buran | 6d27b9968c95e5bfa75e7b4232fac3d7dc0f118c3ee7e8be5397111128b9fa68

Analysis

max time kernel
136s
max time network
130s
platform
windows10_x64
resource
win10v20210408
submitted
31-08-2021 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pattern.exe
Size

416KB
MD5

dcef208fcdac3345c6899a478d16980f
SHA1

fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256

824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA512

28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 18C-9D3-ACB Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

smss.exesmss.exe

pid	Process
492	smss.exe
4016	smss.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
404	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	pattern.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	pattern.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	Process
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\K:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\Email.ot	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\_Resources\0.rsrc	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Triangle.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_48x48x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bn_60x42.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\de-DE.PhoneNumber.model	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerLightData.fx	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\ui-strings.js.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square150x150Logo.scale-100.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashSquareTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-fullcolor.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-150.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-200.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\ui-strings.js.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-200.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_11d.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectSplashScreen.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\call.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\.lastModified	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1251_36x36x32.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-250.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-gb\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\ui-strings.js.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif.kd8eby0.18C-9D3-ACB	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms	smss.exe

Drops file in Windows directory 1 IoCs

Processes:

smss.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
2856	vssadmin.exe
3116	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pattern.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	628	pattern.exe
Token: SeDebugPrivilege	628	pattern.exe
Token: SeIncreaseQuotaPrivilege	2472	WMIC.exe
Token: SeSecurityPrivilege	2472	WMIC.exe
Token: SeTakeOwnershipPrivilege	2472	WMIC.exe
Token: SeLoadDriverPrivilege	2472	WMIC.exe
Token: SeSystemProfilePrivilege	2472	WMIC.exe
Token: SeSystemtimePrivilege	2472	WMIC.exe
Token: SeProfSingleProcessPrivilege	2472	WMIC.exe
Token: SeIncBasePriorityPrivilege	2472	WMIC.exe
Token: SeCreatePagefilePrivilege	2472	WMIC.exe
Token: SeBackupPrivilege	2472	WMIC.exe
Token: SeRestorePrivilege	2472	WMIC.exe
Token: SeShutdownPrivilege	2472	WMIC.exe
Token: SeDebugPrivilege	2472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2472	WMIC.exe
Token: SeRemoteShutdownPrivilege	2472	WMIC.exe
Token: SeUndockPrivilege	2472	WMIC.exe
Token: SeManageVolumePrivilege	2472	WMIC.exe
Token: 33	2472	WMIC.exe
Token: 34	2472	WMIC.exe
Token: 35	2472	WMIC.exe
Token: 36	2472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2864	WMIC.exe
Token: SeSecurityPrivilege	2864	WMIC.exe
Token: SeTakeOwnershipPrivilege	2864	WMIC.exe
Token: SeLoadDriverPrivilege	2864	WMIC.exe
Token: SeSystemProfilePrivilege	2864	WMIC.exe
Token: SeSystemtimePrivilege	2864	WMIC.exe
Token: SeProfSingleProcessPrivilege	2864	WMIC.exe
Token: SeIncBasePriorityPrivilege	2864	WMIC.exe
Token: SeCreatePagefilePrivilege	2864	WMIC.exe
Token: SeBackupPrivilege	2864	WMIC.exe
Token: SeRestorePrivilege	2864	WMIC.exe
Token: SeShutdownPrivilege	2864	WMIC.exe
Token: SeDebugPrivilege	2864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2864	WMIC.exe
Token: SeRemoteShutdownPrivilege	2864	WMIC.exe
Token: SeUndockPrivilege	2864	WMIC.exe
Token: SeManageVolumePrivilege	2864	WMIC.exe
Token: 33	2864	WMIC.exe
Token: 34	2864	WMIC.exe
Token: 35	2864	WMIC.exe
Token: 36	2864	WMIC.exe
Token: SeBackupPrivilege	2980	vssvc.exe
Token: SeRestorePrivilege	2980	vssvc.exe
Token: SeAuditPrivilege	2980	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2472	WMIC.exe
Token: SeSecurityPrivilege	2472	WMIC.exe
Token: SeTakeOwnershipPrivilege	2472	WMIC.exe
Token: SeLoadDriverPrivilege	2472	WMIC.exe
Token: SeSystemProfilePrivilege	2472	WMIC.exe
Token: SeSystemtimePrivilege	2472	WMIC.exe
Token: SeProfSingleProcessPrivilege	2472	WMIC.exe
Token: SeIncBasePriorityPrivilege	2472	WMIC.exe
Token: SeCreatePagefilePrivilege	2472	WMIC.exe
Token: SeBackupPrivilege	2472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2864	WMIC.exe
Token: SeRestorePrivilege	2472	WMIC.exe
Token: SeSecurityPrivilege	2864	WMIC.exe
Token: SeShutdownPrivilege	2472	WMIC.exe
Token: SeTakeOwnershipPrivilege	2864	WMIC.exe
Token: SeDebugPrivilege	2472	WMIC.exe
Token: SeLoadDriverPrivilege	2864	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

