buran | 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

Analysis

max time kernel
107s
max time network
151s
platform
windows7_x64
resource
win7v20210408
submitted
31-08-2021 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pattern.exe
Size

416KB
MD5

dcef208fcdac3345c6899a478d16980f
SHA1

fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256

824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA512

28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 41B-414-AEF Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid	Process
540	csrss.exe
368	csrss.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

csrss.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BackupEdit.tiff	csrss.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitSuspend.tiff	csrss.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1948	notepad.exe

Loads dropped DLL 1 IoCs

Processes:

pattern.exe

pid	Process
1260	pattern.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	pattern.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	pattern.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	Process
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_COL.HXC.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid.gif	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\ClearAssert.jpg	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Panama.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kiev	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\LAUNCH.GIF.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00200_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBBTN.DPV	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\zipfs.jar.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00454_.WMF.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\COMPUTER.ICO	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00235_.WMF.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00364_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.kd8eby0.41B-414-AEF	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.kd8eby0.41B-414-AEF	csrss.exe

Drops file in Windows directory 1 IoCs

Processes:

csrss.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
1100	vssadmin.exe
1576	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

pattern.execsrss.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pattern.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	1260	pattern.exe
Token: SeDebugPrivilege	1260	pattern.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe
Token: 35	1468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemProfilePrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeProfSingleProcessPrivilege	1612	WMIC.exe
Token: SeIncBasePriorityPrivilege	1612	WMIC.exe
Token: SeCreatePagefilePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeDebugPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeRemoteShutdownPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: 33	1612	WMIC.exe
Token: 34	1612	WMIC.exe
Token: 35	1612	WMIC.exe
Token: SeBackupPrivilege	328	vssvc.exe
Token: SeRestorePrivilege	328	vssvc.exe
Token: SeAuditPrivilege	328	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

pattern.execsrss.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1260 wrote to memory of 540	1260	pattern.exe	31
PID 1260 wrote to memory of 540	1260	pattern.exe	31
PID 1260 wrote to memory of 540	1260	pattern.exe	31
PID 1260 wrote to memory of 540	1260	pattern.exe	31
PID 1260 wrote to memory of 1948	1260	pattern.exe	32
PID 1260 wrote to memory of 1948	1260	pattern.exe	32
PID 1260 wrote to memory of 1948	1260	pattern.exe	32
PID 1260 wrote to memory of 1948	1260	pattern.exe	32
PID 1260 wrote to memory of 1948	1260	pattern.exe	32
PID 1260 wrote to memory of 1948	1260	pattern.exe	32
PID 1260 wrote to memory of 1948	1260	pattern.exe	32
PID 540 wrote to memory of 1832	540	csrss.exe	34
PID 540 wrote to memory of 1832	540	csrss.exe	34
PID 540 wrote to memory of 1832	540	csrss.exe	34
PID 540 wrote to memory of 1832	540	csrss.exe	34
PID 540 wrote to memory of 920	540	csrss.exe	36
PID 540 wrote to memory of 920	540	csrss.exe	36
PID 540 wrote to memory of 920	540	csrss.exe	36
PID 540 wrote to memory of 920	540	csrss.exe	36
PID 540 wrote to memory of 1792	540	csrss.exe	37
PID 540 wrote to memory of 1792	540	csrss.exe	37
PID 540 wrote to memory of 1792	540	csrss.exe	37
PID 540 wrote to memory of 1792	540	csrss.exe	37
PID 540 wrote to memory of 1080	540	csrss.exe	38
PID 540 wrote to memory of 1080	540	csrss.exe	38
PID 540 wrote to memory of 1080	540	csrss.exe	38
PID 540 wrote to memory of 1080	540	csrss.exe	38
PID 540 wrote to memory of 1896	540	csrss.exe	40
PID 540 wrote to memory of 1896	540	csrss.exe	40
PID 540 wrote to memory of 1896	540	csrss.exe	40
PID 540 wrote to memory of 1896	540	csrss.exe	40
PID 540 wrote to memory of 1400	540	csrss.exe	45
PID 540 wrote to memory of 1400	540	csrss.exe	45
PID 540 wrote to memory of 1400	540	csrss.exe	45
PID 540 wrote to memory of 1400	540	csrss.exe	45
PID 540 wrote to memory of 368	540	csrss.exe	42
PID 540 wrote to memory of 368	540	csrss.exe	42
PID 540 wrote to memory of 368	540	csrss.exe	42
PID 540 wrote to memory of 368	540	csrss.exe	42
PID 1896 wrote to memory of 1100	1896	cmd.exe	47
PID 1896 wrote to memory of 1100	1896	cmd.exe	47
PID 1896 wrote to memory of 1100	1896	cmd.exe	47
PID 1896 wrote to memory of 1100	1896	cmd.exe	47
PID 1832 wrote to memory of 1468	1832	cmd.exe	48
PID 1832 wrote to memory of 1468	1832	cmd.exe	48
PID 1832 wrote to memory of 1468	1832	cmd.exe	48
PID 1832 wrote to memory of 1468	1832	cmd.exe	48
PID 1400 wrote to memory of 1612	1400	cmd.exe	49
PID 1400 wrote to memory of 1612	1400	cmd.exe	49
PID 1400 wrote to memory of 1612	1400	cmd.exe	49
PID 1400 wrote to memory of 1612	1400	cmd.exe	49
PID 1400 wrote to memory of 1576	1400	cmd.exe	52
PID 1400 wrote to memory of 1576	1400	cmd.exe	52
PID 1400 wrote to memory of 1576	1400	cmd.exe	52
PID 1400 wrote to memory of 1576	1400	cmd.exe	52
PID 540 wrote to memory of 1460	540	csrss.exe	54
PID 540 wrote to memory of 1460	540	csrss.exe	54
PID 540 wrote to memory of 1460	540	csrss.exe	54
PID 540 wrote to memory of 1460	540	csrss.exe	54
PID 540 wrote to memory of 1460	540	csrss.exe	54
PID 540 wrote to memory of 1460	540	csrss.exe	54
PID 540 wrote to memory of 1460	540	csrss.exe	54

