buran | 8b00d26012b7c13819459fa567024ca068fed3aa0c0539c63ae73ebb00bca9a2

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
31-08-2021 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
Size

234KB
MD5

bb7bb6a1db8768a0ab5bb4cf85f9a1aa
SHA1

20b76c0f2f987cb5974cd07eaa303c344703bcf7
SHA256

8b00d26012b7c13819459fa567024ca068fed3aa0c0539c63ae73ebb00bca9a2
SHA512

9a120461e3b37e1ec5d2986f1ac7cc224de3f7360432b1f8897782c6ae8783d8bd8152f1144781f460d80567827b1b3e4b66d1b91203d005224d53791407f394

Score

10^/10

buran smokeloader backdoor persistence ransomware trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 819-116-524 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 5 IoCs

Processes:

889E.exetaskeng.exetaskeng.exegahwrcegahwrce

pid	Process
3972	889E.exe
2456	taskeng.exe
3868	taskeng.exe
2380	gahwrce
1704	gahwrce

Deletes itself 1 IoCs

Processes:

pid	Process
2996

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

889E.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	889E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	889E.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	Process
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	geoiptool.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exegahwrce

description	pid	Process	procid_target
PID 2112 set thread context of 1468	2112	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe	78
PID 2380 set thread context of 1704	2380	gahwrce	117

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxManifest.xml	taskeng.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\_Resources\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\ui-strings.js.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.INF.payfast290.819-116-524	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureThumbnailImageControl.xaml	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2708_20x20x32.png	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_32x32x32.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg.payfast290.819-116-524	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ws_60x42.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-150_contrast-white.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-125_contrast-black.png	taskeng.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.payfast290.819-116-524	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main.css	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\mainPageBackground.html	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Become_a_Star_Unearned_small.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeTile.scale-100_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxUnselected.svg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\ui-strings.js	taskeng.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated_contrast-high.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-16.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\ui-strings.js.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview2x.png.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-100.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview-hover.svg.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fil_get.svg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.payfast290.819-116-524	taskeng.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-400.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.payfast290.819-116-524	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC	taskeng.exe

Drops file in Windows directory 1 IoCs

Processes:

taskeng.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gahwrcebb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gahwrce
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gahwrce
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gahwrce

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
4068	vssadmin.exe
3948	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

889E.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	889E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	889E.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe

pid	Process
1468	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
1468	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2996

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe

pid	Process
1468	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

889E.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	3972	889E.exe
Token: SeDebugPrivilege	3972	889E.exe
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeIncreaseQuotaPrivilege	3564	WMIC.exe
Token: SeSecurityPrivilege	3564	WMIC.exe
Token: SeTakeOwnershipPrivilege	3564	WMIC.exe
Token: SeLoadDriverPrivilege	3564	WMIC.exe
Token: SeSystemProfilePrivilege	3564	WMIC.exe
Token: SeSystemtimePrivilege	3564	WMIC.exe
Token: SeProfSingleProcessPrivilege	3564	WMIC.exe
Token: SeIncBasePriorityPrivilege	3564	WMIC.exe
Token: SeCreatePagefilePrivilege	3564	WMIC.exe
Token: SeBackupPrivilege	3564	WMIC.exe
Token: SeRestorePrivilege	3564	WMIC.exe
Token: SeShutdownPrivilege	3564	WMIC.exe
Token: SeDebugPrivilege	3564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3564	WMIC.exe
Token: SeRemoteShutdownPrivilege	3564	WMIC.exe
Token: SeUndockPrivilege	3564	WMIC.exe
Token: SeManageVolumePrivilege	3564	WMIC.exe
Token: 33	3564	WMIC.exe
Token: 34	3564	WMIC.exe
Token: 35	3564	WMIC.exe
Token: 36	3564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeBackupPrivilege	4080	vssvc.exe
Token: SeRestorePrivilege	4080	vssvc.exe
Token: SeAuditPrivilege	4080	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3564	WMIC.exe
Token: SeSecurityPrivilege	3564	WMIC.exe
Token: SeTakeOwnershipPrivilege	3564	WMIC.exe
Token: SeLoadDriverPrivilege	3564	WMIC.exe
Token: SeSystemProfilePrivilege	3564	WMIC.exe
Token: SeSystemtimePrivilege	3564	WMIC.exe
Token: SeProfSingleProcessPrivilege	3564	WMIC.exe
Token: SeIncBasePriorityPrivilege	3564	WMIC.exe
Token: SeCreatePagefilePrivilege	3564	WMIC.exe
Token: SeBackupPrivilege	3564	WMIC.exe
Token: SeRestorePrivilege	3564	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2996

