buran | 48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286

Analysis

max time kernel
153s
max time network
159s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe
Size

140KB
MD5

c9facdcf31e12cfacabdd7a50bc8e4c8
SHA1

eb85d2228cab428c24ef6ccf615e998c29aa7650
SHA256

48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286
SHA512

d03166813301e05e88dc8b7a0604ea59f243d551b2d8b034075d1de4c79f3b8b2009ad96e7bd301a6e9d75bdea9036d1c4a74ace43e2e5ca549119c50c023c29

Score

10^/10

buran redline smokeloader backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 83E-C4A-B39 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

redline

95.217.117.91:21361

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1216-151-0x0000000003B70000-0x0000000003B8F000-memory.dmp	family_redline
behavioral1/memory/1216-154-0x0000000003D60000-0x0000000003D7E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 5 IoCs

Processes:

83E.exe8FB.exeDED.exelsass.exelsass.exe

pid	Process
1216	83E.exe
3908	8FB.exe
2164	DED.exe
4024	lsass.exe
2844	lsass.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DED.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DED.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DED.exe

Deletes itself 1 IoCs

Processes:

pid	Process
2536

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x0004000000015534-125.dat	themida
behavioral1/files/0x0004000000015534-127.dat	themida
behavioral1/memory/2164-180-0x0000000001100000-0x0000000001101000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8FB.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	8FB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	8FB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DED.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DED.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	Process
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

DED.exe

pid	Process
2164	DED.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe

description	pid	Process	procid_target
PID 740 set thread context of 3300	740	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe	77

Drops file in Program Files directory 64 IoCs

Processes:

lsass.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6100_32x32x32.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_UK-UA.respack	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle.cur.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\XMLOffKeys\Keys_OffVer16.xml	lsass.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-32.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-72_altform-unplated.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\PartyChat.winmd	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\OneConnectSplashScreen.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-30.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-125_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.INF.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml.payfast.83E-C4A-B39	lsass.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_neutral_~_8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\ui-strings.js.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\NETWORK.INF.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_DogNose.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-200.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.payfast.83E-C4A-B39	lsass.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-unplated.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Music.UI.exe	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxBlockMap.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.payfast.83E-C4A-B39	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\FullScreen\FullScreen-press.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gl_60x42.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js.payfast.83E-C4A-B39	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
3956	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

8FB.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	8FB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	8FB.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe

pid	Process
3300	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe
3300	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2536

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe

pid	Process
3300	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DED.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeDebugPrivilege	2164	DED.exe
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeIncreaseQuotaPrivilege	3872	WMIC.exe
Token: SeSecurityPrivilege	3872	WMIC.exe
Token: SeTakeOwnershipPrivilege	3872	WMIC.exe
Token: SeLoadDriverPrivilege	3872	WMIC.exe
Token: SeSystemProfilePrivilege	3872	WMIC.exe
Token: SeSystemtimePrivilege	3872	WMIC.exe
Token: SeProfSingleProcessPrivilege	3872	WMIC.exe
Token: SeIncBasePriorityPrivilege	3872	WMIC.exe
Token: SeCreatePagefilePrivilege	3872	WMIC.exe
Token: SeBackupPrivilege	3872	WMIC.exe
Token: SeRestorePrivilege	3872	WMIC.exe
Token: SeShutdownPrivilege	3872	WMIC.exe
Token: SeDebugPrivilege	3872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3872	WMIC.exe
Token: SeRemoteShutdownPrivilege	3872	WMIC.exe
Token: SeUndockPrivilege	3872	WMIC.exe
Token: SeManageVolumePrivilege	3872	WMIC.exe
Token: 33	3872	WMIC.exe
Token: 34	3872	WMIC.exe
Token: 35	3872	WMIC.exe
Token: 36	3872	WMIC.exe
Token: SeBackupPrivilege	1124	vssvc.exe
Token: SeRestorePrivilege	1124	vssvc.exe
Token: SeAuditPrivilege	1124	vssvc.exe
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeIncreaseQuotaPrivilege	3872	WMIC.exe
Token: SeSecurityPrivilege	3872	WMIC.exe
Token: SeTakeOwnershipPrivilege	3872	WMIC.exe
Token: SeLoadDriverPrivilege	3872	WMIC.exe
Token: SeSystemProfilePrivilege	3872	WMIC.exe
Token: SeSystemtimePrivilege	3872	WMIC.exe
Token: SeProfSingleProcessPrivilege	3872	WMIC.exe
Token: SeIncBasePriorityPrivilege	3872	WMIC.exe
Token: SeCreatePagefilePrivilege	3872	WMIC.exe
Token: SeBackupPrivilege	3872	WMIC.exe
Token: SeRestorePrivilege	3872	WMIC.exe
Token: SeShutdownPrivilege	3872	WMIC.exe
Token: SeDebugPrivilege	3872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3872	WMIC.exe
Token: SeRemoteShutdownPrivilege	3872	WMIC.exe
Token: SeUndockPrivilege	3872	WMIC.exe
Token: SeManageVolumePrivilege	3872	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2536