C:\Users\Admin\AppData\Local\Temp\pattern.exe
"C:\Users\Admin\AppData\Local\Temp\pattern.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1100
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1612
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1576
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1460
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
dadf9a870234e5be026ae5308ca00f86

SHA1
5142df81a34a44a068f654ebc88d29a2496b6c26

SHA256
d66d31f9b523f8a7b1db0eca6315007c55cf216c6964e942c6542357b403e805

SHA512
2bd0438673cafd7fba966ff07922d5f153f718633df0d70dad293fd2ceba03ed6b1f3077f629ba6045efbbaf66d6043101caf578650db3911ade2a1cc6e17440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
43ba92e049a1debba1e908f9ad616def

SHA1
53f768bf4f0f186c0e27436eca5997af87cf9287

SHA256
0512a576711b2f5d064626d40d69932896a5eba8d1aab961de916e24b9108aa9

SHA512
c0fa4c988b69646d389389b97e120f65e53e1d421cc8ba06cb5cfe1224b604886d041ad5a71a94f0fae90947648f5305343a0016d66172f2b3c532d94471a0d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
34e10393da8597349cdc8e9de4bf40b5

SHA1
828895e1a0052a5c3b58364b75ee7d1d37acb609

SHA256
d241a3f76caf9562fa6f600bb51bd4dde0ba181c7663c4009e23d9f414872059

SHA512
7be0773c74ab3be69afc393d342b38e2e3d313d76d022c2d96fe0f52beeda30bf6d3680a401016f183e9e5a2e98c9c2974c5798944ff05e816a9d0d69f5eced6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
8863340fbf94301f510b2c76bbc4031d

SHA1
cd9e5756e1af17e82625e5aed106ef96051ce050

SHA256
d45341e1720ff91d737f9dd4f439e0c9433e68ebe6348ba9e3a4132bdb9e8aa0

SHA512
c089b413df24f35705bd9cfd302166d38f0b2cb923be5d911a01f09a45ea0d62389cb9f64c0270f556660999d9d04942d574f7f4dae976ba93592c290d5b4d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\I4ZW00YB.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\QGPO0DCR.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\Desktop\BlockTrace.ram.kd8eby0.41B-414-AEF

MD5
a8abb259dcbc82f9a81dd492434d5049

SHA1
04ff8a83d153240bbcb1867294dfa926db6487c5

SHA256
50ba5ca27c35f6db6ed055a8b69d2d66869dc8957b9add8c089268a1ca6447b4

SHA512
16c7ed36098ffba219fdb9787c4870e4cbf8461e69da993a2d34c1d27a58f00e1a41546e54f59d53b920492f515d9f1c5cf694006c32f7b372862230e7255325

