buran | a41da84a70aac4a8274ad4276cc9cb8ac79604103fd3a53455653a9439887162

Analysis

max time kernel
152s
max time network
149s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd87ab1ec4c93f1ef50d624c1944e2a3.exe
Size

140KB
MD5

cd87ab1ec4c93f1ef50d624c1944e2a3
SHA1

ab3ecbd441af8aa95320300ce4bfdcf07d8da7b5
SHA256

a41da84a70aac4a8274ad4276cc9cb8ac79604103fd3a53455653a9439887162
SHA512

327ed4f155d591c5c9adbc5d25b30f729f15fa89d91693bfa1a4b4266288b97ae7d6b549e10f02dd636c3db9947fecba5de9f09b279f8a7fde3ce9532a4da734

Score

10^/10

buran raccoon smokeloader 20d9c80657d1d0fda9625cbd629ba419b8a34404 d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 backdoor discovery evasion persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 2BC-18B-F1B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

20d9c80657d1d0fda9625cbd629ba419b8a34404

Attributes

url4cnc
https://telete.in/hfuimoneymake

rc4.plain

Extracted

Family

raccoon

Botnet

d02c5d65069fc7ce1993e7c52edf0c9c4c195c81

Attributes

url4cnc
https://telete.in/open3entershift

rc4.plain

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description	pid	Process	procid_target
PID 3460 created 1860	3460	WerFault.exe	79

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

8BF5.exe9155.exe92BD.exe9483.exesmss.exesmss.exe

pid	Process
1860	8BF5.exe
2900	9155.exe
1564	92BD.exe
2300	9483.exe
3972	smss.exe
1636	smss.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9155.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9155.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9155.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3024

Loads dropped DLL 1 IoCs

Processes:

8BF5.exe

pid	Process
1860	8BF5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/files/0x000200000001ab58-122.dat	themida
behavioral2/files/0x000200000001ab58-123.dat	themida
behavioral2/memory/2900-133-0x0000000001000000-0x0000000001001000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

92BD.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	92BD.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	92BD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9155.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9155.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	Process
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\G:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
28	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

9155.exe

pid	Process
2900	9155.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd87ab1ec4c93f1ef50d624c1944e2a3.exe

description	pid	Process	procid_target
PID 900 set thread context of 3040	900	cd87ab1ec4c93f1ef50d624c1944e2a3.exe	77

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.payfast290.2BC-18B-F1B	smss.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\root\vfs\Windows\assembly\GAC_MSIL\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INF.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ko_KR.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfontj2d.properties	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo	smss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.payfast290.2BC-18B-F1B	smss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT	smss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-windows.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt.payfast290.2BC-18B-F1B	smss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.INF.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe.payfast290.2BC-18B-F1B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.payfast290.2BC-18B-F1B	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2264	1860	WerFault.exe	79
1304	1860	WerFault.exe	79
1688	1860	WerFault.exe	79
3372	1860	WerFault.exe	79
3940	1860	WerFault.exe	79
3160	1860	WerFault.exe	79
1884	1860	WerFault.exe	79
1980	1860	WerFault.exe	79
3932	1860	WerFault.exe	79
4052	1860	WerFault.exe	79
892	1860	WerFault.exe	79
2368	1860	WerFault.exe	79
1552	1860	WerFault.exe	79
3460	1860	WerFault.exe	79

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cd87ab1ec4c93f1ef50d624c1944e2a3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cd87ab1ec4c93f1ef50d624c1944e2a3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cd87ab1ec4c93f1ef50d624c1944e2a3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cd87ab1ec4c93f1ef50d624c1944e2a3.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
2308	vssadmin.exe
3292	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cd87ab1ec4c93f1ef50d624c1944e2a3.exe

pid	Process
3040	cd87ab1ec4c93f1ef50d624c1944e2a3.exe
3040	cd87ab1ec4c93f1ef50d624c1944e2a3.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3024