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe8FB.exelsass.exe

description	pid	Process	procid_target
PID 740 wrote to memory of 3300	740	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe	77
PID 740 wrote to memory of 3300	740	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe	77
PID 740 wrote to memory of 3300	740	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe	77
PID 740 wrote to memory of 3300	740	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe	77
PID 740 wrote to memory of 3300	740	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe	77
PID 740 wrote to memory of 3300	740	48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe	77
PID 2536 wrote to memory of 1216	2536		79
PID 2536 wrote to memory of 1216	2536		79
PID 2536 wrote to memory of 1216	2536		79
PID 2536 wrote to memory of 3908	2536		81
PID 2536 wrote to memory of 3908	2536		81
PID 2536 wrote to memory of 3908	2536		81
PID 2536 wrote to memory of 2164	2536		82
PID 2536 wrote to memory of 2164	2536		82
PID 2536 wrote to memory of 2164	2536		82
PID 2536 wrote to memory of 1104	2536		84
PID 2536 wrote to memory of 1104	2536		84
PID 2536 wrote to memory of 1104	2536		84
PID 2536 wrote to memory of 1104	2536		84
PID 2536 wrote to memory of 3692	2536		85
PID 2536 wrote to memory of 3692	2536		85
PID 2536 wrote to memory of 3692	2536		85
PID 2536 wrote to memory of 3836	2536		86
PID 2536 wrote to memory of 3836	2536		86
PID 2536 wrote to memory of 3836	2536		86
PID 2536 wrote to memory of 3836	2536		86
PID 2536 wrote to memory of 3180	2536		87
PID 2536 wrote to memory of 3180	2536		87
PID 2536 wrote to memory of 3180	2536		87
PID 2536 wrote to memory of 3880	2536		88
PID 2536 wrote to memory of 3880	2536		88
PID 2536 wrote to memory of 3880	2536		88
PID 2536 wrote to memory of 3880	2536		88
PID 2536 wrote to memory of 3960	2536		89
PID 2536 wrote to memory of 3960	2536		89
PID 2536 wrote to memory of 3960	2536		89
PID 3908 wrote to memory of 4024	3908	8FB.exe	90
PID 3908 wrote to memory of 4024	3908	8FB.exe	90
PID 3908 wrote to memory of 4024	3908	8FB.exe	90
PID 2536 wrote to memory of 1300	2536		91
PID 2536 wrote to memory of 1300	2536		91
PID 2536 wrote to memory of 1300	2536		91
PID 2536 wrote to memory of 1300	2536		91
PID 2536 wrote to memory of 1796	2536		92
PID 2536 wrote to memory of 1796	2536		92
PID 2536 wrote to memory of 1796	2536		92
PID 2536 wrote to memory of 1548	2536		93
PID 2536 wrote to memory of 1548	2536		93
PID 2536 wrote to memory of 1548	2536		93
PID 2536 wrote to memory of 1548	2536		93
PID 4024 wrote to memory of 3744	4024	lsass.exe	94
PID 4024 wrote to memory of 3744	4024	lsass.exe	94
PID 4024 wrote to memory of 3744	4024	lsass.exe	94
PID 4024 wrote to memory of 580	4024	lsass.exe	95
PID 4024 wrote to memory of 580	4024	lsass.exe	95
PID 4024 wrote to memory of 580	4024	lsass.exe	95
PID 4024 wrote to memory of 2532	4024	lsass.exe	104
PID 4024 wrote to memory of 2532	4024	lsass.exe	104
PID 4024 wrote to memory of 2532	4024	lsass.exe	104
PID 4024 wrote to memory of 3888	4024	lsass.exe	97
PID 4024 wrote to memory of 3888	4024	lsass.exe	97
PID 4024 wrote to memory of 3888	4024	lsass.exe	97
PID 4024 wrote to memory of 1540	4024	lsass.exe	98
PID 4024 wrote to memory of 1540	4024	lsass.exe	98

C:\Users\Admin\AppData\Local\Temp\48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe
"C:\Users\Admin\AppData\Local\Temp\48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe
  "C:\Users\Admin\AppData\Local\Temp\48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3300

C:\Users\Admin\AppData\Local\Temp\83E.exe
C:\Users\Admin\AppData\Local\Temp\83E.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Users\Admin\AppData\Local\Temp\8FB.exe
C:\Users\Admin\AppData\Local\Temp\8FB.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3956
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2532

C:\Users\Admin\AppData\Local\Temp\DED.exe
C:\Users\Admin\AppData\Local\Temp\DED.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1104