Download Submit
C:\Users\Admin\Desktop\ConvertFromResolve.bmp.kd8eby0.41B-414-AEF

MD5
4d6cbf2ff0afe9d37e5d05ffcab4120d

SHA1
985bc9bc622143800da6ab1fe3b744b34e04efb3

SHA256
3a4723d16189e34219878bfabc6642fa5083e373fce7a3f4824e845d952b0dcf

SHA512
c00bc45d9186930a1c4c4ff1c2915470489bb45f0a73e4e1eb4bed92e64078842d5008fab8fea6789a6d84013620304b29c288bdf36d5975ae138473c3dd8495

Download Submit
C:\Users\Admin\Desktop\DebugExit.wdp.kd8eby0.41B-414-AEF

MD5
d0fe68f56f5b52b58dc29f98c697550e

SHA1
2bc9aaecd53904708a1c11a286b96d6cb4c8a022

SHA256
1014e24e8f91ea9d1e4bebbdfd3bbe66c6f413a605f3e66168b7dc678655dc07

SHA512
732c7a6bde8435978b3501119cde09312e516ed6ad062acb5fd8cc814cf346e2672aff14261bb191abc5d64a1096873828aea434b61d86d6398876585c6bebfb

Download Submit
C:\Users\Admin\Desktop\FormatGroup.reg.kd8eby0.41B-414-AEF

MD5
7d28af33ab837fe2d4466b10ce54512c

SHA1
06d0f2360f428e519557cdc8d5f4ba5fd215e402

SHA256
f4fce253e6017d4359ffb0f84d80f7518ef0485b45c0a942f85a63c2db7d99e9

SHA512
5e641f0adcb3a3f209d8a3f4ec74b823597153b14193f4ee1719911875eb9c8d221f0172b25a104d389c1afac641e1a1ec147430e0ca996f274c919b94802c9d

Download Submit
C:\Users\Admin\Desktop\GetSend.bin.kd8eby0.41B-414-AEF

MD5
f665643d180af3ad2dd15f29980e3ad2

SHA1
098a539a7f677d81ff3808baebcec6ffd46f087b

SHA256
4db779427baa2dcc2f717d1f237db1c92114c073e79ffdf0e2dea536e0208817

SHA512
52be49b1aa4df79a39c570ec4d27058c1f83e8aeb758a88a31ae30d59aef154636c794a2b46f8996168fe46f7ec296574882018b13dca5aad6cd2f057fb01784

Download Submit
C:\Users\Admin\Desktop\GrantFormat.jpg.kd8eby0.41B-414-AEF

MD5
0d12c54de7989b38f72b7d156919838e

SHA1
ada55c58dc232e3385a11afa3e86f0821f0dfa36

SHA256
def66fd048ac5c46589aa33c13a2514bf01843e7769348ae1e5695ac2b64c578

SHA512
891b25a44fe8ba46506f138727a27e529fce612500441b1b94796b438a2a447cd35ccc2ba740f7e61f985e1dd1f202f445475ddd3572ab5cbe4a9f21c98bbd23

Download Submit
C:\Users\Admin\Desktop\ImportUnblock.wav.kd8eby0.41B-414-AEF

MD5
0d097840a00d10b9f76bf690463e0d53

SHA1
b7b8d966e195e14266881e1d64056377dc677ca3

SHA256
9cff288cbbffd321d01b39fa745f223dd0d5575c786dd6ef273fbc48eafea60b

SHA512
2f51fa69ca61ee3d5076835aca79fefdc3c4284af8e2ba35d6353b27aec10470f4653e8c138ae9552babd8cf0601fbd08d9430446e6ce16dec3b60cf4984f89b

Download Submit
C:\Users\Admin\Desktop\InitializeStop.mp3.kd8eby0.41B-414-AEF

MD5
58589dade500bf104742ebc56986b371

SHA1
7c8538025452fdfd7f56d0a9e98606181e6fe334

SHA256
134b944ed8cfc2124d27eacb0b8f42d6f83ad9beef6cf2139fa14414cda013e0

SHA512
1ad8b478e300bd8b4bde6469fc1707bed806999bbef2fd31273ccdaeb780c385e4d4159d07745bb364b302dfba7a538410e2de3d9422b2ed46e70d0f8ef2743b