pattern.exesmss.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 628 wrote to memory of 492	628	pattern.exe	75
PID 628 wrote to memory of 492	628	pattern.exe	75
PID 628 wrote to memory of 492	628	pattern.exe	75
PID 628 wrote to memory of 404	628	pattern.exe	76
PID 628 wrote to memory of 404	628	pattern.exe	76
PID 628 wrote to memory of 404	628	pattern.exe	76
PID 628 wrote to memory of 404	628	pattern.exe	76
PID 628 wrote to memory of 404	628	pattern.exe	76
PID 628 wrote to memory of 404	628	pattern.exe	76
PID 492 wrote to memory of 976	492	smss.exe	80
PID 492 wrote to memory of 976	492	smss.exe	80
PID 492 wrote to memory of 976	492	smss.exe	80
PID 492 wrote to memory of 3452	492	smss.exe	81
PID 492 wrote to memory of 3452	492	smss.exe	81
PID 492 wrote to memory of 3452	492	smss.exe	81
PID 492 wrote to memory of 2268	492	smss.exe	84
PID 492 wrote to memory of 2268	492	smss.exe	84
PID 492 wrote to memory of 2268	492	smss.exe	84
PID 492 wrote to memory of 3892	492	smss.exe	87
PID 492 wrote to memory of 3892	492	smss.exe	87
PID 492 wrote to memory of 3892	492	smss.exe	87
PID 492 wrote to memory of 2152	492	smss.exe	86
PID 492 wrote to memory of 2152	492	smss.exe	86
PID 492 wrote to memory of 2152	492	smss.exe	86
PID 492 wrote to memory of 3316	492	smss.exe	89
PID 492 wrote to memory of 3316	492	smss.exe	89
PID 492 wrote to memory of 3316	492	smss.exe	89
PID 492 wrote to memory of 4016	492	smss.exe	90
PID 492 wrote to memory of 4016	492	smss.exe	90
PID 492 wrote to memory of 4016	492	smss.exe	90
PID 976 wrote to memory of 2472	976	cmd.exe	93
PID 976 wrote to memory of 2472	976	cmd.exe	93
PID 976 wrote to memory of 2472	976	cmd.exe	93
PID 2152 wrote to memory of 2856	2152	cmd.exe	94
PID 2152 wrote to memory of 2856	2152	cmd.exe	94
PID 2152 wrote to memory of 2856	2152	cmd.exe	94
PID 3316 wrote to memory of 2864	3316	cmd.exe	95
PID 3316 wrote to memory of 2864	3316	cmd.exe	95
PID 3316 wrote to memory of 2864	3316	cmd.exe	95
PID 3316 wrote to memory of 3116	3316	cmd.exe	98
PID 3316 wrote to memory of 3116	3316	cmd.exe	98
PID 3316 wrote to memory of 3116	3316	cmd.exe	98
PID 492 wrote to memory of 3928	492	smss.exe	100
PID 492 wrote to memory of 3928	492	smss.exe	100
PID 492 wrote to memory of 3928	492	smss.exe	100
PID 492 wrote to memory of 3928	492	smss.exe	100
PID 492 wrote to memory of 3928	492	smss.exe	100
PID 492 wrote to memory of 3928	492	smss.exe	100

