of 940	968	smss.exe	cmd.exe
PID 968 wrote to memory of 940	968	smss.exe	cmd.exe
PID 968 wrote to memory of 940	968	smss.exe	cmd.exe
PID 968 wrote to memory of 940	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1460	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1460	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1460	968	smss.exe	cmd.exe
PID 968 wrote to memory of 1460	968	smss.exe	cmd.exe
PID 1684 wrote to memory of 1592	1684	cmd.exe	WMIC.exe
PID 1684 wrote to memory of 1592	1684	cmd.exe	WMIC.exe
PID 1684 wrote to memory of 1592	1684	cmd.exe	WMIC.exe
PID 1684 wrote to memory of 1592	1684	cmd.exe	WMIC.exe
PID 968 wrote to memory of 1304	968	smss.exe	smss.exe
PID 968 wrote to memory of 1304	968	smss.exe	smss.exe
PID 968 wrote to memory of 1304	968	smss.exe	smss.exe
PID 968 wrote to memory of 1304	968	smss.exe	smss.exe
PID 940 wrote to memory of 916	940	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 916	940	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 916	940	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 916	940	cmd.exe	vssadmin.exe
PID 1460 wrote to memory of 1844	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1844	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1844	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1844	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 744	1460	cmd.exe	vssadmin.exe
PID 1460 wrote to memory of 744	1460	cmd.exe	vssadmin.exe
PID 1460 wrote to memory of 744	1460	cmd.exe	vssadmin.exe
PID 1460 wrote to memory of 744	1460	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
"C:\Users\Admin\AppData\Local\Temp\d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:744

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1748

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
d8b0ff3ef0cac177c2f16157834442b1

SHA1
83504ee29a466c5b6412b7e72c131cd8f975d536

SHA256
667366e5abac32446a226d1cfaef36ebd721bf00334e26b984b477f5c146789c

SHA512
5dafefa8e8677369dca0241512b8b6667f14595770b2f2f1ea7b7ee1717b70f42079c85b1edcea4a45f6fd4896b7a0040264d9b1f63188aba2dd0e5bc25a7eea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
c105de5d82dc4fa359f03f82cb0bf797

SHA1
78ec4e7c84b5b941c6ef4814d7eab379d2a7a12b

SHA256
ada540f3499dc0ec44782e7b52f064fc3ae96159a98d34f130deed0fa1dc8ccc

SHA512
c9251ad48cda6ea6b455f99e162040cecdc934eb73f0bda14ad8c32b0458119f0f90f509da942207d87618933dbe3555cfc414d116f7be9d8eb54b259d583e07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
e92176b0889cc1bb97114beb2f3c1728

SHA1
ad1459d390ec23ab1c3da73ff2fbec7fa3a7f443

SHA256
58a4f38ba43f115ba3f465c311eaaf67f43d92e580f7f153de3ab605fc9900f3

SHA512
cd2267ba2f08d2f87538f5b4f8d3032638542ac3476863a35f0df491eb3a84458ce36c06e8c1bd84219f5297b6f386748e817945a406082fa8e77244ec229d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c8f5dcc04731e23047a7e0609731c468

SHA1
5f4b7ec761c1d2f3a24417c06e20619216a9678e

SHA256
de35f9bd437d0839a51b5c3cb5c4e2d6c6f586e703b99bfe63e60bea054b0a97

SHA512
2ca4ab3cd0937f82d6e2eecbd9a21c4fc1a73ec1f19dcc8b635ad96b0cbf25383b3e2a552b9f20b59ef671af6c20f21bfcca99b48733f6bd3a9ebf140ac22caa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
a9bc6e2ca20ae5ea99d0575653497770

SHA1
b0c94bd1c061824afafc8cc126c6147790a34853

SHA256
d24361630c7a14af147aee884d9f56f8b28a3936eac84f96065f8fda00ffed15

SHA512
83c3c8e1fce70dd9b477e36e107459ac01daa31e460b5aa092748b0528b6e1e35023ffaead4b9ac27905d056b2750966d2c05ead4a9a3ec52e1e90a4a8ff6dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
c1ec00a6144fa3c6ac2b6b6cc28cd44e