Download Submit
C:\Users\Admin\Desktop\InvokeMeasure.mpeg2.kd8eby0.41B-414-AEF

MD5
c19c2dae906c274d7c49c696fe458242

SHA1
17c08131c57af297806195399ce58d7f3059ab26

SHA256
de9c32b33de1009e49584ccee1a117edf6e3125e0813581ea19814bfa2be5444

SHA512
dc0257cdf240da1af26d2a6048bbb623dc74abf2ec99670cc8a8cf657c3cdbab413f8aada4a1d0d46969c23605ee0e0f2efa58d7f9a0fcb0f99a0fb20b3d762c

Download Submit
C:\Users\Admin\Desktop\LimitAssert.tiff.kd8eby0.41B-414-AEF

MD5
bf4d69bf0f973907c18cdd01648c878e

SHA1
6f2ab4700102fa4596e4c2341568c27d103bc253

SHA256
0106879f75cd200f5bf52eee80d7df7f6b9def7e00162398166c1a9a2ce23e37

SHA512
1ccac4b0166d9d2ad154d2d28104509ecaf254bd372b4c32ffbe16c4e0e203c5d74f20bdbb3c9aeabc1df2a760eab88d07b47c77c37fc3997cb5b72f484372a3

Download Submit
C:\Users\Admin\Desktop\LockComplete.wmf.kd8eby0.41B-414-AEF

MD5
cb30db378ce880b869841f041069239f

SHA1
e1b0d1218ec74c66ca1d0dbd2f51d73df8419b24

SHA256
46dde0da26d84f37a46347d452f155ed25b1ed672d03cc03acd02f05015a103c

SHA512
dd9c961fdce0bff1888f2a06cb7490b9a7ff9fc7ac6328a41cbc991878f2d7d5f2b55751846e4e1ba938c0d59b6306e33fba214d35b18b1a316d0113f3aa71ba

Download Submit
C:\Users\Admin\Desktop\MeasureEdit.wmf.kd8eby0.41B-414-AEF

MD5
cfa4a6d66dd60dddd438b1710c790bfe

SHA1
112d756455377c842a28a23ef0db5dd767623d45

SHA256
6ebebb78bb0878a4f3c170353fcef531813f058bcba6424080fbed8729f2316a

SHA512
284462e18b3ff675e9e25111ff1626b029a2e8bcd029493cf5465a18b44090ed108fa2cb03e8cb58111179c7aec45c4a697b47242d35fb7947fd6abbece6dc63

Download Submit
C:\Users\Admin\Desktop\MountSplit.mp2.kd8eby0.41B-414-AEF

MD5
a39b69dcba8bc346e2006236db4b1797

SHA1
901f75a1dd159f2017e26f9eecc8e4a6239eb9a3

SHA256
2db0d3b339ac30995f4a8a8198a412692c99abe6334f75f2df8ace5fbbf6cbae

SHA512
ef1c002b13870075cb403dd1937d32e1d5697a9b59c06aedc6f86977a0d215b5b0ce4107a361b8736308b6d20f2f03382b8d2e12199cbd579a62b212b9adc386

Download Submit
C:\Users\Admin\Desktop\MountStart.xps.kd8eby0.41B-414-AEF

MD5
f9ca2cd9724493161d1809c436445cc8

SHA1
aab6fd2d97bbdd89ea6e331e1d4062adeae4e8f0

SHA256
2a25dc735b37931edc6838eea47c61d3a91d6e4a205901f668854418f3b35e92

SHA512
c1205d728176f3e6f8dd86625f9ad4c71920bef59763bfea4d5d0b45cbfa64a20b2c4a4274f6a852cffc028426819b0dc2a21b91ece3c2edcf28ce994aba8855

Download Submit
C:\Users\Admin\Desktop\NewOptimize.vsd.kd8eby0.41B-414-AEF

MD5
eca5f23c0e75e264cdddaa80c3645ed6

SHA1
d3dcbd2d7a042a57f393135e0f89f0c2f0e99e89

SHA256
33b548d54cf59d6dd351b3ed429cc2dd5e5342dcd385dcacbe5187d135123e37

SHA512
e9e39f2568190d9a4d4fac9e091cde22998c4b6d026df371617e7f79cc5ba3c85bc76f26a3dfd61384d5b78f773cc1f0261c9c69b1a5a5d0d2063df160290135