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe889E.exetaskeng.exe

description	pid	Process	procid_target
PID 2112 wrote to memory of 1468	2112	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe	78
PID 2112 wrote to memory of 1468	2112	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe	78
PID 2112 wrote to memory of 1468	2112	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe	78
PID 2112 wrote to memory of 1468	2112	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe	78
PID 2112 wrote to memory of 1468	2112	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe	78
PID 2112 wrote to memory of 1468	2112	bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe	78
PID 2996 wrote to memory of 3972	2996		80
PID 2996 wrote to memory of 3972	2996		80
PID 2996 wrote to memory of 3972	2996		80
PID 2996 wrote to memory of 3576	2996		81
PID 2996 wrote to memory of 3576	2996		81
PID 2996 wrote to memory of 3576	2996		81
PID 2996 wrote to memory of 3576	2996		81
PID 2996 wrote to memory of 1564	2996		82
PID 2996 wrote to memory of 1564	2996		82
PID 2996 wrote to memory of 1564	2996		82
PID 2996 wrote to memory of 1368	2996		83
PID 2996 wrote to memory of 1368	2996		83
PID 2996 wrote to memory of 1368	2996		83
PID 2996 wrote to memory of 1368	2996		83
PID 3972 wrote to memory of 2456	3972	889E.exe	84
PID 3972 wrote to memory of 2456	3972	889E.exe	84
PID 3972 wrote to memory of 2456	3972	889E.exe	84
PID 3972 wrote to memory of 2744	3972	889E.exe	85
PID 3972 wrote to memory of 2744	3972	889E.exe	85
PID 3972 wrote to memory of 2744	3972	889E.exe	85
PID 3972 wrote to memory of 2744	3972	889E.exe	85
PID 3972 wrote to memory of 2744	3972	889E.exe	85
PID 3972 wrote to memory of 2744	3972	889E.exe	85
PID 2996 wrote to memory of 2168	2996		86
PID 2996 wrote to memory of 2168	2996		86
PID 2996 wrote to memory of 2168	2996		86
PID 2996 wrote to memory of 2344	2996		87
PID 2996 wrote to memory of 2344	2996		87
PID 2996 wrote to memory of 2344	2996		87
PID 2996 wrote to memory of 2344	2996		87
PID 2996 wrote to memory of 3480	2996		88
PID 2996 wrote to memory of 3480	2996		88
PID 2996 wrote to memory of 3480	2996		88
PID 2996 wrote to memory of 3448	2996		89
PID 2996 wrote to memory of 3448	2996		89
PID 2996 wrote to memory of 3448	2996		89
PID 2996 wrote to memory of 3448	2996		89
PID 2996 wrote to memory of 3736	2996		90
PID 2996 wrote to memory of 3736	2996		90
PID 2996 wrote to memory of 3736	2996		90
PID 2996 wrote to memory of 1076	2996		91
PID 2996 wrote to memory of 1076	2996		91
PID 2996 wrote to memory of 1076	2996		91
PID 2996 wrote to memory of 1076	2996		91
PID 2456 wrote to memory of 424	2456	taskeng.exe	92
PID 2456 wrote to memory of 424	2456	taskeng.exe	92
PID 2456 wrote to memory of 424	2456	taskeng.exe	92
PID 2456 wrote to memory of 3120	2456	taskeng.exe	93
PID 2456 wrote to memory of 3120	2456	taskeng.exe	93
PID 2456 wrote to memory of 3120	2456	taskeng.exe	93
PID 2456 wrote to memory of 3848	2456	taskeng.exe	96
PID 2456 wrote to memory of 3848	2456	taskeng.exe	96
PID 2456 wrote to memory of 3848	2456	taskeng.exe	96
PID 2456 wrote to memory of 3488	2456	taskeng.exe	104
PID 2456 wrote to memory of 3488	2456	taskeng.exe	104
PID 2456 wrote to memory of 3488	2456	taskeng.exe	104
PID 2456 wrote to memory of 752	2456	taskeng.exe	98
PID 2456 wrote to memory of 752	2456	taskeng.exe	98