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

cd87ab1ec4c93f1ef50d624c1944e2a3.exe

pid	Process
3040	cd87ab1ec4c93f1ef50d624c1944e2a3.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

92BD.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe9155.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWMIC.exeWerFault.exeWerFault.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	1564	92BD.exe
Token: SeDebugPrivilege	1564	92BD.exe
Token: SeRestorePrivilege	2264	WerFault.exe
Token: SeBackupPrivilege	2264	WerFault.exe
Token: SeDebugPrivilege	2264	WerFault.exe
Token: SeDebugPrivilege	1304	WerFault.exe
Token: SeDebugPrivilege	1688	WerFault.exe
Token: SeDebugPrivilege	3372	WerFault.exe
Token: SeDebugPrivilege	3940	WerFault.exe
Token: SeDebugPrivilege	2900	9155.exe
Token: SeDebugPrivilege	3160	WerFault.exe
Token: SeDebugPrivilege	1884	WerFault.exe
Token: SeDebugPrivilege	1980	WerFault.exe
Token: SeDebugPrivilege	3932	WerFault.exe
Token: SeDebugPrivilege	4052	WMIC.exe
Token: SeDebugPrivilege	892	WerFault.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeIncreaseQuotaPrivilege	4052	WMIC.exe
Token: SeSecurityPrivilege	4052	WMIC.exe
Token: SeTakeOwnershipPrivilege	4052	WMIC.exe
Token: SeLoadDriverPrivilege	4052	WMIC.exe
Token: SeSystemProfilePrivilege	4052	WMIC.exe
Token: SeSystemtimePrivilege	4052	WMIC.exe
Token: SeProfSingleProcessPrivilege	4052	WMIC.exe
Token: SeIncBasePriorityPrivilege	4052	WMIC.exe
Token: SeCreatePagefilePrivilege	4052	WMIC.exe
Token: SeBackupPrivilege	4052	WMIC.exe
Token: SeRestorePrivilege	4052	WMIC.exe
Token: SeShutdownPrivilege	4052	WMIC.exe
Token: SeDebugPrivilege	4052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4052	WMIC.exe
Token: SeRemoteShutdownPrivilege	4052	WMIC.exe
Token: SeUndockPrivilege	4052	WMIC.exe
Token: SeManageVolumePrivilege	4052	WMIC.exe
Token: 33	4052	WMIC.exe
Token: 34	4052	WMIC.exe
Token: 35	4052	WMIC.exe
Token: 36	4052	WMIC.exe
Token: SeDebugPrivilege	2368	WerFault.exe
Token: SeBackupPrivilege	1060	vssvc.exe
Token: SeRestorePrivilege	1060	vssvc.exe
Token: SeAuditPrivilege	1060	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4052	WMIC.exe
Token: SeSecurityPrivilege	4052	WMIC.exe
Token: SeTakeOwnershipPrivilege	4052	WMIC.exe
Token: SeLoadDriverPrivilege	4052	WMIC.exe
Token: SeSystemProfilePrivilege	4052	WMIC.exe
Token: SeSystemtimePrivilege	4052	WMIC.exe
Token: SeProfSingleProcessPrivilege	4052	WMIC.exe
Token: SeIncBasePriorityPrivilege	4052	WMIC.exe
Token: SeCreatePagefilePrivilege	4052	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3024

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cd87ab1ec4c93f1ef50d624c1944e2a3.exe92BD.exesmss.exe