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3836

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3180

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3880

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1300

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5703edef7cb0f99305a6b18845e0443e

SHA1
fb6f022ebde210306e1a6575462d6451e98af454

SHA256
e4ce02059eb175c30879041d610db7b8798cdf57a4c67afc83c125c2db36e883

SHA512
4631853bda1498ff3cace6a348fd2d6770edd0fec166707c3afebff09644f34e29a7a6dd3e9cb167c40e8b5fa1fbbc80ba26d80b4d939daf56278c276b07ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
888f7457c332ac5e1897316e159f58c1

SHA1
a3047c6e978158dfae29b5735e8131ec1b30703d

SHA256
c2c14652875bfeb1ed529202da6d45eb974acab193c005908cf90b8c5cf3dd41

SHA512
0abdc5f78ade2f56b0f1954adc0479b5dcc88d401bfac95754e7dd80adefe7375a426fd89f81b657ebe9c113092524dcbd1e80c39a4bec51ccd93bc0bc3a5aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
939460925953ce88e1086341b8a11bda

SHA1
06249b891050a9fac128ccfee943aeb5bede1c7b

SHA256
d4da3c5ff04a3b677eb77b1bfedc14e29ebd0d01c476d44a0b1a2366447ab016

SHA512
a8dc3eb58a4a550cc2551463a3d813396caf3f2b65f5b13c8e339a4a32652895ee15c23eb5ba833eca4e7c22331a622657cf5bd64098f0c54e43b4e92fe65f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
f68deee7f4563777db6716cbafaaa1c9

SHA1
fe831dfff5910e16eaa0c4dd186e38a75e94635b

SHA256
eb9ee58f723fdd77a413269bf2d0b268aa18476d3ac26a13d934f2298087c68f

SHA512
2b042e1bca90dd33848424a68343ab6dc498e0f30215fb6a81852a6f29722d49204e088f8220c86490defef5f15d8e36e7bac94785cb003f9cbc0e8e8b0795c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
b499c334a45544c71f82bae205519a39

SHA1
b8b11c0fc712f18611ed477ccbc5d3768dd4d68a

SHA256
ceb07d803dadfc50cce4861570bd3966b0bf0935e6f21a9e2ae18a6f416b8a97

SHA512
dcd435036ff33653aa002c4a4a0692cc663a30b5b4e8170610573f722fa17ddd9281da455f8b13140a0b66ab1abdfdb5c327a0c83ea1a9a6c90a20fc0075bfe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
d1cae9e4b78de40ef8cd32ab87b40684

SHA1
812735eca784f38ecae57dac4d65f42f20315000

SHA256
8ecfcda581332a45f3fabe6fa83cbf576991f78407b58ac41e1f07cb3feb6451

SHA512
ac0733e84550c01ddd033f443e7329d9503c32b0df05f4b8e8c60d49fa546f7458b5476b910e2aa140ae7f1855b299c2e51c081109978e903b434ee6c68d1a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\XFH4EEJ2.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\83E.exe

MD5
90a4117c429afee1aeebc7588c4d3ea5

SHA1
25a2cfd6c0b66c3b5b2b3125d771824bdafe3138

SHA256
883486f3967d164f35a1760ae98fd10b7023c31afcf7388b82e11132816db603

SHA512
ed4f02aaa0b8035bb9ec068b33f5e6e24a66a98649a00f748f37ca9e13d283c6641c7cb7f20dde009b14841bd4eaedd3c1caef261bfe31cf5ce4dad63b11d933

Download Submit
C:\Users\Admin\AppData\Local\Temp\83E.exe

MD5
90a4117c429afee1aeebc7588c4d3ea5

SHA1
25a2cfd6c0b66c3b5b2b3125d771824bdafe3138

SHA256
883486f3967d164f35a1760ae98fd10b7023c31afcf7388b82e11132816db603

SHA512
ed4f02aaa0b8035bb9ec068b33f5e6e24a66a98649a00f748f37ca9e13d283c6641c7cb7f20dde009b14841bd4eaedd3c1caef261bfe31cf5ce4dad63b11d933

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FB.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FB.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DED.exe

MD5
146018469ce8690f4da893e0269a1ae7

SHA1
94ec664dff33827c42cce634dea676b56e4cfb89

SHA256
01c0aadd0d9b47985b070d6ab49bc0e7977c632a3c5843efe249a6586f951e09

SHA512
8a03bd9719f39f6f99a1f522783cda64680609602c8571dd664c10d73f6336a09ddc3d3d242a1b6f7183f21766b6529a2ea2dd7d6ff54eab07dbe418dfc0c0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DED.exe