Download Submit
C:\Users\Admin\Desktop\NewSearch.mp3.kd8eby0.41B-414-AEF

MD5
22bd40bd94bcd98c4647192cc0737664

SHA1
d335245f6d7c2656878b06b89b28f80704c6113f

SHA256
b19a3186d797c0b52b893db6fd0903a5d348ae4909292b3f1f33fa852035343e

SHA512
8418297b9b901b51f773b08e773ac3cb544af562744fd7fd4b952945c9dbba89da2d2671fb844cba495f806c911d62bb3f51ad3f8e35d71f5a3fd97d696423ac

Download Submit
C:\Users\Admin\Desktop\RemoveBlock.dwfx.kd8eby0.41B-414-AEF

MD5
8499befe02d037dfce8a1884eb30690a

SHA1
2eba52d8ff97338e29b75e891092f31f6fc18055

SHA256
43908f8629f9466bd5b75ec8055bb18d3ebffd2fe855612ae68d2448ae142e82

SHA512
bcbd87e0fa7f385f004989b91fa909d09fb5de00c83649635238e1065b2a35ae8285ab2f6ef66d94ce3f4eb10c86e56e51e3e1b9e25757eb85ba7f7333d44b4b

Download Submit
C:\Users\Admin\Desktop\SendGrant.M2V.kd8eby0.41B-414-AEF

MD5
26978221c605bf86955624c261babf29

SHA1
31520aa026d8ed5313bd1331aad36fef067eff5b

SHA256
e241345b61dc7a3b3e57afb5d4705e46a13d284f66c52a6b739c6934370e9cb9

SHA512
f737e512391095d0ddb20365e728688ca260ec7ffcbc3be597affab9c2ef04cf96aab486186b8c6202dca3fa463080c43801123f77e5214402d3fd7df8cc307c

Download Submit
C:\Users\Admin\Desktop\StartPublish.vstm.kd8eby0.41B-414-AEF

MD5
ff9d75b238b4b91f9af2713cf51635a3

SHA1
2ed3f3c94fe7bb1e0394ad0b97a94c885fca3a19

SHA256
7fe783053c0a954261f7fba0523945f48a6421f283974ea96ad7ef274dbd73c1

SHA512
5d2c9b874887caa7bdea9bbf930ce630793697be869e6a441f924412605e394e299766d6fffbeb2dc28fbbc2977b94614180689c54e6b74f8f7d3a8b16ff742a

Download Submit
C:\Users\Admin\Desktop\SuspendConnect.emf.kd8eby0.41B-414-AEF

MD5
d33d3d4582fdcf1442f882b814e09a18

SHA1
3c510983f0ee4a1a35b8629d818c08d2caa1fb20

SHA256
77f767365c84ad3b924ab622baa2f9d03ec5a631250fd7a08d234d4df390136b

SHA512
9d8c934394b810b0fbe124b25568a3852e99d21b6dbd4d33e8e4cad45e0e4ab9c16c45424a22609a3f034c1169846dc27b5b75393601c3eab238889b594f77fe

Download Submit
C:\Users\Admin\Desktop\SwitchPublish.vb.kd8eby0.41B-414-AEF

MD5
f84fda3c56b72db5ed434dc3bbe21172

SHA1
a8cc255270ce915bbd5b9efb8e0db0ca7dc640d0

SHA256
e1f303b28cadee0d5114de3185480c2454252ef0eebad296299f9df25b06bd6c

SHA512
03fac979f91ba531d89a2fc72922fe6ce5569240053e8a6af04614d4031629b50c258a8305d1c57851b16940c97f271e654cef5c2fff1d5ecbb32cea684491fc

Download Submit
C:\Users\Admin\Desktop\SyncStart.xlsx.kd8eby0.41B-414-AEF

MD5
38e34759b5a404cdeff827bf5f3d29c4

SHA1
7e365f71eed7238e0f275e063494fe046491f758

SHA256
a0c751f83c5700ae25a21195f5c61e149c10cfc3dd7299e3bc7434cdb0d646db

SHA512
190d66299c127abef4a7283b520e190239fb65a3b933ed7e2f7ebfd20052df04b5d16baea746f3f75c38a0f075813272cbdd33780eea7f2a7c6a1e4247cddaa6