SHA1
b3b8663767dbeb03114c4ad28689451f2dc7d834

SHA256
b1a2f7b261f2646417b55193c691915e296f19a1c8f0e571168b21183133a243

SHA512
3deb0c5d1700d638b95101c8e9f2cfae70b2d59e7dde2621c50035e0ed6f0ad525e112c0be2b92bb2825a0390d96c3665cafcdc05ca2e561a31814bb56327f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
f6f83cd3e7be9adc584c57b9d3a350a1

SHA1
7af9b75a531ed1903a34943f275c797e4fde6ce3

SHA256
2debfb5aac9299c4c1702fd73604cff2231ac3a8dd512681ceab59da89294ec4

SHA512
f66ad747d9f2b257066ebea75d3cf023ee5d61bab2ef1970f6967290caf53d98fe79421f860d292d70f8c04c2438524d9524187c88a4489e99e0a551898fda59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e504925e5ba810682cfea154499eec62

SHA1
f3f15f8f07ca781d718c88f7088b76e22063e30c

SHA256
29b91af48883fc17814405b93e99e461238b8620070c5b73d464d086ec1d7734

SHA512
36910237990a284caff9486943cb5c77abb93f75a74093822502c2156c317a95fccadb0d2f989c345e1cb9e1cbe2cca30f4c8b4e1ce937451b5d11a85e96692c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\QMFEPFPV.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\5DZGALCF.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
f8ca42285e4979fc25e1e358aaaf3ee3

SHA1
83bb7336deceeb094574714c1043ce9d3d420ee8

SHA256
d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1

SHA512
00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
f8ca42285e4979fc25e1e358aaaf3ee3

SHA1
83bb7336deceeb094574714c1043ce9d3d420ee8

SHA256
d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1

SHA512
00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
f8ca42285e4979fc25e1e358aaaf3ee3

SHA1
83bb7336deceeb094574714c1043ce9d3d420ee8

SHA256
d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1

SHA512
00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
f8ca42285e4979fc25e1e358aaaf3ee3

SHA1
83bb7336deceeb094574714c1043ce9d3d420ee8

SHA256
d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1

SHA512
00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
f8ca42285e4979fc25e1e358aaaf3ee3

SHA1
83bb7336deceeb094574714c1043ce9d3d420ee8

SHA256
d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1

SHA512
00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54

Download Submit
memory/544-2-0x00000000008E0000-0x00000000008F1000-memory.dmp

Filesize
68KB

Download
memory/544-3-0x0000000076881000-0x0000000076883000-memory.dmp

Filesize
8KB

Download
memory/544-4-0x00000000003C0000-0x00000000003F7000-memory.dmp

Filesize
220KB

Download
memory/544-5-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/600-33-0x0000000000000000-mapping.dmp

Download
memory/744-43-0x0000000000000000-mapping.dmp

Download
memory/916-41-0x0000000000000000-mapping.dmp

Download
memory/940-34-0x0000000000000000-mapping.dmp

Download
memory/968-16-0x0000000000B40000-0x0000000000B51000-memory.dmp

Filesize
68KB

Download
memory/968-21-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/968-9-0x0000000000000000-mapping.dmp

Download
memory/1304-44-0x0000000000B80000-0x0000000000B91000-memory.dmp

Filesize
68KB

Download
memory/1304-38-0x0000000000000000-mapping.dmp

Download
memory/1460-35-0x0000000000000000-mapping.dmp

Download
memory/1480-6-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp

Filesize
2.5MB

Download
memory/1500-12-0x0000000000000000-mapping.dmp

Download
memory/1500-11-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1592-36-0x0000000000000000-mapping.dmp

Download
memory/1684-30-0x0000000000000000-mapping.dmp

Download
memory/1748-32-0x0000000000000000-mapping.dmp

Download
memory/1816-31-0x0000000000000000-mapping.dmp

Download
memory/1844-42-0x0000000000000000-mapping.dmp

Download