buran | 6d27b9968c95e5bfa75e7b4232fac3d7dc0f118c3ee7e8be5397111128b9fa68

Analysis

max time kernel
99s
max time network
150s
platform
windows7_x64
resource
win7v20210408
submitted
31-08-2021 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pattern.exe
Size

416KB
MD5

dcef208fcdac3345c6899a478d16980f
SHA1

fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256

824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA512

28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 152-A71-888 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid	Process
420	taskeng.exe
364	taskeng.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskeng.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\StopMeasure.tiff	taskeng.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandCopy.tiff	taskeng.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1556	notepad.exe

Loads dropped DLL 1 IoCs

Processes:

pattern.exe

pid	Process
1240	pattern.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	pattern.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	pattern.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	Process
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Foundry.thmx	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153305.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00018_.WMF	taskeng.exe
File created	C:\Program Files (x86)\Microsoft.NET\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\powerpnt.exe.manifest.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\BUZZ.WAV	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00122_.WMF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Melbourne.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveLetter.dotx.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00494_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251301.WMF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME05.CSS.kd8eby0.152-A71-888	taskeng.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10299_.GIF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR40F.GIF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Antigua	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00633_.WMF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195534.WMF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187893.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45F.GIF.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.kd8eby0.152-A71-888	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MML2OMML.XSL.kd8eby0.152-A71-888	taskeng.exe

Drops file in Windows directory 1 IoCs

Processes:

taskeng.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
1224	vssadmin.exe
1440	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

taskeng.exepattern.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pattern.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	1240	pattern.exe
Token: SeDebugPrivilege	1240	pattern.exe
Token: SeIncreaseQuotaPrivilege	812	WMIC.exe
Token: SeSecurityPrivilege	812	WMIC.exe
Token: SeTakeOwnershipPrivilege	812	WMIC.exe
Token: SeLoadDriverPrivilege	812	WMIC.exe
Token: SeSystemProfilePrivilege	812	WMIC.exe
Token: SeSystemtimePrivilege	812	WMIC.exe
Token: SeProfSingleProcessPrivilege	812	WMIC.exe
Token: SeIncBasePriorityPrivilege	812	WMIC.exe
Token: SeCreatePagefilePrivilege	812	WMIC.exe
Token: SeBackupPrivilege	812	WMIC.exe
Token: SeRestorePrivilege	812	WMIC.exe
Token: SeShutdownPrivilege	812	WMIC.exe
Token: SeDebugPrivilege	812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	812	WMIC.exe
Token: SeRemoteShutdownPrivilege	812	WMIC.exe
Token: SeUndockPrivilege	812	WMIC.exe
Token: SeManageVolumePrivilege	812	WMIC.exe
Token: 33	812	WMIC.exe
Token: 34	812	WMIC.exe
Token: 35	812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe
Token: 35	1468	WMIC.exe
Token: SeBackupPrivilege	1004	vssvc.exe
Token: SeRestorePrivilege	1004	vssvc.exe
Token: SeAuditPrivilege	1004	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