C:\Users\Admin\AppData\Local\Temp\pattern.exe
"C:\Users\Admin\AppData\Local\Temp\pattern.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2864
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3116
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:4016
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3928
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
1fc5fa0c8fe07be26a0104deb7ebbe59

SHA1
265f83a70170c6a7e6187595df476c7ad5ea75f4

SHA256
e4f6de32473b050e965ab95d9b05c87e5f2b5dc674c1bc058af76188c2f6d073

SHA512
83f671d9034cd0e97f48f68716328ced57137f257b90786b666580274250842c8d6cdd94826293aba7858f4c3ca492d63639da44d9d5aa012c5c66bf06bb09b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
97d9d2d1193a0f575a560fd7ef387343

SHA1
2d36cabb3f9cb81eaf596be6a1cbe08492c2ea53

SHA256
807b1cfa02bd7fbe751764bfb14372342c1f99cc3f7b4a74adee6bdd72c6d404

SHA512
4921a87ea6cf2bbec869347776b70944486adfbc92ee0c15e7f0262c43b2b9d19789b36a00fd5096d123c33df709e320d1131d607b0ecf69f2b55242748ed787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
a183e81aacecd4b9f2405b795122dc62

SHA1
b252881f4fe544d0e6541af9cac29b6e35c9b0b0

SHA256
223334277a512f0b4f3af524dcded747da6b1c9b1239343b97e3f78eeb2116ba

SHA512
246361d3e56e08ae7f8ea44e687bcb0e6d94213c1688570ec1e699d7dac66a82bb0da3edef75ce186445808c298899c4820dd262dc530e02c5860ae8f27b4020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\L6I306CP.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\KP4ED0LW.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\Desktop\CompressInstall.pcx.kd8eby0.18C-9D3-ACB

MD5
1d7f772982a3d639c33e1382d722cc1d

SHA1
e05192b3234d62dc66b295da5d7857661c4ec56d

SHA256
80856a42512b2ef4fe29154db9fffc4091814157b9a518209272ae5ab1637b2d

SHA512
5e2baea78cad9d38c61735605f706bffe43c4aeab3af659852a2ebd0678e3606503f2e1624d9268a9903add12ac2b57cb4b36fb62529690b24e33fc725b95272

Download Submit
C:\Users\Admin\Desktop\ConfirmSend.emz.kd8eby0.18C-9D3-ACB

MD5
3200ec526a62742b0dec0c02d9dcc952

SHA1
e78e030724687d219890e69b83a4bbc9b711b363

SHA256
ad88fa0215564f3b59e72d6b7b35a078dc87008d4e823b1e286180cffc4bdc9c

SHA512
704cd73151f6dbaa8f07c6a95d19999f72a51b315c32183e61c0fa3ac4cc66bf91509ed772bdbca0ee271b5ddf4caf24e24585e997851222a7a9f4e2abde0f2f

Download Submit
C:\Users\Admin\Desktop\ConfirmWatch.nfo.kd8eby0.18C-9D3-ACB

MD5
506c85d65e4dc8c76b0b4e0c22cc37f4

SHA1
c67dd16adc717149e43352db10fd21c8a494d95e

SHA256
c491917ddd7ee24050114cc84f841c95dd669e449d90ed939702c1d04d5d1974

SHA512
7a1c6b42138130d48121d7e90388e752ff80b2f670446388646a3956e707ab3ee1b271ae1e0c5b5f5cd41c2eac795a7cf4e770e93d9499934b8b8afea19a2b6e

Download Submit
C:\Users\Admin\Desktop\ConvertResolve.TTS.kd8eby0.18C-9D3-ACB

MD5
f43f362117d4f41542ad4598113471f8

SHA1
ec214ae5731f27081977a127a8abfd9973be2793

SHA256
b2eecc88d2207be67bc2adeff20e577a9be4cc1edc30d2d2b36b133042617f78

SHA512
d90dd6ff72ba26934674df2421b1a553d9f6c58deadc0fc2b502dfe782dedb7ad0665f86496906343c8000537e9636a176c8848ce7d42c404050d2d429124494

