buran | 0863cb3e4d763ee32b811fd1ab6f82acb04876f1f75d62f63e0151888e962cb6

Analysis

max time kernel
151s
max time network
157s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c3b197326eff73272c14223a1870284.exe
Size

139KB
MD5

9c3b197326eff73272c14223a1870284
SHA1

d3e57a7dd92e56017330ec8599d825f784cc23b9
SHA256

0863cb3e4d763ee32b811fd1ab6f82acb04876f1f75d62f63e0151888e962cb6
SHA512

8b331a1feabcb90faf814d9bbdb3facc0703533fd6a98ef2273ffa8846bc5da255ccba74f60102485165e336ff3f5d172edb013239faec543206588c8f0d11ea

Score

10^/10

buran redline smokeloader backdoor discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 226-6AA-139 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

redline

95.217.117.91:21361

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3380-146-0x0000000003A90000-0x0000000003AAF000-memory.dmp	family_redline
behavioral2/memory/3380-154-0x0000000003E50000-0x0000000003E6E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

Processes:

1AFB.exe1BE6.exespoolsv.exespoolsv.exe

pid	Process
3380	1AFB.exe
940	1BE6.exe
2672	spoolsv.exe
3732	spoolsv.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

spoolsv.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MergeSearch.tiff	spoolsv.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3092

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1BE6.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	1BE6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	1BE6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spoolsv.exe

description	ioc	Process
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	geoiptool.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

9c3b197326eff73272c14223a1870284.exe

description	pid	Process	procid_target
PID 656 set thread context of 3628	656	9c3b197326eff73272c14223a1870284.exe	76

Drops file in Program Files directory 64 IoCs

Processes:

spoolsv.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.smile.scale-150.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-100.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page3.jpg	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\ui-strings.js	spoolsv.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-256.png	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-125.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png.payfast.226-6AA-139	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.454.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close.png.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.payfast.226-6AA-139	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\DailyChallenges\tile2_diamond.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1938_24x24x32.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6449_48x48x32.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_32x32x32.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectSplashScreen.scale-200.png	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\HoloAssets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ui-strings.js.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\ui-strings.js.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-125.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-150.png	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateDCFiles_280x192.svg.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\heart_icon.png	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\ui-strings.js.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\ui-strings.js.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightRegular.ttf.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\11h.png	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\BingLocalSearchService.winmd	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons_2x.png.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\ui-strings.js.payfast.226-6AA-139	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.payfast.226-6AA-139	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.payfast.226-6AA-139	spoolsv.exe

Drops file in Windows directory 1 IoCs

Processes:

spoolsv.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9c3b197326eff73272c14223a1870284.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9c3b197326eff73272c14223a1870284.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9c3b197326eff73272c14223a1870284.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9c3b197326eff73272c14223a1870284.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
2664	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1BE6.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1BE6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1BE6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9c3b197326eff73272c14223a1870284.exe

pid	Process
3628	9c3b197326eff73272c14223a1870284.exe
3628	9c3b197326eff73272c14223a1870284.exe
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3092

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

9c3b197326eff73272c14223a1870284.exe

pid	Process
3628	9c3b197326eff73272c14223a1870284.exe
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exe1AFB.exe