pattern.exetaskeng.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1240 wrote to memory of 420	1240	pattern.exe	31
PID 1240 wrote to memory of 420	1240	pattern.exe	31
PID 1240 wrote to memory of 420	1240	pattern.exe	31
PID 1240 wrote to memory of 420	1240	pattern.exe	31
PID 1240 wrote to memory of 1556	1240	pattern.exe	32
PID 1240 wrote to memory of 1556	1240	pattern.exe	32
PID 1240 wrote to memory of 1556	1240	pattern.exe	32
PID 1240 wrote to memory of 1556	1240	pattern.exe	32
PID 1240 wrote to memory of 1556	1240	pattern.exe	32
PID 1240 wrote to memory of 1556	1240	pattern.exe	32
PID 1240 wrote to memory of 1556	1240	pattern.exe	32
PID 420 wrote to memory of 940	420	taskeng.exe	34
PID 420 wrote to memory of 940	420	taskeng.exe	34
PID 420 wrote to memory of 940	420	taskeng.exe	34
PID 420 wrote to memory of 940	420	taskeng.exe	34
PID 420 wrote to memory of 1448	420	taskeng.exe	36
PID 420 wrote to memory of 1448	420	taskeng.exe	36
PID 420 wrote to memory of 1448	420	taskeng.exe	36
PID 420 wrote to memory of 1448	420	taskeng.exe	36
PID 420 wrote to memory of 996	420	taskeng.exe	37
PID 420 wrote to memory of 996	420	taskeng.exe	37
PID 420 wrote to memory of 996	420	taskeng.exe	37
PID 420 wrote to memory of 996	420	taskeng.exe	37
PID 420 wrote to memory of 1128	420	taskeng.exe	38
PID 420 wrote to memory of 1128	420	taskeng.exe	38
PID 420 wrote to memory of 1128	420	taskeng.exe	38
PID 420 wrote to memory of 1128	420	taskeng.exe	38
PID 420 wrote to memory of 1860	420	taskeng.exe	39
PID 420 wrote to memory of 1860	420	taskeng.exe	39
PID 420 wrote to memory of 1860	420	taskeng.exe	39
PID 420 wrote to memory of 1860	420	taskeng.exe	39
PID 420 wrote to memory of 1752	420	taskeng.exe	44
PID 420 wrote to memory of 1752	420	taskeng.exe	44
PID 420 wrote to memory of 1752	420	taskeng.exe	44
PID 420 wrote to memory of 1752	420	taskeng.exe	44
PID 420 wrote to memory of 364	420	taskeng.exe	43
PID 420 wrote to memory of 364	420	taskeng.exe	43
PID 420 wrote to memory of 364	420	taskeng.exe	43
PID 420 wrote to memory of 364	420	taskeng.exe	43
PID 940 wrote to memory of 1468	940	cmd.exe	46
PID 940 wrote to memory of 1468	940	cmd.exe	46
PID 940 wrote to memory of 1468	940	cmd.exe	46
PID 940 wrote to memory of 1468	940	cmd.exe	46
PID 1860 wrote to memory of 1224	1860	cmd.exe	48
PID 1860 wrote to memory of 1224	1860	cmd.exe	48
PID 1860 wrote to memory of 1224	1860	cmd.exe	48
PID 1860 wrote to memory of 1224	1860	cmd.exe	48
PID 1752 wrote to memory of 812	1752	cmd.exe	49
PID 1752 wrote to memory of 812	1752	cmd.exe	49
PID 1752 wrote to memory of 812	1752	cmd.exe	49
PID 1752 wrote to memory of 812	1752	cmd.exe	49
PID 1752 wrote to memory of 1440	1752	cmd.exe	52
PID 1752 wrote to memory of 1440	1752	cmd.exe	52
PID 1752 wrote to memory of 1440	1752	cmd.exe	52
PID 1752 wrote to memory of 1440	1752	cmd.exe	52
PID 420 wrote to memory of 896	420	taskeng.exe	54
PID 420 wrote to memory of 896	420	taskeng.exe	54
PID 420 wrote to memory of 896	420	taskeng.exe	54
PID 420 wrote to memory of 896	420	taskeng.exe	54
PID 420 wrote to memory of 896	420	taskeng.exe	54
PID 420 wrote to memory of 896	420	taskeng.exe	54
PID 420 wrote to memory of 896	420	taskeng.exe	54

C:\Users\Admin\AppData\Local\Temp\pattern.exe
"C:\Users\Admin\AppData\Local\Temp\pattern.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1224
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:812
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1440
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:896
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
126b4447312c88b69a943d05236a7831

SHA1
008ad7352055b0d6655aad248d2e0e4286904497

SHA256
6dc8481f116f2baf66da3b4ca4590cf78de060f998b6b73cd37ab0219317c05d

SHA512
023cd158aca34372414f68655d8770d3faf07e4baafbf1404f2d5e772f5c8d92561609aa9cef4b8bc4e698edfddec6ad3284b96cfc430c237b810ae587fe734b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
0965a492b5b90aa61d71781aa1c8564f