Download Submit
C:\Users\Admin\Desktop\ConvertToOut.txt.kd8eby0.18C-9D3-ACB

MD5
16d33554890a8b0d61800fd8e104544a

SHA1
5285d45b316de436342969402a66b8ca0247879a

SHA256
c0cfea53cce677c45e6380e1dc151a6e62aa641c974854b87e5ddf176cccc2f8

SHA512
d465aacd587e410b950f16a991b520560920d55e33b036ed382f75664743b77c3c5cfd91921d023f833586862549b273568d9536ee0549739f6d5115453d45c3

Download Submit
C:\Users\Admin\Desktop\DisconnectClear.mid.kd8eby0.18C-9D3-ACB

MD5
e6e1784813ff30c7249120fbc7785ea7

SHA1
407733ecb743d9838099088ffacff3a701fda5a6

SHA256
9fe90115546d1d51d1ba246ce31c08cd4c3d0fdea4773633c8c571404317bf42

SHA512
5aab8cee4508407ccd26d7bf3ad2d0603e02f1d814de8c05b3946d6e196fb823e93ff53a8d7441a31382a4e63ea9c7f0bb2f6ec52f8fe1a633b28bfe0f5ca04b

Download Submit
C:\Users\Admin\Desktop\DisconnectDebug.mht.kd8eby0.18C-9D3-ACB

MD5
cc760d06e4ea0c119c3d70f7e346073d

SHA1
5e8b6bad0d9b7fa65b3bc0ba55839ca4aa8990c2

SHA256
a2aa205ba09f6ee88c4ade94e3e60e44365d40071bd3c181c1c23ac66598eb50

SHA512
0d9ba2801a4766bb6fb8f0cafd5baa654b731933ec96775cc77835c8f96c57e92d59ec7c6ffa484627f5d36d8997fb6936e3dc010304aa956a9e943ae3b7d57f

Download Submit
C:\Users\Admin\Desktop\DismountMove.rm.kd8eby0.18C-9D3-ACB

MD5
5d6b46b42673914b93903a023ae97194

SHA1
4dfcba55d908056de9c56c90a982a6491476f93f

SHA256
c1662a55f82174def03e61e15a1d3e01d46fde28d4d5b80b616d4c1f1da0f6b0

SHA512
6700d1b2e6d5f9db2d804544af234fb7392ab4df13d9ba41d6108be5c8858d48440958e993edd322fe9cb88ac000628767d4d3a6da03fa6ae1a34a628ff13a43

Download Submit
C:\Users\Admin\Desktop\EnableUnlock.fon.kd8eby0.18C-9D3-ACB

MD5
0a2f2b61ac1838c2a83f2e91acd430ef

SHA1
6002fc361ddf01548f3b18ad4915937efb9788e8

SHA256
b583bb2cdde3b46ae2ce0549b0aec63e586abea581a3b964b5daad1bfda50d13

SHA512
27e667e982616ca6a63f669cb760b6ffe87b6f8929df853d9097b54a6cc2e6f18e600b2b1c07f855f92bf13b9f8f472217e14ae5c9e7b5566d80fda129cd6427

Download Submit
C:\Users\Admin\Desktop\EnterUninstall.mp3.kd8eby0.18C-9D3-ACB

MD5
89d0857e9cf2e06f439479057f6dbc1f

SHA1
14578502e2958c8306c0e587587978f842464d6e

SHA256
06ffe74457119f02577bf7a3d2d792d84354dacf4967c2a5c8bad922d2caa422

SHA512
c56c49a585a952652572187c18b718a2bc479a8f3edabeffa697ecc4d9b97993a932dcaaf3f164e8da13367649b66d36a84b7dbd83ee1fdc224f7ea41d36a900

Download Submit
C:\Users\Admin\Desktop\ExpandUnprotect.vsdm.kd8eby0.18C-9D3-ACB

MD5
e234bd13d9586b875e9fc146aaff0da6

SHA1
9304bed7dc01f3ff029d4c6675c82ad1a0fefabd

SHA256
658277658ce60643f12b40c48ddae2069154321e0619b1a93e1a0df504ebe355

SHA512
3b7bc6c87045130edaf3930ea388b2b1ec51e0ae855066177e7fa7c25c40b5d8c1d734ae6c9b4e541febada4c7292d498dd8bb00f8466f55269cdfe77207d1e2