description	pid	Process	procid_target
PID 900 wrote to memory of 3040	900	cd87ab1ec4c93f1ef50d624c1944e2a3.exe	77
PID 900 wrote to memory of 3040	900	cd87ab1ec4c93f1ef50d624c1944e2a3.exe	77
PID 900 wrote to memory of 3040	900	cd87ab1ec4c93f1ef50d624c1944e2a3.exe	77
PID 900 wrote to memory of 3040	900	cd87ab1ec4c93f1ef50d624c1944e2a3.exe	77
PID 900 wrote to memory of 3040	900	cd87ab1ec4c93f1ef50d624c1944e2a3.exe	77
PID 900 wrote to memory of 3040	900	cd87ab1ec4c93f1ef50d624c1944e2a3.exe	77
PID 3024 wrote to memory of 1860	3024		79
PID 3024 wrote to memory of 1860	3024		79
PID 3024 wrote to memory of 1860	3024		79
PID 3024 wrote to memory of 2900	3024		80
PID 3024 wrote to memory of 2900	3024		80
PID 3024 wrote to memory of 2900	3024		80
PID 3024 wrote to memory of 1564	3024		82
PID 3024 wrote to memory of 1564	3024		82
PID 3024 wrote to memory of 1564	3024		82
PID 3024 wrote to memory of 2300	3024		83
PID 3024 wrote to memory of 2300	3024		83
PID 3024 wrote to memory of 2300	3024		83
PID 3024 wrote to memory of 2272	3024		84
PID 3024 wrote to memory of 2272	3024		84
PID 3024 wrote to memory of 2272	3024		84
PID 3024 wrote to memory of 2272	3024		84
PID 3024 wrote to memory of 3484	3024		85
PID 3024 wrote to memory of 3484	3024		85
PID 3024 wrote to memory of 3484	3024		85
PID 3024 wrote to memory of 2180	3024		86
PID 3024 wrote to memory of 2180	3024		86
PID 3024 wrote to memory of 2180	3024		86
PID 3024 wrote to memory of 2180	3024		86
PID 3024 wrote to memory of 716	3024		87
PID 3024 wrote to memory of 716	3024		87
PID 3024 wrote to memory of 716	3024		87
PID 3024 wrote to memory of 2656	3024		88
PID 3024 wrote to memory of 2656	3024		88
PID 3024 wrote to memory of 2656	3024		88
PID 3024 wrote to memory of 2656	3024		88
PID 1564 wrote to memory of 3972	1564	92BD.exe	90
PID 1564 wrote to memory of 3972	1564	92BD.exe	90
PID 1564 wrote to memory of 3972	1564	92BD.exe	90
PID 1564 wrote to memory of 1320	1564	92BD.exe	91
PID 1564 wrote to memory of 1320	1564	92BD.exe	91
PID 1564 wrote to memory of 1320	1564	92BD.exe	91
PID 1564 wrote to memory of 1320	1564	92BD.exe	91
PID 1564 wrote to memory of 1320	1564	92BD.exe	91
PID 1564 wrote to memory of 1320	1564	92BD.exe	91
PID 3024 wrote to memory of 364	3024		92
PID 3024 wrote to memory of 364	3024		92
PID 3024 wrote to memory of 364	3024		92
PID 3024 wrote to memory of 196	3024		94
PID 3024 wrote to memory of 196	3024		94
PID 3024 wrote to memory of 196	3024		94
PID 3024 wrote to memory of 196	3024		94
PID 3024 wrote to memory of 1568	3024		96
PID 3024 wrote to memory of 1568	3024		96
PID 3024 wrote to memory of 1568	3024		96
PID 3024 wrote to memory of 1032	3024		99
PID 3024 wrote to memory of 1032	3024		99
PID 3024 wrote to memory of 1032	3024		99
PID 3024 wrote to memory of 1032	3024		99
PID 3972 wrote to memory of 3800	3972	smss.exe	107
PID 3972 wrote to memory of 3800	3972	smss.exe	107
PID 3972 wrote to memory of 3800	3972	smss.exe	107
PID 3972 wrote to memory of 3340	3972	smss.exe	108
PID 3972 wrote to memory of 3340	3972	smss.exe	108

C:\Users\Admin\AppData\Local\Temp\cd87ab1ec4c93f1ef50d624c1944e2a3.exe
"C:\Users\Admin\AppData\Local\Temp\cd87ab1ec4c93f1ef50d624c1944e2a3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\cd87ab1ec4c93f1ef50d624c1944e2a3.exe
  "C:\Users\Admin\AppData\Local\Temp\cd87ab1ec4c93f1ef50d624c1944e2a3.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3040