SHA1
aea58aa80618f50f1b0bace73f5463c43d6ce4b9

SHA256
5026f333197c7bfdf14953196acaccade330d83224fec9fced24d5c40b05b2df

SHA512
d080dfa47bb6735394d4deb268895b7b6f3816536e16769b3cbb74e52acb8fe0df9b027c9ac6824deb751a5daf7bf69b52ee534b46efa77e94e174ccafb19006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
add48042e3e65dd459235614178c67d7

SHA1
a21d2f9196881bfde287641926f54d90e5f82ce0

SHA256
340556c1d30d4c355d1caaf8ca40b31d1c89257c895f59e317077df743382181

SHA512
e71e992254a8e213b2be5b7cdf99bc7206d4a26a7c65dce20c30283d833cb50e0397007d5aa854887fc7420385a336bd64528fb11253f9183de9c9916d2bba05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
97ea02a4e5616c3d8d30e19225eb89a1

SHA1
b31c239fdf77660c4783a8cb2c47d06a465c2b33

SHA256
e5c289b1e9b77cf40c4ea188ce0d83f253fae3746cf6d363b098b99b8cec58bb

SHA512
f08836b5de2be23affcb14372b27fd64cad2758b3e3f80a04c84bd77845c0a3dadf7804fdc0909f640c502880bf2fdbd235d2a3f2e21a7035dfcca835bf704da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\FWIV2942.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\BDV4K1K9.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\Desktop\BackupTest.3g2.kd8eby0.152-A71-888

MD5
9ff4f488dd07b01f10587ab2b0c9ddfe

SHA1
9372dcba4a83d4dea681621910c9a9d43706716e

SHA256
bfed9db9298a675c1eb8c32491db3170acf40d0701b10158841af5084bb5c936

SHA512
d1df80726d6224d592389cc2125d458aef62d18f3e38bb4e0323cc08257d1f7c6ebe46e00159acfc1162b80212b8591711a6a45db0108006c4b6c1457225db14

Download Submit
C:\Users\Admin\Desktop\ConfirmCopy.jpeg.kd8eby0.152-A71-888

MD5
975eedee518fad2ce1918405452ee733

SHA1
d70b9734cf14ce1595f8dadacb56f75bc6121580

SHA256
652c5c9b8c72291fe9eedbf5f72d4babdbffb7e95b15a8491f77a249d7fd0129

SHA512
8807d4a0ab8dd17735ffc4811e950b95201961d59ea8b6f69cce2d5225d4f1abec0037750bbe2597b7bfcee25c172b3f0fe1fde5dab33e9980ad6ee233ed30ce

Download Submit
C:\Users\Admin\Desktop\ConfirmRemove.xps.kd8eby0.152-A71-888

MD5
6d29bcf022c62980a6e6aed7f311de86

SHA1
65760bf7c362997cadd522a95dca91aff67105a9

SHA256
bd002b43565dda61f5f5f5b047c0511f6ed440d70af6b025f58082f7e4dd6832

SHA512
af187b1049b510b09b221212f5ddc182688ccf1af9018f2e356003ad5c0dbb9b82dcc253c46c39998ec4f63e5991e3f1f87555f7e334a80fac555683a5ddde24

Download Submit
C:\Users\Admin\Desktop\ConvertUnblock.snd.kd8eby0.152-A71-888

MD5
2898b151666c66e567c6ee1a13f0bb4f

SHA1
42d9ae1f615d61c4bfc83effc33e8366eab73c86

SHA256
5fe0fbc4d6e95541302618ed1124b10949a82830cad2eeeb52b138df5665c220

SHA512
176b1a93281a25bcc63bfbf9c363cb233f5e27237717cb65a20470d21b1c7c5d7c6e1009461badbd519b79f7f673c94d9fa11d26f79e2917cc7e7486d6756e28