MD5
146018469ce8690f4da893e0269a1ae7

SHA1
94ec664dff33827c42cce634dea676b56e4cfb89

SHA256
01c0aadd0d9b47985b070d6ab49bc0e7977c632a3c5843efe249a6586f951e09

SHA512
8a03bd9719f39f6f99a1f522783cda64680609602c8571dd664c10d73f6336a09ddc3d3d242a1b6f7183f21766b6529a2ea2dd7d6ff54eab07dbe418dfc0c0f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
memory/580-192-0x0000000000000000-mapping.dmp

Download
memory/740-116-0x0000000001D70000-0x0000000001E1E000-memory.dmp

Filesize
696KB

Download
memory/1104-126-0x0000000000000000-mapping.dmp

Download
memory/1104-129-0x0000000000680000-0x00000000006F4000-memory.dmp

Filesize
464KB

Download
memory/1104-131-0x0000000000610000-0x000000000067B000-memory.dmp

Filesize
428KB

Download
memory/1216-174-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/1216-154-0x0000000003D60000-0x0000000003D7E000-memory.dmp

Filesize
120KB

Download
memory/1216-162-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/1216-163-0x0000000006542000-0x0000000006543000-memory.dmp

Filesize
4KB

Download
memory/1216-161-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/1216-153-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/1216-167-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/1216-151-0x0000000003B70000-0x0000000003B8F000-memory.dmp

Filesize
124KB

Download
memory/1216-168-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/1216-170-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/1216-173-0x0000000006544000-0x0000000006546000-memory.dmp

Filesize
8KB

Download
memory/1216-146-0x0000000001D90000-0x0000000001EDA000-memory.dmp

Filesize
1.3MB

Download
memory/1216-147-0x0000000000400000-0x0000000001D89000-memory.dmp

Filesize
25.5MB

Download
memory/1216-164-0x0000000006543000-0x0000000006544000-memory.dmp

Filesize
4KB

Download
memory/1216-118-0x0000000000000000-mapping.dmp

Download
memory/1300-166-0x00000000009C0000-0x00000000009C9000-memory.dmp

Filesize
36KB

Download
memory/1300-152-0x0000000000000000-mapping.dmp

Download
memory/1300-165-0x00000000009D0000-0x00000000009D4000-memory.dmp

Filesize
16KB

Download
memory/1540-195-0x0000000000000000-mapping.dmp

Download
memory/1548-175-0x0000000000000000-mapping.dmp

Download
memory/1548-177-0x0000000001100000-0x0000000001109000-memory.dmp

Filesize
36KB

Download
memory/1548-176-0x0000000001110000-0x0000000001115000-memory.dmp

Filesize
20KB

Download
memory/1796-169-0x0000000000000000-mapping.dmp

Download
memory/1796-172-0x0000000000FA0000-0x0000000000FA9000-memory.dmp

Filesize
36KB

Download
memory/1796-171-0x0000000000FB0000-0x0000000000FB5000-memory.dmp

Filesize
20KB

Download
memory/2164-198-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/2164-189-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/2164-180-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/2164-178-0x0000000077D80000-0x0000000077F0E000-memory.dmp

Filesize
1.6MB

Download
memory/2164-187-0x0000000005A60000-0x0000000006066000-memory.dmp

Filesize
6.0MB

Download
memory/2164-188-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/2164-202-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/2164-190-0x0000000007700000-0x0000000007701000-memory.dmp

Filesize
4KB

Download
memory/2164-124-0x0000000000000000-mapping.dmp

Download
memory/2164-203-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/2532-193-0x0000000000000000-mapping.dmp

Download
memory/2536-117-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/2844-196-0x0000000000000000-mapping.dmp

Download
memory/3180-136-0x0000000000000000-mapping.dmp

Download
memory/3180-137-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download
memory/3180-138-0x0000000000320000-0x000000000032F000-memory.dmp

Filesize
60KB

Download
memory/3300-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3300-115-0x0000000000402FAB-mapping.dmp

Download
memory/3692-130-0x0000000000BC0000-0x0000000000BC7000-memory.dmp

Filesize
28KB

Download
memory/3692-128-0x0000000000000000-mapping.dmp

Download
memory/3692-132-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/3744-191-0x0000000000000000-mapping.dmp

Download
memory/3836-135-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/3836-133-0x0000000000000000-mapping.dmp

Download
memory/3836-134-0x0000000000580000-0x0000000000587000-memory.dmp

Filesize
28KB

Download
memory/3872-201-0x0000000000000000-mapping.dmp

Download
memory/3880-140-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/3880-139-0x0000000000000000-mapping.dmp

Download
memory/3880-141-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/3888-194-0x0000000000000000-mapping.dmp

Download
memory/3908-121-0x0000000000000000-mapping.dmp

Download
memory/3956-200-0x0000000000000000-mapping.dmp

Download
memory/3960-149-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/3960-142-0x0000000000000000-mapping.dmp

Download
memory/3960-148-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/4024-143-0x0000000000000000-mapping.dmp

Download