C:\Users\Admin\AppData\Local\Temp\bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
"C:\Users\Admin\AppData\Local\Temp\bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe
  "C:\Users\Admin\AppData\Local\Temp\bb7bb6a1db8768a0ab5bb4cf85f9a1aa.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1468

C:\Users\Admin\AppData\Local\Temp\889E.exe
C:\Users\Admin\AppData\Local\Temp\889E.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:424
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3948
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1792
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2744

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3576

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1564

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1368

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2168

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2344

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3448

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4072

C:\Users\Admin\AppData\Roaming\gahwrce
C:\Users\Admin\AppData\Roaming\gahwrce
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2380
- C:\Users\Admin\AppData\Roaming\gahwrce
  C:\Users\Admin\AppData\Roaming\gahwrce
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
2a5b33bb1b4efa8200e9e8cdcda921f1

SHA1
87528d7b97419053db41bbb3b0e8cdb0c0773cf6

SHA256
76f2a14b7b23398973b79f2841fdf2eab3950522569f048351d6dc23a96924df

SHA512
32ff6b0b6f586d8d61545fef0e60b7b4a5d51a8073f0a9d6ce107d2aa04489d11446c8e7652d881781f41f599be4b8a3bcf7e8f78ae80753dee4577b1c7ef74a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
1a7e64a0a1bc6f85bbf71885ff44871a

SHA1
b366de31a56752976871b14f1c2cb903d342a23f

SHA256
ff8eb9dfb0986e034fa7d2b871a03aec3228e7f2f7c058cf4a11e77ca4492e28

SHA512
2c2067582d12cb773d52f65e991360515f0755bcdf453ab6d2484696031c3743be58189fcbef7fa5f5170ef90d1a21d4a96dc2c508393b46237aecf397635369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
afcdf2ea53263188d2bff986810c87f5

SHA1
cae13888cc01d3621951ce9059ad012cab0a3f40

SHA256
96193f9ea1864b283d9fb9a47d7e658476f15a6db1fef62e497af5adf8d32b75

SHA512
af2d0f15621c1fdf26ee74223a8d1b733ac94e1a41245f916d4dc7d0aa99848a8d312065e457bdd4d8f514cfe74cdd12ffafcdfd3cfffc56aadbacf4648de4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GDGLHSEM\FFMJDPF5.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\ULO18HUT.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\889E.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\889E.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\gahwrce

MD5
bb7bb6a1db8768a0ab5bb4cf85f9a1aa

SHA1
20b76c0f2f987cb5974cd07eaa303c344703bcf7

SHA256
8b00d26012b7c13819459fa567024ca068fed3aa0c0539c63ae73ebb00bca9a2

SHA512
9a120461e3b37e1ec5d2986f1ac7cc224de3f7360432b1f8897782c6ae8783d8bd8152f1144781f460d80567827b1b3e4b66d1b91203d005224d53791407f394

Download Submit
C:\Users\Admin\AppData\Roaming\gahwrce

MD5
bb7bb6a1db8768a0ab5bb4cf85f9a1aa

SHA1
20b76c0f2f987cb5974cd07eaa303c344703bcf7

SHA256
8b00d26012b7c13819459fa567024ca068fed3aa0c0539c63ae73ebb00bca9a2

SHA512
9a120461e3b37e1ec5d2986f1ac7cc224de3f7360432b1f8897782c6ae8783d8bd8152f1144781f460d80567827b1b3e4b66d1b91203d005224d53791407f394