Download Submit
C:\Users\Admin\Desktop\EnableOut.clr.kd8eby0.152-A71-888

MD5
7b2891acd82daf6c3c1b8df3f8160474

SHA1
b91f2b1aad238ad749c1e1e1cabbce8d8ab889f2

SHA256
1c8a889e8b11b56d49fb7cd3097d260a225022268352f8cf55a19ab69934f431

SHA512
31211f0ab2883532c84c8b6c80ebc8bab4672df85d47feb132e8e9ed3023122e2ca40eb5a5e5308b35ad8fe58dccd5fa88d6be6c309660a8e77f9f6a623d00be

Download Submit
C:\Users\Admin\Desktop\GetUnblock.eps.kd8eby0.152-A71-888

MD5
caaf51b436abdc86260fbb9f8bca07f8

SHA1
ddc3d2fe1518305ab7e5c97cc20e3423bffe2abb

SHA256
cf8a5f95906406b4315003e89f6b3018636f06a07abc7d7678e9c5734001128b

SHA512
8223b7dda94946bfbc2c0c204c227464c4a0c0563445ade7b80da1322c1446e9a5e95d1ef6e4c5f098207d7a5cf53fda4c9c1017dec69d9802e54906594e3288

Download Submit
C:\Users\Admin\Desktop\GetUpdate.potm.kd8eby0.152-A71-888

MD5
ff991cbdab09bc940b310af2a9c7515e

SHA1
4415b7f1ced5582b97a6ff82d0a731e471b2fa91

SHA256
4e4f7dbe1d1833e8b19ca55bf9dec9b45654d0809e6729aecaf683acba3911ae

SHA512
1155aff1638df82b049fa35a45b46119fe0f83017a412df937b626adade1524b06fec156dc073524e4f4c49024444f77f1600ed839584a2dd95c9b01fc3398b8

Download Submit
C:\Users\Admin\Desktop\LimitSkip.search-ms.kd8eby0.152-A71-888

MD5
27e01caa18937880d7c787f0968c7dc6

SHA1
910cb57d5b634b132e7714d6f434d207a5e4c34c

SHA256
0f9083455b98b8d075b04750975db9e62d61a4eb20fa514f1953e4e82a756bc0

SHA512
76fcd0bc70ee4248f504b99d543c83122fbe5af045c34870e4198a47e99a372583f49f5380ff79a988472a92bbca38aa5b1c5ffe31022a56e1c1a9cb8dd1b7ba

Download Submit
C:\Users\Admin\Desktop\LockRevoke.ADT.kd8eby0.152-A71-888

MD5
5547685bdfc0ebad965ce1916a94f2bc

SHA1
f81616234a204f16e1a806d53ad1809c4c00d8f5

SHA256
edfbc7ebe17ed476035cbf34c7bf02a56d2b426c5e0ee46f7ae31afeb382d5c7

SHA512
b9f6e7a7315765a553169c7b411ef616aa32f0380ad6d02a8679015a63ebba399379c24845c98f0a4e6bfc628acb5b0e695882a6592cb675e795b270f775ff71

Download Submit
C:\Users\Admin\Desktop\MergeApprove.wmx.kd8eby0.152-A71-888

MD5
4db7000d17cefdc867734afa29ba9a2d

SHA1
efe3ffa950517b567f6a97264845c5bd81060e06

SHA256
a762b7a77595028fc6089b9cabecf711b45dd27ae58942560c4d291257667b10

SHA512
b7627157e5363949e63d64d3bddf735909ac87622f0786238d050ea23e9e48f3aa7b09d33c8e9776bc644f3ed6bf3bffba13b2952d97cc0d9d60d8c366486357