Download Submit
C:\Users\Admin\Desktop\FormatShow.dwfx.kd8eby0.18C-9D3-ACB

MD5
aac5dafd8207ffec5224131eee6b1bc5

SHA1
0d79a3776d103cc07a9d29d78aa6c448adf618ec

SHA256
e311c5bf2cf461ac33bb57589f0ebc9ea178fa733fc145fdb6d8a757093b330d

SHA512
53694c11af500ded1fd33752ce0822e646e76dbf2a52bc3b872733c4a063ff2e136242b66d235783557e35aaff1618aec3a170f238d9c67c4c7a72ed5aa71e55

Download Submit
C:\Users\Admin\Desktop\InitializeTest.xps.kd8eby0.18C-9D3-ACB

MD5
b364112ad54e48554fee6c0390087515

SHA1
8042652fd4137b737ca46214fc8dda5f171bb058

SHA256
f16a6d9f81dbb040938debcd2b0e74f956d5f75513ade5256448855e65b5cdc7

SHA512
310b17e387df443e9cd06d0a3849b74c7081005d1f997f49cf8f7a8fed803ebfe47fc4d71b3edf24aa458c73762e1b49faf7cb7be6e6b02a86910434e7508c60

Download Submit
C:\Users\Admin\Desktop\InstallConvertFrom.jpe.kd8eby0.18C-9D3-ACB

MD5
508e5f1537cbdd9afd717ba0a4a1764f

SHA1
04109e56b547d990c09e5ca6b2cdee743e5c465e

SHA256
0a69e36ad36ed2ef54c9174d3c38dd9fb24843a73e5757605a068abac65fda75

SHA512
6eec11a660aff3bec44b3d501c0ff76601ba4365f623e3c1731af3888991c42823aae6ba2c07122ebe95cc308dbe3373e1475c69a24fa1efefd0d9150eef0363

Download Submit
C:\Users\Admin\Desktop\NewSplit.mp4v.kd8eby0.18C-9D3-ACB

MD5
46348b71defffb8ec2659b55d8f53b0a

SHA1
2020fc89e020d9e55fafb664f160b504f5f3a497

SHA256
52902919d8111bda11cd0d2861523d483fec06133ea9af2ea21f1c5ca48ff1e1

SHA512
d8ba906cdd8561c81d0baae6bbdf3be70f0ab52007d9f13e9d3ebd2970db1a89321de779bcd98e4a6f85df3be3deca46b9aa00dd81188d29e9c3ff8719580d44

Download Submit
C:\Users\Admin\Desktop\ProtectUnpublish.ADT.kd8eby0.18C-9D3-ACB

MD5
2f5bcf743025657dfd97d1bb86fdf75e

SHA1
4898eccd690334af867ba04e9f082bb7719d10aa

SHA256
1b2b27e6bc78a755f13eece9ebec1ce7bd7e59cc3bfdb1b0c60d47c5f593fa42

SHA512
88138cb915d602c373854868c66dc9c50902300bc802c9454907416c3294202568834597bb1a3ce4bd138b2b8ea6c4b589ebf0f7c8bd0750b070a0b6dea603f6

Download Submit
C:\Users\Admin\Desktop\ReadConvertTo.DVR-MS.kd8eby0.18C-9D3-ACB

MD5
376d7e90d78599984d73b29a2ed477c7

SHA1
20386c4acb1b606943a96b7f585fd7487c1d45cb

SHA256
c009f6a9d51a1f8f6cc9e068177ac6c1ab980fe3f5a60ac5eb154a88c76bcab8

SHA512
5a518750b890cfc3d7118f6dfb0cd1c8cd208bef9199c80ac338fb2e883d6e81f59285c483ba79566456246af9f06268b0732985f17cc6d321cc7b869d3d9eda

