buran | 0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619

Analysis

max time kernel
153s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
31-08-2021 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe
Size

270KB
MD5

8543c3b45bb5b84e464217a983daaaa8
SHA1

d983fd166944b7a5d9e01aca2eeb8e9581319744
SHA256

0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619
SHA512

6cd223ae1d2cb596b2da48abc2a2f2224ee80bc5be195b4e49f5454f26556614e4c825b78afe3d1498c39c2c2ceae8bf289abff816aadb807ba90b98538d9ef0

Score

10^/10

buran smokeloader backdoor discovery evasion persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 198-F95-CFF Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 4 IoCs

Processes:

3876.exe3CCC.exesvchost.exesvchost.exe

pid	Process
3796	3876.exe
1140	3CCC.exe
2272	svchost.exe
4060	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3CCC.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3CCC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3CCC.exe

Deletes itself 1 IoCs

Processes:

pid	Process
2568

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x0004000000015534-122.dat	themida
behavioral1/files/0x0004000000015534-124.dat	themida
behavioral1/memory/1140-132-0x0000000001270000-0x0000000001271000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3876.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	3876.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	3876.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3CCC.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3CCC.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
28	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

3CCC.exe

pid	Process
1140	3CCC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe

description	pid	Process	procid_target
PID 900 set thread context of 2916	900	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe	75

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-high.png	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6365_72x72x32.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\grmarble.jpg	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\crown.png	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8794_32x32x32.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_k_col.hxk.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-200.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\awards_perfect_ribbon.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\export.svg	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\AppList.scale-200.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\rofl.png	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\RestoreDebug.vstm.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-200.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ja_JP.jar.payfast290.198-F95-CFF	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.scale-100.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-64_altform-unplated.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-400.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-40.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js.payfast290.198-F95-CFF	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ua_16x11.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-150.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.payfast290.198-F95-CFF	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
3452	vssadmin.exe
492	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

3876.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	3876.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3876.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe

pid	Process
2916	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe
2916	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2568

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe

pid	Process
2916	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3876.exe3CCC.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	2568
Token: SeCreatePagefilePrivilege	2568
Token: SeShutdownPrivilege	2568
Token: SeCreatePagefilePrivilege	2568
Token: SeShutdownPrivilege	2568
Token: SeCreatePagefilePrivilege	2568
Token: SeShutdownPrivilege	2568
Token: SeCreatePagefilePrivilege	2568
Token: SeDebugPrivilege	3796	3876.exe
Token: SeDebugPrivilege	3796	3876.exe
Token: SeDebugPrivilege	1140	3CCC.exe
Token: SeShutdownPrivilege	2568
Token: SeCreatePagefilePrivilege	2568
Token: SeShutdownPrivilege	2568
Token: SeCreatePagefilePrivilege	2568
Token: SeShutdownPrivilege	2568
Token: SeCreatePagefilePrivilege	2568
Token: SeIncreaseQuotaPrivilege	3328	WMIC.exe
Token: SeSecurityPrivilege	3328	WMIC.exe
Token: SeTakeOwnershipPrivilege	3328	WMIC.exe
Token: SeLoadDriverPrivilege	3328	WMIC.exe
Token: SeSystemProfilePrivilege	3328	WMIC.exe
Token: SeSystemtimePrivilege	3328	WMIC.exe
Token: SeProfSingleProcessPrivilege	3328	WMIC.exe
Token: SeIncBasePriorityPrivilege	3328	WMIC.exe
Token: SeCreatePagefilePrivilege	3328	WMIC.exe
Token: SeBackupPrivilege	3328	WMIC.exe
Token: SeRestorePrivilege	3328	WMIC.exe
Token: SeShutdownPrivilege	3328	WMIC.exe
Token: SeDebugPrivilege	3328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3328	WMIC.exe
Token: SeRemoteShutdownPrivilege	3328	WMIC.exe
Token: SeUndockPrivilege	3328	WMIC.exe
Token: SeManageVolumePrivilege	3328	WMIC.exe
Token: 33	3328	WMIC.exe
Token: 34	3328	WMIC.exe
Token: 35	3328	WMIC.exe
Token: 36	3328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1116	WMIC.exe
Token: SeSecurityPrivilege	1116	WMIC.exe
Token: SeTakeOwnershipPrivilege	1116	WMIC.exe
Token: SeLoadDriverPrivilege	1116	WMIC.exe
Token: SeSystemProfilePrivilege	1116	WMIC.exe
Token: SeSystemtimePrivilege	1116	WMIC.exe
Token: SeProfSingleProcessPrivilege	1116	WMIC.exe
Token: SeIncBasePriorityPrivilege	1116	WMIC.exe
Token: SeCreatePagefilePrivilege	1116	WMIC.exe
Token: SeBackupPrivilege	1116	WMIC.exe
Token: SeRestorePrivilege	1116	WMIC.exe
Token: SeShutdownPrivilege	1116	WMIC.exe
Token: SeDebugPrivilege	1116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1116	WMIC.exe
Token: SeRemoteShutdownPrivilege	1116	WMIC.exe
Token: SeUndockPrivilege	1116	WMIC.exe
Token: SeManageVolumePrivilege	1116	WMIC.exe
Token: 33	1116	WMIC.exe
Token: 34	1116	WMIC.exe
Token: 35	1116	WMIC.exe
Token: 36	1116	WMIC.exe
Token: SeBackupPrivilege	2884	vssvc.exe
Token: SeRestorePrivilege	2884	vssvc.exe
Token: SeAuditPrivilege	2884	vssvc.exe
Token: SeShutdownPrivilege	2568
Token: SeCreatePagefilePrivilege	2568