description	pid	Process
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeIncreaseQuotaPrivilege	3908	WMIC.exe
Token: SeSecurityPrivilege	3908	WMIC.exe
Token: SeTakeOwnershipPrivilege	3908	WMIC.exe
Token: SeLoadDriverPrivilege	3908	WMIC.exe
Token: SeSystemProfilePrivilege	3908	WMIC.exe
Token: SeSystemtimePrivilege	3908	WMIC.exe
Token: SeProfSingleProcessPrivilege	3908	WMIC.exe
Token: SeIncBasePriorityPrivilege	3908	WMIC.exe
Token: SeCreatePagefilePrivilege	3908	WMIC.exe
Token: SeBackupPrivilege	3908	WMIC.exe
Token: SeRestorePrivilege	3908	WMIC.exe
Token: SeShutdownPrivilege	3908	WMIC.exe
Token: SeDebugPrivilege	3908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3908	WMIC.exe
Token: SeRemoteShutdownPrivilege	3908	WMIC.exe
Token: SeUndockPrivilege	3908	WMIC.exe
Token: SeManageVolumePrivilege	3908	WMIC.exe
Token: 33	3908	WMIC.exe
Token: 34	3908	WMIC.exe
Token: 35	3908	WMIC.exe
Token: 36	3908	WMIC.exe
Token: SeBackupPrivilege	3140	vssvc.exe
Token: SeRestorePrivilege	3140	vssvc.exe
Token: SeAuditPrivilege	3140	vssvc.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeIncreaseQuotaPrivilege	3908	WMIC.exe
Token: SeSecurityPrivilege	3908	WMIC.exe
Token: SeTakeOwnershipPrivilege	3908	WMIC.exe
Token: SeLoadDriverPrivilege	3908	WMIC.exe
Token: SeSystemProfilePrivilege	3908	WMIC.exe
Token: SeSystemtimePrivilege	3908	WMIC.exe
Token: SeProfSingleProcessPrivilege	3908	WMIC.exe
Token: SeIncBasePriorityPrivilege	3908	WMIC.exe
Token: SeCreatePagefilePrivilege	3908	WMIC.exe
Token: SeBackupPrivilege	3908	WMIC.exe
Token: SeRestorePrivilege	3908	WMIC.exe
Token: SeShutdownPrivilege	3908	WMIC.exe
Token: SeDebugPrivilege	3908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3908	WMIC.exe
Token: SeRemoteShutdownPrivilege	3908	WMIC.exe
Token: SeUndockPrivilege	3908	WMIC.exe
Token: SeManageVolumePrivilege	3908	WMIC.exe
Token: 33	3908	WMIC.exe
Token: 34	3908	WMIC.exe
Token: 35	3908	WMIC.exe
Token: 36	3908	WMIC.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeDebugPrivilege	3380	1AFB.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3092

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9c3b197326eff73272c14223a1870284.exe1BE6.exespoolsv.exe

description	pid	Process	procid_target
PID 656 wrote to memory of 3628	656	9c3b197326eff73272c14223a1870284.exe	76
PID 656 wrote to memory of 3628	656	9c3b197326eff73272c14223a1870284.exe	76
PID 656 wrote to memory of 3628	656	9c3b197326eff73272c14223a1870284.exe	76
PID 656 wrote to memory of 3628	656	9c3b197326eff73272c14223a1870284.exe	76
PID 656 wrote to memory of 3628	656	9c3b197326eff73272c14223a1870284.exe	76
PID 656 wrote to memory of 3628	656	9c3b197326eff73272c14223a1870284.exe	76
PID 3092 wrote to memory of 3380	3092		78
PID 3092 wrote to memory of 3380	3092		78
PID 3092 wrote to memory of 3380	3092		78
PID 3092 wrote to memory of 940	3092		80
PID 3092 wrote to memory of 940	3092		80
PID 3092 wrote to memory of 940	3092		80
PID 3092 wrote to memory of 2476	3092		81
PID 3092 wrote to memory of 2476	3092		81
PID 3092 wrote to memory of 2476	3092		81
PID 3092 wrote to memory of 2476	3092		81
PID 3092 wrote to memory of 2176	3092		82
PID 3092 wrote to memory of 2176	3092		82
PID 3092 wrote to memory of 2176	3092		82
PID 3092 wrote to memory of 1312	3092		83
PID 3092 wrote to memory of 1312	3092		83
PID 3092 wrote to memory of 1312	3092		83
PID 3092 wrote to memory of 1312	3092		83
PID 3092 wrote to memory of 3576	3092		84
PID 3092 wrote to memory of 3576	3092		84
PID 3092 wrote to memory of 3576	3092		84
PID 3092 wrote to memory of 2844	3092		85
PID 3092 wrote to memory of 2844	3092		85
PID 3092 wrote to memory of 2844	3092		85
PID 3092 wrote to memory of 2844	3092		85
PID 940 wrote to memory of 2672	940	1BE6.exe	86
PID 940 wrote to memory of 2672	940	1BE6.exe	86
PID 940 wrote to memory of 2672	940	1BE6.exe	86
PID 3092 wrote to memory of 3668	3092		87
PID 3092 wrote to memory of 3668	3092		87
PID 3092 wrote to memory of 3668	3092		87
PID 3092 wrote to memory of 2808	3092		88
PID 3092 wrote to memory of 2808	3092		88
PID 3092 wrote to memory of 2808	3092		88
PID 3092 wrote to memory of 2808	3092		88
PID 3092 wrote to memory of 2724	3092		89
PID 3092 wrote to memory of 2724	3092		89
PID 3092 wrote to memory of 2724	3092		89
PID 3092 wrote to memory of 3324	3092		90
PID 3092 wrote to memory of 3324	3092		90
PID 3092 wrote to memory of 3324	3092		90
PID 3092 wrote to memory of 3324	3092		90
PID 2672 wrote to memory of 1604	2672	spoolsv.exe	91
PID 2672 wrote to memory of 1604	2672	spoolsv.exe	91
PID 2672 wrote to memory of 1604	2672	spoolsv.exe	91
PID 2672 wrote to memory of 3956	2672	spoolsv.exe	92
PID 2672 wrote to memory of 3956	2672	spoolsv.exe	92
PID 2672 wrote to memory of 3956	2672	spoolsv.exe	92
PID 2672 wrote to memory of 2416	2672	spoolsv.exe	93
PID 2672 wrote to memory of 2416	2672	spoolsv.exe	93
PID 2672 wrote to memory of 2416	2672	spoolsv.exe	93
PID 2672 wrote to memory of 2836	2672	spoolsv.exe	101
PID 2672 wrote to memory of 2836	2672	spoolsv.exe	101
PID 2672 wrote to memory of 2836	2672	spoolsv.exe	101
PID 2672 wrote to memory of 4060	2672	spoolsv.exe	98
PID 2672 wrote to memory of 4060	2672	spoolsv.exe	98
PID 2672 wrote to memory of 4060	2672	spoolsv.exe	98
PID 2672 wrote to memory of 3732	2672	spoolsv.exe	97
PID 2672 wrote to memory of 3732	2672	spoolsv.exe	97