Download Submit
C:\Users\Admin\Desktop\RedoPublish.txt.kd8eby0.18C-9D3-ACB

MD5
ed981602fe8988efc3b8fd113888ebd8

SHA1
89fa59625ea1f79767f4d1fa4f800a9f56538889

SHA256
4c8d110955e2c5d62cecae79f333f726bf45e93555e5cae41f0db8a725588f05

SHA512
35a0e6e0a9c5f9431ceeb270384ba2317f65cd331449053e5de4b581e370ea58e31616b045dfc4545d3ed5e26f8230bae5d09a50c9c7ae9752d167022bf82cef

Download Submit
C:\Users\Admin\Desktop\RemoveAssert.reg.kd8eby0.18C-9D3-ACB

MD5
753be732f5cf00ec9a9ae93cefa4cb67

SHA1
20fe40c28ac2419f42f68daa7eac17968d007307

SHA256
593f9ee691d819eb00cb4136bdf80f12e70a533e1425c4e3b10d85046efe2396

SHA512
9f8cc2e0d2395c5df0ab8cd3d8bb9073ed85e96ee3398042a60770cfbad37c5e15a4712c166f8b5a1068b46fe39eb1f56a04b77b83f9c37b9b49c15a326e2803

Download Submit
C:\Users\Admin\Desktop\RequestStop.odp.kd8eby0.18C-9D3-ACB

MD5
88208531db70026f9e3a691623918c95

SHA1
b7d625b22d1da14613d2b4be3d8ccd45de789f05

SHA256
b5fa9293ee09c722a7479fa2b08485dc52581ff18c32e3c91c3f6a5958dd30b2

SHA512
07d2eee6eb6d7efaf8edaf175aa29e0a434627ef71f0fb10f963eec36c07ce40e89df1f542fe83ce8c097e96fac9a8ac3971c3bb2bdfeebf5b2911379a211e1f

Download Submit
C:\Users\Admin\Desktop\SelectUnblock.mht.kd8eby0.18C-9D3-ACB

MD5
6bafc6b6a9cdc6bb856cddded9f8bd15

SHA1
6e24891acad20a52835a168370966022c08e3353

SHA256
a4d1ba4e2d21764324f73085db50e9b2f83305b6c495e51feb3c9e33630e1190

SHA512
3bb9c307a734c4710c9108d8835c91b668339deb746a93f45838f311d1cab24654bdd9743701c9b39fe7e6b481f415ea9e4cdc1b518802e50c85bb6d15f39554

Download Submit
C:\Users\Admin\Desktop\SendTrace.ppsx.kd8eby0.18C-9D3-ACB

MD5
e2f7c37aed136018c849554238e5c1b9

SHA1
8b9a91c3feb9397ab929d7575e4f42b3ead190fd

SHA256
ed3680da9991415ee90e2d3c72b4e755906e23c6eb857f24f9539df07f9cb5d0

SHA512
540156cbf46f48b0bcada448374852acd99fa25b90782126b75b3a1cc429a571ff4138c347f560ff0a0b64b3de557d3247dc2a7a9b57f28c7182ab0debeeab8a

Download Submit
C:\Users\Admin\Desktop\StopLimit.htm.kd8eby0.18C-9D3-ACB

MD5
de20244396081a0b0a42f5853eac0e3d

SHA1
c15bc0859eaa0336a2b0aa3fd2029b5eabddfd74

SHA256
e85cdd67c54129aebb93d15cf0439086c303f41672be63dfe8415bd72e7cd1a0

SHA512
11a0a4fba49a2dafa5aec4a80a7f63709d18caa0a7633fda6e11d3d8584b0dac250e0e5348805d64f901ac617b8aafb0baa312850e3a6e0744c47fb3131605b3

Download Submit
C:\Users\Admin\Desktop\TraceBlock.vsdx.kd8eby0.18C-9D3-ACB

MD5
42c34ba7bbc16718dda3cb866c9b913b

SHA1
3ed7e1972117a0154709396ad099bde7afd2538e

SHA256
3600e16daa77d3e47212324e5b0646223f036edf086eeb85fb8adb5045ae1634

SHA512
ac902657e67281bedcd1bf54d5148973ce3ac402e6b4a819812b415a9faf38283fed790b4fffdbc8d335f405c9162002db72a391dd8c0cf66895e7d1c6198ab9