C:\Users\Admin\AppData\Local\Temp\8BF5.exe
C:\Users\Admin\AppData\Local\Temp\8BF5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 736
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 752
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 848
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 900
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1188
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1224
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1260
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1144
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1264
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1260
  2⤵
  - Program crash
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1144
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1144
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1168
  2⤵
  - Program crash
  PID:1552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1288
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:3460

C:\Users\Admin\AppData\Local\Temp\9155.exe
C:\Users\Admin\AppData\Local\Temp\9155.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Users\Admin\AppData\Local\Temp\92BD.exe
C:\Users\Admin\AppData\Local\Temp\92BD.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:3800
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3292
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:204
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2300
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:1320

C:\Users\Admin\AppData\Local\Temp\9483.exe
C:\Users\Admin\AppData\Local\Temp\9483.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2272

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3484

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2180

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2656

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:364

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:196

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1568

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5703edef7cb0f99305a6b18845e0443e

SHA1
fb6f022ebde210306e1a6575462d6451e98af454

SHA256
e4ce02059eb175c30879041d610db7b8798cdf57a4c67afc83c125c2db36e883

SHA512
4631853bda1498ff3cace6a348fd2d6770edd0fec166707c3afebff09644f34e29a7a6dd3e9cb167c40e8b5fa1fbbc80ba26d80b4d939daf56278c276b07ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
888f7457c332ac5e1897316e159f58c1

SHA1
a3047c6e978158dfae29b5735e8131ec1b30703d

SHA256
c2c14652875bfeb1ed529202da6d45eb974acab193c005908cf90b8c5cf3dd41

SHA512
0abdc5f78ade2f56b0f1954adc0479b5dcc88d401bfac95754e7dd80adefe7375a426fd89f81b657ebe9c113092524dcbd1e80c39a4bec51ccd93bc0bc3a5aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
939460925953ce88e1086341b8a11bda

SHA1
06249b891050a9fac128ccfee943aeb5bede1c7b

SHA256
d4da3c5ff04a3b677eb77b1bfedc14e29ebd0d01c476d44a0b1a2366447ab016

SHA512
a8dc3eb58a4a550cc2551463a3d813396caf3f2b65f5b13c8e339a4a32652895ee15c23eb5ba833eca4e7c22331a622657cf5bd64098f0c54e43b4e92fe65f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
6bd3f6df5aae27cd0bb17d3fe249e843

SHA1
ae7f2e67bf2466f47809db963985da6c5ff582dc

SHA256
2c26e6bb448eaa6bee37468db1e8b5c57cf34c4f7286b75b41fbd7786033d842

SHA512
327bfda0ac092896a48bf47304592c0c13df4e251b90982b5f574783d31e2737ecd7fe2534adc17d98525075aed5d72267bac6b89ffbc2abe37597c290a7a8c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
ae35cf00fe6505bda09fdcc98690df7c

SHA1
353f9a8228039d1d54b15802dbf52983f131c42e

SHA256
6c904a19ac8c5f75f3c15b232f9d1c775f671ff810ce835058d48584ecb82da3

SHA512
06f64e5090ffcc6c3f550b832564e5d6964f265d55a743cd2b2408f71978ca4f61683904b23524e9779759e3b330df360e179edcd049c37c14b03f31caee6d81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
651c4137627dd328c2eca7b06bdf9a88

SHA1
7b6a77d1c504b98d609afa0e444f9a5ac11e34d7

SHA256
593e85de85b46a0f68e4027f4dc2a3cb704b262ec07d5b78e8f2a1acb908eb7a

SHA512
0e94bffde1aacf12400468739db6d6b507315b37c34d539aecd9c256d0ab3773d71402d1dcd9424cf205db86b262f6a7f6a7033f4862af40b3b25724ae184a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\F2O88ANT.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BF5.exe