Download Submit
C:\Users\Admin\Desktop\RegisterConfirm.cfg.kd8eby0.152-A71-888

MD5
c91c9b637126a286b96e87c5e1ab889e

SHA1
ad94a6ec709e0fc3506d688c1dc2901623849126

SHA256
b168bf183d7c42c3f3b8652d2d8ccb23986884dbbc6d632d9a4cf63130433e4f

SHA512
97c0d7c7c9295b2661d9f33344d759c468d7d351a01a5a63c967b0081398868d9f1de9da69e2e0365779da58dc90e7359207f71979a94ae8b5ebb3bcab812374

Download Submit
C:\Users\Admin\Desktop\RenameDebug.lock.kd8eby0.152-A71-888

MD5
13034c67f8a46861196cedbb5acee813

SHA1
a9981e4ca4beb371f6df11f16ea2dea301f8896b

SHA256
cf06b106b41ac33fb94b9d3097edde9d9a938d451a2687b8fd9b4546657308c6

SHA512
4c5d0194e929f4f6a5db2a2adbaa0f6542c6f632de2fd5feb2e49610807e7b5ce6c4a50aaf10a8a1e1c843bc2bc32e7195248a301812f3245d7f369de91fd0cb

Download Submit
C:\Users\Admin\Desktop\ResizeClose.mpeg.kd8eby0.152-A71-888

MD5
5d335d2cc4218d9a557894f775ecabf5

SHA1
a099153e88dad4d0a7163e1a685c3acfa414b111

SHA256
d797a606f4c2d91f83547cc23269b5484dfbfba663e00b61ca6796f52b810a61

SHA512
b91c47e8c05e47ab5e6304ba015c97796967d7e449cb75728be27fd525adb2c011ebd03ac26cf9fac4aa7338d02d5f6cb5b7d03575ec91e6dbefba576d4c2e61

Download Submit
C:\Users\Admin\Desktop\RestoreOut.mp3.kd8eby0.152-A71-888

MD5
b58262e68dd3f2eb7d7eea0ee2223367

SHA1
009a18d9f09965d45205626ef756a1c61e1d3e9f

SHA256
abab00f16b1b154b060ad2432f3dbdd0735d6cc225e396e5a6e6d6bb1ad42bc6

SHA512
9f258508202dae6d214252ae353139769b972af636e780c593b7616da12efdfcc050d9faba2e2e430d1e205f9bc5bc37af18bc736aa2e19cd3371b9fcfcc9ed5

Download Submit
C:\Users\Admin\Desktop\ResumeMount.bmp.kd8eby0.152-A71-888

MD5
53857c0eb794c138a4cddc872b75b79b

SHA1
00a09242ef5f8dffccef4c84539d0840d9d36214

SHA256
a47a9866b798e91c9b19e1877d96d2ba5e1f298454bf8d0c47aef6bcb0a1210d

SHA512
0ab3930d289f8948c09b2e403aae23f2eb5a211952ad4b3c4bb0e5a4be7aca98749de8762254650a2954b03a43e40a1f910e789715054053232bbfc481e8bc57

Download Submit
C:\Users\Admin\Desktop\RevokeSelect.wvx.kd8eby0.152-A71-888

MD5
8609d00853446bafe9359afd425a5592

SHA1
d29dc10dcfc4159c134cba19bb009596831bdfdf

SHA256
8cee469ae970fa0696f10b326c9f07f659878329ba00970593afdcf7b46f0d84

SHA512
1de94d968bfad1ce88334333469ae069ab61e3ab8e0257fa1734ba0a8dae98287f7820569197450dfc362b37dd7fa9124311bf552857ea2fe603e9a00b64446d

Download Submit
C:\Users\Admin\Desktop\SendStop.mhtml.kd8eby0.152-A71-888

MD5
ce7963c28565e3781d925033a5b8b6b1

SHA1
de4f49de457d01251450d0acfb63677e8607d0b2

SHA256
95f68aa604d5a8f890c52ae92419ac856c307e64bd2346c3d879a22366502086

SHA512
ce752652b5d45a8890de5cf623bd5b73338a3d54721f6f675816a4406e4c61268af8237f0d4f69345858ce10e8d30e23d76f3f4f9505fdc457dfb8257a9bba16