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2568

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe3876.exesvchost.exe

description	pid	Process	procid_target
PID 900 wrote to memory of 2916	900	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe	75
PID 900 wrote to memory of 2916	900	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe	75
PID 900 wrote to memory of 2916	900	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe	75
PID 900 wrote to memory of 2916	900	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe	75
PID 900 wrote to memory of 2916	900	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe	75
PID 900 wrote to memory of 2916	900	0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe	75
PID 2568 wrote to memory of 3796	2568		79
PID 2568 wrote to memory of 3796	2568		79
PID 2568 wrote to memory of 3796	2568		79
PID 2568 wrote to memory of 1140	2568		80
PID 2568 wrote to memory of 1140	2568		80
PID 2568 wrote to memory of 1140	2568		80
PID 2568 wrote to memory of 4032	2568		82
PID 2568 wrote to memory of 4032	2568		82
PID 2568 wrote to memory of 4032	2568		82
PID 2568 wrote to memory of 4032	2568		82
PID 2568 wrote to memory of 3964	2568		83
PID 2568 wrote to memory of 3964	2568		83
PID 2568 wrote to memory of 3964	2568		83
PID 2568 wrote to memory of 3760	2568		84
PID 2568 wrote to memory of 3760	2568		84
PID 2568 wrote to memory of 3760	2568		84
PID 2568 wrote to memory of 3760	2568		84
PID 2568 wrote to memory of 2204	2568		85
PID 2568 wrote to memory of 2204	2568		85
PID 2568 wrote to memory of 2204	2568		85
PID 2568 wrote to memory of 3904	2568		86
PID 2568 wrote to memory of 3904	2568		86
PID 2568 wrote to memory of 3904	2568		86
PID 2568 wrote to memory of 3904	2568		86
PID 3796 wrote to memory of 2272	3796	3876.exe	87
PID 3796 wrote to memory of 2272	3796	3876.exe	87
PID 3796 wrote to memory of 2272	3796	3876.exe	87
PID 3796 wrote to memory of 1388	3796	3876.exe	88
PID 3796 wrote to memory of 1388	3796	3876.exe	88
PID 3796 wrote to memory of 1388	3796	3876.exe	88
PID 3796 wrote to memory of 1388	3796	3876.exe	88
PID 3796 wrote to memory of 1388	3796	3876.exe	88
PID 3796 wrote to memory of 1388	3796	3876.exe	88
PID 2568 wrote to memory of 1248	2568		89
PID 2568 wrote to memory of 1248	2568		89
PID 2568 wrote to memory of 1248	2568		89
PID 2568 wrote to memory of 2008	2568		90
PID 2568 wrote to memory of 2008	2568		90
PID 2568 wrote to memory of 2008	2568		90
PID 2568 wrote to memory of 2008	2568		90
PID 2568 wrote to memory of 3708	2568		91
PID 2568 wrote to memory of 3708	2568		91
PID 2568 wrote to memory of 3708	2568		91
PID 2568 wrote to memory of 3768	2568		92
PID 2568 wrote to memory of 3768	2568		92
PID 2568 wrote to memory of 3768	2568		92
PID 2568 wrote to memory of 3768	2568		92
PID 2272 wrote to memory of 3664	2272	svchost.exe	94
PID 2272 wrote to memory of 3664	2272	svchost.exe	94
PID 2272 wrote to memory of 3664	2272	svchost.exe	94
PID 2272 wrote to memory of 2264	2272	svchost.exe	95
PID 2272 wrote to memory of 2264	2272	svchost.exe	95
PID 2272 wrote to memory of 2264	2272	svchost.exe	95
PID 2272 wrote to memory of 3740	2272	svchost.exe	106
PID 2272 wrote to memory of 3740	2272	svchost.exe	106
PID 2272 wrote to memory of 3740	2272	svchost.exe	106
PID 2272 wrote to memory of 4068	2272	svchost.exe	105
PID 2272 wrote to memory of 4068	2272	svchost.exe	105