Download Submit
C:\Users\Admin\Desktop\UnblockSkip.mpe.kd8eby0.18C-9D3-ACB

MD5
4a242d3304520acf7f4a1e8bcbcdd24e

SHA1
5ca5d0a50b347fa5b5b83a42c74f4d3fa9934d45

SHA256
47d04ab5c0fa29aa7e92643d171c42c7fe8d57d86b49307c68022a0cc2b1d27a

SHA512
f0f70ef6ad6dcd7774da5fd9fd1662d197ffd16a97f21003c96971e76a79c3acb431fdeb40f8b0787e7a41a8821f43df9e3b16bc31b556d1ee36b6c3e5bdf64b

Download Submit
C:\Users\Admin\Desktop\UnlockNew.shtml.kd8eby0.18C-9D3-ACB

MD5
9f1f62b4ab64aac1d59e754f9c6f0235

SHA1
6d3eab8d906687307280c75ed8b40fa27a37b45d

SHA256
1993170cac6975730f768230c4794683398e324a885c38bcf2d5ad1db86dfeac

SHA512
092df4cacf58196c3eaf5a3e6b9b49d9cacbd250a9a8c902b176ba6057ef601db8d3a137e3f8e38ba28c74af55808342a8d8f3af8159762acd1b4c542fe6bb9a

Download Submit
C:\Users\Admin\Desktop\UnpublishReset.mov.kd8eby0.18C-9D3-ACB

MD5
a69464cb20217ce5f3f70cc96211be34

SHA1
6509567916328e2c8e9e1bc5da5692d0d9ebf0db

SHA256
582d5e1b6cab095251d92c0cf2a40a9bc96e8d26ebc849096d9996b388902bc7

SHA512
809dafbd31d8632cc7db7c922c4cd905e94e99b814ccdbbd89114139f2f64b165c0bcc9a0bd9a788c87b88e3f70a81ae3a667c99a35f972ac68fb09429be5596

Download Submit
C:\Users\Admin\Desktop\WaitSync.css.kd8eby0.18C-9D3-ACB

MD5
b77975847a8c85f071eb93ee85a9dba2

SHA1
c5aa2293b8ba2c5c047e3a461d2901174acadb59

SHA256
561ded70ca1133ac0ff4cbec1334d307aeb8af866276ee6e3bf2c677be708cd8

SHA512
815946f3e22a074d9349bbe9e456c11e9f20c6d3bad6024b36c592cbfdba96850d4fdcff29b8bec98bdc129ed7a716306b7a5c03e2d88eea76d6295b5a9a784b

Download Submit
memory/404-119-0x0000000000000000-mapping.dmp

Download
memory/404-123-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/492-122-0x0000000000D00000-0x0000000000E45000-memory.dmp

Filesize
1.3MB

Download
memory/492-116-0x0000000000000000-mapping.dmp

Download
memory/628-114-0x0000000000C90000-0x0000000000DD5000-memory.dmp

Filesize
1.3MB

Download
memory/628-115-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/976-130-0x0000000000000000-mapping.dmp

Download
memory/2152-134-0x0000000000000000-mapping.dmp

Download
memory/2268-132-0x0000000000000000-mapping.dmp

Download
memory/2472-139-0x0000000000000000-mapping.dmp

Download
memory/2856-140-0x0000000000000000-mapping.dmp

Download
memory/2864-141-0x0000000000000000-mapping.dmp

Download
memory/3116-143-0x0000000000000000-mapping.dmp

Download
memory/3316-135-0x0000000000000000-mapping.dmp

Download
memory/3452-131-0x0000000000000000-mapping.dmp

Download
memory/3892-133-0x0000000000000000-mapping.dmp

Download
memory/3928-172-0x0000000000000000-mapping.dmp

Download
memory/4016-136-0x0000000000000000-mapping.dmp

Download
memory/4016-142-0x0000000000E00000-0x0000000000F45000-memory.dmp

Filesize
1.3MB

Download