Download Submit
C:\Users\Admin\Desktop\SyncTrace.zip.kd8eby0.41B-414-AEF

MD5
3628c7da3e7097397398a8f93132af8a

SHA1
19e2022ce67b5d9f3653d952a7ffc1f0cd62d8eb

SHA256
bbc1bc10c7b6c12495fdea1298f1a124d84256095c75667cd81c426b5d2d81b7

SHA512
149a11e4fcbaaddf247024634fdd6ba5941b89af8fe0e2d1c2a498690807f4283fb5706c4f30b7edd02221626b6e3b0fa3f8ebb4939c46da991a9b83f5448039

Download Submit
C:\Users\Admin\Desktop\TraceOptimize.7z.kd8eby0.41B-414-AEF

MD5
33ed8aea6dd995af933ae779e9bfa7a3

SHA1
0ee31e704f4d028d1ff499257adf2b7c3917dd4d

SHA256
b359035234fa1b150b75e13345f5300256faa9095eccfca8a2ba7ac0f5f9ad32

SHA512
473a8c20efbca095212bb8800390111d56c79f29a50c6bedb7ceebf8f249a1df199ed3e85a2a956585705a40f524528633d02aaea20950cbaf3231c9e4ef7e82

Download Submit
C:\Users\Admin\Desktop\UninstallComplete.ADTS.kd8eby0.41B-414-AEF

MD5
da098fe3f580b4a674a57ea2b522d321

SHA1
df94f6f2bff9ffd9b3b2605c91e11316f73e143d

SHA256
799b6bf47be9be376aee99d847f6b7edc9dab505ebbf010a869f792fbfaa6ca6

SHA512
6fd94d77254e11a999fb64da9f03c7ebf53869c7ffaa1f863c1c87aeaa0da4fd86be23d3214ea24ddaf9eb659a74e31f5097ab20eb9dc111f1935cbd0abe7f02

Download Submit
C:\Users\Admin\Desktop\UninstallFind.svg.kd8eby0.41B-414-AEF

MD5
42b8a2e814e7d92586ce664d54b32dde

SHA1
55d2f03d172c2ae83fdad1d331cc1c7040e5a14e

SHA256
8a43f816611491868e61d8e4d7529a646e5ef955975e585626a741fbf3f40450

SHA512
750edd2eac742077f2151ebb28a12a7f3d0485fcb031f178e34dcebf77174eaf7027e19ee1513fd4b21ccb2a2785b5faeee688e9496d21f340435de5c9229a0b

Download Submit
C:\Users\Admin\Desktop\WriteReceive.xhtml.kd8eby0.41B-414-AEF

MD5
d4f5b738e917ebe55d8fdccb2dcf3e46

SHA1
c9a21e76dd4edb368e354e8c7b084fc3712fc05b

SHA256
c184746e1ac13a12b5967c3f650b0e7c315f566b25f2fe5250ba48e669e881c0

SHA512
0ee33dd6133a391ee3e6a56763467bca6e96fff06add994af562efd66c60d79f1fa32c8120e6b401f1f239270605c60b71838fedcb18b3c8889954000891a14c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
memory/368-93-0x00000000006F0000-0x0000000000835000-memory.dmp

Filesize
1.3MB

Download
memory/368-86-0x0000000000000000-mapping.dmp

Download
memory/540-64-0x0000000000000000-mapping.dmp

Download
memory/920-81-0x0000000000000000-mapping.dmp

Download
memory/1080-83-0x0000000000000000-mapping.dmp

Download
memory/1100-89-0x0000000000000000-mapping.dmp

Download
memory/1260-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1260-62-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1260-61-0x0000000001ED0000-0x0000000002015000-memory.dmp

Filesize
1.3MB

Download
memory/1400-85-0x0000000000000000-mapping.dmp

Download
memory/1460-122-0x0000000000000000-mapping.dmp

Download
memory/1468-90-0x0000000000000000-mapping.dmp

Download
memory/1576-94-0x0000000000000000-mapping.dmp

Download
memory/1612-91-0x0000000000000000-mapping.dmp

Download
memory/1792-82-0x0000000000000000-mapping.dmp

Download
memory/1832-80-0x0000000000000000-mapping.dmp

Download
memory/1896-84-0x0000000000000000-mapping.dmp

Download
memory/1948-71-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1948-66-0x0000000000000000-mapping.dmp

Download