Download Submit
C:\Users\Admin\AppData\Roaming\gahwrce

MD5
bb7bb6a1db8768a0ab5bb4cf85f9a1aa

SHA1
20b76c0f2f987cb5974cd07eaa303c344703bcf7

SHA256
8b00d26012b7c13819459fa567024ca068fed3aa0c0539c63ae73ebb00bca9a2

SHA512
9a120461e3b37e1ec5d2986f1ac7cc224de3f7360432b1f8897782c6ae8783d8bd8152f1144781f460d80567827b1b3e4b66d1b91203d005224d53791407f394

Download Submit
C:\Users\Admin\Desktop\ApproveUnpublish.m4a.payfast290.819-116-524

MD5
5aaa1a55dfd5f4d3e945efceb8c7245d

SHA1
4aa4353b79323ed89aff47fd1c3d168b6e67b1ec

SHA256
8c03374d1bc81dc2cdbd31df5478a014145e4fd34902bbeac95f26e3fa3ac0f4

SHA512
f2ac294ca3c2937013df7c0937adc75548434997a46f8104f2245d08a0613b698ea7b68c153bb2c78410505d1b3f8e7308539a6c8486923f0e1221c1e944f177

Download Submit
C:\Users\Admin\Desktop\ClearUnlock.M2TS.payfast290.819-116-524

MD5
213cccb93d076a0aab7742ae1f02c50c

SHA1
3f64673547eaadc6b27ab308e9e03fa0dfae3f2e

SHA256
2e2f859d77ad80065774589bf37b8771c24964ba1c1cd0581d33d25f985594c3

SHA512
db10359ccfddae8e60d8db806d59b9686b161030ed11a215656bb9a0a3d54f7513dcfa43d1b8c91f0eaabcd0ce7d69a965f8087020d2571a5f2024165099d7e7

Download Submit
C:\Users\Admin\Desktop\CompressSend.ico.payfast290.819-116-524

MD5
7d73384c200b90744b46a9072f29e2ad

SHA1
062275f71b93cdeba4e51bf17b24d4d3b21728ac

SHA256
7e610534f92bb2bcc093d8133c9def1b8188c9f2b054b57b248d51fe11867e51

SHA512
8aa168aab0e6e27912ff7ba7eb1c1e831fd9235c285693418b5a0761f67c65e2b6baf76c5db999fd754944c4cc4dd325fef205f2ae01dcc15255684d5d3d7dbc

Download Submit
C:\Users\Admin\Desktop\ConnectMove.vdx.payfast290.819-116-524

MD5
27ff1d0f7e9f8f21e2460192aa71b6cf

SHA1
e209917f200eec92378637bde28aeb0f6c178210

SHA256
5e0dbad34ec4d5b94c599aee5d7e3dd1a89fd756f421a5734ce05ea4209601c4

SHA512
e0c7183ea187b0beae9edd0918e2eaad3d7f2cd2643be0f91830616802dcd72afa4234e5959f034c1ef880ed5f99c425427774f5904d5fca4ab57bb77bb71f99

Download Submit
C:\Users\Admin\Desktop\ConvertFromFind.asx.payfast290.819-116-524

MD5
8acc802ad1c8d879f50319eaab7b6eeb

SHA1
b4dec9c8a0e1d80b864160d32f324f2ebdb0a6e4

SHA256
1443ac934213a73613be0207c192e629b1d5c16e3fe70360b8d76fe561367a51

SHA512
3c064f640e199eff081831ec0c182a9087e6f29106a604e27f3bb8f20add253c7fa2408e887e89a96552ace93e05884afbd8c1d30ad62eac30ee9c70cf1cd3e8

Download Submit
C:\Users\Admin\Desktop\CopyPop.lock.payfast290.819-116-524

MD5
69f1d3aa064184466c4669101caf764a

SHA1
ed8897e1a1ac3f3037e7450d7394f7246c36bd4d

SHA256
f16b1f480bc367ab96c9dfd3af62b5b211d1b5c0c24efb166bd81914732fdcb8

SHA512
67c81155469e4d7a88b34e3f0822634cc072d16b8ff0926db55b4584722a6a4961dfb410ad8aaa6b64ec448f7d81f46ecb9c7e5dfecc1f59bdd497dbae42feed