C:\Users\Admin\AppData\Local\Temp\0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe
"C:\Users\Admin\AppData\Local\Temp\0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe
  "C:\Users\Admin\AppData\Local\Temp\0c78dda7cde2f39df3e2bd8f70a1e36736876c591d08893153086e84c2698619.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2916

C:\Users\Admin\AppData\Local\Temp\3876.exe
C:\Users\Admin\AppData\Local\Temp\3876.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:3972
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3328
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:492
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3780
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3740
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:1388

C:\Users\Admin\AppData\Local\Temp\3CCC.exe
C:\Users\Admin\AppData\Local\Temp\3CCC.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4032

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3760

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2204

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3904

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
610b30dc885618b1328c4db0522d4120

SHA1
e37eabef8fd4f2db0935c0dc1a5f1c5b73f9991e

SHA256
1aeb8605cdaec13c8536f786574123b0e69abef7462f73d09cb504946199f193

SHA512
cdfa45856153799869f710b676f13c963e6d052d851c5f9cabf703c953b92f8b0053d60050cf13862c4da778f5f8a1a62321d8bdf4c320339ddcc70bcaf73b56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
8b6160bfc6de3965aaab49785bc9c244

SHA1
6580032dbfdb55cef462adc67423124a756595e1

SHA256
79f4aaf6fbcc4cc0be0381585e9000a8f57817681fc50d8c4e611096ceae49e8

SHA512
9ffa0c4e6befe71c95f1e90b8e066e7648d95533ac67ccbc419ed7a377c6e465c1218165f952aa0eb66fd3cee09ecc972e9894a2e84ad4aaf2967cddd42f5ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
e01be7c0f5b4a6689aac9ea4f1131b10

SHA1
f9bf233c255de58e926d17bf554b975e048ff949

SHA256
318b7dfe068c890d05daa411a173df19f1d5381c627c721e6e350c6bc86c313a

SHA512
5d50764c6bd5887bcfb41d1b22f7df240d49c2d9066d8ea8378f26a1c3474ab9a93c0859b97352f8e55a253227261ade2739cdb97d99f948f4515185b65e4397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\K6SS60UD.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\3DWQ0R4T.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\3876.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3876.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CCC.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CCC.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
memory/492-193-0x0000000000000000-mapping.dmp