C:\Users\Admin\AppData\Local\Temp\9c3b197326eff73272c14223a1870284.exe
"C:\Users\Admin\AppData\Local\Temp\9c3b197326eff73272c14223a1870284.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\9c3b197326eff73272c14223a1870284.exe
  "C:\Users\Admin\AppData\Local\Temp\9c3b197326eff73272c14223a1870284.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3628

C:\Users\Admin\AppData\Local\Temp\1AFB.exe
C:\Users\Admin\AppData\Local\Temp\1AFB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Users\Admin\AppData\Local\Temp\1BE6.exe
C:\Users\Admin\AppData\Local\Temp\1BE6.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2416
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4060
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2456

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2476

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2176

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1312

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3576

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3668

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2808

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2724

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5703edef7cb0f99305a6b18845e0443e

SHA1
fb6f022ebde210306e1a6575462d6451e98af454

SHA256
e4ce02059eb175c30879041d610db7b8798cdf57a4c67afc83c125c2db36e883

SHA512
4631853bda1498ff3cace6a348fd2d6770edd0fec166707c3afebff09644f34e29a7a6dd3e9cb167c40e8b5fa1fbbc80ba26d80b4d939daf56278c276b07ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
888f7457c332ac5e1897316e159f58c1

SHA1
a3047c6e978158dfae29b5735e8131ec1b30703d

SHA256
c2c14652875bfeb1ed529202da6d45eb974acab193c005908cf90b8c5cf3dd41

SHA512
0abdc5f78ade2f56b0f1954adc0479b5dcc88d401bfac95754e7dd80adefe7375a426fd89f81b657ebe9c113092524dcbd1e80c39a4bec51ccd93bc0bc3a5aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
939460925953ce88e1086341b8a11bda

SHA1
06249b891050a9fac128ccfee943aeb5bede1c7b

SHA256
d4da3c5ff04a3b677eb77b1bfedc14e29ebd0d01c476d44a0b1a2366447ab016

SHA512
a8dc3eb58a4a550cc2551463a3d813396caf3f2b65f5b13c8e339a4a32652895ee15c23eb5ba833eca4e7c22331a622657cf5bd64098f0c54e43b4e92fe65f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
c5ba537cad337bb8bfc0ff8fb0ce84a3