MD5
a197870ca6d2a5e77e53a26adbbae2d8

SHA1
7714d4016e63c1f9a7e0220627e464fd2d7df63c

SHA256
7c38c0737eeb5c925e6e244eebae7f1bb05358771ecf7bc615ba11f02cb1156c

SHA512
895269c76df3cb57cfb9f482eb7aaa5f767012e9e9d3dc6643b4874b6061fe1201b68f869a1c326ce95d4db0a881995caf02cb6ece6ec48f3d973dab8407bc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BF5.exe

MD5
a197870ca6d2a5e77e53a26adbbae2d8

SHA1
7714d4016e63c1f9a7e0220627e464fd2d7df63c

SHA256
7c38c0737eeb5c925e6e244eebae7f1bb05358771ecf7bc615ba11f02cb1156c

SHA512
895269c76df3cb57cfb9f482eb7aaa5f767012e9e9d3dc6643b4874b6061fe1201b68f869a1c326ce95d4db0a881995caf02cb6ece6ec48f3d973dab8407bc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\9155.exe

MD5
067a8002b76c49e820a9421fa3029c86

SHA1
fbf589bf5e44768d9ed07f6b361472e3b54bcb58

SHA256
9fdf1b38392cacb2490a8093fc910e2af3817e92ab459304d721919a63cbfe64

SHA512
4986054c30b069cc145dde03244589eb06513211723ca11cd97204c748b43c07b6f16bab7b9203c3d53a20176879eb467debf90bde43a5a66d23587243fed03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9155.exe

MD5
067a8002b76c49e820a9421fa3029c86

SHA1
fbf589bf5e44768d9ed07f6b361472e3b54bcb58

SHA256
9fdf1b38392cacb2490a8093fc910e2af3817e92ab459304d721919a63cbfe64

SHA512
4986054c30b069cc145dde03244589eb06513211723ca11cd97204c748b43c07b6f16bab7b9203c3d53a20176879eb467debf90bde43a5a66d23587243fed03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\92BD.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92BD.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9483.exe

MD5
e99afcbb149ba6dfbdd90c034b88fe73

SHA1
be974111ad0a8f3870d09706ea07b5438f418798

SHA256
924b9935b1f2be85aa36e0158f0a55c1200cdf9046077a5b491f1aeb034c2353

SHA512
bf8b1f544ab9e689068f94b7ee5cfbe304b3756308d022be2e487216dd01aed0fcc2ac76e5d6b4c2f434a1125a88d5c71a2ecdafdb7bddd82447e77601c6b4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9483.exe

MD5
e99afcbb149ba6dfbdd90c034b88fe73

SHA1
be974111ad0a8f3870d09706ea07b5438f418798

SHA256
924b9935b1f2be85aa36e0158f0a55c1200cdf9046077a5b491f1aeb034c2353

SHA512
bf8b1f544ab9e689068f94b7ee5cfbe304b3756308d022be2e487216dd01aed0fcc2ac76e5d6b4c2f434a1125a88d5c71a2ecdafdb7bddd82447e77601c6b4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/196-171-0x0000000000000000-mapping.dmp