Download
memory/900-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/1116-191-0x0000000000000000-mapping.dmp

Download
memory/1140-129-0x0000000077C60000-0x0000000077DEE000-memory.dmp

Filesize
1.6MB

Download
memory/1140-179-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/1140-175-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/1140-138-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/1140-139-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/1140-140-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/1140-176-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/1140-177-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/1140-142-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/1140-121-0x0000000000000000-mapping.dmp

Download
memory/1140-145-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/1140-180-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/1140-174-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/1140-132-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1140-135-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/1140-178-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/1248-163-0x0000000001010000-0x0000000001016000-memory.dmp

Filesize
24KB

Download
memory/1248-161-0x0000000000000000-mapping.dmp

Download
memory/1248-164-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/1388-152-0x0000000000000000-mapping.dmp

Download
memory/1388-162-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2008-166-0x00000000009F0000-0x00000000009F4000-memory.dmp

Filesize
16KB

Download
memory/2008-165-0x0000000000000000-mapping.dmp

Download
memory/2008-167-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/2204-143-0x0000000000B70000-0x0000000000B79000-memory.dmp

Filesize
36KB

Download
memory/2204-144-0x0000000000B60000-0x0000000000B6F000-memory.dmp

Filesize
60KB

Download
memory/2204-141-0x0000000000000000-mapping.dmp

Download
memory/2264-182-0x0000000000000000-mapping.dmp

Download
memory/2272-147-0x0000000000000000-mapping.dmp

Download
memory/2568-117-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/2916-115-0x0000000000402FAB-mapping.dmp

Download
memory/2916-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3328-192-0x0000000000000000-mapping.dmp

Download
memory/3452-190-0x0000000000000000-mapping.dmp

Download
memory/3664-181-0x0000000000000000-mapping.dmp

Download
memory/3708-169-0x00000000008C0000-0x00000000008C5000-memory.dmp

Filesize
20KB

Download
memory/3708-170-0x00000000008B0000-0x00000000008B9000-memory.dmp

Filesize
36KB

Download
memory/3708-168-0x0000000000000000-mapping.dmp

Download
memory/3740-183-0x0000000000000000-mapping.dmp

Download
memory/3760-134-0x0000000000000000-mapping.dmp

Download
memory/3760-136-0x00000000036B0000-0x00000000036B7000-memory.dmp

Filesize
28KB

Download
memory/3760-137-0x00000000036A0000-0x00000000036AB000-memory.dmp

Filesize
44KB

Download
memory/3768-173-0x0000000000CF0000-0x0000000000CF9000-memory.dmp

Filesize
36KB

Download
memory/3768-171-0x0000000000000000-mapping.dmp

Download
memory/3768-172-0x0000000000D00000-0x0000000000D05000-memory.dmp

Filesize
20KB

Download
memory/3780-185-0x0000000000000000-mapping.dmp

Download
memory/3796-118-0x0000000000000000-mapping.dmp

Download
memory/3904-146-0x0000000000000000-mapping.dmp

Download
memory/3904-150-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/3904-148-0x00000000001F0000-0x00000000001F5000-memory.dmp

Filesize
20KB

Download
memory/3964-131-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/3964-130-0x0000000000A30000-0x0000000000A37000-memory.dmp

Filesize
28KB

Download
memory/3964-126-0x0000000000000000-mapping.dmp

Download
memory/3972-186-0x0000000000000000-mapping.dmp

Download
memory/4032-123-0x0000000000000000-mapping.dmp

Download
memory/4032-127-0x0000000000E70000-0x0000000000EE4000-memory.dmp

Filesize
464KB

Download
memory/4032-128-0x0000000000E00000-0x0000000000E6B000-memory.dmp

Filesize
428KB

Download
memory/4060-187-0x0000000000000000-mapping.dmp

Download
memory/4068-184-0x0000000000000000-mapping.dmp

Download