Download Submit
C:\Users\Admin\Desktop\EnableTrace.zip.payfast290.819-116-524

MD5
1530ad3391c82c2d485ff5bf1ef09d35

SHA1
7828de0063399629aedf3cca2a5c347a1e13530e

SHA256
16b7cafe2e1d9ebfbf766919240b322c30e2a6f151f333ace4e9c12a0b068296

SHA512
733f9f7195b86be608155d30f2692ccc42947d73e27e150fe594ce3e705d199fc3ec327b5f8ab0964f3a85f32a208d157f9e220ba093d244b805e956328dd76d

Download Submit
C:\Users\Admin\Desktop\ExitUnregister.001.payfast290.819-116-524

MD5
e5ccc6fab97d550a5b65d3b865f63bd0

SHA1
c3d9eafa9a2f65b0b2977a9fb4ae2410a0ce57a1

SHA256
88bcc90990f7e858eda655a7cb5bc4bb5e4cb201011778b81cb5594c1ec98534

SHA512
f04acdbef01e043e04d12a733273516244e4e324fd063b9b6489d253072cf72b3ca22db6f1dc6716a26503d9ac1de61bf59c0bc6648a1ba397f0d247f2eca237

Download Submit
C:\Users\Admin\Desktop\ExpandMount.xls.payfast290.819-116-524

MD5
7968e979a12ba8d8bb502c827ae56dd4

SHA1
cf8cae1629e7578c0ab15e30a025b5fe071ff6bb

SHA256
5178987c44ded0fb010eca08a1df1e9ac0f13098614786830bc0d14021657538

SHA512
5d41c95be9fac5c8e2511e77137cea9e11d848b78518bae59e29600dbd552edb92d80673cfd32a45ebaa79115fbf69d3e17c08654e1075b32725dbc94b2f1953

Download Submit
C:\Users\Admin\Desktop\InstallUnlock.vbs.payfast290.819-116-524

MD5
7620b0be71ec9484daeb05ab2d50c266

SHA1
932d2b113740d1a2d49f4a3eab8bcab3256a105e

SHA256
2b8da5bd981ab4525de5e81d0988c574942ecfd3b78f48711b2a50cafd551859

SHA512
80c110eab625e789efdef3c56138496f6356c725a4f7015fa7f5ae2685552f960fa06c6b77eca64c132db54b0e4f058a88836510549318df22c3ef930a70b947

Download Submit
C:\Users\Admin\Desktop\LockUnpublish.tmp.payfast290.819-116-524

MD5
086d5990e05815c1291874dc179b77ae

SHA1
6c33d534cf39352a14c005d336ec7d02b29a6e61

SHA256
34c5a14aff9da4196e682d1d7f2e4fcb8e339c2d08ad65f89d245ae9037cfaf7

SHA512
57aa0e01f16da7fbe74f7746c5db5a3b37620ef167bc7d3f7bd5ee7b3b1f6a4f2c889c8bc0a9aa02cb7ac4229294952af8b15b86495f81dc9a8f14def2811bd6

Download Submit
C:\Users\Admin\Desktop\MergeDisable.scf.payfast290.819-116-524

MD5
54ce0b740d64f9b16db3350cfe083a18

SHA1
cb4be06d0d75e585e3fc2e4397c95d0c541b0c3f

SHA256
c84978d26cfbbb651d7c70a8edbafdb1c6cd53c267e5dea89e97c834ac0d9ba4

SHA512
db7d01e9e4cc8eb08bda037ef453a27e8adfe121489ea2306ae3fdeb1bc23d9292b55312bca2f7a16b421d4ad730a7696efa443fce57ad032e28c8c6980db62f

Download Submit
C:\Users\Admin\Desktop\MovePop.vbs.payfast290.819-116-524

MD5
2f24c6946f4f988a442e7d6d91fcf3fa

SHA1
f99f2db1fe9f7099976b452830d8398749bb2f13

SHA256
a30bb721d07d0815186019f89cb69c03e96ea632de572c61ce91baa1dbdbed98

SHA512
80601d0025a6bd8b50a02aa2b287071159a5f6b156f4cee71bc2ff0b2e62539a5dff7b98f5a2b68a46dda9e47f879ddff92432446cf8c41b84b80bce60fa172b