SHA1
4ba559bff814f4c4c0a2fded9ae63a274f029e50

SHA256
43e6b21bae94382129bfe13cba122c76ed705b31fccc8b47f44066847212d914

SHA512
8bcc7da2c24467e9cb01c3d20e1f9450603faa9bbc8db02f5cf14612246b37e181dc9452a773ba16f508ddbc05664bd3f3f5c686076f382b77533178215644b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
160ed2434b32490b5f38639b8f891992

SHA1
4480e83a07758f1aa1651f614546a8f867ee43d0

SHA256
c665a4fea9d22a80dd6bb005726ef98ca2992679bcb97c60b1d69428eca2d4c9

SHA512
89f49128a9c511ac6389a121cfc5f93254bed7d56031de5b3e7f5029846fdd56876dd56bc2ec905ded3c38be1698ba5ad064bc43805562224b07d6eb5a7f1403

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
27f8bca11199705038cc7ae56ad05cf0

SHA1
0343bcf94d0dfed0f661240eba209b584c3f67d2

SHA256
e5d9cb77576e801ceeafc645337106e61400e2cd1dc5fbf3ed1c0c916eb83a5f

SHA512
bb36a9f837e073c13f7710da58c2fde8dcacfff750fd747991f35b701edbb430d2aeb8bbbff1975de49491d3b582d5dcdb84c5889af4dd6dbe41bcefe271a198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\GKB1J6B9.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AFB.exe

MD5
90a4117c429afee1aeebc7588c4d3ea5

SHA1
25a2cfd6c0b66c3b5b2b3125d771824bdafe3138

SHA256
883486f3967d164f35a1760ae98fd10b7023c31afcf7388b82e11132816db603

SHA512
ed4f02aaa0b8035bb9ec068b33f5e6e24a66a98649a00f748f37ca9e13d283c6641c7cb7f20dde009b14841bd4eaedd3c1caef261bfe31cf5ce4dad63b11d933

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AFB.exe

MD5
90a4117c429afee1aeebc7588c4d3ea5

SHA1
25a2cfd6c0b66c3b5b2b3125d771824bdafe3138

SHA256
883486f3967d164f35a1760ae98fd10b7023c31afcf7388b82e11132816db603

SHA512
ed4f02aaa0b8035bb9ec068b33f5e6e24a66a98649a00f748f37ca9e13d283c6641c7cb7f20dde009b14841bd4eaedd3c1caef261bfe31cf5ce4dad63b11d933

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BE6.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BE6.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\Desktop\BlockMeasure.htm.payfast.226-6AA-139

MD5
7a2c4d4808a148f19ba9722abfb6bb6b

SHA1
50d8ef4865533d1dc89176d918f2c6167a0de6b7

SHA256
84e24b2fa2d8526507f69d3ecbd61911a237f0f4c1ff4b3f0eff917f4ea073c8

SHA512
ee744879cfba4a3b38502f93da37a7e0a9a1a6f01bf715cbb0c3c0a7c177f5224a6c916c47a6833279fab680cb557d8ae2e95450c26dc2942d35989119175a1f

Download Submit
C:\Users\Admin\Desktop\CheckpointJoin.xlsb.payfast.226-6AA-139

MD5
a77b5e563b334ea6aec9a04798e85380

SHA1
07bd4d87562711a034d9838717ee73993559999f

SHA256
a662e3d86b31af4c0a2850610e8b8b8cd6228e33bf137e00c661b08766ca6aa7

SHA512
b799a000375fb377b68a22193d91abd5fe4d31c2da38092ce32ea299ea00af610ae212be7e64fcdbbcb2e46dd687420f1a597d84622591fb06e892c7b7368cb8

Download Submit
C:\Users\Admin\Desktop\ClearOut.xhtml.payfast.226-6AA-139

MD5
a5ffa6a3bec6f7befbd9e1029d209664

SHA1
c505adb0f2d71a2de9445ec8b710889a916e0981

SHA256
c3c40b0e95e3dac4ef4c4f38424073bb486236398e7ec093d1faebd44cabcea3

SHA512
3d3e2c5d8ccc78d1853619ad0a4b8e346cb91602f1840fb86b04448a24b5bb78823b9edc6e3e19338822204ee532a23cf0d7b88d3cdc004a749482779947063b