Download
memory/196-172-0x0000000002A10000-0x0000000002A14000-memory.dmp

Filesize
16KB

Download
memory/196-173-0x0000000002A00000-0x0000000002A09000-memory.dmp

Filesize
36KB

Download
memory/204-194-0x0000000000000000-mapping.dmp

Download
memory/364-169-0x00000000010C0000-0x00000000010C6000-memory.dmp

Filesize
24KB

Download
memory/364-161-0x0000000000000000-mapping.dmp

Download
memory/364-170-0x00000000010B0000-0x00000000010BC000-memory.dmp

Filesize
48KB

Download
memory/716-147-0x0000000000000000-mapping.dmp

Download
memory/716-151-0x0000000000F50000-0x0000000000F5F000-memory.dmp

Filesize
60KB

Download
memory/716-150-0x0000000000F60000-0x0000000000F69000-memory.dmp

Filesize
36KB

Download
memory/900-116-0x00000000020E0000-0x00000000020EA000-memory.dmp

Filesize
40KB

Download
memory/1032-182-0x0000000002920000-0x0000000002929000-memory.dmp

Filesize
36KB

Download
memory/1032-179-0x0000000000000000-mapping.dmp

Download
memory/1032-181-0x0000000002930000-0x0000000002935000-memory.dmp

Filesize
20KB

Download
memory/1320-160-0x0000000000000000-mapping.dmp

Download
memory/1320-195-0x0000000000000000-mapping.dmp

Download
memory/1320-174-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1564-124-0x0000000000000000-mapping.dmp

Download
memory/1568-175-0x0000000000000000-mapping.dmp

Download
memory/1568-178-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/1568-177-0x0000000000DC0000-0x0000000000DC5000-memory.dmp

Filesize
20KB

Download
memory/1636-196-0x0000000000000000-mapping.dmp

Download
memory/1860-155-0x0000000003A40000-0x0000000003ACF000-memory.dmp

Filesize
572KB

Download
memory/1860-118-0x0000000000000000-mapping.dmp

Download
memory/1860-156-0x0000000000400000-0x0000000001DB7000-memory.dmp

Filesize
25.7MB

Download
memory/1916-202-0x0000000000000000-mapping.dmp

Download
memory/2180-145-0x0000000002760000-0x000000000276B000-memory.dmp

Filesize
44KB

Download
memory/2180-138-0x0000000000000000-mapping.dmp

Download
memory/2180-144-0x0000000002770000-0x0000000002777000-memory.dmp

Filesize
28KB

Download
memory/2272-132-0x0000000000000000-mapping.dmp

Download
memory/2272-139-0x0000000002760000-0x00000000027CB000-memory.dmp

Filesize
428KB

Download
memory/2272-137-0x0000000002A00000-0x0000000002A74000-memory.dmp

Filesize
464KB

Download
memory/2300-180-0x0000000000400000-0x0000000001DB7000-memory.dmp

Filesize
25.7MB

Download
memory/2300-127-0x0000000000000000-mapping.dmp

Download
memory/2300-192-0x0000000000000000-mapping.dmp

Download
memory/2300-176-0x0000000001F10000-0x0000000001F9F000-memory.dmp

Filesize
572KB

Download
memory/2308-201-0x0000000000000000-mapping.dmp

Download
memory/2656-154-0x0000000000190000-0x0000000000199000-memory.dmp

Filesize
36KB

Download
memory/2656-153-0x00000000001A0000-0x00000000001A5000-memory.dmp

Filesize
20KB

Download
memory/2656-152-0x0000000000000000-mapping.dmp

Download
memory/2824-193-0x0000000000000000-mapping.dmp

Download
memory/2900-143-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/2900-188-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/2900-133-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2900-136-0x0000000005F20000-0x0000000005F21000-memory.dmp

Filesize
4KB

Download
memory/2900-140-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/2900-149-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/2900-183-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/2900-184-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/2900-121-0x0000000000000000-mapping.dmp

Download
memory/2900-186-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/2900-187-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/2900-131-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/2900-189-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/2900-148-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/2900-146-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/2900-197-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/2900-204-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/3024-117-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/3040-115-0x0000000000402FAB-mapping.dmp

Download
memory/3040-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3292-203-0x0000000000000000-mapping.dmp

Download
memory/3340-191-0x0000000000000000-mapping.dmp

Download
memory/3484-135-0x0000000000000000-mapping.dmp

Download
memory/3484-141-0x0000000000540000-0x0000000000547000-memory.dmp

Filesize
28KB

Download
memory/3484-142-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/3800-190-0x0000000000000000-mapping.dmp

Download
memory/3972-157-0x0000000000000000-mapping.dmp

Download
memory/4052-200-0x0000000000000000-mapping.dmp

Download