Download Submit
C:\Users\Admin\Desktop\NewOpen.mpg.payfast290.819-116-524

MD5
39f9c08dc72522de4c28e9fb85257148

SHA1
7104c1fc80b15f35aef5ed33f0cc5bb6065b2208

SHA256
eb039369c9fcea6a5f7abcc212ed00330ea0f9e386442926e54491781d65661d

SHA512
38b27c3f156e8215afc89b02a406c94e282d2fe27681e60a61c49ba19995f777375e85a812f78ca076ffd5e9ccdb86b22cfbe23d224392c7ba9e783ae937495d

Download Submit
C:\Users\Admin\Desktop\OpenOptimize.MOD.payfast290.819-116-524

MD5
f49ddeabfb9d41778a6d52597f8196d9

SHA1
4992252aa98a3dff6a6f7dafbc33f3c72f2ce8ef

SHA256
a62740ac629c7fed5c495c81ebb9025643e9c5eb64a495937f48bc0d83455124

SHA512
de480e95dd2a61e63aede399e420d36492f0bd2cc11a8b54f8aea219b358c4b66e0748b534a38728918a7339828d817a0bcf598eea5ebca2fb20953be99a10a2

Download Submit
C:\Users\Admin\Desktop\PopSwitch.jfif.payfast290.819-116-524

MD5
2b2ebcb4f488351bc8177036155d5c55

SHA1
5cbacc8db20c8b963fa9c731f91180d378a793e0

SHA256
5ae76aa2f667ae1d25cbbbf0f93aedd6649f9cbcf0b12ee5f4924dd743cfa913

SHA512
613692a7f1a706b77713ac02c5d3a03d1fae74dbf689d1d5bdff03517df31c824c6037f1c839cb280c47d7a40628eaec461f0fd34bd3464d57fb1f7cb4ec4e01

Download Submit
C:\Users\Admin\Desktop\PushAdd.temp.payfast290.819-116-524

MD5
b5e9adfdf33d9c0a4a32459b1155ec60

SHA1
c51682f89deb09d346e9ad70fff670db90a1baef

SHA256
31285ae2777e02665bfd92445e66c08abfe864a86d6e7ce892269bd00798d88b

SHA512
4f0be64e4e1fdde047834a7289f315dedf3f3c2eb3cf069db21b1c812bf1690f847ea5aed2a76abdb4cbc7df728edba999930db47ba1cb7701cba7b8021f4950

Download Submit
C:\Users\Admin\Desktop\ReceiveOpen.png.payfast290.819-116-524

MD5
da1dee28b214ae0ffc677ede0d7834fa

SHA1
88567a9de63639004bd0e3002f966e85e238abd3

SHA256
52e66d22421d82a4ef283f153d8de21ea5beb01e4bc275da545f7231eec47980

SHA512
182a6527cf9142fd4d851268897f5572a45e9da53fd743e9a4a4653bc3119209c23cdb0eec59258d78b5462e429a3d5b71352b6f856169637a68bd31abd0f755

Download Submit
C:\Users\Admin\Desktop\ResetRestore.bin.payfast290.819-116-524

MD5
d64f53ed87bff69614e06eac29c71167

SHA1
05b6f69b8b21d672c8313a63d169ce020f912478

SHA256
8e7d8a3270258d8279cfec2608e651dbac7b0b6ccbb20a495bdc773d1bd91e40

SHA512
4cc232f3b3c84b5113f47be5cc8679df4639353767313e2775cb514bc8e11902c033eacbc5ccd15e3a4b01dc2116b4569596fce35ea0d191d11ce712b76c542e

Download Submit
C:\Users\Admin\Desktop\RestartSelect.MTS.payfast290.819-116-524

MD5
961610cb7f89d352ea19d92afd9b3a47

SHA1
1e8c4095011bdb961413b27c7451ed3b50a17766

SHA256
05aee8386858e687b15ea84a0f3fcaaf8d8789f5ebda3c66c919559d82d74ce7

SHA512
0435cebdff5da7961f278e70cf4b15c1b31ceee1d403afadc0ebc922a467ffc520ba69f99645ecc1ec57e5a697616fb72788cf733a59cd84287f43363e332a02