Download Submit
C:\Users\Admin\Desktop\CloseSkip.M2V.payfast.226-6AA-139

MD5
5e8a51ebdb60c15998d2fef3d06629d3

SHA1
64128a97b7bd3633e694bd05d0dc60a13d49a058

SHA256
857fe12cf7b96b28bc5001f5997d9bc553540b1e312be36cbbf7a3bf7dff4dd5

SHA512
51840ddb1cb1562cb8181e2500758cfda2a7bbbc9be83f449e425ee39927ff768491cb16dba5a6f43357b441a5502d1f5c6025d561a1ae0ee1c913e706cd8330

Download Submit
C:\Users\Admin\Desktop\ConfirmTest.shtml.payfast.226-6AA-139

MD5
a2016ac7103768c67537a192572ef538

SHA1
de86c1cf7c0f25e913ea69c852ae68f31fe1f4f4

SHA256
2b3db6449e383a38aeb5327a11a51ee613503a11ac8780f45250831c47169bce

SHA512
50e37d918d7a37261652e4f484aa4a6145e4ae70e58e601bc9507b096bf021d013bd2f5d984b455258ab23eeb926488765bc2a3f81715cc1a16c3ba571a9c77b

Download Submit
C:\Users\Admin\Desktop\ConnectImport.xla.payfast.226-6AA-139

MD5
6fea96797b1d7ae1baafe093d5687456

SHA1
ae2cb40aa3fc73ce0e94a41dd3618874a25aefca

SHA256
a60613248de3859267a21057196c067564a9ab898384a3a5841fc8455377a23b

SHA512
3eca4da1bba2f5478649f5c2b8942e043624f0b36a70320e1d061eaf0f54ceb6626c5c57ecde5051df4ae5c612da5c815f63d63674735e5c3b42c995425b20a4

Download Submit
C:\Users\Admin\Desktop\CopyDebug.mid.payfast.226-6AA-139

MD5
9d2b91c0ca7db947291d13c88a54b19a

SHA1
1a7c076e04d1869f29b57cb740a1860e4a0ac66c

SHA256
63f49308dfb59052e8363d42855b837ce14c572da12990281b484448e826cb90

SHA512
1912d58105f090f26e4975fca290d286da24042e8890d98931bc3caea991e15cdd7f9c12a4e11d52229ed9af9a4b3445ae9275dd9f57c932941f8d015cf814b4

Download Submit
C:\Users\Admin\Desktop\DenyGroup.scf.payfast.226-6AA-139

MD5
8eca97932f6c4f446dbd2fd4fdbc8887

SHA1
d297cdfc6f234c658ee43e86b50b50eed816e67c

SHA256
02c59b1c0729095f3fa22b81339969dafa8bce5ecbce81e6bd2996017b07a5c6

SHA512
a7423e1b479f07e9aebbabbdf35132a86498a81735392c080aa6d294107b4d483f2922aaa324218abc6142ae45aef3a63c56b84b7498a67f7df7bf4ec02034c5

Download Submit
C:\Users\Admin\Desktop\DismountRestore.cr2.payfast.226-6AA-139

MD5
d203ee3f395672633ab83790e7fe45a1

SHA1
4617197aead225e4097871c9991a29e9e50086d5

SHA256
e56b03138b262e67f74324bed6b4d40badd626455f1c5c80352a872982c63f90

SHA512
a783cdf0e323f8bb776800083d7d9983d6bd57312762b11e8112e49ba2decd6be911274c8a71357bc95162238e51218e681b83830115e40f21958909847afb62

Download Submit
C:\Users\Admin\Desktop\DismountSearch.ADT.payfast.226-6AA-139

MD5
5ebf922c9cd8a445bc9cd8704b5d09fb

SHA1
83e69335be816839454773199ac034987075acb5

SHA256
9746ba83229c2dec2da3fa093697e9ec2cb59399a8b49555705dba804b5ec78d

SHA512
597fb2d1805aeae0f3792162d082df216340004ca4f7da77df8842319eb336cbb75c71d680ff04a1ed8aeba3ff7e97473f3007832a525c1aa8eaa99fca2a9d4f

Download Submit
C:\Users\Admin\Desktop\ExpandDismount.xltm.payfast.226-6AA-139

MD5
2f8820543ac13838f8d0d6936e7b9ff3

SHA1
428c5e16333eaf2cc282b536d1eecfe91b336a8d

SHA256
0361af01acd75f6bf7b4df2886617be6f98d0e2070535ca7ddce90e04e53527f

SHA512
c85d7e89e38a855fa04f566f86be38287e8a27c927c40d6fc5a7c1af5f703a6e26bbeb56f6f0bbec27112b64206715c45743e270446455d51fcb03fbba477988