Download Submit
C:\Users\Admin\Desktop\SwitchSet.asp.kd8eby0.152-A71-888

MD5
c817066d0235be672dc1fbcdd049827c

SHA1
1b26ffcf1e48f4ae5b6f4144693d4bffb03cc243

SHA256
083e0e0ede5c3bf3efed7ba5d150731455a1e40b7baea7d3b2e12b0001d70f95

SHA512
8b7f5a5b02a945f30ef28f98591bfaf701a7097a75ac20c096265dd045faf5d50e2af0a46c54672a748fc9c8a0c8a23941a756cb1643905606fd2a0216d26355

Download Submit
C:\Users\Admin\Desktop\SwitchStart.txt.kd8eby0.152-A71-888

MD5
fb57fa5bccfd22c9defd3775dbe8103f

SHA1
393fa37453f66678b344caee88d0fdca70eb406c

SHA256
28fbcf6c1a5cd2fbe2b2bbe7c575e677cab59e20a0ca0d8a4711eb8d38e74633

SHA512
7bb6a70c28383b9e308ce6726f46e5e3a7f5cbfdbf05c45df7e1a7f1e1da1fd26620adf790123c5ad9bca6e88a7f31ea8a5f1e25d56c2466d3e1da53799f1cff

Download Submit
C:\Users\Admin\Desktop\UnregisterConfirm.3gp2.kd8eby0.152-A71-888

MD5
1b0bd81c8a13117f6e9bb613222e1710

SHA1
3b54e75f47da2020bd0deb51309f61f268ecb46c

SHA256
d826a24dd3ca9d418a1dd61cf6e2009ff2b96c0f7415e2be9bc180d8061ecb2d

SHA512
6fc5e2c56a9903600fbde4c002da5b31664ac24941de62b4556f66ab0b246bdea2e01bb50464c6e4e4a6749a769360acd8f05921a587ab30677a101fee59676f

Download Submit
C:\Users\Admin\Desktop\UpdateProtect.rmi.kd8eby0.152-A71-888

MD5
4d6ca0511072ed5de278a7dbfefb63c2

SHA1
0c246db02efb986ae6a0d4dc2531e6d2a7502b58

SHA256
614970acd4603002595377f4163b461d52b4e3f6729496966c23e8788bf9f1f8

SHA512
aef4e6a5fd52ef02ab7b3808ff945923980674c6081b7dcf0db8545f8f875a759eb6ecccfeb7b97bccc267ed07444e01cbe8df4e6d6db6fb0a02375279146e74

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
memory/364-94-0x0000000001DE0000-0x0000000001F25000-memory.dmp

Filesize
1.3MB

Download
memory/364-87-0x0000000000000000-mapping.dmp

Download
memory/420-72-0x0000000001E90000-0x0000000001FD5000-memory.dmp

Filesize
1.3MB

Download
memory/420-64-0x0000000000000000-mapping.dmp

Download
memory/812-92-0x0000000000000000-mapping.dmp

Download
memory/896-117-0x0000000000000000-mapping.dmp

Download
memory/940-81-0x0000000000000000-mapping.dmp

Download
memory/996-83-0x0000000000000000-mapping.dmp

Download
memory/1128-84-0x0000000000000000-mapping.dmp

Download
memory/1224-91-0x0000000000000000-mapping.dmp

Download
memory/1240-60-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1240-62-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1240-61-0x0000000001DA0000-0x0000000001EE5000-memory.dmp

Filesize
1.3MB

Download
memory/1440-95-0x0000000000000000-mapping.dmp

Download
memory/1448-82-0x0000000000000000-mapping.dmp

Download
memory/1468-89-0x0000000000000000-mapping.dmp

Download
memory/1556-71-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1556-66-0x0000000000000000-mapping.dmp

Download
memory/1752-86-0x0000000000000000-mapping.dmp

Download
memory/1860-85-0x0000000000000000-mapping.dmp

Download