Download Submit
C:\Users\Admin\Desktop\SetEnable.snd.payfast290.819-116-524

MD5
8d656c65966038a1e578820b8a6a5f72

SHA1
8b4c8fc9623694842ec8d4f213b86ede95a9ef8d

SHA256
15f907434c5574f29220f80f9a4eda754949f0ea3cb4a8d6ad334806cacb3c8c

SHA512
eef9c6158d3e5e7ee9a1e609ab3fe65896015b118b3ba041d6c9665205a6c159920e46c023de24371ee574da18b520d512a45201cf5f7473b582cb13fb484c31

Download Submit
C:\Users\Admin\Desktop\SplitCompress.zip.payfast290.819-116-524

MD5
1b9f4d87d582e1fe3fb06c0c57b4e3df

SHA1
41f2faee14fadc266f9cd5a839677a2332ac8f0f

SHA256
74e3e27701ad6396d4e9452d5657916c8eb14d9d80e323e58c4cc21034ec7e3b

SHA512
b8a1a1618f74cdc64580008dcb1755ec747b5d9c100c22f06bd56b4075a0b37df16a861d4536d4c56a2d524f25abf779bb7a2a4c4c1e392fb3ad2e384b95441c

Download Submit
C:\Users\Admin\Desktop\SyncCopy.wm.payfast290.819-116-524

MD5
eda77a340aa0c60080594c26114b09f7

SHA1
cd483be88e20abc7d64fd3d2f6c637adbbec9002

SHA256
71f3d3c69e9d7250c1a25ba787589a166a1c376763aa67be3deb6e2ada205363

SHA512
8f910556c892ed53dbce45488c5238ec34a119bdd9681cfda4716fa2387e9fc6da8c40aac2ae31d015588655cfbd60206797078ce318ed4c39f146b2da3a9834

Download Submit
C:\Users\Admin\Desktop\TraceRepair.TTS.payfast290.819-116-524

MD5
a93e8454d2dc70eec79f1c9b7cfd584d

SHA1
f7ef5ebf8a27fa24233b6e5231fba2e69a664b17

SHA256
b4a5c6d3fbbd811ae8010a01ed31f7aefc642d127933669e3c3e032c5d94f2a7

SHA512
a77c7465a1afc9972b6d900d0b0aa14fb1642ab6d2528dfede7eb4b8db2275d5e9587286f4dcfab7b481888623bb95f95644dad146a79898568ad36b8bff7a43

Download Submit
C:\Users\Admin\Desktop\UndoAdd.mpg.payfast290.819-116-524

MD5
8b538958933a2f405f194da1fbb9da47

SHA1
9f5c8b32b38078f072f7a108d12c02cf4b7fbfc1

SHA256
2e7e037dc6693534b04e77d039c968b140facbc6d584aaa1a76faa9c36d4dd4b

SHA512
89e0331801d612ee8319912e7d472195c1f2235feb1f80e5442e8a60458fd5398abcba4b9411e5bf13919413bb0fc97dca4f6a8cd6873d2d7b30b6bc8b8e9bcd

Download Submit
C:\Users\Admin\Desktop\UnregisterInstall.dib.payfast290.819-116-524

MD5
d571eecb15a14551306230ab5096aa35

SHA1
c2bc5dbfd83c94511e7ed2b80d2f1b384d95c923

SHA256
2af5035b320786e002a84e73312f09b553b4c20710d883f5951b0dead66b5916

SHA512
d2ef386c10b3a7afd6ac869a30fdf966ae32644b522cc983fb4829e87fa3db257165914626fc74e51d97b3af9e57e8fd527fda6830a2b573c5614a6d8eb9a8c7