Download Submit
C:\Users\Admin\Desktop\OpenEnter.rle.payfast.226-6AA-139

MD5
eb33502cd7c8b1f00622090044cc3d35

SHA1
7d4d49cccc1dcd24235cf288775c870efd04a773

SHA256
03b00d64b8df38ed38e3a3a5aefd8e3a5de5cc77498ae74522e0b797407a13ec

SHA512
5726099258695336b671802fa93c1ff086632b17a106ef278c4ca67f7d1d35d3eff7fbbfc7766226b49e9d04ec1fe10a746ba511d90fd574b1eeaca2ee56de7b

Download Submit
C:\Users\Admin\Desktop\PublishConnect.gif.payfast.226-6AA-139

MD5
e8ab2737188abce58ccacc894f568f96

SHA1
14a4610166759dfe8f3f774b668916c0bdfc39bc

SHA256
287f807704b60c0247954de406689069bd68fd063756cbdc75bca63632b319ec

SHA512
e2ea63c2b1d19af08fa35b97096d625268d8e7704998b59ac3b1b7d99746149a4bad6c26fdf59922b690ca1ab5424f92b5e9b6be7960219bf29762fefeb814d6

Download Submit
C:\Users\Admin\Desktop\RestartSave.m1v.payfast.226-6AA-139

MD5
feb7f2910ba256a3b620ebe563fb98e6

SHA1
52ee8c31d02946c8c9d21cbf0ccfe4a0c17295f7

SHA256
6626709c47174626275e719cfb1f1492a8932a75bcdf66f310e44fb760afa19f

SHA512
84aa736f7d99eb5f16e07fcb840413b41ed1f86be13ab87ff2f6e3f6f789a49443d93a95d5a6f3e1c3320b231b23a77c01e89a057ba041e1bcba908a7771aed9

Download Submit
C:\Users\Admin\Desktop\ResumeSearch.mp4v.payfast.226-6AA-139

MD5
5f414050370013ec5b6ead9d1b3244d4

SHA1
7a283080628e4e42dffca982bdb1fb63352417f4

SHA256
ee1d3f359d62e04e9f481017fd549de1723e9d43340a6b06b4076714ceff059e

SHA512
a0c49a6c80166b987a9374c516b9e0a1790ed883d1bc2f8db977f9da9ec2fe3f89f33b9fddccb902b05c4356cb7e184b1268358d80a9f65fce24e2e864d90bea

Download Submit
C:\Users\Admin\Desktop\SendRead.3gpp.payfast.226-6AA-139

MD5
95c69525a00a8ff89df8ad0c58b4c827

SHA1
b5cd70e9efc660e23a469d02ea4e6ec8096d9c1b

SHA256
7f3df6b34bb43c006c8e0ade52d62bbe1d258b97fa58e8b7dedaf694f3ecd52e

SHA512
fe7a1215efbabfb31e46b09d29a1b878eb8f397d824f619e5cd6ed2d3ae27f35f2c8b5cb36cedbce341edee4f44a2d8f51a6a35713852fcd498c6a591007caf6

Download Submit
C:\Users\Admin\Desktop\SendRequest.css.payfast.226-6AA-139

MD5
9871a6aa6017cef0fb0c56366b2932ca

SHA1
623313c6b253da1b840b47cd326549555674ed06

SHA256
1c58eed44949343264c7cb79a4b8d8538100f1fe1bdd24eb24f4ece8c3af8d78

SHA512
4e75083dd6278aaa58715a928e332d5e591a22e01d60bb4e07f11a8e1242ebb88b47d68ddb4aab800556d710709a58e8076671fa536a089eabf19993e3196c9e

Download Submit
C:\Users\Admin\Desktop\StopReset.rtf.payfast.226-6AA-139

MD5
19c316ffc1e4d11d9414ea6715a64652

SHA1
8b4bf64414cb607d59fa646a4e3477260971c1a9

SHA256
4cf40031b4b1ac13ef0f08808f547fde822577c48da3e6c229208cecabb32100

SHA512
807feca3b6a0cd003906278d5c5cb40c22edad3956c25e17883595665124dbcdea1f01ae9cae59456dd058a2df7f5f7875a86a0978107b912100d4c389c1fef7

Download Submit
C:\Users\Admin\Desktop\TestCompress.vssm.payfast.226-6AA-139

MD5
e5fa2734396053470c098bfbfeeb7ad4

SHA1
ed7a417b10096e60c3259e8c2345461f2f9c1d78

SHA256
3d7f49403f43b483760e41ca83c88a5af7147a13ac89eb816c100cf74f7c6d0c

SHA512
5a6c54721dd2914dcffe75e73d7f3e97c650b1834e6bf2543e0b1046d2a75633fc8ec2ce619be5ba01134637828ca519d47ad82d7796a0bd96a4923b8942e60d

Download Submit
C:\Users\Admin\Desktop\TestPush.mpeg2.payfast.226-6AA-139

MD5
79d95fbe0aab0cda8cf4bf3baa8bad54

SHA1
baa62ca3a66e89daef3393dd9d7db60d602401a2

SHA256
2d1a3a1bcfac1331f0a432a8b4cc7625e8d6c4543490801a2e12f752abddd521

SHA512
84aee4cf492b218b7161c3b1a755c2f848ea63777595acd63a79e548642cf53af2cdc3f28f43079b34f1ec25deb3ea2d33e210c756f70de365348f245b502a03

Download Submit
C:\Users\Admin\Desktop\TraceDebug.3gp2.payfast.226-6AA-139

MD5
898f60cd1f1b97009b7596f217b0ee61

SHA1
5e4ab1ca88912c8f8bf38dc069f5fd4f663bb8cd

SHA256
06a1c419aca61e328937c465988fee248fe3fcf51f7f0ef782c79d84c2e3c1ac

SHA512
593f178ef7b865c43b296bf0105bdb8e8816a65bb093c08d0d55bd96731b602721e0a5386f19a3f3600acdcca10ccd848649e4e623ddc63d51671f5840a4f285

Download Submit
C:\Users\Admin\Desktop\UpdateUninstall.wav.payfast.226-6AA-139

MD5
c3ffef03141035327750ca10da7f8407

SHA1
c8485f7bb536e6c97755647f17a2a3a985c450a9

SHA256
c04d804726c7d317d67ab71e521a1004de7a7a1a4e816784e44c63b761c717c7

SHA512
1808595841ee4b83eb0ad3348ea21959d583a8d49b5309eae21c80e046128d933aff2d86ba3f6a1d58003892346dab44d1bb6280777a44b7a134134d72fe2f43

Download Submit
C:\Users\Admin\Desktop\WatchConvert.i64.payfast.226-6AA-139

MD5
5627c981ec516fb3d779f418888b224c

SHA1
2de3616e76073e9764e6ee701623f811d06ffe27

SHA256
9baad34a014386afa664a6e80c846eb172eadcd0e8e86da4a46685a362dab9d6

SHA512
aab4e2131ff602b7d2ab3b6302ac59ccfb9e44405c215ba90a258fff98564223bcbad38d79cb99c70fdcdb52d8002677729274e50d2ff68a3064a6ce66093f77

Download Submit
C:\Users\Admin\Desktop\WriteResolve.raw.payfast.226-6AA-139

MD5
e85c6eec6ee937527ce86371a6ddc7fc

SHA1
6a219c81d00f46e9faea6222c024915ba20fd5f8

SHA256
04e3a4885243730d526a3a5f9de757fdb68c788a545fc2b30c078479791f8636

SHA512
7c76d5cc49d6084eb9567ed5998da2ed6f5b20e8a8edb4f1d01b9d5b1282aeae0f5c06d48bd9661f554c7451feb1f35af15e6dbb16f5a858b9e1a82912cfea13

Download Submit
memory/656-116-0x0000000001DC0000-0x0000000001DCA000-memory.dmp

Filesize
40KB

Download
memory/940-121-0x0000000000000000-mapping.dmp

Download
memory/1312-131-0x0000000002B40000-0x0000000002B47000-memory.dmp

Filesize
28KB

Download
memory/1312-132-0x0000000002B30000-0x0000000002B3B000-memory.dmp

Filesize
44KB

Download
memory/1312-130-0x0000000000000000-mapping.dmp

Download
memory/1604-175-0x0000000000000000-mapping.dmp

Download
memory/2176-127-0x0000000000000000-mapping.dmp

Download
memory/2176-129-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/2176-128-0x0000000000C00000-0x0000000000C07000-memory.dmp