Download Submit
C:\Users\Admin\Desktop\UseSync.ps1xml.payfast290.819-116-524

MD5
18ad9a9a2d58e4152dc68dfccdda41d4

SHA1
84dc89dc7589b506dc322eda4201c2b6b5df0f8c

SHA256
10d16433f421634c2dc26f4ea648ce8f4a9ad6ce502dbf32de5c64e0509327eb

SHA512
ad7ca1a08e54f445867b4e6ddfbf0dfc035f4783016334ea18853a82addf42c6e686182aeee881f3ac83a3c753a592d7e948f378e649089368a9a2fb5d223ceb

Download Submit
memory/424-161-0x0000000000000000-mapping.dmp

Download
memory/752-165-0x0000000000000000-mapping.dmp

Download
memory/1076-158-0x0000000000000000-mapping.dmp

Download
memory/1076-160-0x0000000000FD0000-0x0000000000FD9000-memory.dmp

Filesize
36KB

Download
memory/1076-159-0x0000000000FE0000-0x0000000000FE5000-memory.dmp

Filesize
20KB

Download
memory/1112-166-0x0000000000000000-mapping.dmp

Download
memory/1368-135-0x0000000000CE0000-0x0000000000CEB000-memory.dmp

Filesize
44KB

Download
memory/1368-134-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

Filesize
28KB

Download
memory/1368-127-0x0000000000000000-mapping.dmp

Download
memory/1468-115-0x0000000000402FAB-mapping.dmp

Download
memory/1468-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1564-126-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/1564-125-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

Filesize
28KB

Download
memory/1564-124-0x0000000000000000-mapping.dmp

Download
memory/1704-206-0x0000000000402FAB-mapping.dmp

Download
memory/1792-202-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1792-201-0x0000000000000000-mapping.dmp

Download
memory/2112-116-0x0000000001D90000-0x0000000001E3E000-memory.dmp

Filesize
696KB

Download
memory/2168-144-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/2168-143-0x0000000000000000-mapping.dmp

Download
memory/2168-145-0x0000000000100000-0x000000000010F000-memory.dmp

Filesize
60KB

Download
memory/2344-146-0x0000000000000000-mapping.dmp

Download
memory/2344-147-0x00000000009E0000-0x00000000009E5000-memory.dmp

Filesize
20KB

Download
memory/2344-148-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/2380-208-0x0000000001EB0000-0x0000000001FFA000-memory.dmp

Filesize
1.3MB

Download
memory/2456-128-0x0000000000000000-mapping.dmp

Download
memory/2744-131-0x0000000000000000-mapping.dmp

Download
memory/2744-136-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2756-171-0x0000000000000000-mapping.dmp

Download
memory/2996-117-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/3120-162-0x0000000000000000-mapping.dmp

Download
memory/3448-153-0x0000000000FC0000-0x0000000000FC4000-memory.dmp

Filesize
16KB

Download
memory/3448-152-0x0000000000000000-mapping.dmp

Download
memory/3448-154-0x0000000000FB0000-0x0000000000FB9000-memory.dmp

Filesize
36KB

Download
memory/3480-149-0x0000000000000000-mapping.dmp

Download
memory/3480-150-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

Filesize
24KB

Download
memory/3480-151-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

Filesize
48KB

Download
memory/3488-164-0x0000000000000000-mapping.dmp

Download
memory/3564-172-0x0000000000000000-mapping.dmp

Download
memory/3576-123-0x0000000000660000-0x00000000006CB000-memory.dmp

Filesize
428KB

Download
memory/3576-122-0x00000000006D0000-0x0000000000744000-memory.dmp

Filesize
464KB

Download
memory/3576-121-0x0000000000000000-mapping.dmp

Download
memory/3736-156-0x00000000009C0000-0x00000000009C5000-memory.dmp

Filesize
20KB

Download
memory/3736-155-0x0000000000000000-mapping.dmp

Download
memory/3736-157-0x00000000009B0000-0x00000000009B9000-memory.dmp

Filesize
36KB

Download
memory/3848-163-0x0000000000000000-mapping.dmp

Download
memory/3868-167-0x0000000000000000-mapping.dmp

Download
memory/3948-173-0x0000000000000000-mapping.dmp

Download
memory/3972-118-0x0000000000000000-mapping.dmp

Download
memory/4068-169-0x0000000000000000-mapping.dmp

Download