Filesize
28KB

Download
memory/2416-177-0x0000000000000000-mapping.dmp

Download
memory/2456-215-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/2456-214-0x0000000000000000-mapping.dmp

Download
memory/2476-125-0x0000000002A70000-0x0000000002AE4000-memory.dmp

Filesize
464KB

Download
memory/2476-124-0x0000000000000000-mapping.dmp

Download
memory/2476-126-0x0000000002A00000-0x0000000002A6B000-memory.dmp

Filesize
428KB

Download
memory/2664-183-0x0000000000000000-mapping.dmp

Download
memory/2672-137-0x0000000000000000-mapping.dmp

Download
memory/2724-167-0x0000000000000000-mapping.dmp

Download
memory/2724-172-0x00000000009F0000-0x00000000009F9000-memory.dmp

Filesize
36KB

Download
memory/2724-170-0x0000000000C00000-0x0000000000C05000-memory.dmp

Filesize
20KB

Download
memory/2808-166-0x0000000002770000-0x0000000002779000-memory.dmp

Filesize
36KB

Download
memory/2808-165-0x0000000002780000-0x0000000002784000-memory.dmp

Filesize
16KB

Download
memory/2808-161-0x0000000000000000-mapping.dmp

Download
memory/2836-178-0x0000000000000000-mapping.dmp

Download
memory/2844-136-0x0000000000000000-mapping.dmp

Download
memory/2844-141-0x0000000000160000-0x0000000000165000-memory.dmp

Filesize
20KB

Download
memory/2844-142-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/3092-117-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/3324-174-0x0000000002ED0000-0x0000000002ED9000-memory.dmp

Filesize
36KB

Download
memory/3324-173-0x0000000002EE0000-0x0000000002EE5000-memory.dmp

Filesize
20KB

Download
memory/3324-171-0x0000000000000000-mapping.dmp

Download
memory/3380-163-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/3380-169-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/3380-185-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/3380-186-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3380-187-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/3380-188-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/3380-189-0x0000000009000000-0x0000000009001000-memory.dmp

Filesize
4KB

Download
memory/3380-184-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/3380-118-0x0000000000000000-mapping.dmp

Download
memory/3380-146-0x0000000003A90000-0x0000000003AAF000-memory.dmp

Filesize
124KB

Download
memory/3380-153-0x0000000006590000-0x0000000006591000-memory.dmp

Filesize
4KB

Download
memory/3380-155-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/3380-168-0x0000000006584000-0x0000000006586000-memory.dmp

Filesize
8KB

Download
memory/3380-164-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/3380-154-0x0000000003E50000-0x0000000003E6E000-memory.dmp

Filesize
120KB

Download
memory/3380-162-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/3380-160-0x0000000006583000-0x0000000006584000-memory.dmp

Filesize
4KB

Download
memory/3380-159-0x0000000006582000-0x0000000006583000-memory.dmp

Filesize
4KB

Download
memory/3380-156-0x0000000006580000-0x0000000006581000-memory.dmp

Filesize
4KB

Download
memory/3380-144-0x0000000000400000-0x0000000001D89000-memory.dmp

Filesize
25.5MB

Download
memory/3380-143-0x0000000001E00000-0x0000000001EAE000-memory.dmp

Filesize
696KB

Download
memory/3576-135-0x00000000003F0000-0x00000000003FF000-memory.dmp

Filesize
60KB

Download
memory/3576-134-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/3576-133-0x0000000000000000-mapping.dmp

Download
memory/3628-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3628-115-0x0000000000402FAB-mapping.dmp

Download
memory/3668-145-0x0000000000000000-mapping.dmp

Download
memory/3668-157-0x0000000000FE0000-0x0000000000FE6000-memory.dmp

Filesize
24KB

Download
memory/3668-158-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

Filesize
48KB

Download
memory/3732-180-0x0000000000000000-mapping.dmp

Download
memory/3908-182-0x0000000000000000-mapping.dmp

Download
memory/3956-176-0x0000000000000000-mapping.dmp

Download
memory/4060-179-0x0000000000000000-mapping.dmp

Download